Basic Rules Governing Data Processing

The Controller processes personal data exclusively for the purpose of exercising rights and fulfilling obligations, and processes personal data solely in accordance with the principle of purpose limitation, to the extent and for the duration necessary. Accordingly, data processing is carried out at every stage for the predetermined purpose; if the purpose of the processing ceases to exist or the data processing otherwise becomes unlawful, the data shall be deleted.

Only personal data that is indispensable for achieving the purpose of data processing and suitable for attaining that purpose may be processed. Before collecting the data, the Controller communicates the purpose of the data processing to the data subject through publicly available information, regulations, or individual notification.

During data processing, the accuracy, completeness and, where required for the purpose of processing, up-to-dateness of the data must be ensured, and the data subject must be identifiable only for the time necessary for the purpose of the data processing.

If the Controller uses data processors during processing, such processors shall be selected exclusively from persons who provide adequate guarantees for compliance with applicable data protection legislation and ensure the implementation of appropriate technical and organisational measures to protect data subjects’ rights.

The Controller carries out data processing if any of the following conditions is met:

  • the processing is necessary to protect the vital interests of the data subject or another natural person

  • the processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract

  • the processing is necessary for compliance with a legal obligation to which the Controller is subject

  • the data subject has given consent to the processing of their personal data for one or more specific purposes

  • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller

  • the processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data

The Controller states that under Article 9(1) and point (h) of Article 9(2) of the GDPR, health data may be processed on the basis of a contract with a healthcare professional.

The Controller informs data subjects about the legal basis of data processing in advance via publicly available documents, regulations or individual notification.

Consent of the data subject is valid only if it is freely given, specific, informed and unambiguous—meaning that the data subject provides it in possession of appropriate information regarding the data processing. The Controller notes that by registering on the website or providing personal data on the website, the data subject consents to the processing of the personal data provided within a defined scope, which is indicated by a brief notice before submission. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal; therefore, withdrawal applies only to the future.

Where the processing of personal data is required by law or is necessary for the Controller to fulfil a legal obligation, the processing is mandatory. In cases of mandatory processing, if the data subject fails to provide the required data, the Controller is entitled and obliged to refuse the provision of the service.

The duration of data processing is specified in the information pertaining to the given processing. As a general rule, the Controller records in this Regulation that data shall be processed as long as necessary for the processing of the given data—taking into account the purpose of the processing. Where data is processed based on consent, processing lasts until the withdrawal of consent, until a court or authority orders deletion, or until the limitation period for enforcing rights and obligations arising from the legal relationship under which the Controller processes the personal data expires. Under Section 6:22 of the Civil Code, the general limitation period is 5 years. Processing based on law lasts for the period or under the conditions specified by that law.

The Controller notes that under Section 30 of Act XLVII of 1997 on the processing and protection of health and related personal data, medical documentation must be retained for at least 30 years from the date of recording, and discharge summaries for at least 50 years. After the mandatory retention period, the data may continue to be stored if justified for medical treatment or scientific research. If further retention is not justified, the records must be destroyed. Diagnostic imaging records must be kept for 10 years from their creation, and reports based on such images for 30 years. If the medical documentation has scientific relevance, it must be transferred to the competent archives after the mandatory retention period.

If the mandatory retention period for data processing is ongoing and the Controller ceases to exist without legal succession, medical documentation of scientific significance must be transferred to the archives, while other medical documentation must be transferred to the authority designated by the Government. If the Controller ceases to exist without legal succession but its former tasks are taken over by another body:

a) medical documentation created within ten years prior to the termination of the Controller must be transferred to the body performing the task
b) medical documentation not transferred under point (a) must be transferred to the archives or to the body designated by the Government as described above.

RIGHTS OF DATA SUBJECTS AND ENFORCEMENT OF THEIR RIGHTS
Right to Information and Access to Personal Data

The data subject has the right to request information about the personal data processed concerning them and about the circumstances of data processing, including the purpose and legal basis of processing, the duration of processing, and any data protection incidents, as well as the available legal remedies in case of a violation of data processing rules. This right applies even if the Controller obtained the personal data from another person, in which case the Controller also provides detailed information on who collected the data, when, and how.

The data subject has the right to obtain confirmation from the Controller as to whether personal data concerning them is being processed, and, if such processing is taking place, access to the personal data being processed. Upon the data subject’s request, the Controller provides a copy of the processed data.

Right to Rectification

Data subjects have the right to request the rectification of incorrectly recorded personal data or, where necessary and possible, its completion, which the Controller must carry out without undue delay.

Right to Erasure (“Right to be Forgotten”) and Right to Object

Where data processing is based on the data subject’s consent, the data subject has the right to request deletion of the data, and—if the request is valid—the data must be deleted from all databases. Where processing is based on the Controller’s legitimate interest, the data subject has the right to object to the processing, in which case the personal data may only continue to be processed if the Controller’s interest in processing outweighs the interests, rights and freedoms of the data subject, or if the personal data is related to the submission, enforcement or defence of legal claims. Until the overriding interest is established, access to the data must be restricted by the Controller as described below.

If personal data is no longer needed for the purpose for which it was processed, or if processing is unlawful, the data subject may also request deletion.

If personal data is processed for scientific or historical research or statistical purposes, the data subject has the right to object to processing on grounds related to their particular situation, unless processing is necessary for a task carried out in the public interest. The Controller is required to provide statistical data under Sections 24 and 26 of Act CLV of 2016 on Official Statistics, in which case the transmitted data cannot identify persons in a client relationship with the Controller. The Controller states that for the purpose of quality assurance, case studies and internal statistics are prepared, which do not allow the identification of data subjects.

Right to Restriction of Processing

Data subjects have the right to request that the Controller restrict the processing of their personal data in the following cases:

  • the accuracy of the personal data is contested by the data subject

  • the processing is unlawful, and the data subject opposes deletion and instead requests restricted use

  • the Controller no longer needs the personal data for processing, but the data subject requires it for the submission, enforcement, or defence of legal claims

Personal data subject to restriction may, with the exception of storage, only be processed with the data subject’s consent, or for the submission, enforcement or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or a Member State.

Where personal data has been rectified or deleted or processing has been restricted, the Controller informs all recipients to whom the personal data has been disclosed, except where this proves impossible or involves disproportionate effort. Upon request, the Controller informs the data subject of such recipients.

Informing the Data Subject About a Data Protection Incident

If a data protection incident occurs at the Controller and it is likely to result in a high risk to the rights and freedoms of the data subject, the Controller shall inform the data subject without undue delay of all relevant circumstances. The Controller informs the data subject through publicly available information if any of the following conditions is met:

  • the Controller has implemented appropriate technical and organisational protection measures applied to the affected data, particularly measures—such as encryption—that render the data unintelligible to unauthorised persons

  • the Controller has taken subsequent measures that ensure the high risk to the data subject’s rights and freedoms is no longer likely to materialise

  • notification would require disproportionate effort

The Controller’s procedure for data protection incidents is detailed in the separate regulation forming Annex 1.

The Controller processes personal data for direct marketing purposes solely for the provision of a newsletter service, based on voluntary consent.

Enforcement of Rights

The data subject may submit requests and notifications related to the data processing at the contact details of the Controller indicated above.

The Controller shall examine all requests and notifications related to the data processing and shall make a decision within 30 (thirty) days of receipt, which it shall communicate to the data subject in writing, including by electronic mail. In its written reply, the Controller shall also indicate the available legal remedies.

The Controller records that, depending on the content of the request or notification, it may be accepted only if the applicant identifies himself/herself, as required by data protection regulations. If the necessary identification is not provided, the Controller may call upon the applicant to remedy the deficiency, and such period shall not be included in the above deadline, provided that identification is genuinely required. For the purpose of fulfilling its data protection obligations, the Controller keeps a record of incoming requests, which includes the identity of the applicant, the date of the application, and the content of the request.

If the data subject does not agree with the Controller’s decision as described above, or if the Controller fails to meet the applicable deadline without proper justification, or does not respond to the request, the data subject is entitled to turn to a court within 30 days. The data subject may initiate legal proceedings before the competent tribunal according to his/her domicile or place of residence. The court shall proceed without delay. It is the Controller’s obligation to prove that the data processing complies with the legal requirements. In the lawsuit, in addition to compensation for damages caused by unlawful data processing, claims for non-pecuniary damages arising from the violation of personality rights—particularly the right to informational self-determination—may also be enforced. If the Controller used a data processor to perform certain data processing operations, the Controller shall also be liable—alongside the data processor, depending on the case—for any damage or non-pecuniary harm caused to the data subject. The Controller shall be exempt from liability for any damage or harm only if it proves that the damage or the violation of the data subject’s personality rights was caused by an unavoidable event outside the scope of the data processing. Damages shall not be compensated, and non-pecuniary damages shall not be claimed to the extent that the damage or infringement results from the data subject’s intentional or grossly negligent conduct, including in particular in cases of providing false information.

In the event of a violation of the data subject’s right to informational self-determination, the data subject is entitled to lodge a complaint with the National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c, website: http://www.naih.hu).

The Controller notes that the rights of the data subject may be restricted by law in certain cases, in consideration of the fundamental rights of the data subjects, in which case the Controller is obliged to comply with the mandatory legal provisions. In such cases, the Controller shall indicate the legal restriction when responding to incoming requests and notifications.

The Controller further notes that laws may exempt it from certain confidentiality obligations; in particular, the Controller may be required to transfer data based on sectoral legislation and regulatory requirements for public health reasons.


DATA PROCESSING RELATED TO CONTRACTS
Data Processing in Connection with Services Provided to Natural Person Clients

The Controller records that it is a business entity engaged in outpatient dental care services, providing various dental, dental hygiene, and oral surgery services to natural persons. It is essential for the Controller’s activities to process the health data of natural persons.

In relation to the conclusion, performance—and thereby provision of the service—and termination of the contract, the Controller processes the personal data indicated on the registration and medical history form, which forms Annex 2, for the purpose of fulfilling its contractual obligations with natural person clients.

The legal basis for data processing, as outlined above, is the performance of the contract concluded with the data subject—which, in the case of health data, is ensured by Article 9(2)(h) of the GDPR—as the Controller cannot provide proper treatment without collecting the requested data. The personal data provided are processed for the period defined in the chapter on the fundamental rules of data processing of this Policy, as these data form part of the medical documentation and are indispensable thereto. The Controller further records that, under the contract concluded with the data subject, it provides a warranty for its treatments, for which the personal data collected during service provision must be processed. The processing of personal data such as name and address is also necessary for issuing the invoice required for the payment of the service fee stipulated in the contract.

The Controller notes that, pursuant to applicable legislation governing its activities, it requires the data subject to sign a consent statement and to acknowledge and sign the treatment information document, both of which it is entitled to process as part of the medical documentation.

To ensure the accuracy of the personal data provided by the data subject, the Controller’s employee is entitled to inspect the data subject’s personal identification documents; however, these documents shall not be copied.

For the purpose of providing the service, the Controller performs the tasks specified in the contract concluded with the data subject, including in particular preparing a Treatment and Cost Calculation Plan, producing imaging diagnostics during treatment, and documenting treatments. The complete set of personal data created or used in these activities forms part of the medical documentation.

Following the performance of the contract concluded with the data subject, the Controller is not legally permitted to delete the data, as explained above, but shall ensure their secure storage.

For the purpose of providing the service, the Controller transfers or discloses the personal data obtained from the data subject or generated during the treatment to the following subcontractors involved in the treatment:

  • “MY DENTIST” Fogászati Betéti Társaság (registered office: 1062 Budapest, Bajza utca 54., tax number: 22517085-1-42, company registration number: 01-06-778171)

  • DÖ-MEDIC Korlátolt Felelősségű Társaság (registered office: 1025 Budapest, Szemlőhegy utca 40. fszt. 1., tax number: 23013742-1-41, company registration number: 01-09-948963)

  • SICURO INVEST Tanácsadó Korlátolt Felelősségű Társaság (registered office: 4030 Debrecen, Boróka utca 18., tax number: 24304982-1-09, company registration number: 09-09-024519)

Upon request, the Controller shall provide the data subject with complete information regarding the data transferred to subcontractors and the recipients of such data.

Data Transfer to the Partner Clinic

The Data Controller states that it maintains a partnership with the following economic entity providing outpatient dental care: Endodent Hungary Egészségügyi és Kereskedelmi Korlátolt Felelősségű Társaság (registered seat: 1221 Budapest, Sárkány utca 9., tax number: 14283820-1-43, company registration number: 01-09-897013; hereinafter: Partner Clinic). The data necessary for the data subject’s treatment are transferred to the Partner Clinic in order to ensure that the treatment of the data subject can be continued there. The data subject is informed of this fact in the service agreement; the data transfer is carried out for the purpose of performing the contract. The Partner Clinic’s data processing activities are governed by its own data protection principles.

Transfer of Health Data in the Interest of the Data Subject

The Data Controller states that under Article 9(2)(c) of the GDPR, data processing and data transfer are permissible if necessary to protect the vital interests of the data subject or another natural person, where the data subject is physically or legally incapable of giving consent.

Data Transfer to the Insurance Provider

The data subject may fulfil the payment obligation arising from the service agreement concluded with the Data Controller through insurance or health fund financing, in which case the data subject provides the Data Controller with a copy of the relevant contract. Upon request, the Data Controller assists in dealing with the payer; for this purpose, and in agreement with the data subject, it is entitled to process the necessary data, including data relating to the payer and the legal relationship forming the basis of the payment. The Data Controller is entitled to send the invoice issued for the service to the payer.

The Data Controller states that in order to facilitate payment—primarily in the case of its clients of French nationality—beyond the invoice, imaging diagnostic recordings and the client’s registration form may also be forwarded, where this is required by the payer’s administrative procedure.

In cases where payment is handled through an intermediary who has a separate contractual relationship with the data subject, data transfer to the intermediary is based on the data subject’s consent, which the Data Controller obtains through a separate declaration. The data transferred are listed in the declaration containing the consent; the intermediary processes these data exclusively for the purpose of asserting the data subject’s insurance claim. The data security rules between the insurer and its intermediary are established in their mutual agreement.

If the data subject does not provide consent, they acknowledge that they are required to settle the service fee by other means.

Data Processing in Connection with Complaint Handling

To ensure the enforcement of consumer rights, the Data Controller provides complaint handling for clients who qualify as consumers. A protocol must be completed for consumer complaints, which records the following personal data: the consumer’s name, address, signature, and data relating to the conduct (or omission) forming the basis of the complaint. The processing of these data is carried out for the purpose of fulfilling a legal obligation, with the scope of data defined in Section 17/A (5) of the Consumer Protection Act (Fgytv.). The Data Controller must retain the protocol and a copy of the response for five (5) years under Section 17/A (7) of the Consumer Protection Act and must make them available to supervisory authorities upon request.

The legal basis for processing in connection with consumer complaints is therefore the performance of a legal obligation.

Data Processing Based on the Legitimate Interest of the Data Controller
Registering Data Protection-Related Requests

The Data Controller keeps a record of data subject requests concerning data processing, including the date of the request, its content, the identification of the data subject (where possible), and the measures taken by the Data Controller. The purpose of maintaining this register is to ensure the verifiability of compliance with legal and regulatory requirements relating to data processing, to ensure transparency, and to maintain the highest possible level of data protection—representing an essential interest of the Data Controller and, indirectly, of the data subjects as well. Only the Data Controller’s case handlers and specifically authorised employees may access the register; beyond this, it may only be used during official inspections for data protection purposes. The register is maintained until the Data Controller ceases to exist without legal succession. Access restrictions and purpose limitation ensure that the rights and freedoms of data subjects are not infringed.

Electronic Surveillance System Used by the Data Controller

The Data Controller operates an electronic surveillance system capable of recording images at its premises located at 1024 Budapest, Ady Endre utca 1., 3rd floor, door 9., for the purposes of property protection and monitoring employees working in an employment relationship, thereby ensuring quality assurance of the services provided.

The surveillance system monitors only the areas exclusively used by the Data Controller; it does not extend to public areas. Through the operation of the surveillance system, the Data Controller monitors work performance and the organisation and execution of workflows, which is also essential for quality control of the services provided to clients. The Data Controller notes that the use of the surveillance system is indispensable for its adequate operation and that—given the safeguards described below—data subjects’ rights are either not infringed or are infringed only to such a minimal extent that the Data Controller’s interests override them.

Recorded footage is used exclusively in the event of damage occurring in the protected premises, workplace accidents, or suspicion of misdemeanour or criminal offence. The Data Controller processes the recordings strictly for purpose-specific reasons and transfers them to third parties only where required by law (such as in criminal or misdemeanour proceedings).

The surveillance is carried out using six cameras with a 90-degree viewing angle placed as follows:

Monitored event / area | Placement
Entrance door, arriving persons attempting to enter | area in front of the entrance door, part of staircase, lift door, neighbouring entrance door
Waiting area, locating present patients and staff | entrance, restroom and changing room doors, approximately half of the waiting area
Reception, arriving and leaving patients, patients waiting to pay, locating the receptionist | entrance door, reception desk, cash register
Treatment Room 1 – whether treatment or consultation is ongoing | entire treatment room except computer corner
X-ray room – whether treatment or consultation is ongoing | entire treatment room except computer corner
Treatment Room 2 – whether treatment or consultation is ongoing | entire treatment room except computer corner

The cameras record continuously during opening hours. The footage is displayed on a monitor located at the reception. The processing is automated, but decisions are not made automatically.

The Data Controller does not carry out surveillance in areas where it would infringe human dignity, such as changing rooms, showers, or restrooms.

The retention period for the recordings is three (3) days. After the retention period lapses, the recordings are deleted. Retaining footage longer than three days is permitted only in exceptional cases, particularly when damage occurs in the protected premises.

Recordings are stored at the Data Controller’s registered office at 1024 Budapest, Ady Endre utca 1., 3rd floor, door 9. Only the Data Controller and reception staff are authorised to view the footage; they monitor it during daily working hours between 08:00 and 20:00. Playback of footage is permitted only in the circumstances outlined above. The Data Controller ensures secure storage and prevents unauthorised access.

Data Processing Based on Consent
Processing the Data of Job Applicants

The Data Controller allows data subjects to apply for advertised job positions in the manner specified in the job posting. Submitting an application is based on voluntary consent.

The personal data that may be processed include all data provided by the data subject during the application process, in particular: name, date and place of birth, mother’s name, address, qualifications, photograph, telephone number, email address, and references. If reference data are provided, the Data Controller may contact the person indicated for verification, to which the data subject consents by voluntarily providing such data.

Personal data are processed for the assessment of the application, selection of the most suitable candidate, conclusion of an employment contract with the selected candidate, and for communication purposes. Personal data are not transferred to third parties; they are accessible only to those authorised to evaluate the application. The duration of data processing is the period required to assess the application; if the application is withdrawn, the Data Controller deletes the personal data after receiving the withdrawal notice. Unsuccessful applicants are notified of the rejection, and their data are subsequently deleted. The processing of personal data of successful applicants is subject to separate rules applicable to employees after the establishment of employment.

Use of the Controller’s Website

A cookie is a small data file that may be created on the visitor’s computer, mobile phone, or any other device providing internet access by the program displaying the website operated by the Controller, enabling the identification of the visitor’s device and thereby ensuring the display of content tailored to the visitor’s needs. The cookie is sent by the web server to the visitor’s browser, which then returns it to the server. Cookies do not contain executable files, viruses, or spyware, and do not access data stored on the visitor’s computer.

The Controller does not disclose to third parties any information or personal data resulting from the use of cookies, the technically recorded data cannot be linked to other personal data, and the Controller does not make decisions based on such data. For statistical purposes – to improve its website and enhance user experience – the Controller also uses third-party cookies such as those of Google Analytics.

Cookies used by the Controller may be deleted at any time by the data subject through the browser of the device used for browsing the internet. The procedure for deleting cookies is determined by the browser used by the data subject, which provides detailed information in its help menu.


Login on the Website

The Controller enables its clients to log in to the services provided through its website. The provision of personal data is necessary for login in order for the Controller to identify the service to be provided, the client, and the requested appointment time. The provision of personal data is voluntary, and the personal data provided are processed by the Controller on the basis of voluntary consent. Voluntary consent is deemed granted by registering the personal data on the electronic interface of the website.

The scope of personal data processed corresponds to the data provided during login. Data processing is carried out exclusively in connection with the services provided by the Controller, and such data are not disclosed or transferred to third parties. The personal data provided are processed by the Controller only for the duration of the service provided to the data subject, after which they are deleted.


Publication of Case Studies and Photographs

Taking into account Section 2:48 (1) of the Civil Code, the Controller creates and publishes audio, image, and video recordings of the data subject only with the prior consent of the data subject and within the scope specified in such consent. This data processing is carried out exclusively on the basis of the data subject’s explicit, voluntary, and specific consent.

The scope of data processed is specified in the consent, and data processing continues until the termination of publication or the withdrawal of the consent by the data subject. If the data subject can be identified from the audio, image, or video recording, the data qualifies as personal data, and the consent to its processing may be withdrawn at any time. Upon receiving the withdrawal of consent or a deletion request, the Controller must immediately take the necessary IT measures to make the data permanently inaccessible.

The Controller states that case studies are presented in anonymized form, from which the data subject cannot be identified. If a recording of the data subject from which they are identifiable is attached to a case study, the express consent of the data subject as described above is required for linking the case study and the recording.


Data Transfer to an Intermediary

The Controller states that, as described above, in order to ensure the payment of the service fee by an insurance company or health fund, it may be necessary for the Controller to transfer certain personal data to the insurer or its intermediary. Such consent is voluntary as described above.


Newsletter Service

For the purpose of direct marketing, the Controller provides a newsletter service to persons who subscribe to this service. Subscription to the newsletter service is voluntary, and the legal basis for data processing is the voluntary consent of the data subject, which may be withdrawn at any time by a unilateral declaration without justification; the Controller does not impose any adverse legal consequences for the withdrawal of consent.

Data processing applies to the data subject’s name and email address and continues until the data subject withdraws their consent or the Controller discontinues the newsletter service. Withdrawal of consent may be made by a written statement sent to the Controller or by clicking the unsubscribe link included in the newsletter.


Management of Data Protection Incidents

The Controller has adopted a separate internal policy for the prevention, management, remediation, and documentation of data protection incidents, which is attached as Annex 1 to this Policy and is made publicly accessible by the Controller and communicated to its employees. The Controller’s procedures regarding the management of data protection incidents are governed by this separate policy.


Final Provisions

This Policy may be established and amended by the Controller’s executive management at any time. The Controller publishes this Policy on its website and at its registered office and communicates it to its employees.

COOKIE NOTICE
Services Requiring the Collection of Personal Data
Registration Pages, Inquiry Submission Forms

In order to use the services of subadental.com, it may be necessary in certain cases to complete registration forms. On such pages, we request personal data required for contacting you (name, postal address, email address). At times we request additional data (e.g., demographic information); however, we always strive to ensure that the scope and depth of such supplementary information remain proportionate to the benefits gained by using the given service.

If we request personal data in connection with the use of a paid service, we may also ask for additional personal data such as shipping address, credit card number, etc. This data is necessary for completing the payment process, fulfilling notification and delivery obligations, and ensuring proper contractual performance.


Placement of Anonymous Visitor Identifiers (Cookies)

Anonymous visitor identifiers (cookies) are files or pieces of information stored on your computer (or any other internet-enabled device, such as a smartphone or tablet) when you visit a Suba Dental page. A cookie generally contains the name of the website it originated from, its own “lifetime” (i.e., how long it will remain on the device), and its value, which is usually a randomly generated unique number.

We use cookies to better tailor Suba Dental pages in the future, to offer our products according to your interests and needs, thereby making the use of our pages easier. Cookies help to speed up your future activities and improve your experience when using our pages. Cookies also enable anonymous, aggregated statistics to be generated, allowing us to better understand how people use our pages and thus improve their structure and content. We cannot personally identify you from this information.

Two types of cookies may be used on Suba Dental pages: session cookies and persistent cookies. Session cookies are temporary, meaning they remain on your device only until you leave the Suba Dental page. Persistent cookies remain on your device much longer—possibly until you delete them manually.

Other sites may also collect information using pixel tags, which may be shared with third parties. This directly supports our promotional activities and website development. For example, information on how visitors use our website may be shared with advertising agencies so that online advertisements on our websites may be used more effectively. Nonetheless, this information is not personally identifiable, although it may be associated with personal data.


Cookies Used on the Suba Dental Website
Strictly Necessary Cookies

These are essential for the proper functioning of the Suba Dental pages, enabling you to navigate our websites and use various functions. For example, remembering previous steps or text entered makes the site easier to use when navigating back to a page within the same session. These cookies do not individually identify users.

Performance Measurement and Analytics Cookies

These help us understand how visitors interact with our websites by providing information about the locations visited. This assists us in improving website performance and optimizing our advertisements. Analytics cookies, for example, provide information on how long visitors spend on the site, how they use its functions, and any problems encountered, such as error messages. Conversion cookies allow us to measure when someone clicks on an advertisement and then later visits the advertised website and completes a predefined action. Conversion cookies are not used for targeting advertisements, and the system stores them only for a limited period. These cookies collect data in aggregated and anonymous form; they do not identify individuals and do not collect information that could indirectly identify the visitor (e.g., IP address).

Functionality Cookies

These cookies enable functions such as saving custom settings and enabling social sharing features (such as the “stay logged in” function during login or remembering address/region), providing a more personalized online experience. The information collected by such cookies may include personal data the user has shared, such as username or profile picture. We always provide clear information about what data we collect, how we use it, and with whom we share it. If you do not accept these cookies, it may affect your experience on the website, including performance and functionality, and may limit your access to certain site content.

Cookies Enabling Personalized Advertising (Remarketing Cookies)

These cookies help make the advertisements we run more appealing to users. They enable us, for instance, to display advertisements on other websites to previous visitors of our own. They can record the type of browser or device used, which websites were visited, and which subpages were viewed. These cookies are not used for personal identification.


Third-Party Service Providers

In connection with the provision of services, we use various external service providers. Regarding personal data processed in the systems of external service providers, the privacy policies of such providers apply.


Google Analytics

Our websites use “Google Analytics,” the web analytics service of Google Inc. (“Google”). Google Analytics uses cookies, i.e., text files stored on your computer that help analyze how you use our website. Information generated by cookies regarding your usage is transmitted to and stored on Google’s servers.

IP anonymization is active on this website; therefore, in EU Member States and states party to the EEA Agreement, Google will truncate your IP address before transmission so that it cannot be used to identify you. The IP address transmitted by your browser through Google Analytics is not linked with other Google data.

You may prevent the storage of cookies by adjusting your browser settings. However, please note that in such a case, you may not be able to fully use all features of this website. You may also prevent Google from collecting and processing data generated by cookies related to your use of this website by downloading and installing the plug-in available at: http://tools.google.com/dlpage/gaoptout


Hotjar

To tailor our website to the expectations of our clients, we use the system of Hotjar Ltd. (www.hotjar.com), through which data is collected and stored for optimization purposes. In this context, data from your browser and internet-connection device (device type, screen size, browser type, operating system, pages visited, visit duration) is processed and stored. You may disable the collection and storage of data within your browser; further details are available at: https://www.hotjar.com/opt-out


Google Adwords

To track and measure Google advertising campaigns and to create custom audiences (remarketing) based on website visits, Google uses cookies stored on your computer. Google’s information notice on advertising-related cookies applies. If you wish to opt out of interest-based advertising from Google and other participating companies, please visit the website of the European Interactive Digital Advertising Alliance. Opt-out must be performed separately in each browser you use.


Facebook

For tracking and measuring Facebook advertising campaigns, creating custom audiences (remarketing) based on website visits, and using Facebook Analytics, we use a short JavaScript code snippet known as Facebook Pixel. Facebook Pixel collects and transmits session-related information via HTTP headers to Facebook during website visits—such as visitor IP address, time of visit, browser used, pages viewed, and referrer source. Facebook may associate this information with advertisers or Facebook users using the Pixel ID and Facebook cookie, allowing determination of whether a visitor has previously interacted with any of the advertiser’s ads or fits predefined audience attributes used for segmentation.

Facebook stores the collected data in aggregated and anonymized form in its own data centers for a maximum of 180 days.

Facebook’s cookie policy: https://www.facebook.com/policies/cookies/

To opt out of interest-based online advertising from Facebook and other participating companies, visit the European Interactive Digital Advertising Alliance website. Opt-out must be performed separately in each browser you use.

REGULATION ON HANDLING DATA PROTECTION INCIDENTS

Suba Dentál Limited Liability Company as data controller (registered office: 1024 Budapest, Ady Endre Street 1, 3rd floor, 9th door; company registration number: 01-09-197084; tax number: 25054721-2-41; phone number: +36307278616; e-mail: subadr@gmail.com; hereinafter referred to as Controller) is obliged, in accordance with the provisions of the applicable legislation, during its data processing, taking into account the state of science and technology and the costs of implementation, as well as the nature, scope, circumstances, and purposes of the data processing, and the risks to the rights and freedoms of natural persons, to implement appropriate technical and organizational measures to ensure a level of data security appropriate to the degree of risk.

A data protection incident shall mean a breach of security which leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed. A data protection incident thus particularly includes the loss of a laptop or mobile phone storing personal data used in the operation of the Controller, unsafe storage, destruction, or transmission of data carriers containing personal data, and attacks against the IT systems used by the Controller, including website hacking.

The Controller seeks to include in this Regulation its measures and procedures for the prevention, handling, remediation, and recording of data protection incidents.

Preventive measures
The Controller has established a data protection system in which all relevant circumstances regarding data processing are regulated. The Controller ensures that its employees are familiar with and comply with the obligations related to data processing, and considers compliance with data protection regulations an essential work duty. It also ensures that employees may come into contact with personal data only according to specified authorizations, for purposes and in a manner corresponding to their job, and may process them only in a strictly defined way. Employees and data processors performing data processing make a confidentiality statement regarding data processing.

The Controller ensures the protection of personal data in both electronic and paper-based records. To protect electronically processed data, the Controller secures its IT systems with a firewall and antivirus protection, and selects the programs it uses so that they meet the information security requirements at all times. It defines different authorization levels for its IT systems and restricts access to information with password protection, and also ensures measures to allow recovery of data files, in particular through regular backups and the separate, secure storage of copies.

Documents containing personal data are stored by the Controller in a locked manner, providing physical protection, according to its document management organization, and the Controller ensures that unauthorized persons cannot access them.

Risk assessment in the event of a data protection incident

In the event of a data protection incident, the Controller examines it according to the following circumstances:

  • the scope of the affected data, their classification (personal data or any special category thereof), the number and category of affected persons, and the identifiability of the data subjects from the data affected by the data protection incident

  • the circumstances of the data processing

  • whether immediate measures are necessary to prevent further harm or to reduce the damage caused by the incident, whether handling the data protection incident requires work beyond normal operations, whether it causes disruption to normal operations

  • whether the harm caused resulted in a lasting adverse effect on the data subject

  • whether there may be criminal or administrative legal consequences

  • examination of the circumstances of the breach, the extent of the security reduction, examination of intentionality in connection with the occurrence of the data protection incident

Procedure in the event of a data protection incident

If any employee of the Controller observes a data protection incident, they are obliged to report it without delay to the person exercising employer authority and to record its circumstances, including in particular:

  • the date and time of detection, and, if ascertainable, the date and time of the (assumed) occurrence of the data protection incident;

  • the scope of personal data affected by the data protection incident;

  • the cause and extent of the occurrence.

A data protection incident may be reported by any person through the contact details of the Controller provided above.

In order to remedy the data protection incident, the person exercising employer authority, or the employee entitled or obliged to act on the basis of their job, shall take the necessary measures without delay and document them in detail. Such measures include, in particular, the removal of certain authorizations of employees, changing passwords, and temporarily locking IT systems.

The Controller keeps records for the purpose of monitoring these measures and informing the data subjects, which contain the scope of the affected personal data, the number and circle of persons affected by the data protection incident, the date, circumstances, and effects of the data protection incident, and the measures taken to remedy it, as well as other data prescribed by law regulating data processing, if the law requires such.

The evaluation of the data protection incident according to the above must be carried out within 24 hours of becoming aware of it. The Controller shall, without undue delay – if possible, no later than 72 hours after becoming aware of the data protection incident – make a report to the National Authority for Data Protection and Freedom of Information according to Annex 1, except where the data protection incident is likely to result in no risk.

In the event of significant risk, the Controller shall inform the data subject about the data protection incident, its nature, and the likely consequences, as well as the measures taken or planned for remediation, including, where applicable, measures to mitigate any adverse consequences resulting from the data protection incident. The data subject shall be informed via publicly published information if any of the following conditions are met:

  • The Controller has implemented appropriate technical and organizational protection measures and applied them to the data affected by the data protection incident, in particular measures – such as encryption – that render the data unintelligible to persons not authorized to access personal data;

  • Following the data protection incident, the Controller has taken further measures ensuring that the high risk to the rights and freedoms of the data subject is likely no longer to materialize;

  • Informing the data subject would require disproportionate effort.
