Dear Visitor,
On creating an appointment online personal information is required in order for us to identify your appointment. Please be advised that personal information is provided on a voluntary basis and that the personal information provided will be handled based on your voluntary consent. Such consent is deemed to be given by the registration of your personal information on our website’s user interface.
Data management will solely be conducted with relation to the services provided and will not be disclosed or forwarded to third parties. The personal data provided will solely be managed until such time as our company provides you services and will be deleted thereafter.
Our data management procedures and principles as well as rights you are entitled to in the course of data management, provisions governing objections to data management and rights enforcement, in particular, are contained in our Data Management Policy available on our website.
Suba Dentál Kft.
DATA MANAGEMENT AND DATA SECURITY POLICY
Data controller intends to ensure the data subjects’ right of access to information and set out the governing principles and procedures prevailing in the course of data management. The present Policy aims to provide the data subjects with adequate information as to the data management activities conducted by the Data controller, the data managed by them or processed by a duly authorised data processor as well as all relevant circumstances of data management and processing, and in the event of data transfer, the legal basis and addressee of such data transfer.
By means of the present Policy, Data controller is looking to fulfil its statutory records maintenance obligation, and determine a reference level of data security and a procedure to enforce the same.
The present Policy extends to all procedures conducted by Data controller where data processing of natural persons is concerned, except for Data controller’s employees with respect to whom a separate policy has been endorsed and whose data management is governed by special provisions of such separate policy.
. The present Policy comes into effect as of 25th May 2018 and shall be effective until repealed.
Definitions
For the purposes of the present Policy the legal person of Data controller is Suba Dentál Korlátolt Felelősségű Társaság. The details of the Data controller are as follows:
Headquarters: | 1024 Budapest, Ady Endre utca 1. 3. em. 10. |
Company registration number: | 01-09-197084 |
VAT number: | HU25054721 |
Telephone number: | +3617928950 |
Mobile Telephone: | +36706355144 |
Electronic mail address: | info@subadental.com |
Represented by: | Dr. Suba Csongor ügyvezető |
Data processing pertaining to the employment relationship of employees employed by Data controller conducted in the course of their work qualifies as data management conducted by Data controller.
The present Policy’s terminology corresponds to the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council, with some of the terms reiterated below:
- personal data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- data concerning health:means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
- particular data: personal data which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, as well as genetic data and biometric data capable of uniquely identifying natural persons and data concerning healthor personal data concerning sex life or sexual orientation
- data processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- the data subject’s consent:means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- personal data breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- data processor: the natural or legal person, public authority, agency or any other organisation processing personal data on the data controller’s behalf;
- profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- employee: natural persons in an employment relationship with Data controller in its capacity as employer
Terms and abbreviations frequently used in the present Policy:
- Privacy Act– Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council (EU).
- Civil code – Act V of 2013 on the Civil Code
- Labour Code – Act I of 2012 on the Labour Code
- Act on Consumer protection – Act CLV of 1997
Data processor’s data protection body
Data controller’s activities such as data protection, data processing, data security and information security shall be managed by the manager appointed from time to time supervising Data Controller, who, by issuing instructions and policies to the employees under their immediate control shall supervise Data controller’s full organisation insofar as data protection and processing are concerned.
Data controller makes the present Policy available to all its employees and sees that the present Policy is complied with. Data controller shall ensure that its employees get acquainted with, and observe, the legal and regulatory obligations relative to data processing, and shall consider compliance with data protection regulations as an essential job-related duty, furthermore they may only access personal data if they hold appropriate authorisations, in a manner and for the purposes set out in their respective job descriptions, and may only process such data as exhaustively described therein.
All employees shall
- organise and conduct their work in compliance with Data controller’s data protection and privacy policies and shall protect any data created or acquired and recorded in paper format in the course of their work from unwarranted access, loss and physical damage
- not share or publish their individual access credentials and passwords
- log off the IT systems after use and foreclose access to the electronic devices on departure or on interruption of a session, and in case of paper format data processing, lock away and keep locked storage media; leaving such storage media unattended is forbidden
- from to time, in the interest of preventing loss of electronically stored data, prepare or have another appropriately authorised employee prepare, backups of data stored on the data storage devices, to which they have exclusive access
- participate in a data protection training organised by Data Controller
- in the event of detecting a personal data breach incident, proceed as per appendix 1 to the present Policy on handling personal data breach incidents
Employees shall access and process personal data as set out in their individual job descriptions. Employees and data processors in charge of data processing shall submit a non-disclosure statement with regard to data processing and shall be responsible for policy compliance and the integrity, inviolability and availability of the personal data they process, as well as personal data breach incidents and infringements arising from their wilful or negligent conduct.
In the interest of preventing unwarranted access, Data Controller shall provide their IT systems with a firewall and virus protection and shall select programs that comply with the IT security regulations as amended from time to time. Data Controller shall assign different authority levels to its IT systems and shall restrict access thereto by means of password protection and shall see that measures are taken to ensure restorability of files, in particular, regular backups of data, and the separate and secure storage of back-ups.
In order to ensure the security of personal data stored in paper format Data Controller shall place documents containing such data in lockable rooms equipped with fire and property protection systems, foreclosing access to such rooms by unauthorised personnel.
Electronic data processing shall exclusively take place on computers owned by or exclusively used by Data Controller where activity logging is ensured. Data stored on servers shall solely be accessible to appropriately authorised personnel. For the security of data stored on the network, data loss shall be prevented by the continuous mirroring of data on the server.
Deletion, rectification and restriction of the processing authorities of personal data by Data Controller are subject to the consent of appropriately authorised personnel or Data Controller’s manager, on condition that records of requests to this effect shall be maintained by Data Controller.
Basic rules applying to data processing
Data Controller shall process personal data solely in order to exercise its rights and fulfil its obligations, and in conformance with the purpose limitation principle, shall only process such data to the required extent and for the necessary term. Data processing will accordingly be conducted at all times with a view to meeting the objectives set for a particular period. If the objective of data processing is no longer valid or processing of the data is otherwise illegal, such data will be deleted.
Only such personal data may be processed as are suited and indispensible for fulfilling the objectives of data processing. Data Controller shall apprise the data subject of the objectives of data processing prior to recording the data, through publicly available information sheets or policy or individual communication.
In the course of data collection the accuracy, completeness and, if required for the purpose of data processing, the updating of data shall be ensured and data subject identifiability will only extend through the term necessary for data processing objectives.
If Data Controller engages data processors for processing the data on its behalf, such data processors shall provide adequate guarantees as to implementing appropriate technical security measures and organisational measures to provide for compliance with statutory provisions relating to data processing and the protection of data subject rights
Data controller shall conduct data processing in any one of the following cases:
- data processing is necessary for the protection of the data subject’sor another natural person’s vital interests
- data processing is necessary for the performance of a contractto which data subject is a party, or if, prior to concluding the contract, it is necessary for the performance of certain measures on data subject’s request
- data processing is required for the performance of Data controller’slegal obligation
- data subject has given their consentto the processing of their personal data for one or several definite reasons
- data processing is in the public interest or is necessary for performing dutiesin relation to exercising official powers conferred on data controller
- data processing is required for the enforcement of data controller’s or a third party’s lawful interests, except if data subject’s interests or basic rights and liberties override such interests and necessitate the protection of personal data
Data controller represents that the processing of data concerning health pursuant to Article 9 (1) h) of the GDPR is legal pursuant to a contract concluded with a healthcare professional.
Data controller shall inform data subject in advance as to the legal basis for data processing by means of a publicly accessible document, policy or individual communication.
Data subject’s consent shall solely be legally compliant if given voluntarily, unambiguously and based on adequate information, that is, in possession of the information pertaining to data processing. Data controller declares that by registration and provision of personal data on its website the data subject is deemed to have consented to the processing of their data for designated purposes of which data subject shall receive a short text warning prior to their data being sent. Withdrawal of the consent shall not affect the legality of data processing based on consent prior to withdrawal, that is, withdrawal shall exclusively apply to the future.
If data processing is stipulated by law, or is necessary for Data controller’s performance of a legal obligation, data processing is mandatory. If data subject defaults on their obligation to supply data Data Controller shall be entitled and obliged to deny the provision of services.
The duration of data processing shall be determined in the information on data processing. As a general rule Data Controller stipulates that data processing shall continue as long as the processing of the relevant data is required, subject to the purpose of data processing. Consent-based data processing will continue until withdrawal of the consent or enforcement of a court or regulatory ruling on the deletion of data, or until expiry of the limitation period of the enforceability of rights and obligations arising from the legal relationship on account of which Data Controller processes personal data. Pursuant to Section 6:22 of the Civil Code the general limitation period is 5 years. Legal data processing continues until expiry of the statutory limitation period or until the existence of conditions.
Data controller stipulates that pursuant to Section 30 of Act XLVII of 1997 on the processing and protection of health care data and associated personal data medical records shall be retained for at least 30 years, and discharge summaries for at least 50 years of data collection. In the interest of medical treatment or scientific research the mandatory recordkeeping period may be extended, if justified. If continuation of recordkeeping is unjustified, the records must be destroyed. Scans recorded with a diagnostic imaging method shall be retained for 10 years and medical records based on the scan shall be kept for 30 years of recording thereof. If the medical records have scientific relevance, they shall be submitted to the competent archives following expiry of the mandatory recordkeeping period.
In the event Data controller ceases to exist without a legal successor scientifically relevant documentation shall be handed over to the archives with other documentation submitted to a body designated by the Government. However, should the Data controller cease to exist without a legal successor and if tasks it earlier performed are delegated to another organisation,
- a) healthcare documentation generated within ten years preceding Controller’s dissolution shall be transferred to the organisation now handling such documentation,
- b) healthcare documentation not transferred as per section a) shall be filed with the archives or a body appointed by the Government in the aforesaid manner
THE RIGHTS OF, AND THE ENFORCEMENT OF RIGHTS BY, DATA SUBJECTS
Right of access to information and personal data
Data subject is entitled to request information on the scope of their personal data being processed, the circumstances of data processing with particular regard to the purpose, legal basis, duration of data processing and personal data breach incidents, if any, as well as available legal remedies. Data subject is entitled to access to information even if Data Controller acquired their personal data from another person in which case Data Controller will also provide extensive information as to the identity of data provider, and the time and manner of data recording.
Data subject is entitled to receive feedback from Data Controller as to whether their personal data are being processed, and if so, Data Controller shall provide data subject with access to the relevant personal data being processed. On data subject’s request Data Controller shall provide Data subject with a copy of the data being processed.
Data subjects are entitled to request rectification and where required and possible, completion of inaccurate data, and data subject’s request shall be satisfied without undue delay.
Right to Erasure (“Right to be forgotten�?) and objection
In case of data being processed with the data subject’s consent, data subjects are entitled to claim erasure of their data, and, subject to the validity of such claim, all requested data shall be deleted from all databases. If data processing is based on Data Controller’s legitimate interest data subject is entitled to object to their data being processed in which case data processing may only continue if Data Controller’s right to data processing overrides data subject’s interests, rights and liberties, or if the data being processed are implemental in the submission, enforcement or defence of legal claims. Until an overriding interest is established, access to the personal data at issue shall be restricted by Data Controller as set forth below.
If the processing of personal data is no longer required for the purposes for which they were processed hitherto, or if data processing is illegal, data subject may also initiate deletion of such data.
If personal data are processed for scientific, historical research or statistical purposes, data subject is entitled to object to processing their personal data on grounds of their personal status, except if such data processing is required for tasks performed in the public interest. Pursuant to Sections 24 and 26 of Act CLV of 2016 Data controller is obliged to provide data for statistical purposes, in such instances the data transferred are unsuitable for the identification of persons in a customer relationship with Data controller. Data controller declares that for the purposes of quality assurance case studies and statistics will be drawn up that are nonetheless unsuitable for the identification of data subjects.
Right to restriction of data processing
Data subjects shall be entitled to the restriction of their respective data being processed in the following instances:
- If the accuracy of their personal data is disputed by the employee concerned
- data processing is illegal but data subject objects to the deletion of data, and requests their restriction of use instead
- Data controller no longer needs the personal data for data processing but data subject requests them for the submission, enforcement or defence of legal claims
Personal data under restriction may only be processed – except for storage – subject to data subject’s consent, or for the submission, enforcement or defence of legal claims or the protection of rights of other natural or legal persons or in the important public interest of the European Union or a member state.
In the event of rectification or deletion of personal data or if data processing is restricted for whatever reason, Data controller shall notify all addressees with whom such data were shared, except if this proves unfeasible or requires undue effort. On request, data subject shall be apprised of these addressees by Data controller.
Notification of data subject in the event of a personal data breach incident
If a personal data breach incident occurs at Data Controller which is likely associated with a high risk to the data subject’s rights and liberties Data Controller shall advise data subject of all relevant circumstances without undue delay. Data Controller shall notify data subject through publicly available information in the following instances:
- Data Controller has taken appropriate technical and organisational protection measures and such measures were applied in relation to the data involved in the personal data breach incident, in particular, measures such as encryption, that render personal data unintelligible to persons with no right of access thereto.
- Data controller took further measures following the personal data breach incident that will, in all likelihood, eliminate high risks earlier threatening data subject’s rights and liberties
- The disclosure of information would require undue efforts.
Data controller’s policy on personal data breach incidents are detailed in a separate policy constituting appendix 1.
Data controller processes personal data for direct marketing purposes exclusively with a view to providing a newsletter service, subject to voluntary consent.
For filing requests and declarations on data processing please use Data Controller’s aforesaid contact details.
Data Controller shall inspect all requests and declarations on data processing and will decide thereupon following 30 (thirty) days of receipt which will be communicated to data subject in writing – including electronic mail. In its written reply, Data controller shall also indicate available legal remedies.
Data controller stipulates that subject to its content a request or declaration is acceptable, precisely on account of the data protection regulations, only if the applicant identifies themselves, failing which, Data Controller may request the applicant to supply missing information, the lead-time required for which, should identification indeed be required, will not count towards the aforesaid deadline. Data Controller shall keep records of requests received to comply with its legal obligations regarding data protection, which shall encompass applicant’s name, date of request and the application.
Should data subject disagree with Data controller’s decision made as aforesaid, or should Data Controller miss the aforesaid deadline without proper justification or fail to respond to the request, data subject is entitled to initiate court proceedings within 30 days. The data subject may bring a lawsuit regarding data processing before the competent court of their place of residence or temporary residence – as they choose. The court will process the request out of turn. The burden of proof as to the regulatory compliance of data processing shall be carried by Data Controller. In addition to the compensation claim for damage a grievance claim arising from the breach of personal rights, with particular regard to the right of self-determination on privacy, may also be brought against Data controller. If Data controller has retained a data processor to carry out data processing operations, Data controller (in addition to the data processor – as the case may be) shall also be held liable for damages or grievances caused by the data processor. Data Controller shall only be exempt from liability arising from such damage or grievance if it can substantiate that the damage or breach of personal rights was brought forth by an inavertible circumstance beyond the scope of data processing. No compensation for damages or grievances will be entertained if the damage or legal injury arising from the breach of personal rights is imputable to data subject’s wilful or severely negligent conduct, in particular, the provision of false data.
In case of a violation of the right of informational self-determination the data subject is entitled to file a report with the National Authority for data Protection and Freedom of Information (address:1125 Budapest, Szilágyi Erzsébet fasor 22/c, website: http://www.naih.hu).
Data Controller stipulates that legal restrictions may apply to a certain scope of data subject rights, subject to basic data subject rights, in which case Data Controller shall comply with the statutory regulations. In reply to requests and declarations concerning such data Data controller shall indicate the statutory restrictions in its reply.
Data Controller furthermore represents that it may be exempt from confidentiality obligations by law, and pursuant to sectoral legislation and official regulations Data Controller may be obligated to transfer data, particularly on grounds of public health.
DATA PROCESSING RELEVANT TO THE CONTRACT
Data processing with regard to services rendered to natural persons
Data Controller sets forth that it is a business organisation dealing in dental outpatient care rendering different dental, dental hygiene or oral surgery services to natural persons. In conducting its business, it is indispensable for Data Controller to handle the data concerning health of natural persons,
On execution of the contract, during the provision of services, and on termination thereof Data Controller shall, in order to fulfil its contractual obligations, process the personal data of natural persons with whom it is in a customer relationship, provided on the medical record and registration form constituting appendix 2 hereto.
The legal basis for data processing is the performance of the contract concluded with the data subject as aforesaid, the legal basis for which, insofar as data concerning health are concerned, is provided under Section (2) h) of Article 9 of the GDPR, as in default of the required data Data Controller is not capable of providing appropriate treatment. The supplied data will be processed for the term stipulated in the chapter entitled “Basic rules applying to data processing�? of the present Policy, since such data constitute integral part of, and are indispensable to, the medical documentation. Data controller furthermore declares that it shall undertake a warranty pursuant to the contract concluded with the data subject, the performance of which necessitates the processing of personal data recorded during the provision of services. Personal data including name and residence address are furthermore necessary for the issue of invoice for the payment of the service fee stipulated in the service contract concluded by parties.
Data Controller stipulates for the data subject to sign the informed consent form pursuant to regulatory requirements on the conduct of its activities, as well as to read and acknowledge the contents of, and sign, the treatment information sheet. Data Controller is entitled to process such documentation as aforesaid, being as it is part of the medical documentation.
In order to rule out any discrepancies in the personal data provided by the data subject Data controller’s employee is entitled to view data subject’s identity documents, which will not be copied.
In the interest of providing services Data Controller shall perform the tasks stipulated by the contract concluded with the data subject, in particular, it shall draw up a Treatment and cost calculation plan, it may record scans using diagnostic imaging methods and document the treatments. The full scope of personal data thus derived and used throughout such activities shall constitute part of the medical documentation.
On performance of the service contract concluded with the data subject Data Controller is precluded from deleting said data, but will see that such data is securely locked away. In the interest of providing services Data Controller shall forward and share the personal data acquired from the data subject and required for the treatment along with personal data generated in course of the treatment to the following subcontractors:
- “MY DENTIST” Fogászati Betéti Társaság(headquartered at: 1062 Budapest, Bajza utca 54., with VAT number: 22517085-1-42 and company registration number: 01-06-778171)
- DÖ-MEDIC Korlátolt Felelősségű Társaság(headquartered at: 1025 Budapest, Szemlőhegy utca 40. fszt. 1. with VAT number: 23013742-1-41 and company registration number: 01-09-948963)
- Lili Diófási private entrepreneur(headquartered at: 7627 Pécs, Pósa Lajos utca 72.)
- SICURO INVEST Tanácsadó Korlátolt Felelősségű Társaság (headquartered at: 4030 Debrecen, Boróka utca 18. with VAT: 24304982-1-09 and company registration number: 09-09-024519)
Data Controller shall fully inform data subject as to the fact of data transfer to its subcontractors, the data transferred and the addressees.
Data transfer to a Partner Clinic
Data controller represents that it is in partnership with the following outpatient dental care provider: Endodent Hungary Egészségügyi és Kereskedelmi Korlátolt Felelősségű Társaság (headquartered at: 1221 Budapest, Sárkány utca 9., with VAT number: 14283820-1-43 and company registration number: 01-09-897013, hereinafter referred to as Partner Clinic). Data subject’s data shall be transferred to Partner Clinic in order to facilitate data subject’s continued treatment, of which data subject is also notified by the service contract and data transfer is required in the interest of the contract. Partner Clinic’s data processing is governed by its own privacy principles.
Transfer of data concerning health in the interest of the data subject
Data controller sets forth that data processing and data transfer are permitted by paragraph 2 of Article 9 of the GDPR insofar as it is necessary to protect the essential interests of the data subject or another natural person if data subject is unable to give their consent on account of their physical or legal incapacity.
Data subject is entitled to arrange for the payment stipulated by the service contract concluded with the Data Controller through an insurer or health fund, and shall hand over a copy of the contract to this effect to Data Controller. On request, Data Controller may assist with the arrangement of payment with Payor, on account of which Data Controller shall be entitled to handle additional data, including data relating to Payor and the basis of payment, subject to agreement with data subject. Data controller is entitled to send payor the invoice issued for the services.
Data Controller sets forth that in the interest of payment, particularly in case of French patients, scans prepared with imaging diagnostic methods and the client’s registration sheet will also be forwarded if required for the release of payment.
Payment described hereunder may also be concluded through an intermediary in a separate contractual relationship with data subject. Data transfer in this case shall be performed subject to data subject’s consent, a statement of which shall be sought by Data Controller. The data to be transferred shall be enlisted on the consent form, and the intermediary shall solely use such data for enforcing data subject’s insurance claim. Data security rules as applicable between the insurer and its intermediary shall be stipulated by a contract concluded by them.
If data subject withholds their consent, data subject shall see that payment of the service fee is arranged by other means.
Data processing in relation to the registration of complaints
In order to enforce consumer rights, Data Controller provides complaints management to its customers qualifying as consumers. Consumer complaints will be registered with the following personal data: Consumer’s name, consumer’s signature, and the conduct (omission) constituting grounds for the complaint. Processing such data is mandatory by law and the scope of such data is defined under paragraph 5 of Section 17/A of the Act on Consumer protection. Pursuant to paragraph 7 of Section 17/A the complaints record and a copy of the response shall be retained for 5 (five) years and presented on request to regulatory authorities.
The legal basis for data processing in relation to consumer complaints is the performance of a legal obligation.
PROCESSING IN RELATION TO DATA CONTROLLER’S LAWFUL INTEREST
Recordkeeping of inquiries as to data processing
Data Controller keeps record of data subject’s inquiries concerning data processing, recording the time and content of the inquiry, and where possible, name of the data subject and the data processing measures implemented. The aim of recordkeeping is to ensure the auditability of statutory and regulatory compliance, establish transparency and the highest level of data security, which is of outstanding interest for Data Controller, and, albeit indirectly, for the data subjects. Records can be accessed solely by Data Controller’s administrator and specially authorised employees, in the event of regulatory controls and data protection inspection, and shall be kept until Data Controller’s termination without a legal successor. Restriction of access to the records and the purpose limitation principle ensure that data subjects’ rights and liberties are not compromised.
The video surveillance system applied by Data Controller
On its premises at 1024 Budapest, Ady Endre utca 1 3/9, for the purposes of property protection and monitoring personnel employed by Data Controller and thereby ensuring quality assurance, Data Controller employs a video surveillance system capable of capturing video footage.
The video surveillance system monitors the target area exclusively used by Data Controller, with no public areas being monitored. Data Controller monitors work and the precise organisation and execution of workflows, indispensable with a view to ensuring quality assurance for customers of Data Controller. Data Controller sets forth that in the interest of ensuring an appropriate level of operation it considers video surveillance indispensable, by the operation of which – pursuant to the warranty provisions below – the data subjects’ rights are not violated, or the extent of violation is so minimal that Data Controller’s above interests override such violations.
Use of the video footage captured is only warranted in the event of damage caused to the protected premises, workplace accident, an infringement or a suspicion of criminal offense. Data Controller shall use the footage in compliance with the purpose limitation principle and shall only hand it over to third parties in the event of a legal obligation, in particular, in the event of criminal or infringement proceedings.
Surveillance is conducted with six different 90 degree-angle cameras as per the following:
Monitored event, target area | Location |
Entrance door, persons arriving and intending to enter | area in front of the entrance door, part of the stairwell, lift door, neighbour’s entrance door |
lounge area, the patients present; finding colleagues | entrance door, washroom door and dressing room door, and approximately half of the lounge |
monitoring the reception, patients arriving and departing, patients about to pay and availability of receptionist | entrance door, reception desk, cash register |
Office no. 1; whether treatment or consultation is underway | the complete treatment room except the computer niche |
X-ray room; whether treatment or consultation is underway | the complete treatment room except the computer niche |
Office no. 2; whether treatment or consultation is underway | the complete treatment room except the computer niche |
The CCTV cameras installed continuously make recordings during the day in opening hours. The pictures captured by the CCTV cameras are displayed on the monitor placed at the reception. Data processing occurs in an automated fashion but decisions are not made in an automated fashion.
Data Controller does not conduct surveillance on such premises, particularly dressing rooms, shower rooms and washrooms, where this would violate human dignity.
Recordings are stored for 3 (three) days. Recordings are deleted by the expiry of the storage time set. Retention of recordings exceeding 3 days is only warranted in exceptional cases, particularly, in the event of damage caused to the protected premises.
The recordings shall be stored at Data Controller’s headquarters at 1024 Budapest, Ady Endre utca 1. 3rd floor 9. Viewing the recordings is only permitted to Data Controller and the staff working at the reception who monitor the recordings during their working hours between 8.00 and 20.00 hours. The subsequent re-viewing of the recordings is only warranted in the event of a suspicion as detailed above. Data Controller sees to the safe storage of recordings and that no unauthorised personnel have access to them.
Data processing of job applicants
Data Controller offers data subjects the opportunity to apply for positions advertised by it in a manner determined in the respective job advertisement. Job applications are based on voluntary consent.
The scope of personal data to be processed extends to all personal data provided by the data subject in the course of application, in particular, the natural person’s name, date and place of birth, mother’s name, residence address, qualifications, credentials, photograph, telephone number, e-mail address, and the applicant’s references. Data Controller may contact a reference person named in the references in order to verify the information, to which data subject gives their consent by voluntarily providing the reference information.
Personal data processing encompasses the application, assessment of the application, the selection of the most suitable candidate, conclusion of a work contract with the selected person and communication. In this instance personal data will not be transferred, such data will only be disclosed to the person authorised to assess the job application. The term of data processing shall be that of the job application assessment, or in the event of refusal of the application, receipt of notice to this effect, following which applicants not admitted shall be notified of the refusal and their personal data will be deleted. The processing of the personal data of admitted applicants, following the conclusion of an employment contract, shall be governed by policies specific to employees.
The use of Data Controller’s website
Cookies are small files created by the program displaying the website operated by the Data Controller on the visitor’s computer, mobile or other device providing internet access, to facilitate the recognition of the visitor’s device and thereby to target content tailored to the visitor’s requirements. The cookie is sent by the web server to the visitor’s browser and the browser resends it to the server. The cookie does not contain executable files, viruses or spyware, and neither does it have access to data stored on visitor’s computer. Information and personal data generated by the use of cookies shall not be transferred by Data Controller to third parties, and data technically recorded shall not be connected to other personal data, and no decision shall be made by Data Controller on the basis thereof.
In order to use services for statistical purposes Data Controller applies cookies of Google Analytics as a third party with a view to developing its website and enhancing user experience.
Data subject may delete the cookies used by Data Controller at any time from their internet device. The process of the deletion of cookies is determined by the browser used by the data subject and detailed in the help menu thereof.
Data Controller provides its customers an opportunity to book the services offered online. When booking online provision of personal data is necessary in order to enable Data Controller to identify the service required, the customer and the date of booking. Such personal data are provided on a voluntary basis and processing thereof is based on voluntary consent. Voluntary consent is deemed to be given by data subject’s registering their personal data on the website’s electronic surface. The scope of the personal data processed matches that of the data provided on booking.
Data processing is exclusively conducted with relation to the services offered by Data Controller, and no data shall be disclosed or transferred to third parties. The personal data provided are used solely for the duration of the services, and immediately deleted thereafter.
The publication of case studies and photographs
With regard to Paragraph 1 of Article 2:48 of the Civil Code Data Controller will exclusively create and publish audio and motion and video recordings subject to data subject’s prior consent and in the manner determined therein. Such data processing occurs exclusively with subject’s express, voluntary and clear consent. The scope of the data processed is set out on the consent form, and the duration of data processing expires on removal of the publication or on withdrawal of data subject’s consent.
If the data subject is recognisable on the audio, motion and video recordings, such data qualifies as personal data and consent as to its processing can be withdrawn at any time. In the event of withdrawal of consent or on receipt of a demand for deletion, Data controller shall immediately take the necessary IT measures for the relevant data to become permanently inaccessible.
Data Controller represents that the case studies will be exhibited in an anonymous fashion with the data subjects not being recognisable. If a recording is attached to the case study where a data subject is recognisable, data subject’s express consent to the combination of the case study with the recording shall be sought.
Data transfer to an intermediary
Data Controller stipulates that the payment of the service fee for the services via an insurer or health fund as aforesaid may necessitate the transfer of personal data to the insurer or its intermediary. As stated above, such consent is voluntary.
Data controller provides subscribers a newsletter service with direct marketing purposes. Subscription to the newsletter service is voluntary and the legal basis for the related data processing is the data subject’s voluntary consent which can be revoked at any time by a unilateral statement, without any justification, and Data Controller shall not take legal recourse over the withdrawal of consent. Data processing extends to the data subject’s name and electronic mail, and continues until data subject’s withdrawal of their consent or Data Controller’s termination the newsletter service. Withdrawal of consent is through written statement addressed to the Data Controller or by clicking the unsubscribe link in the newsletter.
HANDLING OF PERSONAL DATA BREACH INCIDENTS
A separate policy has been adopted by Data Controller in the interest of preventing, handling, remedying, and the recordkeeping of, personal data breach incidents annexed hereto as appendix no. 1 and which the Data Controller shall publicly disclose and shall acquaint its employees with. Procedures for Data Controller’s handling personal data breach incidents shall be governed by such separate policy.
Data Controller’s management shall be entitled to formulate and amend the present Policy.
Data Controller shall publish the present Policy on its website and at its headquarters and shall acquaint its employees therewith.
POLICY ON THE MANAGEMENT OF PERSONAL DATA BREACH INCIDENTS
In its capacity as Data Controller, Suba Dentál Korlátolt Felelősségű Társaság (headquartered at: 1024 Budapest, Ady Endre utca 1. 3. em. 9., with company registration number 01-09-197084, VAT number: 25054721-2-41, telephone number: +36307278616, e-mail: subadr@gmail.com">subadr@gmail.com, hereinafter referred to as Data Controller), pursuant to the legislation in force and having regard to the state of the art of science and technology, the costs of implementation, the nature, scope, circumstances and objectives of data processing as well as the risks to the rights and liberties of natural persons, is under obligation to implement reasonable technical and organisational measures in order to guarantee a level of data security appropriate to the extent of the risk.
Personal data breach incidents include breaches of security that result in the incidental or illegal destruction, loss, modification, unwarranted publication of, and unwarranted access to, personal data transferred, stored, or otherwise processed. Personal data breach incidents involve, in particular, loss of a laptop or mobile phone storing personal data, insecure storage, destruction and transfer of data carriers storing personal data, and attacks against IT systems used by Data Controller and website hacks.
Data Controller strives to prevent personal data breach incidents; measures and procedures as to the management, remedy and recordkeeping of which are detailed in the present Policy.
- Proactive measures
Data Controller has developed a data protection system in which all relevant circumstances relating to data processing have been regulated. Data controller shall ensure that its employees get acquainted with, and observe, the legal and regulatory obligations relative to data processing, and shall consider compliance with data protection regulations as an essential job-related duty, furthermore they may only access personal data if they hold appropriate authorisations, in a manner and for the purposes set out in their respective job descriptions, and may only process such data as itemised therein. Employees and data processors carrying out data processing shall make a non-disclosure statement regarding data processing.
Data Controller shall ensure the protection of personal data both in its electronic and paper-format records. In the interest of the protection of electronically processed data Data Controller provides its IT systems with firewall and virus protection and programs a firewall and virus protection and shall select programs that comply with the IT security regulations as amended from time to time. Data Controller shall assign different authority levels to its IT systems and shall restrict access thereto by means of password protection and shall see that measures are taken to ensure restorability of files, in particular, regular backups of data, and the separate and secure storage of back-ups.
Data Controller shall store documents containing personal data locked away, ensuring physical protection and in compliance with its document management system and sees that no unauthorised personnel have access thereto.
Risk assessment in the event of a personal data breach incident
In the event of a personal data breach incident Data Controller shall assess the incident as per the following criteria:
- The scope and classification of affected data (personal data or a special category thereof), the number and category of data subjects involved, identifiability on the basis of the affected data of those involved
- circumstances of data processing
- whether immediate action is required to avert further damage or to mitigate the damage caused; whether the management of the personal data breach incident necessitates work beyond, or causes disruption to, routine management
- whether the damage has placed the data subject in a permanently adverse situation
- whether the damage may give rise to criminal or infringement proceedings
- the investigation of the circumstances of the damage caused, the extent of damage to security and the investigation of wilfulness in relation to the occurrence of the personal data breach incident
III. Procedure in the event of a personal data breach incident
If any of Data Controller’s employees detects a personal data breach incident they shall report the same without delay to a person acting on employer’s behalf and record the circumstances thereof, particularly the following:
- Time and date of detection, the (presumable) time and data of the occurrence of the data breach incident;
- the scope of personal data affected by the personal data breach incident;
- the reason and duration of the incident
A data breach incident may be reported by any person at Data Controller’s aforesaid contact details.
In order to remedy the data breach incident, the person acting on employer’s behalf or the employee entitled or authorised to take action shall take the necessary measures without delay and document the same in detail. Such measures include, in particular, withdrawal of certain employee authorisations, modification of passwords and the temporary blocking of IT systems.
In the interest of following up on such measures and notifying the data subjects involved, Data Controller maintains records including the scope of the personal data involved, the scope and number of persons affected by the personal data breach incident, and the time, circumstances and effects of, and measures implemented to avert, the data breach incident, as well as any other data stipulated by data protection legislation.
The aforementioned assessment of the personal data breach incident is due within 24 hours of detection thereof. Data Controller shall, without undue delay, but preferably within 72 hours of becoming aware of the personal data breach incident, file a report to the National Authority for Data Protection and Freedom of Information as per appendix no. 1, except if the personal data breach incident is likely associated with risks as aforesaid.
In the event of a significant risk Data Controller shall apprise the data subject of the personal data breach incident, the nature thereof, its potential consequences, as well as remedial measures taken or planned, including, if applicable, those intended to mitigate the potential adverse consequences arising from the personal data breach incident. The data subject shall be notified by means of publicly available information, if any of the following conditions are met:
- Data Controller has taken appropriate technical and organisational protection measures and such measures were applied in relation to the data involved in the personal data breach incident, in particular, measures such as encryption, that render personal data unintelligible to persons with no right of access thereto.
- Data controller took further measures following the personal data breach incident that will, in all likelihood, eliminate high risks to data subject’s rights and liberties in the future
- The disclosure of information would require undue effort.
Services requiring personal data collection
Registration pages, forms for submitting queries
Using the services of subadental.com may occasionally necessitate the completion of registration forms. On such pages we request personal information (such as your name, mailing address, e-mail address) in order to contact you. At times we may also request other data (such as demographic information), but strive at all times to ensure that the quantity and extent of additional information requested is proportionate to the benefits offered.
If personal data are requested for paid services we may require further personal information such as delivery address, credit card number, etc. These data are required for the completion of the payment procedure as well as for contractual fulfilment of obligations as regards notification and delivery.
The placement of anonymous user identifiers (cookies)
Anonymous user identifiers (cookies) are files or small pieces of data stored on your computer (or other internet-capable device such as a smart phone or tablet) when you visit a Subadental page. A cookie usually contains the name of the website where it comes from and its “lifespan�? (in other words the duration for which it remains on the device) and its value, usually a randomly assigned individual number.
Cookies are subsequently used to customise Subadental pages and products to meet your interests and demands and facilitate navigation thereof. Cookies help accelerate your future activities and enhance user experience. Cookies are also capable of drawing up anonymised cumulative statistics ensuring a better understanding of the way our pages are being used by viewers and facilitating improvement of their structure and contents. Based on such information your identity cannot be established.
Two kinds of cookies are used on Subadental’s pages: session cookies and permanent cookies. Session cookies are temporary, in other words they remain on your device until you leave Subadental’s webpage. Permanent cookies, on the other hand, may remain much longer on your device, sometimes until such time as you manually delete them.
Other pages also gather information using pixel tags which can be shared with third parties. This directly supports our promotional activities and website development. For instance our users’ information may be shared with advertising agencies so online ads on our websites can be used more efficiently. Nevertheless this information will not be able to identify you even though it can be linked to personal information.
Cookies used on Subadental’s webpage
Required cookies
Such cookies are largely required for the seamless operation of Subadental’s pages, enabling you to navigate between our websites and use different functions. For example autocomplete based on previously entered text facilitates use when navigating back to a certain page during the same session.
Such cookies are not capable of personal identification. They are solely intended for performance measurement and analysis.
They help understand the way users interact with our websites by providing information on the websites visited. This helps us improve the performance of our websites and optimise our ads. For instance analytical cookies provide information as to how much time visitors spend on the page, the way they use its individual functions as well as any issues they encountered, such as error messages. Conversion cookies enable us to measure click-through rate, that is, the number of times when a visitor clicks an advertisement and visits the advertised webpage and performs a pre-defined operation. Conversion cookies are not used for targeting ads and are only stored by the system for a limited period. These cookies gather information in a cumulative and anonymous fashion, are not capable of identifying a user individually and nor do they collect information indirectly attributable to the user (e. g. IP address).
Functional cookies
These cookies enable functions such as saving customised settings, social media shares, functions (such as “Keep me logged in�? during logging in, or the “remember my address/region�? function, to offer a more customised online experience. Information collected by such cookies may include personal information such as the user name or profile picture shared by the user. You will be clearly apprised at all times of the nature and purpose of the information gathered, what is done therewith and who it is shared with. If you do not accept these cookies this may compromise your customer experience as well as website performance and functionality and may furthermore restrict access to the contents of the website.
These cookies facilitate the display of customised advertisements (remarketing)
These cookies enable us, among others, to render the advertisements we run more appealing to users. They help display advertisements to visitors to an earlier web page on other webpages. For instance they can record the kind of browser or devices users are using, the websites visited and the subpages opened. These cookies are not intended for personal identification
Third-party service providers
In providing services we often draw on external service providers. Personal information handled by the systems of external service providers are subject to the privacy policies of such external service providers.
Google Analytics
Our websites use Google Inc.’s web analytics service “Google Analytics�? (hereinafter referred to as “Google�?. Google Analytics uses cookies, that is, text files stored on your computer with which to analyse your use of our webpage. Information generated by cookies and relevant to the way the website is used is forwarded to, and stored on, Google’s own servers.
On the present website IP anonymisation is active, that is, your IP address is rendered unidentifiable prior to forwarding, in European Union member states or states contracted to the European Economic Area. The IP address forwarded by your browser via Google Analytics will not be linked to other data generated by Google. With appropriate settings of your browser you can prevent the storage of cookies on your computer. Please be advised, however, that in such a case there is a likelihood that you will not be able to use the functions offered by the website to the fullest extent. By downloading and installing the plug-in following the link below you can prevent Google from collecting and processing data relevant to your use of the present Website generated by cookies: http://tools.google.com/dlpage/gaoptout.
Hotjar
In order to customise our webpage to our customers’ demands we apply the system of Hotjar (www.hotjar.com) which is intended to collect and store data in the interest of optimisation. In this context, your browser’s and your internet device’s data (such as its type and display dimensions, browser type, operation system and session duration) will be collected and processed.
You can switch of the collection and storage of the data in your own browser. See the link below for further details: https://www.hotjar.com/opt-out
Google Adwords
In order to monitor and measure advertisement campaigns, as well as to create audiences based on website visits, Google uses cookies, viz., text files stored on your computers. Google informs you on the cookies used for advertisements. If you would like to reject online, interest-based ads from Google and other companies participating in the system go to the website of the European Interactive Digital Advertising Alliance. Rejection needs to be performed one by one on all browsers you use.
In order to monitor and measure Facebook Inc. (hereinafter referred to as “Facebook�?) advertisement campaigns, as well as to create audiences based on website visits for remarketing purposes and for using Facebook Analytics we use a java code snippet (a program code running in the browser) called Facebook Pixel. Facebook Pixel collects and forwards information relevant to the web session to Facebook via HTTP headers, such as the user’s IP address, date of visit, the browser used, the page(s) viewed and conversion tracking). Facebook can then link such information to a given advertiser or Facebook user via the Pixel identifier and Facebook cookie, and establish whether any given visitor has performed any interaction with any of the advertisers’ adverts earlier or whether they comply with a pre-defined audience attribute based on which the visitor can be classified into some advertisement segment. Facebook stores the collected data in an aggregated and anonymized fashion in its own data centres for a maximum of 180 days.
Facebook’s cookie policy: https://www.facebook.com/policies/cookies/
If you would like to reject online, interest-based ads from Facebook and other companies participating in the system go to the website of the European Interactive Digital Advertising Alliance. Rejection needs to be performed one by one on all browsers you use.
MANAGING DATA PROTECTION INCIDENTS POLICY
Suba Dental Limited Liability Company as the data controller (registered office: 1024 Budapest, Ady Endre Street 1, 3rd floor, No. 9, company registration number: 01-09-197084, tax number: 25054721-2-41, phone number: +36307278616, email: subadr@gmail.com, hereinafter referred to as the Data Controller) is obliged to take appropriate technical and organizational measures in accordance with the applicable legal requirements, taking into account the state of science and technology, the costs of implementation, the nature, scope, context, and purposes of data processing, as well as the risks to the rights and freedoms of natural persons, in order to ensure a level of data security appropriate to the risk. A data protection incident is considered a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal data transmitted, stored, or otherwise processed. Data protection incidents include, in particular, the loss of laptops or mobile phones used by the Data Controller, insecure storage, destruction, or transmission of data carriers containing personal data, and attacks on the information systems used by the Data Controller, including website breaches. The Data Controller strives to prevent, manage, remedy, and record data protection incidents, as outlined in this Policy.
- Preventive Measures The Data Controller has established a data protection system in which all relevant circumstances related to data processing have been regulated. The Data Controller ensures that its employees are aware of and comply with their data processing obligations, considers compliance with data protection regulations as an essential job duty, limits access to personal data to specific authorizations based on employees' roles, and requires employees and data processors involved in data processing to sign confidentiality agreements. To protect personal data, the Data Controller maintains physical security for paper documents containing personal data. To safeguard electronically processed data, the Data Controller uses firewalls and antivirus protection for its information systems and selects programs that meet current information security requirements. Different levels of access are assigned to its information systems, access to information is restricted by password protection, and measures are taken to ensure the possibility of data recovery, including regular data backups and secure storage of backups. Documents containing personal data are securely stored in accordance with the Data Controller's document management system, and unauthorized access is prevented.
Risk Assessment in the Event of a Data Protection Incident In the event of a data protection incident, the Data Controller investigates it under the following circumstances:
- The scope of affected data, their classification (personal data or special categories of data), the number and categories of data subjects, and the identifiability of the data subjects from the data affected by the data protection incident.
- The circumstances of data processing.
- Whether immediate action is required to prevent further harm or mitigate the harm caused by the data protection incident, whether the incident disrupts normal business operations.
- Whether the incident has caused lasting adverse effects to the data subjects.
- Whether there are criminal or administrative law consequences.
- Investigation of the circumstances of the breach, the extent of security reduction, and the assessment of intent in connection with the occurrence of the data protection incident.
III. Procedure in the Event of a Data Protection Incident
If any employee of the Data Controller detects a data protection incident, they are obligated to report it promptly to the person exercising the employer's authority and record the circumstances, including, in particular:
- The date and time of detection, and, if ascertainable, the date and time of the (presumed) occurrence of the data protection incident.
- The scope of personal data affected by the data protection incident.
- The cause and extent of the incident. A data protection incident can be reported by any person using the contact information provided by the Data Controller. To remedy the data protection incident, the person exercising the employer's authority, or the employee authorized or required to act based on their job, must take immediate action and document it in detail. Such actions may include revoking certain permissions of employees, changing passwords, and temporarily locking information systems. The Data Controller keeps a record of these measures and informs the data subjects in cases of significant risk, disclosing the nature of the incident, likely consequences, and measures taken or planned to mitigate potential adverse effects, including measures to alleviate any potential adverse effects resulting from the data protection incident. Data subjects are informed through publicly accessible information if any of the following conditions are met:
- The Data Controller has implemented adequate technical and organizational protection measures, and these measures have been applied to the data affected by the data protection incident, particularly measures such as encryption that make the data incomprehensible to unauthorized persons.
- After the data protection incident, the Data Controller has taken further measures to ensure that the high risk to data subjects' rights and freedoms is unlikely to materialize.
- Providing information would require disproportionate effort.