
Data Processing Policy

The purpose of this short notice is to enable patients to become familiar with the processing and protection of the health data and related personal data provided in the course of medical treatment, since the processing of personal data shall be fair, lawful and transparent.

It should be transparent to natural persons (i.e. persons, the data subjects) how personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed.

The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed.

We process personal data in a manner that ensures appropriate availability in due time, security and confidentiality of the personal data, including preventing unauthorised access to or use of personal data and of the equipment used for the processing. Hereby, we inform you that the data processor reserves the right to change the data protection regulations in line with the effective legal regulations.


1. Information on the Data Controller

Name: Dr. Rose Magánkórház Kft.

Registered Seat: 1051 Budapest, Széchenyi tér 7-8.

E-mail: info@drrose.hu

Fax: +36 1348 486

Phone: +36 1 377 6737 (from 8.00 to 20.00 on working days)

Website: http://www.drrose.hu/en


2. Legislation underlying data processing

In particular, the following acts are relevant to data processing in the course of using health service:


3. Lawfulness of processing

Processing shall be lawful only if and to the extent that at least one of the following applies:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.


4. Data processing related to medical care

4.1. Scope of data processed and purpose of data processing: In order to provide secure and personalised medical care, it is essential to record the personal data stipulated in the legislation (Health Care Data Act) and also the known medical data, with the aim of providing medical care.

4.2. Legal basis of data processing: On the one hand, the legal basis of data processing is your consent as the user of the services; on the other hand, it is the mandatory provision of a contract or of a legal regulation, e.g. in relation to financing cases.

4.3. Duration of data processing: DR ROSE Private Hospital Kft., as a healthcare provider, shall process and store health data and related personal data in line with the legal provisions (Health Care Data Act). For this reason, your consent cannot be withdrawn, and requests for the final erasure of health data and related personal data cannot be fulfilled. Health documentation shall be kept for a minimum of 30 years from the recording of the data, while a hospital discharge summary shall be kept for a minimum of 50 years. Images taken during imaging diagnostic procedures shall be kept for 10 years from the date of recording, and the findings made on the image shall be kept for 30 years from the date of recording the image. The retention period for prescriptions shall be 5 years.


5. Law enforcement in relation to the processing of health data and related personal data

In the event of having any questions regarding data processing, please turn to our data protection officer.

Contact details of the data protection officer:

Name: Dr. Tündik Henrietta, attorney, healthcare lawyer

E-mail: iroda@tundikhenrietta.hu, adatvedelem@drrose.hu

Mailing address: 1051 Budapest, Széchenyi tér 7-8.

You may request information on which personal data of yours we process; however, given the particular nature of data processing and in order to protect your data, this is provided only following identity verification. Complaints regarding the lawfulness of data processing shall be sent to the above contact addresses. Furthermore, upon unlawful processing of your personal data or infringement of your right of informational self-determination provided in the Info Act, you can turn to the Budapest Capital Regional Court (1055 Budapest, Markó u. 27.; mailing address: 1363 Bp. P. O. Box 16), you can file a claim with the court having jurisdiction based on your domicile, or you can turn to the National Authority for Data Protection and Freedom of Information (1135 Budapest, Szilágyi Erzsébet fasor 22c, www.naih.hu).


6. Data Protection Regulation

Hereby we inform you that our data protection regulation contains further, detailed information on data processing and patients’ rights (e.g. data processing related to the use of the website, access to documentation, who can have access, the possibility to request copies, data portability etc.). The data protection regulation is available on our website at www.drrose.hu/hu, and in paper-based format it is available at all receptions of Dr. Rose Private Hospital; upon request a copy is provided.


Dated in Budapest on the 1st day of December 2018.


Lancsalics Petra

Managing director

Dr. Rose Magánkórház Kft.


DATA PROTECTION AND DATA PROCESSING REGULATION, 2018-2019

Application of data protection and data processing rules

Name of the organisation and the data controller: Dr. ROSE Magánkórház Korlátolt Felelősségű Társaság

Date of professional operating license: 1st day of December 2018

Short name: Dr. ROSE Magánkórház Kft.

Registered seat of the organisation: 1051 Budapest, Széchenyi tér 7-8.

Person responsible for issuing the regulation: Lancsalics Petra managing director

Coming into force of the regulation: 1st day of December 2018.

This regulation shall be applied to the protection of natural persons coming into contact with DR. ROSE Magánkórház Kft. with regard to the processing of personal data and to general rules on the free movement of such data and to the processing of personal data of natural persons involved in health care and persons coming into contact with the health service provider. Contents of the regulation shall be applied in the course of specific data controlling activities, and when instructions regulating data processing and information are given.  Furthermore, on the basis of Section 30 (5) a) of Eütv., this regulation shall be applied 10 years retroactively in relation to health care data base handed over by Dr. ROSE Egészségügyi Szolgáltató Kft. terminating the provision of health care services without succession (in relation to all special fields, such as orthopaedics, plastic surgery, health maintenance etc.) to the new service provider Dr. Rose Magánkórház Kft. and the entity dealing with health care task.

Section V of this regulation was created for the sake of completeness, but only for internal use regarding data processing with the aim of administration and record keeping, which, at DR. ROSE Kft., is applied to the processing of the personal data of medical workers, further persons working in the field of healthcare, and partner companies. It is applied as long as the Labour Policy of the company is accepted.

Dr. ROSE Magánkórház Kft. is dedicated to providing the highest protection to natural persons’ privacy and also to protecting special data and the related personal information gained in the course of providing health care services.

Main rules governing this regulation:


Out of the several legal regulations relating to the controlling of personal data, we highlight – without aiming to give an exhaustive list – the main governing rules: Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (GDPR), The Fundamental Law of Hungary (27 April 2011), Act V of 2013 on the Civil Code (hereinafter referred to as Ptk.), Act CLIV of 1997 on Health Care (hereinafter referred to as Eütv.), Act XLVII of 1997 on the processing and protection of health care data and associated personal data, Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Infotv.), Act C of 2000 on Accounting, Act CXXIII of 2005 on Security Services and the Activities of Private Investigators (hereinafter referred to as Szvtv.) and Act I of 2012 on the Labour Code (hereinafter referred to as Mt.).

Mandatory application of a Data Protection Officer (DPO)

On the basis of Article 37 Section (1) c) of GDPR, Dr. ROSE Magánkórház Kft. is obliged to employ (appoint) a data protection officer, since it controls a special category of personal data in large number.

In the course of providing in- and outpatient care in our institution, which is our main activity, we become familiar with medical data and related personal data provided by the patients or, in the field of paediatrics, by the closest relative or statutory representative; furthermore, in the course of manual, imaging diagnostic and laboratory diagnostic examinations, further sensitive data come into existence. For this reason, in order to efficiently protect personal data in our institution and for the sake of effective accountability, we appoint a data protection officer who is in touch with the data protection authority.

Data Protection Officer:

Name:

Dr. Tündik Henrietta attorney

Special fields:

Health care lawyer, data protection officer

Contact information:

+36308281020

iroda@tundikhenrietta.hu, adatvedelem@drrose.hu


Scope of the regulation

This regulation is valid until recall; its scope shall cover all the organisational units of Dr. ROSE Magánkórház Kft., its data processors, workers, officers and employees. This regulation shall be reviewed annually and any time the legislation changes. Only the data controller is entitled to amend the regulation.

Dated in Budapest on the 1st day of February 2018.


....................................................

Lancsalics Petra

managing director


Table of Contents

Application of data protection and data processing rules

Chapter I
I.1. Purpose of the regulation
I.1.1. Important concepts, definitions on the basis of the GDPR
I.1.2. Definitions of Eüaktv.

Chapter II. Guidelines on data processing
II.1. Guidelines on data processing according to GDPR
II.2. Guidelines on processing medical data and related personal data
II.2.1. Mandatory application of Eüaktv. in the course of data processing
II.2.2. Personal data may be processed only in cases necessary to reach a legitimate purpose and to the necessary extent
II.3. Persons entitled to data processing
II.3.1. Within the health care network, the following persons shall be entitled to process the health care data and personal identification data, unless Eüaktv. prescribes otherwise
II.4. Data Security

Chapter III. Rules of data processing for medical treatment
III.1. Medical secret
III.2. Release from the obligation of keeping medical secret
III.3. Right of the patient to become familiar with health care data
III.3.1. Right to data portability
III.4. Right of other people apart from the data subject concerned to become familiar with health care data
III.5. Medical data may be disclosed on the basis of a written request by the following persons
III.6. In the event of death of the data subject, upon written request, the following persons are entitled to become familiar with health care data
III.7. Extent of confidentiality against other healthcare providers
III.8. Recording health care data
III.9. Possibility of data transmission and combining data
III.10. Extent of data transmission in the interest of medical treatment, objection to data transmission
III.11. However, in the below cases, even against the prohibition of the data subject, the health care data and personal identification data shall be transmitted as per Eüaktv.
III.12. Data transmission in urgent cases
III.13. Voluntary nature of data provision and exceptions from voluntary data provision
III.13.1. Voluntary data provision
III.13.2. Exception from the rule on voluntary data provision
III.13.3. Consent to data processing shall be deemed granted
III.13.4. Presumption of voluntarily given consent
III.14. Who may be present during the medical treatment
III.14.1. Beyond that, the following persons may be present without the consent of the data subject
III.15. Data on the prescription
III.16. Recording health care data and personal identification data
III.16.1. Compulsory retention period of health care documentation
III.16.2. After the expiry of the compulsory recording period, the following rules shall be taken into consideration
III.16.3. Continuous provision of technical conditions
III.16.4. Correction or deletion of health care data
III.16.5. Preparation of an authentic copy
III.17. Responsibility of the head of the institution
III.17.1. In the course of his activity the head of the institution shall
III.18. Data Protection Officer

Chapter IV. Provisions of GDPR for e-data processing
IV.1. Processing personal e-data
IV.2. Consent of data subject, conditions
IV.3. Processing which does not require identification
IV.4. Informing the data subject and rights of the data subject
IV.5. Revision of personal data
IV.6. Tasks of data controller
IV.7. Rights related to data processing
IV.8. Summarising the tasks of data controller in order to provide proper data protection
IV.9. Data Protection Officer
IV.9.1. Legal status of the data protection officer
IV.9.2. Duties of the data protection officer
IV.10. Personal data breach

Chapter V. Data control with the aim of filing and record keeping
V.1. Legal base of data control
V.2. Data processing with the purpose of administration and record keeping have the following aims

Chapter VI. Marketing data processing

Chapter VII. Rules on application of surveillance system/camera

Chapter VIII. Miscellaneous
VIII.1. Data processing for other reasons
VIII.2. Laws forming the basis of data processing
  - Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information

Chapter I

I.1. Purpose of the regulation

The purpose of our privacy policy is that the data controller, Dr. Rose Magánkórház Kft., ensures the legality of data processing in relation to its data processing activity, in order to protect the fundamental rights and freedoms of natural persons (i.e. people) and to ensure the proper processing of personal data.

In the course of its activity, the organisation intends to fully comply with the legal regulations on controlling personal data, especially with the provisions of GDPR and Eüaktv. which sets out special provisions on domestic patients.

Since processing of health data and relating data is essential while providing health care services, these data shall be highly protected due to their confidential nature and the widespread information technology. For this reason, the purpose of this regulation is to define the conditions and aims of processing special personal data regarding health condition and the relating personal data.

Furthermore, it is also an important purpose of the regulation that by getting familiar with its provisions and complying with them employees will be able to control the data of natural persons in a lawful way.

I.1.1. Important concepts, definitions on the basis of the GDPR

  • controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Personal data concerning health means personal data related to the physical or mental health of a natural person, which carry information about his or her past, current or future health status. The following are included:

  • registration because of health care services;
  • a number, symbol or particular data assigned to a natural person to uniquely identify the natural person for health purposes;
  • information derived from the testing or examination of a body part or bodily substance, including genetic data and biological samples;
  • and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

Genetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.

  • third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  • consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  • restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future;
  • pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person; 
  • filing system means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
  • personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

I.1.2. Definitions of Eüaktv.

  • health care data: data disclosed by the data subject or told by someone else about the data subject, or noticed, examined, measured, mapped or derived by the health care network, and relating to the physical, mental and spiritual condition or pathological addiction of a person and to the circumstances of the disease and death and the cause of death; furthermore any other data that can be related to the above and which may influence the above (e.g. conduct, environment, occupation);
  • personal identification data: family name and first name, maiden name, gender, place and date of birth, maiden family name and first name of the mother, place of stay, social security number (hereinafter referred to as TAJ number) jointly, or any of these if it is suitable or may be suitable to identify the data subject;
  • medical treatment: all activities which aim to deliver examination, treatment, continuous care, nursing care and medical rehabilitation, to alleviate pain and suffering, and furthermore to perform the work-up of findings from the patient’s investigations, in the interest of promoting health; preventing, detecting early and treating disease; improving a condition arising as a result of a disease or preventing further deterioration of health; included shall be all activities related to medicines, therapeutic appliances and therapeutic services as well as ambulance and patient transportation services, and obstetrical care;
  • medical secret: medical data and personal identification data learnt by the data controller during the medical treatment, and any data learnt in connection with the necessary, in-progress or finished medical treatment, furthermore other data related to the medical treatment;
  • medical records: notes, records or data recorded in any other way, regardless of the carrier or form thereof, that contain medical and personal identification information related to the treatment of a patient and that come to the knowledge of a health care worker in the course of delivering healthcare services;
  • attending physician: attending physician as per Section 3 (b) of Eütv.;
  • medical provider: physician carrying out the medical treatment, medical professional or other person carrying out any activity related to the medical treatment of the patient, pharmacist;
  • data controller: a natural or a legal person, or an organisation without legal personality, who or which is entitled to process medical data and the related personal data or personal identification data, for the purpose of processing data in line with the provisions of the law;
  • next of kin: spouse, direct-line relative, adopted, step and foster child, adoptive, step and foster parents, sibling, and common-law spouse;
  • medical emergency: a sudden change in health which, in the absence of urgent medical care, would endanger the patient’s life, or result in a severe or permanent health impairment;
  • EEA state: a member state of the European Union and a participant in the agreement on the European Economic Area, or a state which is not a member of the European Economic Area agreement but whose citizens have the same legal status as citizens of a member state of the European Economic Area on the basis of an international agreement between the non-member state in question and the member states of the European Union;
  • third country: each state which is not an EEA state.


Chapter II. Guidelines on data processing

II.1. Guidelines on data processing according to GDPR

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Personal data shall be collected for specified, explicit and legitimate purposes.

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Personal data shall be accurate and kept up to date. Inaccurate personal data shall be erased without delay.

Personal data shall be kept in a form which permits identification of data subjects for no longer than it is necessary. Personal data may be stored for longer periods where the data will be processed solely for archiving purposes in the public interest, or for scientific or historical research purposes, or statistical purposes.

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisational measures.

The principles of data protection should apply to any information concerning an identified or identifiable natural person.

The employee of the organisation carrying out the data processing shall bear disciplinary liability, liability for damages, and misdemeanour and criminal liability for the lawful processing of the data. Insofar as the employee learns that the processed personal data are erroneous, incomplete or out of date, the employee shall correct them or initiate their correction with the employee responsible for recording the data.

II.2. Guidelines on processing medical data and related personal data

II.2.1. Mandatory application of Eüaktv. in the course of data processing

Provisions of Eüaktv. shall be applied to each organisation and natural person providing health care service and professional supervision thereof (hereinafter referred to as health care network) and each legal personality, organisation not having legal personality and natural persons which or who process personal identification data (hereinafter referred to as other data controller organisation).

Furthermore, Eüaktv. shall be applied in relation to each natural person getting in touch with or using the services of any health care service network or other data controller organisation, irrespective of the fact whether the person is ill or healthy (hereinafter referred to as data subject) and also in relation to medical data and personal identification data relating to the data subject and processed in compliance with Eüaktv.

II.2.2. Personal data may be processed only in cases necessary to reach a legitimate purpose and to the necessary extent

For the data processing purposes listed below in sections A)-B), only as much and such health and personal identification data shall be processed as is essential in order to meet the data processing purpose.

A) Aim of processing medical and personal identification data:
  • facilitating the preservation, improvement and maintenance of health,
  • facilitating the successful medical treatment activity of healthcare providers, including professional supervision,
  • following the medical condition of the data subject,
  • taking measures which are necessary due to public health and epidemiological interests,
  • application of patients’ rights.
B) Beyond that, the law allows that medical data and personal identification data are processed, in cases set out in the law, for the following reasons:
  • education of health care professionals,
  • physician-professional and epidemiological examination, analysis and planning, organising health care service and planning of costs,
  • statistical examination,
  • anonymisation with the aim of impact assessment and scientific research,
  • assisting the official control or legal supervision of the entity or person controlling health data and the work of organisations carrying out professional or legal supervision, if the purpose of supervision cannot be reached otherwise, and to carry out the tasks of organisations financing health services,
  • declaration of social security and social services, in case it is carried out on the basis of the health condition,
  • prosecution, and crime prevention within the scope of authorisation to carry out the tasks set out in Act XXXIV of 1994 on the police,
  • dealing with tasks set out in Act CXXV of 1995 on the national security services, within the scope set out in that act,
  • proceedings of administrative authorities,
  • misdemeanour proceedings,
  • proceedings of prosecutors,
  • court procedure,
  • placement and caretaking of data subjects outside healthcare institutions,
  • stating ability to work, irrespective of whether this activity is carried out as an employment, civil servant, government service, public service, state service or official service legal relationship or within the framework of any other relationship,
  • unemployment benefit, facilitating employment and the related monitoring,
  • medication ordered on the basis of a prescription for those who are entitled to medical treatment, and the continuous and safe serving and provision of therapeutic appliances and medical treatment,
  • examination, recording and taking the necessary labour protection measures in case of accidents at work and occupational diseases, including enhanced exposure cases as well,
  • ethical procedures carried out against health care employees,
  • declaration of the efficiency and support of medicines and therapeutic appliances getting efficiency-based support, and working out the financing schedule of diseases treated with these medicines,
  • organising patient transportation,
  • evaluation and development of the quality of medical services, regular supervision and development of the evaluation criteria of health services,
  • supervision, measurement and evaluation of the performance of the health system,
  • facilitation of effective and safe medication for those who are entitled to medical treatment and in order to create a cost-effective medicine therapy,
  • exercising the rights related to cross-border medical services within the European Union.
C) Data processing with a different purpose

The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected (e.g. patient satisfaction survey). In such cases, no legal basis different from that which allowed the collection of the personal data is required.

It is also allowed by the legislator to process personal data for purposes other than those listed in sections A)-B) above (e.g. sending newsletters, telemarketing, website registration etc.) upon the written consent of the data subject or of the statutory or authorised representative (hereinafter jointly referred to as statutory representative); however, the consent has to be based on proper information.

II.3. Persons entitled to data processing

II.3.1. Within the health care network, the following persons shall be entitled to process the health care data and personal identification data, unless Eüaktv. prescribes otherwise:

  • healthcare provider,
  • head of the institution and
  • data protection officer.

II.4. Data Security

In the course of processing medical data and personal identification data, the security of the data shall be ensured against deliberate or accidental elimination, destruction, alteration, damage, disclosure and unauthorised access.

The data controller shall ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

 

Chapter III. Rules of data processing for medical treatment

III. 1. Medical secret

  • With the exception of the cases set out in Section III. 2., the data controller and the data processor shall be obliged to keep the medical secret.

III. 2. Release from the obligation of keeping medical secret

Data controller shall be relieved from its confidentiality obligation if

  • a) the patient or his or her statutory representative gave consent in writing to transmit health care data and personal identification data within restrictions thereof, and
  • b) transmitting health care data and personal identification data is mandatory as per the provisions of law.

III. 3. Right of the patient to become familiar with health care data

  • The data subject is entitled to be informed about data processing in relation to his or her medical treatment,
  • to become familiar with the health care data and personal identification data relating to him or her,
  • to look into the medical documentation, and
  • to obtain copies thereof at his or her own cost. The first copy shall be provided free of charge. Copying fees may not be excessive and may not obstruct or impede the data subject's right of access.

III. 3. 1. Right to data portability

Article 20 of the General Data Protection Regulation (GDPR) introduces the right to data portability as a new right. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance. This right, which applies under certain conditions, supports the data subject's freedom of decision, control over his or her data and informed conduct – where it is technically feasible for the data controller.

The data subject shall have the right to data portability in relation to those data which

  1. relate to the data subject (i.e. not anonymous data),
  2. the data subject has provided to the Company, and
  3. can be transferred without adversely affecting the rights and freedoms of others.

Data controller shall be responsible for all security measures which are necessary to ensure that personal data are safely transmitted to the proper addressees (by encrypting information, and by means of authentication measures).

The data controller shall reject the request if data portability is limited by law or if its exercise by the data subject may adversely affect the rights and freedoms of others. The Company shall inform the data subject of the rejection within one month of receipt of the request. Insofar as the data controller has reasonable doubts concerning the identity of the applicant, it may request additional information in order to confirm his or her identity.

Provision of personal data shall be free of charge, unless requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character.

The data controller shall not be responsible for the data processing carried out by the data subject or by another company receiving the personal data.

Where the data subject, on the basis of his or her right to data portability, requests the data controller to accept data, the Company is entitled to decide whether or not it accepts the data.

III. 4. Right of persons other than the data subject concerned to become familiar with health care data:

The following persons are entitled to become familiar with the data:

  • while healthcare is being delivered to the data subject, a person designated by him or her by means of a written authorisation,
  • following the conclusion of the patient's medical treatment, only the person authorised by the data subject in a private deed with full probative force.

III. 5. Medical data may be disclosed on the basis of a written request by the following persons:

While the patient is alive and after his or her death:

  • the spouse of the data subject,
  • a direct relative,
  • a sibling,
  • and a partner.

Persons listed in Section III. 5. shall be entitled to exercise their right to become familiar with the health care data where the medical data are necessary

  • a) for exploring the reasons influencing the life or health of the spouse, direct relative, sibling, partner or descendants, and
  • aa) if it is necessary for the health care of the above persons,

and

  • there is no other way to become acquainted with such health care data or to establish them by inference.

As for Section III. 5., only those medical data may be revealed which can be directly related to the reasons listed in a) and aa).

III. 6. In the event of death of the data subject – upon written request –, the following persons are entitled to become familiar with health care data:

  • statutory representative,
  • close relative,
  • and heir.

Persons listed in Section III. 6.

  • may become familiar with the health care data relating to the cause of death or connected therewith,
  • and furthermore with the health care data relating to the medical treatment before death,
  • may look into the medical documentation,
  • and may obtain copies thereof at their own cost.

III. 7. Extent of confidentiality against other healthcare providers

Except for the general practitioner of the data subject and a court expert, the healthcare provider shall be bound by confidentiality towards those healthcare professionals who did not take part in:

  • the medical examination,
  • establishing the diagnosis, and
  • the treatment or the operation.

Exception from Section III. 7.:

  • if the disclosure of data is necessary to establish a diagnosis, or
  • to provide the patient with further medical treatment.

III. 8. Recording health care data

  • Recording health care data is part of the medical treatment.
  • The physician carrying out the medical treatment and the medical officer shall decide which health care data are to be recorded in line with the professional rules – apart from the data mandatorily recorded under Section 13 of Eüaktv. – for the purposes listed in Section II. 2. 2. A) of this regulation.
  • Another person taking part in the medical treatment of the data subject may record health care data in line with the instructions of the physician carrying out the treatment and to the extent necessary to carry out his or her tasks.

III. 9. Possibility of data transmission and combining data

  • In the case of data control and data processing for the purposes exhaustively listed under points A)-C) of Section II. 2. 2. of this regulation, health care data and personal identification data may be forwarded and combined within the medical service network.
  • Health care data and personal identification data originating from different sources may be combined only for as long and to the extent strictly necessary in order to take measures of prevention, treatment, public health and epidemiology.
  • As a further restriction, transmission and combination of health care data and personal identification data within the medical service network for the purposes set out under subpoint B) of Section II. 2. 2. is possible if those purposes are directly related to the operation of the healthcare and patient care system (e.g. EESZT, which is currently being implemented in our institution).

III. 10. Extent of data transmission in the interest of medical treatment, objection to data transmission:

In the case of data control and processing under Section II. 2. 2. A), all medical data relating to the illness of the data subject may be transmitted which:

  • a) are important, on the basis of the decision of the attending physician or the general practitioner, in the interest of the medical treatment.
  • b) Exception:
    • if the data subject has prohibited it in writing, or
    • in a declaration recorded in the self-determination register.

Before transmission, the data subject shall be informed about the possibility to object.

  • c) Special provisions regarding the transmission of health care data on previous illnesses not related to the current one: health care data on a previous illness not related to the current illness existing at the time of transmission may not be transmitted without the consent of the data subject, not even in the case under Section III. 10. a) – except under Sections 11 (3) and 13 of Eüaktv.

III. 11. In the cases below, however, the health care data and personal identification data shall be transmitted under Eüaktv. even against the prohibition of the data subject.

Upon request of the medical provider, the data subject (statutory representative) shall be obliged to provide the health care data and personal data

  • if it is probable or has been verified that the data subject is infected with the agent of any of the illnesses listed in Annex 1, or suffers from a toxic infection or a communicable disease, except in the case under Section 15 (6). (Section 15 (6): where the data subject wishes to take part in a screening test – without previously identifying himself or herself – in order to find out whether he or she is infected with HIV, the patient is not obliged to provide personal identification data to the medical service provider.)
  • if it is necessary for carrying out screening and assessment of fitness for a position listed in Annex 2, or in the case of acute toxicity,
  • if it is probable that the person suffers from an occupational disease as per Annex 3,
  • if the provision of data is necessary in the interest of a foetus, or for the medical treatment, the preservation of the condition or the protection of a minor,
  • if the competent authority has ordered the examination in the course of a criminal investigation, the prevention of a crime, proceedings of a public prosecutor or a court, misdemeanour proceedings or proceedings of an administrative authority,
  • if the provision of data is necessary for an inspection under the act on national security.

III. 12. Data transmission in urgent cases:

  • in the case of urgent need, all health care data connected to the medical treatment and all personal identification data known to the physician carrying out the treatment may be transmitted.

III. 13. Voluntary nature of data provision and exceptions from voluntary data provision

III. 13. 1. Voluntary data provision

  • Provision of health care data and personal identification data of the data subject is voluntary.

III. 13. 2. Exception from the rule on voluntary data provision:

  • in the course of the mandatory provision of personal identification data (see definitions) necessary for using the health service, and
  • in the cases defined in Section 13 of Eüaktv. (e.g. infection, intoxication etc.), the provision of data is compulsory (the cases in Section 13 of Eüaktv. are detailed in Section III. 11. of this regulation).

III. 13. 3. Consent to data processing shall be deemed granted

  • where the data subject turns to the healthcare network voluntarily, consent to the processing of health care data and personal identification data relating to the medical treatment shall – unless otherwise declared – be deemed given, and the data subject (statutory representative) shall be informed thereof.

III. 13. 4. Presumption of voluntarily given consent

  • In an emergency, or if the data subject lacks capacity, voluntary consent to data processing shall be presumed.

III. 13. 5. Health care data unsuitable for identifying a person may be transmitted without restriction as to time or territory.

III. 14. Who may be present during the medical treatment

  • apart from the physician carrying out the treatment and other persons assisting in the health care, only those persons may be present to whose presence the data subject gives consent.

III. 14. 1. Beyond that, the following persons may be present without the consent of the data subject

  • Apart from the persons set out in Section 17 (2) of Eüaktv. (e.g. medical students in institutions designated for training medical professionals), the following persons may be present:
  • a) the physician who previously treated the data subject for the same illness,
  • b) a person who was given permission for professional or scientific reasons by the head of the institution or by the person responsible for data protection, except when the data subject has expressly objected.

III. 15. Data on the prescription

Since only privately financed patients are treated at the inpatient and outpatient practice operated by Dr. ROSE Magánkórház Kft., the information in this section covers neither data processed in relation to medical treatment financed from social security funds, nor other data processing which is necessary in other publicly financed cases.

We deem it necessary to set out in this section that where medicine, therapeutic appliances or medical treatment are prescribed, the following data shall be indicated in the prescription:

  • name of the data subject,
  • address
  • date of birth.

III. 16. Recording health care data and personal identification data

Health care data and personal identification data received from the patient in order to carry out medical treatment, and any transmission of these data, shall be recorded.

The record of a data transmission shall contain the addressee of the transmission, the date and method of the transmission and the scope of the data transmitted.

The recording medium may be any kind of data storage device which protects the data as set out in Section 6 of Eüaktv.

The physician carrying out the treatment shall make a note of the medical data recorded by him or her or by another health care professional, and shall also make notes on his or her own activity and measures relating to the treatment. These notes shall form an integral part of the record.

III. 16. 1. Compulsory retention period of health care documentation

  • medical documentation shall be kept for at least 30 years from the date of recording the data,
  • discharge summaries shall be kept for at least 50 years,
  • copies of images taken during imaging diagnostic procedures shall be kept for 10 years from the date they were taken, while findings based on these images shall be kept for 30 years,
  • prescriptions shall be kept for 5 years.

III. 16. 2. After the expiry of the compulsory retention period, the following rules shall be taken into consideration:

  • a) for the sake of medical treatment or scientific research – if justified –, the data may continue to be retained.
  • b) if retention is no longer justified – with the exception of subsection c) –, the record shall be destroyed.
  • c) if the medical documentation has scientific significance, it shall be handed over to the competent archives after the compulsory retention period expires.
  • d) in case the entity handling the documentation ceases to exist without succession – with the exception of subsection e) –
    • da) medical documentation with scientific value shall be handed over to the competent archives,
    • db) other medical documentation shall be handed over to the organ designated by the Government.
  • e) insofar as the entity handling the documentation ceases without succession, but a different entity performs the function the ceased entity used to perform:
    • ea) documentation which came into existence in the 10 years before the date of termination of the entity handling the medical documentation shall be kept by the entity that performs the tasks,
    • eb) medical documentation not handed over in line with point a) shall be handed over to a different entity or data controller designated by the Government.

III. 16. 3. Continuous provision of technical conditions

For the sake of data retention, it shall be continuously ensured that the data carrier remains readable under the given technical conditions or can be brought into a readable state.

III. 16. 4. Correction or deletion of health care data

Erroneous health care data may be deleted or corrected after their entry only in such a way that the data originally entered can still be established.

III. 16. 5. Preparation of an authentic copy

Where data security or the physical protection of the stored data so requires, or where a data disclosure obligation so prescribes, the data controller shall make an authentic copy of the recorded data and the medical documentation. The contents of an authentic copy shall be governed by Section 6 of Eüaktv.

III. 17. Responsibility of the head of the institution

Within the healthcare institution, the head of the institution controlling the data shall be responsible for the protection of health care data and personal identification data.

III. 17. 1. In the course of his or her activity, the head of the institution shall

  1. ensure that the data protection rules are complied with,
  2. monitor the data control activity of the data controllers and the processors and the activities relating to data processing,
  3. initiate the application of new technologies and equipment developed in the field of data security,
  4. ensure data processing training for persons dealing with data control and data processing,
  5. give permission to look into the medical documentation in the case of scientific research [Section 21 (1) of Eüaktv.],
  6. appoint the data protection officer (the persons responsible for data protection),
  7. monitor the activities of the data protection officer and the person (persons) responsible for data protection,
  8. ensure the preparation of the privacy policy of the institution,
  9. decide on the further storage or destruction of recorded data after the mandatory retention period.

III. 18. Data Protection Officer

  • The activities set out in Section III. 17. 1., subsections 1-4, may be performed by a data protection officer.
  • If an employer employs more than 20 data controllers per organisational unit, the head of the institution shall appoint a person responsible for data protection in each organisational unit.
  • The person responsible for data protection may be
    • a) a physician holding a specialisation, or
    • b) a person holding a law degree and having a minimum of 2 years of practice, or
    • c) a person holding a higher education degree and having a minimum of 2 years of experience in health care data control.

Chapter IV. Provisions of GDPR for e-data processing

IV.1. Processing personal e-data

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and to identify them. In the course of processing health care data and related personal data, Dr. ROSE Magánkórház Kft. does not create profiles.

Data may be processed only if

  • data subject consents by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her,
  • by means of a written statement, including by electronic means, or an oral statement.

This could include  

  • ticking a box when visiting an internet website (e.g. newsletter subscription).

Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

Consent is deemed to be given if

  • a user chooses technical settings in the course of using electronic services,
  • or makes such a declaration or behaves in a way which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.

Personal data shall be processed in a manner

  • that ensures appropriate security and confidentiality of the personal data in order to
  • prevent unauthorised access to personal data and the equipment used for the processing,
  • and unauthorised use thereof.

Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.

Such specific protection should, in particular,

  • apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles.

Inaccurate personal data

  • every reasonable step must be taken to ensure
  • that any personal data that are inaccurate are corrected or erased without delay.

IV. 2. Consent of data subject, conditions

  • Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
  • If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters.
  • The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof.  Withdrawal shall be as easy as giving consent.
  • When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
  • If the offer of information society services is directly related to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

IV. 3. Processing which does not require identification

If the purposes for which a controller processes personal data do not require the identification of a data subject at all or any longer by the controller, the controller shall not be obliged to keep additional information.

If the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible.

IV. 4. Informing the data subject and rights of the data subject

The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes.

Where the personal data are collected from the data subject, the data subject should be informed whether he or she is obliged to provide the personal data and also about the consequences, where he or she does not provide such data.

The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case.

A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication, in particular, with regard to the purposes for which the personal data are processed and, where possible, the period for which the personal data are processed.

The data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, or where the data subject has withdrawn his or her consent. Medical data and the related personal data may not be erased on that ground, since the data controller is obliged to keep such data as prescribed by law.

Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing at any time and free of charge.

IV. 5. Revision of personal data

In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.

The interval of the periodic review defined by the head of the organisation shall be 1 year.

IV. 6. Tasks of data controller

In order to carry out lawful data processing, data controller shall apply internal data protection rules. This regulation covers the competence and liability of data controller.

The controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with the laws in force (accountability).

Those measures should take into account the nature, scope, context and purposes of the processing and the risk posed to the rights and freedoms of natural persons.

Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures. On the basis of this regulation, those measures shall be reviewed and updated where necessary.

The controller or processor should maintain proper records of processing activities under its responsibility.

Each controller and processor should be obliged to cooperate with the supervisory authority and make those records available if requested in order to monitor those processing operations.

IV. 7. Rights related to data processing

Right to request information

Any person may request information via the provided contact channels on which of his or her data are processed, on what legal basis, for what purpose, from what source and for how long. The request shall be answered without delay, and at the latest within 30 days, at the contact address provided.

Right to rectification

Any person may request the modification of any of his or her data via the provided contact addresses. The request shall be dealt with and answered without delay, and at the latest within 30 days, at the contact address provided.

Right to erasure

Any person may request the erasure of any of his or her data via the provided contact addresses. Upon request, the erasure shall be carried out without delay, and at the latest within 30 days, and information shall be sent to the contact address provided.

Right to blocking and restriction

Any person may request the blocking of his or her data via the provided contact addresses. Blocking shall last as long as the reason stated makes it necessary. Upon request, it shall be carried out without delay, and at the latest within 30 days, and information shall be sent to the contact address provided.

Right to object

Any person may object to data processing via the provided contact addresses. The objection shall be examined as soon as possible, and at the latest within 15 days of its submission; a decision shall be made on its merits, and information shall be sent via the contact addresses provided.

Enforcement of rights related to data processing

National Authority for Data Protection and Freedom of Information

Mail address: 1530 Budapest, Pf.: 5.

Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat (at) naih.hu
URL: https://naih.hu
Coordinates: N 47°30'56''; E 18°59'57''

Upon infringement of his or her rights, the data subject may bring an action against the data controller before the court. The court shall deal with the case as a matter of urgency. The data subject may – at his or her discretion – file the lawsuit at the court having jurisdiction at his or her place of residence or stay.

IV. 8. Summarising the tasks of data controller in order to provide proper data protection

  • To maintain data protection awareness, professional competence shall be ensured in order to comply with the regulations. It is essential that colleagues are professionally prepared and familiar with this regulation.
  • The purpose and criteria of data processing and the concept of personal data processing shall be reviewed. Lawful data control and processing shall be ensured in line with the data protection and data processing regulation.
  • In the course of informing the data subject properly, it shall be noted that in case of doubt the data controller shall prove that the data subject consented to data processing – if data processing is based on the consent of the data subject.
  • Information provided to the data subject shall be concise, easily accessible and understandable; for this reason it shall be compiled and presented clearly, in simple and accessible language.
  • It is a requirement of transparent data processing that the data subject be informed of the existence of the processing operation and its purposes. Information shall be provided before the commencement of data processing, and the data subject shall be entitled to information throughout the data processing until it ceases.
  • The most important rights of the data subject are summarised as follows:
    • access to the personal data relating to the data subject;
    • correction of personal data;
    • erasure of personal data;
    • restriction of the processing of personal data;
    • objection to profiling and automated data processing;
    • right to data portability.
  • The controller shall provide information to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. In performing the obligation to provide information, the medical secret shall be kept. Special data shall not be passed to unauthorised persons.
  • Data processing carried out by the organisation shall be reviewed, and the right of informational self-determination shall be guaranteed. Upon request of the data subject, his or her data shall be erased without delay if the data subject revokes consent to the processing of his or her data (e.g. in the case of newsletters); since the mandatory retention period of health care data is 5 years, 10 years or 30 years and can be 50 years, these data cannot be erased even upon request.
  • From the consent of the data subject it shall be unambiguous that the data subject gives consent to data processing. If data processing is based on the consent of the data subject, the data controller shall prove, in case doubt arises, that the data subject has consented to data processing.
  • In the course of processing the personal data of children, special attention shall be paid to complying with the data processing rules. If the offer of information society services is directly related to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
  • In case personal data are controlled or processed against the law, a notification obligation arises towards the supervisory authority. The controller shall notify the supervisory authority without undue delay – where feasible, within 72 hours after becoming aware of the personal data breach –, unless the personal data breach is unlikely to result in a risk to the rights of natural persons.
  • In certain cases, it may be justified to carry out a data protection impact assessment before data processing is commenced and in the course thereof. During the impact assessment it shall be examined how the planned data processing operations affect the protection of personal data. If the data protection impact assessment indicates that the data processing is likely to involve high risk, the data controller shall consult the supervisory authority before the personal data are processed.
  • Data shall be protected by proper measures, especially against unauthorised access, alteration, transmission, disclosure or destruction, accidental loss and damage, and against becoming inaccessible due to a change in the technology applied.
  • In order to protect data processed electronically in the records, it shall be ensured by a proper technical solution that data stored in the records cannot be directly combined and linked to the data subjects.
  • When planning and applying data security, the current state of technology shall be taken into consideration. Among several data control methods, the data controllers shall choose the one which provides a higher level of data security, unless it involves disproportionate difficulty for the data controller.

IV. 9. Data Protection Officer

Rules on appointing a data protection officer:

The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks of data control.

The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.

The controller or the processor shall disclose the contact details of the data protection officer and communicate them to the supervisory authority.

IV. 9. 1. Legal status of the data protection officer

The controller shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. Resources necessary to maintain the data protection officer’s expert knowledge shall be provided.

The data protection officer shall not receive any instructions regarding the performance of his or her duties. The data protection officer shall not be dismissed or penalised by the controller or the processor for performing his or her tasks. The data protection officer shall report directly to the highest management level of the controller or the processor.

Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights.

The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks.

The data protection officer may fulfil other tasks and duties; however, such tasks and duties shall not result in a conflict of interests.

IV. 9. 2. Duties of the data protection officer

  • The data protection officer shall inform and advise the controller or the processor and the employees who carry out processing;
  • he or she shall monitor compliance with the policies of the controller or processor in relation to the protection of personal data;
  • he or she shall provide advice where requested as regards the data protection impact assessment and monitor its performance;
  • he or she shall cooperate with the supervisory authorities.

IV. 10. Personal data breach

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud.

The personal data breach shall be announced at the supervisory authority without undue delay and not later than 72 hours after having become aware of it, unless it can be demonstrated, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The data subject shall be notified about a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions.

Personal data breaches shall be recorded.

Chapter V. Data control with the aim of filing and record keeping

The organisation may control personal data for filing and record keeping purposes in matters belonging to its activity.

V. 1. Legal base of data control

  • voluntary and explicit consent of the data subject, based on proper information;
  • following the provision of detailed information (covering the purpose, legal basis, duration and the rights of the data subject), the data subject shall be notified of the voluntary nature of the processing of personal data;
  • consent to data processing shall be set out in writing.

V. 2. Data processing for the purpose of administration and record keeping has the following aims:

  • processing the data of members and employees of the organisation, which is based on a legal obligation;
  • processing the data of persons in an agency relationship with the organisation for the purpose of keeping contact, accounting and registration;
  • processing the data of other organisations, institutions and enterprises in business contact with the organisation, which data may also include contact information and identification data of natural persons.

Data processing in line with the above is based partly on legal obligations and partly on the express consent of the data subject to the processing of his or her data (for example on the basis of a labour contract, or where the person has registered as a partner on the website, etc.).

In the case of documents sent to the organisation in writing that also contain personal data (e.g. CVs, job applications and other submissions), the consent of the data subject shall be presumed. After the matter is completed, and in the absence of consent to further use, the documents shall be destroyed. The fact of destruction shall be recorded in a protocol.

In the case of data processing for administrative purposes, personal data are contained exclusively in the documents and records of the given matter. The processing of these data shall last until the disposal of the document forming the basis of the processing.

Data processing for administration and record keeping shall be reviewed annually in order to ensure that personal data are not kept longer than necessary and that inaccurate personal data are erased without delay.

Compliance with the laws shall also be ensured where data processing is carried out for the purpose of administration and record keeping.

Chapter VI. Marketing data processing

Data processing due to sending newsletter and direct marketing material

Dr. ROSE Magánkórház Kft., as data controller, requires data subjects to give separate, written and voluntary consent, based on prior information, that the personal data provided by them may be processed, as set out in the information, for the purpose of sending newsletters and direct marketing materials.

Dr. ROSE Magánkórház Kft. sends newsletters and/or direct marketing material only if the data subject has acknowledged, by his or her written declaration, that the Company may send such materials to him or her. Subscription to newsletter and direct marketing services is possible only with prior consent to data processing.

Dr. ROSE Magánkórház Kft. may process data in the newsletter and direct marketing records only in line with the contents of the declaration of consent and only until the consent is withdrawn, and data may be disclosed to a third party only with the prior consent of the data subject.

The declaration of consent to receiving newsletters and direct marketing materials may be withdrawn by the data subject at any time, without limitation and free of charge. In this case, all personal data processed for the purpose of sending newsletters and direct marketing materials shall be erased from the records of Dr. ROSE Magánkórház Kft. without delay, and no newsletter or direct marketing material may be sent to the data subject any more. The data subject may send the declaration of withdrawal to the e-mail address info@drrose.hu or to the mailing address 1051 Budapest, Széchenyi tér 7-8., and may also unsubscribe directly at the end of the newsletter.

In the course of sending newsletters, the aim of data processing is to keep in touch with interested persons, clients and partners by means of the newsletter.

When sending direct marketing materials, the aim of data processing is for the Company to prepare and send customised marketing offers, for the purpose of obtaining business, to those who have given their consent, and to send information about products and services distributed by the Company.

The legal basis of data processing shall also be defined; it is identical in both cases (newsletter and direct marketing): the consent of the data subject to the processing of data for a specified purpose as per Article 6, Paragraph (1), Point a) of the GDPR.

Duration of data storage shall be until the termination of newsletter/direct marketing services or until the consent is withdrawn.

Regarding the database taken over, these regulations shall be applied in line with the strict rules on medical secrecy, such that, concurrently with sending a newsletter, the privacy policy of the new service provider shall always be made available. Insofar as the patient uses the health service after 01 December 2018, he or she has to fill in the registration form, in which the consent given before 01 December 2018 to receive newsletters is affirmed or withdrawn.

The data controller sends newsletters to the e-mail addresses of data subjects by electronic mail on the basis of its legitimate interest where not all of the cumulative conditions of consent can be fulfilled (Recital (47) of the GDPR; Article 6, Paragraph (1), Point f) of the GDPR).

According to the result of the legitimate interest assessment, sending the newsletters does not infringe the interests or fundamental rights and freedoms of the data subjects in a way that would override the legitimate interest of the Private Hospital.

In addition, the data subject can reasonably expect to receive e-mails or communication by e-mail, since the data subject has requested and uses electronic communication when medical records are sent or appointments are made online.

The protection of the property of the Private Hospital is a fundamental right set out in the Constitution. Sending newsletters also serves the interests of data subjects by providing them with information and raising awareness, while making it possible to transfer information related to the maintenance of health. In the event of an objection or unsubscription, no newsletters will be sent in the future. By placing a privacy link in the newsletter, the data controller wishes to assist the data subject in exercising his or her rights related to data processing.

Those concerned by data processing at the Company are the patients and the colleagues dealing with the service provided to the data subject.

Employees and contributors of Dr. ROSE Magánkórház Kft. taking part in data control and/or data processing are entitled to access the personal data of those who subscribe to our newsletter/direct marketing services to the extent justified by their tasks and jobs, and they are bound by a confidentiality obligation.

Chapter VII. Rules on application of surveillance system/camera

In the course of operating an electronic surveillance system, the legal basis of data processing is the legitimate interest of the employer (regarding the employees) and the consent of the data subject (regarding visitors and customers), and a warning notice (information) shall be placed at a clearly visible place in the surveilled area. This notice shall be placed in relation to each camera located in the surveilled area. If the company installs a dummy camera, the information shall state that the camera does not make any recordings.

Compulsory content of the information:

  1. the legal basis of data processing (making the recording) (Article 6, Paragraph (1), Point f) of the GDPR),
  2. the location and purpose of each camera, the area and/or object surveilled by the cameras, and whether the camera only monitors directly or the footage is also stored,
  3. the name of the operator (legal or natural person), and the identity of the data controller and data processor,
  4. the place and duration of storing the recordings and the data protection measures relating to their storage,
  5. who may view the recordings, when and how, how they may be used, and to whom, when, how and for what purpose they may be transmitted,
  6. the rights of the employees and how they can exercise them, and where they can lodge a complaint, and
  7. what remedies the employees may have recourse to if their right of informational self-determination is infringed.

In order to inform clients and visitors, the information shall be placed at a clearly visible place and in a prominent manner, and they shall be warned that by entering the premises they give their consent to being recorded.

A separate rule shall regulate who may have access to the recordings, who holds authorisation and of what type, who checks the final erasure of the recordings and who supervises this; it shall also determine when the recordings may be viewed by the employer or the employee and who may give permission for this, and the necessary form shall be attached.

Chapter VIII. Miscellaneous

VIII. 1. Data processing for other reasons

Insofar as the organisation intends to carry out data processing that is not set out in this regulation, this internal policy of the organisation shall be amended beforehand, and additional rules complying with the new data processing purpose shall be attached.

VIII. 2. Laws forming the basis of data processing

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
  • Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information;
  • Act LXVI of 1995 on public records, public archives, and the protection of private archives;
  • Act CVIII of 2001 on certain aspects of electronic commerce and information society services;
  • The Fundamental Law of Hungary (27 April 2011);
  • Act V of 2013 on the Civil Code;
  • Act XLVII of 1997 on the processing and protection of health care data and associated personal data;
  • Act CXXXIII of 2005 on Security Services and the Activities of Private Investigators (hereinafter Szvtv.);
  • Act I of 2012 on the Labour Code (hereinafter referred to as Mt.).