Privacy Policy Information

 

Information on data processing activities conducted by Revay Dental Clinic

Revay Dental Clinics Zrt. (headquarters: 1065 Budapest, Révay u. 12., company registration number: 01-10-049600, tax number: 26190905-2-42, phone number: +361-690-13-04, email: [email protected], legally represented by: Dr. Lukács Péter Zoltán, CEO), as the data controller, considers it important to respect and enforce the data protection rights of its clients and all other affected natural persons (hereinafter referred to as "data subjects"). Therefore, it hereby informs the data subjects that it respects their personal rights and, in its data processing activities, acts in accordance with the applicable material and procedural rules of Hungarian law, the currently valid Internal Data Protection Policy, and other internal regulations.

This Privacy Notice is a brief summary of the Data Controller's Internal Data Protection Policy (hereinafter referred to as the "Policy"), created with the purpose of informing the data subjects concisely about the Data Controller's data processing activities and relevant regulations. This document is to be considered as an annex to the Policy, and in matters not addressed in the Notice, the provisions of the Policy and applicable laws shall prevail and be interpreted together. The full version of the Notice and the Policy is continuously available at the actual location of data processing, at 1065 Budapest, Révay u. 12.

For clarity, the Data Controller has presented the relevant information in a question-and-answer format and, where possible, in tables, explaining with examples when necessary. Transparency is also supported by the fact that each data processing activity has been defined separately, allowing the notice to be useful independently for providing the most essential information. Each data processing activity fulfills the information obligations set out in Articles 13-14 of the GDPR.

Who are the data subjects?

The categories of data subjects: A data subject is any natural person who is identified or identifiable, directly or indirectly, based on any specified personal data, whose data is processed by the Data Controller. Therefore, the data subjects are primarily the interested parties, individual clients, the Data Controller’s own employees, natural person partners, representatives or contact persons of non-natural person partners, and possibly other employees. The categories of data subjects are clearly defined for each data processing activity.

Who processes my data?

The data is processed by the Data Controller's employees, only to the extent necessary for the performance of their tasks.

Does the Data Controller transfer data to other parties?

The processing of personal data is primarily carried out by the Data Controller, or if the task is outsourced, the data processor(s) specified in Appendix I of the Policy will perform the task. In this case, the Data Controller transfers data to the data processors and is responsible for their activities.

The Data Controller may transfer the data specified by the data subject to its Partners if the legal basis for data processing is clear (e.g., the data subject has voluntarily and explicitly consented) and the data is necessary for the processing.

What are my rights?

Under the Info Act and Regulation (EU) 2016/679 of the European Parliament and the Council, the data subject has the following rights: the right to information, the right to rectification, the right to erasure, the right to be forgotten, the right to restriction of processing, the right to object, the right to go to court, and the right to lodge a complaint with a supervisory authority.

The detailed definitions and limitations of each right are specified in the Policy.

Where and how can I request detailed information about data processing, transfer, and how can I exercise my rights?

The Data Controller reminds data subjects that they can request information and exercise their other rights—unless prohibited by law—by sending a statement to the email address [email protected] or another contact method provided by the Data Controller. The Data Controller will review and respond to the statement within the shortest time possible, but no later than 15 days from receipt, and will take the necessary actions based on the statement, the Policy, and applicable laws. If joint data processing occurs, the data subject may exercise their rights with any of the data controllers involved.

Where can I turn in case of a violation of my right to self-determination?

National Authority for Data Protection and Freedom of Information  
Address: 1055 Budapest, Falk Miksa utca 9-11.  
Mailing address: 1374 Budapest, P.O. Box 603  
Phone: +36 (1) 391-1400  
Fax: +36 (1) 391-1410  
Website: [https://www.naih.hu](https://www.naih.hu)  
Email: [email protected]

In the case of violations related to content harmful to minors, hate speech, exclusionary content, correction, the rights of deceased individuals, or violation of reputation:

National Media and Infocommunications Authority  
Address: 1015 Budapest, Ostrom u. 23-25.  
Mailing address: 1525, P.O. Box 75  
Phone: (06 1) 457 7100  
Fax: (06 1) 356 5520  
Email: [email protected]

In case of a violation of rights, the data subject may turn to court. The court will handle the case on an expedited basis. The Data Controller is obliged to prove that the data processing complies with the provisions of the law.

In case the Data Controller violates the data subject's personal rights by unlawfully processing their data or by breaching the data security requirements, the data subject may claim compensation for the harm from the Data Controller.

How does the Data Controller ensure the security of my data?

The Data Controller ensures the security of the data. To this end, it takes the necessary technical and organizational measures and establishes the procedural rules required to enforce the applicable laws, data protection, and confidentiality regulations.

The Data Controller protects the data with appropriate measures against unauthorized access, modification, transmission, disclosure, deletion, or destruction, as well as against accidental destruction and damage, and against inaccessibility resulting from changes in the applied technology.

The Data Controller ensures the enforcement of data security rules through internal regulations, instructions, and procedures that are separate in content and form from the Internal Data Protection Policy and this Notice.

When defining and applying measures to ensure data security, the Data Controller takes into account the current state of technology and selects the data processing solution that provides a higher level of protection for personal data, unless it would cause disproportionate difficulty.

The Data Controller ensures, particularly in relation to IT security tasks, that:

  • Measures to protect against unauthorized access, including software and hardware protection, as well as physical protection (access control, network protection)
  • Measures ensuring the possibility of data recovery, including regular security backups and the secure management of copies (mirroring, backups
  • Protection of data from viruses (antivirus protection)
  • Physical protection of data and the devices that store them, including protection against fire, water damage, lightning strikes, and other natural disasters, as well as the recoverability of damages caused by such events (archiving, fire protection)

 

Other information

Information under Article 30, paragraph 1, point d) of the GDPR: The processing of personal data is primarily carried out by the Data Controller, or if the task is outsourced, it is performed by the data processor(s) specified in Appendix I of the Internal Data Protection Policy. In this case, the Data Controller transfers data to the data processors and is responsible for their activities.

Information under Article 30, paragraph 1, point g) of the GDPR: The Data Controller ensures the security of the data. To this end, the Data Controller takes the necessary technical and organizational measures and establishes the procedures needed to enforce applicable legal provisions and data and confidentiality protection rules.

What data processing activities does the Data Controller carry out, for what purposes, and for how long does it process my data?

Data processing by the organs of the healthcare provider network.

  1. Within the healthcare provider network, the processing of health and personal identification data is authorized, unless otherwise provided by law:
    1. medical care service provider,
    2. leader of the service provider, and
    3. A person appointed by the service provider's manager (Employee).
  2. During the processing of health and personal identification data, it must be ensured that the data is protected against accidental or intentional destruction, alteration, damage, disclosure, and unauthorized access.
    • Data recording
      1. During data recording, the date and time of data entry and the identity of the person recording the data must be documented in the medical records.
      2. Every note or entry in the patient's documentation must be authenticated with a signature or initials and, if necessary, a date. In the case of electronic data management, the clear identification of the person making the entry must also be ensured.
    • Data modification
      1. 1. If an entry needs to be modified due to an error or any other reason, it must be done in a way that the original data remains identifiable. The modification must also be authenticated with initials, and in the case of electronic data management, the system must ensure the clear identification of the person making the entry and the logging of the modification.
    • Data deletion
      1. Data may only be deleted in accordance with this Policy. During deletion, data protection regulations must be observed, with special attention to unauthorized access. Manually managed data must be physically destroyed, while electronically stored data must be irreversibly altered.

General rules for data processing for dental care purposes

  1. The recording of health data is part of dental care.
  2. Legal basis for data processing: voluntary consent. The provision of health and personal identification data by the data subject (or their legal representative) is voluntary, except for the personal identification data required by law for healthcare services. If the patient voluntarily approaches the Data Controller as the service provider, their consent for the processing of health and personal identification data related to the care provided shall be considered as given, unless stated otherwise.
  3. Legal basis for data processing: mandatory data processing. The data subject (or their legal representative) is obliged to provide their health and personal identification data to the healthcare provider Data Controller upon request.
    1. If it is likely or confirmed that the person has been infected by the pathogen of a certain disease, or is suffering from infection-related poisoning or an infectious disease
    2. If it is necessary for the conduct of screening and fitness examinations
    3. In the case of acute poisoning
    4. If it is likely that the data subject is suffering from an occupational disease
    5. If the data provision is necessary for the medical treatment, maintenance, or protection of the health condition of a minor child
    6. If it is for the purposes of law enforcement, crime prevention, or if the competent authority orders an investigation during a prosecutorial, judicial procedure, or an administrative or regulatory procedure
    7. If the data provision is necessary for the purposes of checks under the law on national security services
  4. Legal basis for data processing: vital interest. In case of urgent need and the lack of the treated individual's ability to make decisions, the data can be processed.
  5. During medical treatment, data that comply with professional standards must be recorded in the healthcare documentation. The dentist performing the treatment decides which health data, in addition to the mandatory ones, need to be recorded in accordance with professional standards.
  6. The Data Controller does not record data that are not directly related to the medical treatment of the affected patient.
  7. During medical treatment, the management of healthcare documentation must be organized in such a way that only the staff responsible for the medical treatment of the patient can access the documentation and the patient's personal data.

General provisions regarding each data processing activity in connection with the services provided by the Data Controller

  1. The general rule is that, within the scope of data processing activities and services provided by the Data Controller, the processing of all data related to the data subject is based on voluntary consent. The general purpose is to ensure the provision of the service and to maintain communication.
  2. The above general rule is supplemented by data processing based on other legal grounds, such as data processing required by law, about which the Data Controller informs the data subjects during the determination of each data processing activity.
  3. General rule is that...
    1. For certain services, there is the possibility to provide additional data that help to fully understand the data subject's needs; however, these are not a condition for accessing the services provided by the Data Controller.
    2. Any personal data provided during data processing activities is stored by the Data Controller in separate data files, distinct from other provided data. These data files may only be accessed by the authorized staff of the Data Controller, if the Data Controller employs staff members.
    3. The Data Controller does not transfer or disclose individual data or entire data files to third parties without prior consent from the data subject, except for mandatory data transfer or disclosure based on legal provisions. The Data Controller takes all necessary security measures to ensure that the data is not accessed by unauthorized individuals.
    4. Any modifications, deletions, and/or locking of data recorded and stored during data processing activities, as well as requests for detailed information about data processing, can be made by the data subject through a request sent to the following email address, if no other contact details are provided for the specific data processing activity: [email protected]
    5. The provision of data by the data subject for each data processing activity is a condition for accessing the services provided by the Data Controller.
  4. In any data processing activity defined below, the data storage provider specified in Appendix I of the Policy performs data processing tasks for electronically managed data, unless the Data Controller uses its own hosted storage. In this case, the relevant line in Appendix I is not filled in.

What data processing activities do we carry out exactly?

  1. Revay Dental Clinic Zrt. is a dental clinic providing dental care as a healthcare service provider and business entity. Patient examinations are carried out within the framework of private healthcare.
  2. Our patients voluntarily visit our private clinic and choose the care they wish to receive.
  3. If the treated person voluntarily approaches our Dental Clinic, their consent for the processing of health and personal identification data related to the treatment shall be considered as given, unless stated otherwise.
  4. In our Dental Clinic, we collect personal identification data directly from the data subject. Our staff only examines the documents to verify the accuracy of the data, and they do not make any copies of them in any case.

I. One-time information request

This typically includes questions arising in connection with the treatment.

  1. The Data Controller allows data subjects to request information from the Data Controller by providing their data as detailed below.
  2. The information request is based on voluntary consent
  3. Scope of data subjects: Any natural person who contacts the Data Controller and requests information from the Data Controller by providing their personal data. Typically, this is a patient in relation to their treatment.
  4. Scope and purpose of processed data:
    Name* - identification  
    Phone number - communication  
    Email address* - communication  
    Content of the question* - response
     
  5. The purpose of data processing is to provide appropriate information to the data subject and maintain communication
  6. The activity and process involved in data processing are typically as follows:
    1. The data subject contacts the Data Controller through the available means provided by the Data Controller, typically by personally consulting with the Data Controller's staff in the clinic regarding a question or topic related to the (planned) treatment.
    2. The Data Controller responds to the data subject's question—usually verbally, but in some cases in writing.
  7. Duration of data processing: until the purpose is fulfilled. If the information request and/or provision of information is associated with legal effects, or significantly affects either the data subject or the Data Controller, the Data Controller will process the data in accordance with the retention period of the related data.
  8. The method of data processing: electronically or on paper, manually.
  9. Source of data: directly from the data subject.
  10. Data disclosure: It is not disclosed to third parties..
  11. Organizational and technical measures to protect the processed data: see in a separate section.
  12. Automated decision-making, profiling: this does not occur in connection with data processing.
  13. The Data Controller highlights that if the data subject does not provide the data marked with *, the Data Controller will refuse to provide the service (data processing).

II. Request for a quote

  1. The Data Controller allows data subjects to request a quote from the Data Controller by providing their data as detailed below.
  2. The request for a quote is based on voluntary consent.
  3. Scope of data subjects: Any natural person who requests a quote from the Data Controller in relation to a given service (treatment, intervention) by providing their personal data.
  4. Scope and purpose of processed data:
    Name* - identification  
    Phone number - communication  
    Email address* - communication  
    Content of the question/request* - response
  5. The purpose of data processing is to provide the data subject with an appropriate quote and maintain communication.
  6. The activity and process involved in data processing are as follows:
    1. The data subject sends their data to the Data Controller through the available means provided by the Data Controller and requests a quote.
    2. The Data Controller prepares an appropriate quote in response to the data subject's request, or if additional information is required for the quote, the Data Controller contacts the data subject via the contact details provided by the data subject. After obtaining the necessary information, the Data Controller prepares the quote and sends it to the data subject via the same method through which the quote request was received, unless the data subject has specified otherwise.
    3. The data subject, in accordance with the purpose of data processing, voluntarily consents to the Data Controller contacting them through the provided contact details during the quote request to clarify the quote or to confirm the data subject's order.
  7. Duration of data processing: Data Controller
    1. If the data subject does not respond substantively to the quote within the validity period of the offer, the Data Controller will process the data until the expiration of the validity period.
    2. If the data subject responds substantively to the offer within its validity period and accepts it, the Data Controller will process the data until the expiration of the rights and obligations arising from the legal relationship between the Data Controller and the data subject. For example, if the data subject does not respond substantively to the offer, the Data Controller will delete all documents containing data related to the quote request and provision (e.g., emails, offers).
  8. The method of data processing: electronically and/or manually on paper.
  9. Source of data: directly from the data subject.
  10. Data disclosure: It is not disclosed to third parties.
  11. Organizational and technical measures to protect the processed data: see in the separate chapter.
  12. Automated decision-making, profiling: this does not occur in the context of data processing.
  13. The Data Controller points out that if the data subject does not provide the data marked with a *, the Data Controller will refuse to provide the service (data processing).

III. Data processing related to Customer and Partner Records

  1. The Data Controller maintains electronic and/or paper-based records of natural person clients, partners, as well as representatives and contacts of non-natural person clients and partners, in which the processed data is manually entered.
    This includes the management of patient data in the CRM or FlexiDent.
  2. The legal basis for data processing: the administrative step of becoming a customer/partner, according to Article 6(1)(b) of the GDPR (data processing is necessary for taking steps at the request of the data subject prior to entering into a contract).
  3. The scope of data subjects: All natural persons, as well as representatives of legal entities, who are or wish to be customers or partners of the Data Controller.
  4. The scope of processed data:
    name* identification  
    phone number* contact  
    email address* contact  
    represented organization data identification
     
  5. The purpose of data processing is to maintain records of the Data Controller's clients (patients) and Partners, facilitate smooth communication, and track the steps taken.
  6. The activity and process related to data processing are as follows::
    1. The Data Controller obtains and records the data through the previously described method (see Chapter 2).
  7. Timespan of data processing:
    1. It lasts until the general limitation period (5 years) after the termination of the legal relationship.
    2. If an accounting document containing the data of the data subject has been issued, the duration of data processing regarding the data on the document shall be 8 years, in accordance with Section 169 (2) of the Accounting Act.
    3. If the legitimate interest of the Data Controller requires it, the duration of data processing shall last until the interest ceases. In this case, the Data Controller supports the interest with a legitimate interest balancing test.
  8. The method of data processing: electronically and/or on paper, manually, or automatically.
  9. Source of data: directly from the data subject.
  10. Data disclosure: not disclosed to third parties.
  11. Organizational and technical measures for the protection of the processed data: see the separate chapter.
  12. Automated decision-making, profiling: this does not occur in connection with data processing.
  13. Regarding the data marked with *, the Data Controller draws attention to the fact that these data are minimally necessary for identification and communication purposes.

IV. Data processing related to the conclusion of a consent statement/agreement.

  1. The Data Controller may condition the provision of its services on the prior conclusion of a consent statement and/or agreement, of which the data subject is informed.
  2. The consent statement is based on voluntary consent, while the legal basis for the conclusion of the agreement is the agreement itself.
  3. The scope of the data subjects: Every natural person who, by providing their personal data, gives a consent statement and/or enters into an agreement with the Data Controller in relation to the use of a service provided by the Data Controller.
  4. The scope and purpose of the processed data:
    name* identification
    address* identification/contact
    place and date of birth* identification
    mother's name identification
    phone number* contact
    email address contact
     
  5. The purpose of data processing is the identification of the data subject, providing the appropriate service to the data subject in accordance with the consent statement and/or the provisions of the agreement, as well as communication.
  6. The activity and process related to data processing are as follows:
    1. The data subject, based on their own discretion, decides freely and voluntarily to use the Data Controller's service(s). If they wish to use the service(s), they provide the aforementioned data and give consent or enter into an agreement with the Data Controller.
    2. The consent statement and/or agreement are stored by the Data Controller in an electronic record system specifically used for this purpose and/or on paper.
  7. If the data subject reveals a fact that affects or excludes the provision of the service to the Data Controller, or if the Data Controller clearly and demonstrably finds such a fact in connection with the data subject, the Data Controller will refuse to provide the respective service(s).
  8. Duration of data processing: For personal data that appears on documents supporting accounting records, the duration of data processing (in relation to the document) is at least 8 years in accordance with Section 169 (2) of Act C of 2000.
  9. Method of data processing: electronically and/or on paper, manually.
  10. Source of data: directly from the data subject.
  11. Data disclosure: not disclosed to third parties / disclosed to third parties, these persons are listed in Appendix I.
  12. Organizational and technical measures for the protection of processed data: see separate chapter.
  13. Automated decision-making, profiling: this does not occur in the context of data processing.
  14. The Data Controller points out that if the data marked with * are not provided by the data subject to the Data Controller, the Data Controller will refuse to provide the service (data processing).

V.Data processing related to health data and documentation

  1. The data subject’s past and current health data, health documentation may be disclosed to the Data Controller for the purpose of informing the Data Controller and clarifying the subsequent service (intervention), and the Data Controller records, stores, and processes health data and health documentation during the examination of the data subject.
  2. The recording of health data and documentation is part of the service provision (treatment). The physician performing the treatment decides which health data needs to be recorded and stored in accordance with professional standards.
  3. The data subject voluntarily provides their health data and documentation, and furthermore, the data subject voluntarily consents to the examinations.
  4. The scope of data subjects: All natural persons who provide their health data or documentation to the Data Controller, or who give prior consent to an examination, the result of which is the processing of health data or documentation.
  5. The scope of data affected by data processing and its purpose regarding the medical history form:
    name* identification  
    address* identification/contact  
    occupation* statistics  
    email address* contact  
    date of birth* identification  
    mobile phone number* contact  
    social security number identification, used for health fund support  
    health data, documentation according to the current questionnaire* necessary for providing the service/care  
    date* identification  
    signature* identification  
    how the individual heard about the clinic* statistics  
  6. name* identification  
    social security number* identification, used for health fund support  
    date of birth* identification  
    address* identification/contact  
    phone number* contact  
    diagnosis* used for providing service/care, for later verifiability  
    type of surgery* used for providing service/care, for later verifiability  
    allergies, risk factors* used for providing service/care, for later verifiability  
    medications* used for providing service/care, for later verifiability  
    x-ray* used for providing service/care, for later verifiability  
    stitches* used for providing service/care, for later verifiability  
    surgical description* for later verifiability  
    materials used* used for providing service/care
  7. The direct purpose of data processing is to support which service provided by the Data Controller is suitable for the data subject, as well as offering a proposal, answering the data subject's questions, and maintaining communication.
  8. The healthcare data necessary for the service can be processed by the doctor and other individuals involved in the treatment of the data subject, such as the assistant, in accordance with the instructions of the treating doctor and to the extent necessary for the performance of their duties.
  9. Other warranty regulations related to health data and documentation that the Data Controller fully complies with:
    1. If the Data Controller becomes aware of health data based on the voluntary consent of the data subject, the Data Controller will process it in accordance with the provisions of Act CXII of 2011 and Act XLVII of 1997 on the processing and protection of health and related personal data, as follows:
    2. The Data Controller only collects the most necessary health data, but the data subject may, of course, disclose additional data, which the Data Controller is also obligated to retain.
    3. The Data Controller and the Employee acting on its behalf are obliged to maintain the medical confidentiality they become aware of.
    4. The Data Controller does not transfer health data to any data processor.
    5. The Data Controller transfers health data and documentation only in cases where,
      1. ha érintett a továbbításhoz kifejezetten, önkéntesen és írásban hozzájárult a továbbítás címzettjének tudatában; vagy
      2. in case of imminent danger to life, or
      3. if the transmission of health and personal identification data is required by law.
    6. The data subject is entitled to receive information regarding the data processing related to the treatment, may access the health and personal identification data concerning them, may review the medical documentation, and can request copies of them.
    7. The right to the aforementioned information extends to the person authorized by the data subject in writing during the duration of their treatment, and after the completion of the treatment, it applies to the person authorized by the data subject in a document with full evidential value.
  10. The Data Controller and the Employee are exempt from the confidentiality obligation if
    1. the data subject or their legal representative has given written consent to the transfer of health and personal identification data, within the limitations specified therein, and
    2. the transfer of health and personal identification data is required by law (e.g., public health interest)
  11. The activity and process involved in data processing:
  12. Data processing duration: The healthcare documentation and health data must be retained by the Data Controller for at least 30 years in accordance with Section 30, Paragraph 1 of Act XLVII of 1997, the discharge report for at least 50 years, diagnostic imaging recordings for 10 years from their creation, and the report from the imaging recording must be retained for 30 years from the creation of the recording.
  13. The method of data processing: electronically and/or on paper, manually.
  14. Source of data: from White Cross Hotel Kft, who collects the data directly from the data subject.
  15. Data disclosure: It is not disclosed to third parties.
  16. Organizational and technical measures to protect the processed data: See a separate section.
  17. Automated decision-making, profiling: This does not occur in relation to the data processing.
  18. The Data Controller points out that if the data marked with * is not provided by the data subject, the Data Controller will refuse to provide the service (data processing).

VI. With the data subject's consent, images, video recordings, and audio recordings of the data subject are made.

Here is the English translation of the provided text:

This includes any recording made by the Data Controller for a specific purpose regarding the data subject.

The Data Controller, in strict compliance with Section 2:48. (1) of the Civil Code, creates and takes steps (e.g., forwarding, publishing) regarding audio, video, and image recordings of the data subject only with the prior consent of the data subject, and the steps will align with the consent granted by the data subject in the relevant declaration.

The data processing can only take place with the voluntary, explicit consent of the data subject.

Scope of the data subjects: All natural persons who, with prior consent, allow the creation of image, video, and/or audio recordings about them (for example, during the use of services).

Scope and purpose of the processed data:
- Audio recording of the data subject: identification, marketing
- Image of the data subject: identification, marketing
- Other images, including video recordings, where the data subject is identifiable: identification, marketing

The purpose of the data processing is the goal determined by the data subject’s consent, for example:
- Creation of an image of the data subject for later identification and thus for discreet greeting or contact.
This includes cases where the Data Controller takes an image of the data subject and places it on the anamnesis sheet, so when the data subject is addressed, the staff member can greet them directly.

- The forwarding of audio, image, and video recordings created with the data subject’s consent to a partner or third party or the publication of these on the Data Controller's website or social media, thus forming part of the Data Controller’s marketing activities.

The Data Controller declares that the data subject is aware that if the created audio, image, and video recording makes the data subject identifiable, the data will be considered personal data, and the following rules apply to its processing.

Depending on the consent, the Data Controller may upload the data into the CRM, and the data can also be processed by Helvetic Clinics Int.

If the data subject is recognizable from the data, they can withdraw their consent at any time, whether before uploading to the website or social media or after the upload (deletion request).

Upon receiving a deletion request, the Data Controller is immediately obligated to take steps to remove the data.

The Data Controller provides more information about the data processing related to the data subject’s recordings in response to inquiries sent to the email address: [email protected]. Deletion or blocking requests from the website and/or social media or from the database can also be requested here.

Data processing duration: Until the data subject requests deletion.

Data processing method: Electronically and/or manually on paper.

Source of the data: Directly from the data subject.

Data disclosure: The Data Controller may disclose the created data in accordance with the voluntary consent of the data subject, making the data (e.g., images) available to third parties.

Organizational and technical measures for the protection of the processed data: See the separate chapter.

Automated decision-making, profiling: This does not occur in relation to the data processing.

VII. Camera System

The Data Controller operates a camera system at its premises located at 1065 Budapest, Révay u. 12, for purposes defined in a camera policy that is formally separate from this Regulation. The operation of each camera is indicated by informational signs notifying the data subjects.  
The legal basis for the data processing is the legitimate interest, in accordance with the application of the GDPR. The legitimate interest is in line with the objectives defined in the Camera Policy.  
For example, the data subject's legitimate interest is the protection of life, physical integrity, or property. Similarly, the Data Controller's legitimate interest is the protection of its property, as well as the life and physical integrity of its employees.  
The data subjects include any natural person who enters or stays in an area monitored by a CCTV system.  
The scope and purpose of the data processed:  
- Image of the data subject for identification purposes.  
The purpose of data processing, in accordance with the goals defined in the camera policy, includes:  
- Property protection related to assets, tools, and equipment in the monitored area, personal protection, identification of the data subjects, prevention of accidents, investigation of the circumstances of accidents, quality assurance, clarification of disputes (legal or otherwise), examination of complaints, etc. The specific purpose of data processing is determined for each camera separately in the annex to the relevant camera policy.  
The location of storage: The Clinic located at 1065 Budapest, Révay u. 12, operated by the Data Controller.  
Detailed regulations regarding the operation of the camera system are included in the camera policy, which is formally separate from this Regulation. However, it must be interpreted together with the applicable Internal Data Protection Regulation. The Camera Policy is considered an annex to the Data Protection and Data Security Policy and is available at the location.  
Data retention period: According to Section 31, Subsection 2 of Act CXXXIII of 2005 (if not used, the recording is stored for 3 business days from the recording date). If the Data Controller stores the data for a period differing from this general rule, it will be supported by a legitimate interest balancing test in accordance with the statutory deadline.  
The method of data processing: Electronic and automated.  
Source of data: Directly from the data subject.  
Data disclosure: The data will not be disclosed to third parties (except for authorities or courts).  
Organizational and technical measures for the protection of processed data: See the separate section.  
Automated decision-making, profiling: There is no such processing in relation to this data processing.

VIII. Questionnaire, Evaluation System

VIII. Questionnaire, Evaluation System

Data subjects can provide their feedback electronically and/or via a paper-based questionnaire, as part of the quality assurance process applied by the Data Controller.

Filling out the evaluation questionnaire is based on voluntary consent.

The data subjects: All natural persons who have used the services of the Data Controller and evaluate them for the purpose of quality improvement and/or feedback.

Data processed and purposes:
- Name: identification
- Email address: contact
- Textual evaluation: quality assurance
- Evaluation of the services provided by the Data Controller: quality assurance

The purpose of data processing is to improve the quality of services, investigate any complaints, and ensure communication.

Providing the data is not mandatory; it only serves to facilitate the precise investigation of potential complaints and ensure a response from the Data Controller to the data subject.

The activity and process related to data processing are as follows:

The data subject can evaluate the Data Controller and its provided services/products through a questionnaire or free-form written feedback, using the available method provided by the Data Controller.

The data subject informs the Data Controller of their evaluation electronically and/or in paper form.

The Data Controller stores electronically sent evaluations in the designated electronic record-keeping system, the CRM, and shares it with Helvetic Clinics Int., who is authorized to process and use it as per the previously defined terms.

If a complaint arises, the Data Controller will respond in writing to the data subject.

In line with the purpose of data processing, the data subject voluntarily consents to being contacted via the provided contact details to address their complaint or take any other necessary steps regarding their complaint.

Data retention period: Until the purpose is achieved.

Data processing method: Electronically and/or manually in paper form.

Data source: Directly from the data subject.

Data disclosure: Not disclosed to third parties.

Organizational and technical measures for the protection of processed data: See the separate section.

Automated decision-making, profiling: No such actions are performed in connection with the data processing.

IX. Appointment reservation

This refers to the case when the data subject arranges a new appointment with the Data Controller’s staff at the Clinic, for example, for the continuation of the treatment.

The Data Controller allows the data subjects to request an appointment from the Data Controller by providing the data detailed below.

The scheduling and booking of appointments is based on voluntary consent.

The data subjects: All natural persons who provide their data to book an appointment.

The scope of the data processed:
- Name* identification
- Phone number* communication
- Email address communication
- Appointment* necessary for service provision

The purpose of data processing is to provide the data subject with an appointment and to maintain communication.

The activities and process related to data processing are as follows:

- The data subject can schedule an appointment with the Data Controller through the means provided by the Data Controller, typically in person at the Clinic. 
- During the appointment scheduling, the Data Controller records the data revealed during the discussion in an electronic registration system (FlexiDent) and/or on paper, and confirms the reserved appointment verbally and/or in writing. 
- Ideally, the data subject personally appears at the Data Controller’s clinic at the scheduled time to receive professional and comprehensive information, as well as care/services.

Duration of data processing:

- Until the purpose is achieved.
- If the appointment (or absence thereof) has legal consequences or if it is relevant for proving the fulfillment of a legal obligation or the enforcement of a legitimate interest, the Data Controller retains the data for the general statute of limitations period or until the legitimate interest exists.

The method of data processing: electronically and/or on paper, manually. 
Source of data: directly from the data subject.
Data disclosure: not disclosed to third parties.
Organizational and technical measures to protect processed data: see separate chapter.
Automated decision-making, profiling: this does not occur in the context of data processing.

Regarding data marked with *, the Data Controller highlights that if the data subject does not provide them to the Data Controller, the provision of the service (data processing) will be denied.

X. Social media marketing

The Data Controller is available at https://www.facebook.com/dental.clinic.hungary/ and other social media platforms.

The use of social media sites, particularly the Facebook page, and the communication, contact, and other actions taken through those platforms with the Data Controller are based on voluntary consent.

The data subjects: All natural persons who voluntarily follow, share, or like the content on the Data Controller's social media pages, particularly the Facebook page.

The scope of the data processed and the purpose:
- Public name of the data subject identification
- Public photo identification
- Public email address communication
- Message sent via social media platform communication, response basis
- Evaluation or other action by the data subject improvement of quality or the purpose of other actions

The Data Controller communicates with the data subjects through social media only when the data subject contacts the Data Controller via the platform. The scope and purpose of the data processing become relevant when the data subject reaches out to the Data Controller via the social media platform.

The purpose of the data processing on social media platforms, particularly on Facebook, is to share, publish, and market the content found on the website. The social media platform also allows the data subject to stay informed about the latest promotions.

The data subject voluntarily agrees to follow or like the Data Controller's content based on the terms of the social media platform. For example, the data subject can subscribe to the news feed on the Facebook page by clicking the "like" button and thus consents to the Data Controller's news and offers being published on their own feed. The data subject can also unsubscribe by clicking the "dislike" button or delete unwanted posts using the settings for their news feed.

The data subject can evaluate the Data Controller through text or numerically if the social media platform allows it.

The Data Controller posts pictures/videos of various events, services, and other content on their social media, especially on Facebook. The Data Controller may also link the Facebook page to other social media platforms in accordance with the rules of the facebook.com social media platform, meaning that the publication on the Facebook page includes publication on connected platforms as well.

If the publication is not from a public event or a public figure's appearance (Civil Code § 2:48), the Data Controller always requests written consent from the data subject before publishing the images.

The data subject can find information about the data processing of the specific social media platform on that platform, and information about Facebook's data processing can be found at facebook.com.

Duration of data processing: Until the data subject requests deletion.

The method of data processing: electronically, manually.

Source of data: directly from the data subject.

Data disclosure: Data will be disclosed to third parties only if a Partner handles the social media marketing. In such cases, the Partner is named in Annex I.

Organizational and technical measures to protect processed data: see separate chapter.

Automated decision-making, profiling: The Data Controller does not engage in profiling or automated data processing in relation to this data processing. However, the Data Controller points out that the operator of the social media platform may engage in profiling or other automated data processing, but in such cases, the platform operator will be the data controller.

XI. Complaint handling

The Data Controller ensures that the data subject can communicate their complaint about the service, the conduct, activities, or omissions of the Data Controller, either verbally (in person, by phone) or in writing (in person or via a document delivered by someone else, by post, or by email).

The complaint handling process is initiated based on voluntary consent.

The data subjects: All natural persons who wish to communicate their complaint regarding a service or the behavior, activities, or omissions of the Data Controller either verbally or in writing.

The scope of the processed data and its purpose:
- Complaint identifier identification
- Name identification
- Date and time of complaint receipt identification
- Phone number communication
- Call time identification
- Personal data provided during the conversation identification
- Billing/correspondence address communication
- Complained product/service complaint investigation
- Attached documents complaint investigation
- Reason for complaint complaint investigation
- The complaint itself complaint investigation

The purpose of data processing is to identify the data subject and the complaint, handle the complaint, and ensure communication.

The activity and process related to data processing are as follows:
- The data subject communicates their complaint verbally (in person, by phone) or in writing (in person, via document delivered by someone else, by post, or by email) to the Data Controller.
- If the data subject files their complaint verbally, the Data Controller will complete a complaint report form or a record with equivalent content.
- If the data subject wishes to file the complaint in writing, they have the opportunity to do so.
- The Data Controller processes the complaint and responds within the shortest time possible.
- The Data Controller strives for the timely resolution of complaints in accordance with mutual interests.

The duration of data processing: The Data Controller will keep the complaint report and the copy of the response for the statutory limitation period (5 years) from the time of their creation.

The method of data processing: electronically and/or manually on paper.

Source of data: directly from the data subject.

Data disclosure: Data will only be disclosed to a third party if necessary for the enforcement of the rights of the data subject, the Data Controller, or a third party, or to fulfill obligations.

Organizational and technical measures to protect processed data: see separate chapter.

Automated decision-making, profiling: No automated decision-making or profiling occurs in relation to this data processing.

XII. Data processing related to the consent statement

This includes the management of consent statements related to data processing..

The Data Controller requests a paper-based or electronic consent statement from the data subjects to access, process, and, if applicable, transfer their data.  
Providing a consent statement is based on voluntary consent.  
Scope of data subjects: Any natural person who provides a consent statement to the Data Controller for the processing of their data for a specific purpose.  

Scope of data processed and its purpose:  
- Name: identification  
- Place and date of birth: identification  
- Data specified in the consent statement: necessary for the fulfillment of consent  

Purpose of data processing: handling of consent statements for proving the legal basis of data processing, as well as fulfilling the consent (accountability principle), and for communication.  

The activity and process affected by data processing are as follows:  
The data subject provides their consent to the processing of their data through the method made available by the Data Controller.  
For example, the data subject gives prior consent electronically on the website or on paper for the processing of their data.  
The Data Controller stores and processes consent statements in paper form or electronically for later retrieval and proof. The consent statements are handled confidentially by the Data Controller.  

Duration of data processing:  
- Until the expiration of the enforceability of rights and obligations arising from the legal relationship in connection with which the Data Controller processes personal data, or  
- If no such legal relationship exists, until the data subject requests deletion.  

Method of data processing: electronically and/or manually on paper.  
Source of data: directly from the data subject.  
Data disclosure: specified in Annex I, if the consent involves data transmission.  
Organizational and technical measures to protect the processed data: see a separate section.  
Automated decision-making, profiling: such actions do not take place in connection with data processing.  

The Data Controller draws attention to the fact that if the data subject does not provide the *-marked data, the Data Controller will refuse to provide the service (data processing).

XIII. Data processing related to the Corporate Partner Program

The Data Controller offers a unique, discounted offer to employees of partner companies based on agreements made with certain partner companies.  
Registration is based on voluntary consent, which takes place on the registration page provided by the Data Controller (https://helvetic-clinics.hu/partner). The partner company informs its employees about the discounted opportunities provided by the Data Controller but does not record or forward any data to the Data Controller. Registration is the employee's own decision.  

Scope of data subjects: Any natural person who registers on the Data Controller's website to receive discounted services, providing their personal data.  

Scope of processed data and purpose:  
- Partner ID*: identification  
- Name*: identification/contact  
- Email address: contact  
- Phone number*: contact  

Purpose of data processing: identification of the data subject, providing the relevant discounted service to the data subject, and communication.  

The activity and process affected by data processing are as follows:  
The data subject voluntarily, without influence, decides to take advantage of the Data Controller’s service(s). If the data subject wishes to use the service(s), they register on the platform by providing the data mentioned above.  
The registration is stored in the Data Controller's electronic record-keeping system, which is specifically used for this purpose.  
If the data subject reveals any facts that would influence or exclude the provision of the service(s) to the Data Controller, or if the Data Controller finds any such facts about the data subject that are clear and provable, the Data Controller will refuse to provide the service(s).  

Duration of data processing: For personal data that is included in records supporting accounting, the data processing duration (in relation to the record) is at least 8 years, according to Section 169(2) of Act C of 2000.  
Method of data processing: electronically.  
Source of data: directly from the data subject.  
Data disclosure: not disclosed to third parties/disclosed to third parties as specified in Annex I.  
Organizational and technical measures to protect the processed data: see a separate section.  
Automated decision-making, profiling: such actions do not take place in connection with data processing.  

The Data Controller draws attention to the fact that if the data subject does not provide the *-marked data, the Data Controller will refuse to provide the service (data processing).

Who else can see my data?

Referring to the provisions outlined in the Privacy and Data Security Policy, the Data Controller hereby notifies and informs the data subjects that the Data Controller is in contact with the following data processors:

A. The data processor entrusted with outsourced accounting and payroll tasks:
Name: RSM Hungary Zrt.
Registered office: 1138 Budapest, Faludi utca 3.
Tax number: 14020867-2-41
Company registration number: 01-10-045727
Represented by: Kalocsai Zsolt
B. The data processor entrusted with documentation tasks:
Name: Flexi Medical Hungary Zrt.
Registered office: 1027 Budapest, Tölgyfa utca 28.
Tax number: 27303296-2-41
Company registration number: 01-10-140667
Represented by: Friss Tamás Gábor
C. The data processor entrusted with the task of hosting services:
Név: MAXER Hosting Kft.
Registered offices: 9024 Győr, Répce u. 24.
Tax number: 13670452-2-08
Company registration number: 08-09-013763
Represented by: Nyers Péter
D. The data processor entrusted with dental laboratory tasks:
Technician name: Artiflex Dentis Kft.
Registered office: 1065 Budapest, Révay utca 12
Tax number: 23364543-2-42
Company registration number: 01-09-275953
Represented by: Románszky László
Technician name: Románszky Ágnes individual entrepreneur
Registered offices: 2000 Szentendre, Vörösgyürű sétány 36
Tax number: 69363070-1-33
Company registration number: 53073921
Represented by: Románszky Ágnes
Technicians name: Románszky László individual entrepreneur
Registered offices: 2000 Szentendre, Vörösgyürű sétány 36
Tax number: 69351811-1-33
Company registration number: 53056823
Represented by: Románszky László

Referring to the provisions outlined in the Privacy and Data Security Policy, the Data Controller hereby notifies and informs the data subjects that the Data Controller transfers data in the following cases:

A. The Data Controller transfers data to the Central Implant Registry.

Scope of transferred data:

Name,  
Place and date of birth,  
Address,  
Mother's name,  
Gender,  
Implant manufacturer,  
Serial number

We inform you that if the specialist performing your treatment at our Dental Clinic finds it necessary, for your comfort and to improve the quality of service, to involve another specialist within the clinic, for the safety and speed of the treatment, they may allow access to and transfer data related only to your treatment to the collaborating healthcare provider’s doctor working with our clinic. Your treating doctor will always inform you of this in advance.

Information notice on the data processing activities carried out by Revay Dental Clinic

I. Information and access to personal data

As a Patient, you can request to be informed whether we process your personal data, and if so, we will provide you access to the personal data we process.  
You can contact us in writing at any time regarding the processing of your personal data. You may request information via a registered or return receipt requested letter sent to our Dental Clinic’s address, or via email. We consider a request for information sent by letter to be valid if the patient can be clearly identified based on the request. We will only consider an email request for information valid if it is sent from the patient’s registered email address. However, this does not preclude us from identifying the patient in other ways before providing the requested information.  
The information request may include details about the data we process regarding the patient, the source of the data, the purpose of data processing, the legal basis, duration, any data processors’ names and addresses, activities related to data processing, and in the case of data transfer, to whom and for what purpose your data has been or will be disclosed.

II. Right to rectification

  1. You may request from our Dental Clinics the rectification of any inaccurate personal data we process. Considering the purpose of data processing, you may also request the completion of incomplete personal data.

III. Right to erasure

  1. The patient may request the deletion of their personal data processed by our Dental Clinics. Deletion may be refused if the processing of personal data is authorized by law. Therefore, if the legal basis for data processing is a legal obligation, we cannot delete such data, as the storage of this data is required by law for our Dental Clinics. Such data includes, in particular, data related to healthcare services and billing. In every case, we will inform you of the refusal of your deletion request, specifying the reason for the refusal. After fulfilling a request for the deletion of personal data, please note that the previously deleted data cannot be restored.

IV. Right to restriction of processing

As a patient using our services, you may request that the processing of your personal data be restricted by our Dental Clinics if you dispute the accuracy of the personal data processed. In this case, the restriction applies for the duration that allows the Data Controller to verify the accuracy of the personal data.  
You may also request that the processing of your personal data be restricted if the processing is unlawful, but you, as a patient, oppose the deletion of the processed personal data and instead request a restriction on its use.  
Furthermore, as a patient, you may request that the processing of your personal data be restricted if the purpose of data processing has already been achieved, but you require the data to be processed by the Data Controller for the establishment, exercise, or defense of legal claims.

V. Right to data portability

  1. The patient may request that the Dental Clinic provide the personal data provided by the patient and processed in an automated manner in a machine-readable format, or transfer it to another Data Controller.

VI.Right to object

The patient may object to the processing of their personal data if the processing is carried out for the purpose of direct marketing.

We reserve the right to modify or update this Information Notice at any time without prior notice. Any modification will only apply to personal data collected after the publication of the modified version.

Please regularly check our Information Notice to stay informed about any changes and how they may affect you!

Date: June 1, 2021  
Revay Dental Clinic Zrt.  
Dr. Péter Zoltán Lukács  
CEO

Book an appointment: 0539301323 Book an appointment