Privacy policy

Data Controller Details

Data Protection Officer’s Details

Buda Health Center LLC (BHC)

Represented by: Dr István Csernavölgyi Chief Executive Officer

Dr Ádám Kéri 

Dr Szonja Kéri, Dr Tamás Sándor Kéri

Chief Data Protection Officer: Dr Ádám Kéri

1-3 Királyhágó street Budapest 1126

Mailing address: 1281 Budapest, Post Office Box.12.

Company registration number      

Cg.01-10-141707. 

Website: https://bhc.hu/en

E-mail adress: dpo@bhc.hu

E-mail adress: adam.keri.office@icloud.com 

NAMES OF THE AREAS PRESENTED

1. THE HOSTING PROVIDER OF THE HTTPS://BHC.EN WEBSITE OPERATED BY THE DATA CONTROLLER, AND THE OPERATOR OF ITS MOBILE APPLICATION

2. DATA MANAGEMENT RELATED TO COOKIES USED ON THE HTTPS://BHC.EN WEBSITE, AS WELL AS DATA COLLECTED BY THE MOBILE APPLICATION

3. GENERAL NEWSLETTER DELIVERY

4. SENDING EXCLUSIVE (SPECIAL) NEWSLETTERS AND CAREGIVER (PERSONALIZED) NEWSLETTERS

5. CONTACTING CUSTOMER SERVICE /by phone; or by emailing info@bhc.hu (except: For the Private Inpatient Care Unit); as well as magankorhaz@bhc.hu as well as using the e-mail address in magankorhaz@bhc.hu for Private Inpatient Care/

6. REQUEST FOR PROPOSALS FOR OUR HEALTHCARE SERVICES

7. REGISTRATION FOR THE CUSTOMER SERVICE FEATURE ON THE WEBSITE OR MOBILE APP, AND CREATION OF A PERSONAL CUSTOMER ACCOUNT

8. USE OF THE CUSTOMER SERVICE FUNCTION VIA THE ONLINE PLATFORM OR MOBILE APP, I.E., DATA PROCESSING RELATED TO PERSONAL CUSTOMER ACCOUNTS

9. OPERATION OF THE CORPORATE DATA EXCHANGE PORTAL; AS WELL AS THE SUPPLEMENTARY DATA MANAGEMENT RULES FOR OCCUPATIONAL HEALTH EXAMINATIONS (INCLUDING: SCREENING TESTS)

10. ONLINE APPOINTMENT BOOKING VIA THE WWW.FOGLALJORVOST.HU WEBSITE

11. PATIENT REGISTRATION (DATA VERIFICATION), MEDICAL RECORDS, AND INVOICING

12. HANDLING OF MEDICAL REPORTS SENT TO THE DATA CONTROLLER VIA E-MAIL OR UPLOADED TO PERSONAL ONLINE CUSTOMER ACCOUNTS

13. TELEPHONE CONSULTATION

14. VIDEOCONSULTATION

15. COMPLAINT HANDLING

16. CUSTOMER SATISFACTION SURVEY

17. REPORTING FOUND ITEMS

18. BEK ACADEMY DATA MANAGEMENT ON THE HTTPS://AKADEMIA.BHC.HU WEBSITE

19. ACCEPTING JOB APPLICATIONS

20. THE DATA CONTROLLER'S APPEARANCE ON SOCIAL MEDIA SITES

21. RELEVANT IMPORTANT LEGISLATION

22. OVERVIEW OF DATA SUBJECT RIGHTS

23. HOW WE PROTECT YOUR PERSONAL DATA

24. DEFINITIONS

25. PRINCIPALS OF PRIVACY POLICY

Web hosting provider’s name:

Brainsum Kft.

Web hosting provider’s registered office:

2836 Baj, 27 Bem József Street

Web hosting provider’s branch office:

8652 Siójut, Land register number 89/9 

Company registration number:

Cg.11-09-024421.

Web hosting provider’s contact details:

info@brainsum.com

Web hosting provider’s name:

BitRoll Kft.

Web hosting provider’s registered office:

1085 Budapest, 69 József krt., Ground Floor, Unit 1

Web hosting provider’s registered office seat:

1082 Budapest, Nap Street 29, 1st Floor, Unit 8

Company registration number:

Cg.01-09-407123.

Web hosting provider’s contact details:

https://bitroll.hu

info@bitroll.hu

MOANA SOFTWARE MAGYARORSZÁG Kft.

1025 Budapest, Zöldlomb Street 32-34/b, 4th floor 16.

3100 Salgótarján, 32 Ruhagyári Street

Cg.01-09-699603.

info@moanasoftware.com

https://www.moanasoftware.com

SMP Solutions Zrt.

1138 Budapest, 47–49 Madarász Viktor Street, Building 2 3rd floor

1139 Budapest 53 Fiastyúk Street

1139 Budapest 69 Fiastyúk Street

1139 Budapest 71/b Fiastyúk Street

1138 Budapest, 47–49 Madarász Viktor Street, Building 1 Ground floor

Cg.01-10-140383.

smp@smp.hu

https://smpsolutions.hu

Name of the cookie

Function of the cookie

Legal basis

Duration

Data Controller’s legitimate interest.

Until the end of the session.

This is to distribute the website's traffic across multiple servers to optimize response times.

Data Controller’s legitimate interest.

Until the end of the session.

Data Controller’s legitimate interest.

1 year

Data Controller’s legitimate interest.

1 year

Data Controller’s legitimate interest.

30 days

Stores the user's consent status regarding cookies for the current domain.

Data Controller’s legitimate interest.

180 days

Name of the cookie

Function of the cookie

Legal basis

Duration

The data subject's consent.

1 day

Name of the cookie

Function of the cookie

Legal basis

Duration

The data subject's consent.

2 years

The data subject's consent.

1 day

The data subject's consent.

1 day

The data subject's consent.

30 days

The data subject's consent.

1 day

Name of the cookie

Function of the cookie

Legal basis

Duration

Facebook uses it to deliver a range of advertising products, such as real-time bidding by third-party advertisers.

The data subject's consent.

3 months

It is to detect whether the user intends to leave the page by moving the cursor. This allows the website to display certain pop-ups to keep the users on the website or convert them into customers.

The data subject's consent.

Until the end of the session.

The data subject's consent.

1 year

It collects data on user behaviour and interactions to optimize the website and deliver more relevant ads on the site.

The data subject's consent.

3 months

The data subject's consent.

30 days

The aim of data management

Information about the data controller’s services and current promotions.

The legal basis for data management:

The data subject’s consent pursuant to Article 6(1)(a) of the GDPR, which may be withdrawn at any time without giving a reason.

Description of the legitimate interest:

The data management is not based on a legitimate interest.

Categories of data subjects:

Natural persons who have subscribed to the General Newsletter.

Categories of personal data processed:

The data subject's name, email address for newsletter delivery, and the type of newsletter requested.

Source of personal data:

The data is provided by the data subject themselves.

The duration of data management:

We process the data until the data subject withdraws their consent (or unsubscribes); or, in the case of a subscription request, until the 72-hour confirmation period specified in the data controller’s response email expires without result (after which a subscription request not confirmed by the data subject within 72 hours will be deleted).

Recipients (subjects of data transmission):

MOANA SOFTWARE MAGYARORSZÁG LLC. (registered office: 1025 Budapest, Zöldlomb Street 32-34/b, 4th floor 16., Cg.01-09-699603., contact details: info@moanasoftware.com, website: https://www.moanasoftware.com) as web hosting provider (and also as a data processor), it processes the data uploaded to the data controller’s internal system (in this case, it forwards requests to subscribe to, unsubscribe from, or inquire about the newsletter, but does not store any related data itself).

Brainsum Kft. (registered office 2836 Baj, 27 Bem József Street, Company registration number: Cg.11-09-024421., website: https://brainsum.com, contact details: info@brainsum.com), As a data processor and hosting provider, it processes the data uploaded to the data controller’s website (https://bhc.en) (for example, when users subscribe to the newsletter there); and this data processor carries out the developments requested by the data controller.

A RAAB SOFTWARE Kft. (9024 Győr, 36 Szigethy Attila Street,  3rd Floor, Apartment 6, Cg.08-09-032732.,contact details: info@raabsoftware.hu, website: https://raabsoftware.hu) acts as a data processor in the process. The data processor is responsible for the editing and structuring newsletters.

When using the newsletter subscription feature, the 72-hour confirmation process (confirmation, failure, or rejection of the subscription) is handled within the Microsoft Azure system, meaning it is carried out using the cloud-based service provided by MICROSOFT CORPORATION (WA 98052, One Microsoft Way, Redmond, USA), and thus MICROSOFT CORPORATION acts as a data processor. Details of the Azure service are available here https://azure.microsoft.com.

Additionally, Twilio SendGrid Inc. (registered office: 101 Spear Street, 1st Floor, San Francisco, CA 94105, USA; acts as a data processor. Court record: California, registration nr: 4518652, contact details: legalnotices@twilio.com), whose duty is – through its cloud-based service – to store subscriber information (name, email address, and newsletter type) and to send newsletters to the stored email addresses.

In the course of performing its duties—strictly for the purposes specified—Bonitás IT Limited Liability Company may access personal data in its capacity as a data processor. (registered office 6725 Szeged, 18 Szabadkai Street, company registration number: Cg.06-09-012933., TAX id nr: 14445181-4-06, contact details: info@bonitasit.hu), which, in its capacity as a data controller, provides comprehensive application management, application development, infrastructure management, IT consulting and services, as well as IT security services.

Third-country data transfers:

Neither MICROSOFT CORPORATION, nor Twilio SendGride Inc as a data processors, are not a European Union-registered entities; thus, they qualify as a so-called third-country entities. However, since July 17, 2023, they have been a party to the data protection frameworks in effect between the EU and the US, the UK, and Switzerland and the US (Data Privacy Framework, https://www.dataprivacyframework.gov/s/participant-search/participant-d… light of this, data protection compliance has been achieved. 

Contact details of MICROSOFT’s data protection officer: https://www.dataprivacyframework.gov/s/participant-search/participant-d…

Twilio SendGrid Inc.'s data protection and contact information are available here: https://www.twilio.com/en-us/gdpr; and https://www.twilio.com/en-us/legal/privacy.

Automated decision-making, profiling:

No automated decision-making or profiling takes place.

Is the provision of data mandatory:

It is not mandatory, but if the data subject does not provide their information, we will naturally be unable to send the General Newsletter.

What are the consequences if the data subject does not provide their personal data:

The data subject will not receive the General Newsletter.

The aim of data management

Information about the data controller’s current health services (e.g., screenings) and seasonal health services (e.g., vaccinations) (Exclusive Newsletter); and 

up-to-date information on personalized professional recommendations tailored specifically to the individual, based in part on the analysis and evaluation of their health data; for the purposes of health maintenance, prevention, or follow-up care (Caregiver Newsletter).

The legal basis for data management:

Consent of the data subject (i.e., given by the patient) pursuant to Article 6(1)(a) of the GDPR;

in the case of the Caregiver Newsletters, this is supplemented by the data subject’s explicit consent for the processing of health data, in accordance with Article 9(2)(a) of the GDPR.

Both consent and explicit consent may be withdrawn at any time without providing a reason.

Description of the legitimate interest:

The data management is not based on a legitimate interest. 

Categories of data subjects:

Patients who are natural persons and have subscribed to the Exclusive Newsletter and/or the Caregiver Newsletter.

Categories of personal data processed:

The data subject’s name, email address for newsletter delivery (which, in the case of the Caregiver Newsletter, must be exclusively the email address associated with the online personal client account), and the type of newsletter requested; In the case of the Caregiver Newsletter, additionally the data subject’s BHC file ID (i.e., the patient’s internal identification number) and medical history data (type, date, and frequency of healthcare services received from the data controller, ICD code), as well as relevant demographic data (e.g., place of residence, gender, age).

Health data are considered special categories of personal data under Article 9(1) of the GDPR, and their management requires the explicit consent of the data subject.

Source of personal data:

The data is provided by the data subject themselves.

The duration of data management:

We process the data until the data subject withdraws their consent, or explicit consent (or unsubscribes); or, in the case of a subscription request, until the 72-hour confirmation period specified in the data controller’s response email expires without result (after which a subscription request not confirmed by the data subject within 72 hours will be deleted).

Recipients (subjects of data transmission):

MOANA SOFTWARE MAGYARORSZÁG LLC. (registered office: 1025 Budapest, Zöldlomb Street 32-34/b, 4th floor 16., Cg.01-09-699603., contact details: info@moanasoftware.com, website: https://www.moanasoftware.com) as web hosting provider (and also as a data processor), it processes the data uploaded to the data controller’s internal system (in this case, it forwards requests to subscribe to, unsubscribe from, or inquire about the newsletter, but does not store any related data itself).

Brainsum Kft. (registered office 2836 Baj, 27 Bem József Street, Company registration number: Cg.11-09-024421., website: https://brainsum.com, contact details: info@brainsum.com), As a data processor and web hosting provider, it processes the data uploaded to the data controller’s website (https://bhc.en) (for example, when users subscribe to the newsletter there); and this data processor carries out the developments requested by the data controller.

A RAAB SOFTWARE Kft. (9024 Győr, 36 Szigethy Attila Street, 3rd Floor, Apartment 6, Cg.08-09-032732., contact details: info@raabsoftware.hu, website: https://raabsoftware.hu) acts as a data processor in the process. The data processor is responsible for the editing and structuring newsletters.

When using the newsletter subscription feature, the 72-hour confirmation process (confirmation, failure, or rejection of the subscription) is handled within the Microsoft Azure system, meaning it is carried out using the cloud-based service provided by MICROSOFT CORPORATION (WA 98052, One Microsoft Way, Redmond, USA), and thus MICROSOFT CORPORATION acts as a data processor. Details of the Azure service are available here https://azure.microsoft.com.

Additionally, Twilio SendGrid Inc. (registered office: 101 Spear Street, 1st Floor, San Francisco, CA 94105, USA; acts as a data processor. Court record: California, registration nr: 4518652 , contact details: legalnotices@twilio.com), whose task is—through its cloud-based service—to store subscription data (for the Exclusive Newsletter: name, email address, and newsletter type; and for the Caregiver Newsletter: name, email address, newsletter type, and BHC file ID); and to send the newsletter to the email addresses stored in its system.

In the course of performing its duties—strictly for the purposes specified—Bonitás IT Limited Liability Company may access personal data in its capacity as a data processor. (registered office 6725 Szeged, 18 Szabadkai Street, company registration number: Cg.06-09-012933., TAX id nr: 14445181-4-06, contact details: info@bonitasit.hu), which, in its capacity as a data controller, provides comprehensive application management, application development, infrastructure management, IT consulting and services, as well as IT security services.

Third-country data transfers:

Neither MICROSOFT CORPORATION, nor Twilio SendGride Inc as a data processor, are not a European Union-registered entities; thus, they qualify as a so-called third-country entities. However, since July 17, 2023, they have been a party to the data protection frameworks in effect between the EU and the US, the UK, and Switzerland and the US (Data Privacy Framework, https://www.dataprivacyframework.gov/s/participant-search/participant-d… light of this, data protection compliance has been achieved. 

Contact details of MICROSOFT’s data protection officer: https://www.dataprivacyframework.gov/s/participant-search/participant-d…

Twilio SendGrid Inc.'s data protection and contact information are available here: https://www.twilio.com/en-us/gdpr; and https://www.twilio.com/en-us/legal/privacy.

Automated decision-making/profiling:

When determining the recipients of the Caregiver Newsletter—that is, its target audience—the data controller uses automated data processing, the steps of which are described in detail in the text preceding the table. 

However, this does not constitute automated decision-making, as it does not have a significant impact on the data subject.

Is the provision of data mandatory:

No, but in this case, we will not be able to send you the Exclusive and/or Caregiver Newsletter.

What are the consequences if the data subject does not provide their personal data:

The data subject will not receive the Exclusive and or the Caregiver Newsletter.

Responding to inquiries and requests from data subjects; ensuring transparent operations. In addition, another purpose of recording telephone calls is to enable the handling of any complaints and the enforcement of legal claims.

The legal basis for the processing of telephone communications—where the call involves a recorded conversation with customer service—is the legitimate interest of the data controller, the healthcare provider, and the patient, pursuant to Article 6(1)(f) of the GDPR.

The legal basis for processing personal data collected through email contact is the performance of a contract, in accordance with Article 6(1)(b) of the GDPR.

Regarding special categories of data (e.g., health data), data processing is permitted under Article 9(2)(a) of the GDPR (the data subject’s explicit consent) or Article 9(2)(h) (the provision of health care or other medical services).

The legal basis for recording telephone conversations with customer service is the legitimate interest of the data controller, the healthcare provider, and the patient. The legitimate interest is to ensure greater accountability in connection with the provision of healthcare; to establish and document the possibility of filing complaints or enforcement of legal claims.

However, the patient can expect their data to be processed, as they are informed of this both at the start of the consultation and on the data controller’s website. Recording of telephone conversations related to healthcare is a particularly important safeguard for which there is no less restrictive alternative.

The data subject is also entitled to several rights. These rights are described in detail in this document. It is specifically emphasized that the patient in question may object to the recording of their personal data. Under your right of access, you may also request a copy of the audio recording, specifying the exact date, time, and phone number of the call. Finally, patients may request information regarding the processing of their personal data.

Individuals who call the data controller’s customer service by phone or who are contacted by the data controller’s customer service by phone;

as well as those who send personal data to the email adressesinfo@bhc.hu ormagankorhaz@bhc.hu .

In the case of telephone contact, the personal data processed include: the data subject’s name, possibly their identification number and contact information, personal data provided by a person calling the data controller’s customer service or by a person called back by customer service, as well as special categories of such data (health data); personal data disclosed by customer service, including special categories of personal data (health data).

In the case of a recorded telephone conversation, the data controller also handles the call’s unique identification number (which includes the date and time of the call and the data subject’s telephone number), as well as the data subject’s voice.

In the case of email, the personal data processed includes the following: the sender of the email, the sender’s email address, the date and time the email was sent, the subject line of the email, and the content of the email and any attachments.

The data is provided by the data subject themselves; in the case of a phone call, this is supplemented by personal data provided during the customer service response or callback, while in the case of an email, it is supplemented by personal data included in the written response.

In the case of voice recordings, the duration of data processing is 5 years from the date of the recording made on the landline. An exception to this rule applies if enforcement of legal claims are taken during this period. In this case, data processing will continue throughout the period necessary for the enforcement of legal claims.

All personal data related to medical records—including electronic correspondence containing such data— must be retained for at least 30 years pursuant to Section 30(1) of the Health Care Act (Eüak) (depending on the course of medical care).

With regard to electronic inquiries in which the personal data contained therein do not constitute a patient’s health data (where the statutory obligation to process such data does not apply), and where no coordination process aimed at providing health services takes place following the inquiry, the data controller will retain the personal data contained in the email for 60 days.

Personal data may be disclosed to third parties for the purpose of providing healthcare services. Third parties are defined as professional staff involved in the provision of healthcare services who are not employed by the facility, as well as cooperating independent business entities (doctors, patient transport providers, laboratories, diagnostic companies, home visit service providers, etc.).

Patients are also informed separately about the transfer of data.

The VCC Life Hungary Kft. (registered office: 1117 Budapest, 8–10 Október huszonharmadika Street Allee Corner Office Building, Bercsényi Tower, 4th Floor; company registration number: Cg.01-09-735941., TAX id nr: 13452696-2-43, contact details:info@virtual-call-center.hu) As a data processor, it provides the technical infrastructure for storing audio recordings of recorded telephone conversations conducted with customer service, and, if necessary, provides the technical infrastructure for customer service to access the audio recordings; it then deletes the audio recordings after the data retention period has expired.

E-prescriptions issued as part of healthcare services, as well as medical records, are transmitted to the Electronic Healthcare Services Platform (EESZT) operated by the Ministry of the Interior (1051 Budapest, József Attila u. 2-4, Health Line; Email: info@egeszsegvonal.gov.hu). 2-4. Healthline: 1812, E-mail: info@egeszsegvonal.gov.hu) the Electronic Healthcare Services Platform (EESZT) operated by the Ministry of Interior (1051 Budapest, 2-4 József Attila street). This is based on the fulfilment of a legal obligation (Section 2(1a) of EMMI Decree No. 39/2016 (XII.21)).

https://e-egeszsegugy.gov.hu/hu/mi-az-eeszt-

In the course of performing its duties—strictly for the purposes specified—Bonitás IT Limited Liability Company may access personal data in its capacity as a data processor. (registered office 6725 Szeged, 18 Szabadkai Street, company registration number: Cg.06-09-012933., TAX id nr: 14445181-4-06, contact details: info@bonitasit.hu), which, in its capacity as a data controller, provides comprehensive application management, application development, infrastructure management, IT consulting and services, as well as IT security services.

Data transfer does not take place.

Automated decision-making, profiling does not take place.

The data subject is not required to provide this information.

In the absence of data provided by the data subject, achieving the purpose of contacting them may be hindered (e.g., it may not be possible to reach the data subject with the response; or it may not be possible to provide an accurate response due to a lack of data, etc.).

Data reporting is the foundation of quality healthcare.

The aim of data management

Submitting a bid for healthcare services in response to a request for proposals.

The legal basis for data management:

If an individual requests the offer for their own use, the legal basis for data processing is the performance of a contract pursuant to Article 6(1)(b) of the GDPR.

If the request is made by a legal entity or organization—for example, if an employer’s contact person or legal representative requests it on behalf of their employees as part of an occupational health examination; then the legal basis for processing the data of the contact persons and legal representatives is legitimate interest pursuant to Article 6(1)(f) of the GDPR (which is the legitimate interest of both the data controller, BHC, and the employer).

If you also provide us with special categories of personal data (e.g., health data), data processing is permitted under Article 9(2)(a) and (h) of the GDPR (based on the data subject’s explicit consent, or for the purpose of providing health services or medical care).

Description of the legitimate interest:

Data processing is based on legitimate interests only in the case of the processing of data pertaining to contacts and legal representatives. In such cases, the contact person or legal representative of the legal entity/organization contacts the data controller with a request for a quote; therefore, the processing of the contact person’s or legal representative’s data is unavoidable for the purposes of communication and responding to the request and is also in the significant interest of both parties. In addition, the details of legal representatives are recorded in an official registry and are accessible and verifiable by anyone.

Categories of data subjects:

Natural persons requesting a quote; contact persons or legal representatives of legal entities requesting a quote (e.g., in the case of an intention to use occupational health services).

Categories of personal data processed:

The name and address of the natural person making the request; where applicable, the name of the legal representative or contact person and the name and registered office of the legal entity/organization on whose behalf they are acting; optional contact details (email address and/or phone number)a description of the healthcare service and the associated prices (unit price, quantity, net price / VAT / gross price, total amounts); any discounts offered and their legal basis; the date of the quotation request and the date of issuance and delivery of the quotation, the validity period of the quotation.

If the quote is sent to the potential customer via email, the data controller will also process the contact email address of that person. (The quote is attached as a password-protected, encrypted PDF file.)

Source of personal data:

The data subject (or their legal representative or contact person) provides the data themselves.

The duration of data management:

The data controller typically retains the personal data provided in the request for proposal for 60 days. If services are provided, data processing will continue for the duration of the contractual relationship related to the service.

All personal data contained in medical records must be retained for at least 30 years in accordance with Section 30(1) of the Health Care Act (depending on the course of medical treatment).

Recipients (subjects of data transmission):

The company operating the data controller’s internal management system is MOANA SOFTWARE MAGYARORSZÁG Kft.,

data is thereby transferred to that company, acting as a data processor 

1025 Budapest, Zöldlomb Street 32-34/b, 4th floor 16 apt. contact details: info@moanasoftware.com, Cg.01-09-699603., TAX id nr: 12709407-2-41., e-mail: info@moanasoftware.com, website: https://www.moanasoftware.com).

Personal data—if the request for proposal process results in an agreement for the provision of healthcare services—will be disclosed to the parties specified in Section 11 for the purpose of providing such healthcare services (see: Section 11, RECIPIENTS).

While performing its duties—strictly for the purposes specified—Bonitás IT Limited Liability Company may access personal data in its capacity as a data processor. (registered office 6725 Szeged, 18 Szabadkai Street, company registration number: Cg.06-09-012933., TAX id nr: 14445181-4-06, contact details: info@bonitasit.hu), which, in its capacity as a data controller, provides comprehensive application management, application development, infrastructure management, IT consulting and services, as well as IT security services.

Third-country data transfers:

Data transfer does not take place.

Automated decision-making, profiling:

Automated decision-making, profiling does not take place.

Is the provision of data mandatory:

No, in this is the case, we are unable to provide a quote for medical services in response to your request.

What are the consequences if the data subject does not provide their personal data:

The data subject in question does not receive an offer, so the healthcare service cannot be provided.

The aim of data management

Creating a personal customer account for the purpose of dealing with administrative matters online or by using the mobile app.

The legal basis for data management:

The data subject’s consent pursuant to Article 6(1)(a) of the GDPR, which may be withdrawn at any time without giving a reason. In this case, your registration (i.e., your personal account) will be deleted.

Regarding special categories of data (e.g., health data), data processing is permitted under Article 9(2)(a) and (h) of the GDPR (based on the data subject’s explicit consent, or for the purpose of providing health services or medical care).

Description of the legitimate interest:

The data management is not based on a legitimate interest.

Categories of data subjects:

Patients registering to create a personal account.

Categories of personal data processed:

The registrant’s username, password, email address, name, mother’s maiden name, gender, address, date of birth, phone number, preferred method of communication with the data controller (submit documentation), and social security number.

Source of personal data:

The data is provided by the data subject themselves.

The duration of data management:

Registration is based on the patient’s consent, which may be withdrawn at any time without providing a reason. In this case, your personal account will be deleted. 

However, please note that if you use our healthcare services, the data controller remains obligated to process your health data in accordance with Data Protection Act.

Recipients (subjects of data transmission):

When using the online customer service feature, users are authenticated via the Microsoft Azure Active Directory system, i.e., through a cloud-based service provided by MICROSOFT AZURE MICROSOFT CORPORATION (WA 98052, One Microsoft Way, Redmond, USA); thus, MICROSOFT acts as a data processor.

Contact details of MICROSOFT’s data protection officer: https://www.dataprivacyframework.gov/s/participant-search/participant-d…

The data controller also transfers data to MOANA SOFTWARE MAGYARORSZÁG Kft., 

to the data processor that operates the data controller’s online internal management system,

1025 Budapest, Zöldlomb Street 32-34/b, 4th floor 16 apt. contact details: info@moanasoftware.com, Cg.01-09-699603., TAX id nr: 12709407-2-41., e-mail: info@moanasoftware.com, website: https://www.moanasoftware.com).

To operate the mobile app, the data controller uses a data processor, which is the following company: SMP Solutions Zrt. (Registered office: 1138 Budapest, 47–49 Madarász Viktor Street, Building 2 3rd floor. company registration number: Cg. 01-10-140383, TAX id nr: 26777810-2-44., e-mail: smp@smp.hu, website: https://smpsolutions.hu)

While performing its duties—strictly for the purposes specified—Bonitás IT Limited Liability Company may access personal data in its capacity as a data processor. (Registered office 6725 Szeged, 18 Szabadkai Street, company registration number: Cg.06-09-012933., TAX id nr: 14445181-4-06, contact details: info@bonitasit.hu), which, in its capacity as a data controller, provides comprehensive application management, application development, infrastructure management, IT consulting and services, as well as IT security services.

Third-country data transfers:

Data is transferred to a data processor, MICROSOFT CORPORATION, located in the United States, which is not a European Union-registered company; and is therefore considered a third-country entity; however, since July 17, 2023, it has been a participant of the data protection frameworks in effect between the EU and the US, the UK, and Switzerland and the US (Data Privacy Framework, https://www.dataprivacyframework.gov/s/participant-search/participant-d… this, data protection compliance has been achieved.

Automated decision-making, profiling:

Automated decision-making, profiling does not take place.

Is the provision of data mandatory:

No, but in this case, we cannot create a personal customer account.

What are the consequences if the data subject does not provide their personal data:

A significant portion of administrative tasks cannot be handled online or via the mobile app (see the description in the following section).

The aim of data management

The purpose of the personal customer account is to enable users to manage their administrative matters via the online portal and mobile app; to book appointments for healthcare services, modify appointments, and view appointment history; and to access medical records and invoices issued in connection with healthcare services received from the data controller.

The legal basis for data management:

In the personal customer account, the data controller processes personal data not covered by the categories listed in the following paragraphs (e.g., username, password, etc.) based on the data subject’s consent, in accordance with Article 6(1)(a) of the GDPR; this continues until the data subject withdraws such consent and deletes their personal customer account. The data subject may do so at any time.

If the data subject has received healthcare services from the data controller, the data controller is required to retain the medical records pursuant to Section 136 of Act CLIV of 1997 (Health Care Act). The documentation also includes the date and time of the examination registered online. The legal basis for the processing of this personal data complies with Article 6(1)(c) of the GDPR complying with a legal obligation (documentation of medical records). 

Similarly, the legal basis for processing invoices is the fulfilment of a legal obligation. Regarding invoices issued for the provision of healthcare services, the basis for the documentation requirement (invoicing) is Section 159 and 169 of Act CXXVII of 2007 on Value-Added Tax, and Sections 166–169 of Act C of 2000 on Accounting.

Regarding special categories of data (e.g., health data), data processing is permitted under Article 9(h) of the GDPR (data processing for the purpose of providing health care).

Description of the legitimate interest:

The data management is not based on a legitimate interest.

Categories of data subjects:

Natural persons who register for a personal customer account.

Categories of personal data processed:

Registration data:

The registrant’s username, password, email address, name, mother’s maiden name, gender, address, date of birth, phone number, preferred method of communication with the data controller (submitting documentation), and social security number.

Other data: 

invoices, medical history, medical records, appointments for healthcare services, and the cancellation or rescheduling of appointments.

Source of personal data:

The data subject provides some of the data themselves, while other data is provided (or determined) by healthcare professionals involved in the provision of care. 

The duration of data management:

Data constituting part of the health records must generally be retained for 30 years pursuant to Section 30(1) of the Health Care Act, (depending on the course of health care).

The basis for the documentation requirement (invoicing) is Section 159 and Section 169 of Act CXXVII of 2007 on Value Added Tax, as well as Sections 166–169 of Act C of 2000 on Accounting; the data retention period is until the last day of the 8.th year following the issuance of the invoice.

The data controller will process other data until the data subject terminates their personal account.

Recipients (subjects of data transmission):

Personal data may be disclosed to third parties for the purpose of providing healthcare services. Third parties are defined as professional staff involved in the provision of healthcare services who are not employed by the facility, as well as cooperating independent business entities (doctors, patient transport providers, laboratories, diagnostic companies, home visit service providers, etc.).

Patients are also informed separately about the transfer of data.

E-prescriptions issued as part of healthcare services, as well as medical records, are transmitted to the Electronic Healthcare Services Platform (EESZT) operated by the Ministry of the Interior (1051 Budapest, József Attila u. 2-4, Health Line; Email: info@egeszsegvonal.gov.hu). medical records, Healthline: 1812, E-mail:info@egeszsegvonal.gov.hu) the Electronic Healthcare Services Platform (EESZT) operated by the Ministry of Interior (1051 Budapest, 2-4 József Attila street). This is based on the fulfilment of a legal obligation (Section 2(1a) No. 39/2016 (XII.21) EMMI DECREE.

The data controller also transfers data to MOANA SOFTWARE MAGYARORSZÁG Kft.,

to the data processor operating the online system

1025 Budapest, 32–34/b Zöldlomb Street 16 4th floor, info@moanasoftware..com, website: https://www.moanasoftware.com: company registration number Cg.01-09-699603).

To operate the mobile app, the data controller also uses a data processor, which is the following company: SMP Solutions Zrt. (Registered office: 1138 Budapest, 47–49 Madarász Viktor Street, Building 2 3rd floor. company registration number: Cg. 01-10-140383, TAX id nr: 26777810-2-44., e-mail: smp@smp.hu, website: https://smpsolutions.hu).

Online registration via personal customer accounts and the identification of users by the data controller take place within the Microsoft Azure Active Directory system, that is, through the cloud-based service provided by MICROSOFT AZURE (MICROSOFT CORPORATION, WA 98052, One Microsoft Way, Redmond, USA), meaning that MICROSOFT acts as a data processor.

Contact details of MICROSOFT’s data protection officer: https://www.dataprivacyframework.gov/s/participant-search/participant-d…

While performing its duties—strictly for the purposes specified—Bonitás IT Limited Liability Company may access personal data in its capacity as a data processor. (registered office 6725 Szeged, 18 Szabadkai Street, company registration number: Cg.06-09-012933., TAX id nr: 14445181-4-06 , contact details: info@bonitasit.hu), which, in its capacity as a data controller, provides comprehensive application management, application development, infrastructure management, IT consulting and services, as well as IT security services.

Third-country data transfers:

Data is transferred to a data processor, MICROSOFT CORPORATION, located in the United States, which is not a European Union-registered company; and is therefore considered a third-country entity; however, since July 17, 2023, it has been a participant of the data protection frameworks in effect between the EU and the US, the UK, and Switzerland and the US (Data Privacy Framework, https://www.dataprivacyframework.gov/s/participant-search/participant-d… this, data protection compliance has been achieved.

Automated decision-making, profiling:

Automated decision-making, profiling does not take place.

Is the provision of data mandatory:

No, in this case, the data subject cannot manage their affairs through their personal account.

What are the consequences if the data subject does not provide their personal data:

A significant part of administrative tasks cannot be handled online or via a mobile app.

The aim of data management

The creation and operation of a corporate user account for the purpose of secure data transfer and the delivery of medical records between the contracting parties (the company and the data controller). In the broader sense, the purpose of data processing is to ensure the rapid and seamless delivery of healthcare services.

The legal basis for data management:

The registration and operation of the corporate customer account are carried out with the consent of the company, which the company may revoke at any time. In this case, your personal account will be deleted. However, this data processing falls outside the scope of the GDPR.

With regard to the personal data of the company contact person (name and, where applicable, email address) and the data controller’s employees (their names) displayed on the portal, the legal basis for data processing is the legitimate interest of the data controller pursuant to Article 6(1)(f) of the GDPR (which is also consistent with the legitimate interest of the company).

If an employee of the company receives healthcare services from the data controller, the data controller is required, pursuant to Section 136 of Act CLIV of 1997 (Health Care Act), to document the care provided and retain the medical records. The documentation may also include documents uploaded to the portal. The legal basis for the processing of this personal data complies with Article 6(1)(c) of the GDPR complying with a legal obligation (documentation of medical records).

Regarding special categories of data (e.g., health data), data processing is permitted under Article 9(2)(a) of the GDPR (based on the data subject’s explicit consent) or Article 9(2)(h) (the provision of health care or other medical services).

Similarly, the legal basis for the management and retention of invoice data is following a legal obligation. Regarding invoices issued for the provision of healthcare services, the basis for the documentation requirement (invoicing) is Section 159 and 169 of Act CXXVII of 2007 on Value-Added Tax, and Sections 166–169 of Act C of 2000 on Accounting.

Description of the legitimate interest:

In connection with the use of the portal, the legitimate interest regarding the personal data of the contact persons (name and, where applicable, email address) and the employees of the data controller (name) are linked to the legitimate interest in the obligation to cooperate with the contracting partner and the fulfilment of contractual rights and obligations; however, the employees of the parties may have a right to self-determination regarding the protection of their names and workplace contact information, however, providing this information—to their employer—is also a legal obligation arising from their employment contract; contractual performance and smooth communication are in the fundamental labour law interests of these contacts and employees, so no actual infringement of rights affects these data subjects.

The data controller processes the personal data of these data subjects solely in relation to the legal entity they represent and not in their capacity as natural persons.

Categories of data subjects:

Company contacts authorized to create and manage corporate user accounts,

employees involved in the data controller’s data upload process (whose names appear on the portal interface); 

and employees receiving healthcare services from the company, in their capacity as patients.

Categories of personal data processed:

Regarding the contact person who activates and manages the corporate user account: name, corporate username, password, email address, and company name.

Regarding data controller employees who upload documents and data to the data exchange portal: name.

All personal data of company employees affected by the documentation uploaded to the portal that appears in such documentation.

Typical documents and the personal data they contain:

“List of eligible individuals”: 

full name, birth name, gender, personal identification number, mother’s name, exact address, Social Security number, occupational health classification code (A, B, C, or D), job title, company-specific data, Hungarian Standard Classification of Occupation (FEOR nr), date of birth, date of occupational health examination, fitness for duty, examination validity, fitness to work from ophthalmology standpoint testing visual acuity, visual examination validity, email address, phone number, health insurance fund code, tax identification number.

“Referral Form” (for an occupational health examination): 

employee’s name, date of birth, address, job title, Social Security number, reason for the examination, the main health risks associated with the job, and the duration of such risks during working hours.

“Occupational Health Statistics Form”: 

company name; names of employees subject to the examination; for each employee: date of birth, social security number, job title, occupational health category, date of occupational health examination, description of the occupational health examination, occupational health fitness status, validity of occupational health fitness examination, date of ophthalmic examination, eye fitness status, validity of eye fitness, validity of fitness for work justified by chest X-ray, contract description, company email address, employee ID nr, any company-specific data.

“Screening TESTS Statistics Sheet”:

the date of the screening test, the names of the employees affected, and the following details: type of screening, type of contract.

Fitness for work assessments:

Date of examination, name, date of birth, job title, employer, opinion (simply stating whether the individual is suitable for the position, possibly with restrictions, or whether they are unsuitable).

Other information that can be uploaded to the portal includes appointments for healthcare services, cancellations of appointments, and changes to appointments, etc.

Regarding healthcare services, Section 11 of this Privacy Notice provides detailed guidance on other personal data recorded about the employee as a patient—which the data controller processes uniformly for all patients in accordance with legal requirements.

Source of personal data:

Some of the data processed is provided by the company, as the employer, through its contact person.

The employee appearing for the examination, as the data subject, provides the personal data documented there in part on his or her own when appearing for the examination; 

other data is determined by the professional staff of the data controller involved in the provision of healthcare services.

The duration of data management:

Documents uploaded to the corporate data exchange portal and the personal data they contain remain accessible for 30 days from the date of upload (provided the user account is active); after that, they are automatically deleted (since the purpose of the portal is not data storage, but rather data exchange and data transmission).

Please note, however, that when you use our healthcare services, the data controller remains obligated under the law to process your health and related data; therefore, deleting your user account does not automatically result in the deletion of documents uploaded or downloaded to it from the data controller’s administrative system.

Data constituting part of the health records pursuant to Section 30(1) of the Health Care Act, must generally be retained for 30 years (depending on the course of health care).

The basis for the documentation requirement (invoicing) is Section 159 and Section 169 of Act CXXVII of 2007 on Value Added Tax, as well as Sections 166–169 of Act C of 2000 on Accounting; the data retention period is until the last day of the 8.th year following the issuance of the invoice.

Recipients (subjects of data transmission):

Corporate user account registration and customer identification take place within the Microsoft Azure Active Directory system, that is, through the cloud-based service provided by MICROSOFT AZURE (MICROSOFT CORPORATION, WA 98052, One Microsoft Way, Redmond, USA), thus MICROSOFT acts as a data processor.

Contact details of MICROSOFT’s data protection officer: https://www.dataprivacyframework.gov/s/participant-search/participant-d…

The data controller also transfers data to MOANA SOFTWARE MAGYARORSZÁG Kft., 

to the data processor that operates the data controller’s online internal management system,

(1025 Budapest, Zöldlomb Street 32-34/b, 4th floor 16 apt. contact details: info@moanasoftware.com, Cg.01-09-699603., TAX id nr: 12709407-2-41., e-mail: info@moanasoftware.com, website: https://www.moanasoftware.com).

Personal data may be disclosed to third parties for the purpose of providing healthcare services. Third parties are defined as professional staff involved in the provision of healthcare services who are not employed by the facility, as well as cooperating independent business entities (doctors, patient transport providers, laboratories, diagnostic companies, home visit service providers, etc.).

Patients are also informed separately about the transfer of data.

E-prescriptions issued as part of healthcare services, as well as medical records, are transmitted to the Electronic Healthcare Services Platform (EESZT) operated by the Ministry of the Interior (1051 Budapest, József Attila u. 2-4, Health Line; Email: info@egeszsegvonal.gov.hu). medical records, Healthline: 1812, E-mail: info@egeszsegvonal.gov.hu) the Electronic Healthcare Services Platform (EESZT) operated by the Ministry of Interior (1051 Budapest, 2-4 József Attila street). This is based on the fulfilment of a legal obligation (Section 2(1a) of 39/2016 (XII.21 EMMI Decree).

For the purposes of electronic invoicing, invoice data—in connection with the “szamlazz.hu” invoicing software—will be transmitted to the following subcontractor: KBOSS.hu Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (registered office: 1031 Budapest 7. Záhony str company registration number:  Cg.01-09-303201., TAX id nr: 13421739-2-41., e-mail: info@szamlazz.hu, website: https://www.szamlazz.hu/szamla/main).

While performing its duties—strictly for the purposes specified—Bonitás IT Limited Liability Company may access personal data in its capacity as a data processor. (registered office 6725 Szeged, 18 Szabadkai Street, company registration number: Cg.06-09-012933., TAX id nr: 14445181-4-06, contact details: info@bonitasit.hu), which, in its capacity as a data controller, provides comprehensive application management, application development, infrastructure management, IT consulting and services, as well as IT security services.

Third-country data transfers:

Data is transferred to a data processor, MICROSOFT CORPORATION, located in the United States, which is not a European Union-registered company; and is therefore considered a third-country entity; however, since July 17, 2023, it has been a participant of the data protection frameworks in effect between the EU and the US, the UK, and Switzerland and the US (Data Privacy Framework, https://www.dataprivacyframework.gov/s/participant-search/participant-d… this, data protection compliance has been achieved.

Automated decision-making, profiling:

Automated decision-making, profiling does not take place.

Is the provision of data mandatory:

No, in this case we are unable to create and maintain a corporate user account; furthermore, a refusal to provide data, or the provision of inaccurate or delayed data, may also hinder the delivery of healthcare services.

What are the consequences if the data subject does not provide their personal data:

This makes it impossible to conduct secure and simple data exchange and administrative procedures on the portal, and, in a broader sense, even to provide healthcare services.

The aim of data management

The provision of healthcare; the coordination of interactions between doctors/healthcare professionals and patients (care coordination); the implementation of treatment and preventive and curative healthcare activities.

The legal basis for data management:

Until the meeting between the doctor (healthcare professional) and the data subject takes place at our clinic at the relevant time, the legal basis for our data processing is “performance of a contract for the provision of healthcare services,” as specified in Article 6(1)(b) of the GDPR.

The legal basis for subsequent data management:

However, after the medical service (doctor-patient consultation) has taken place, the healthcare provider (including our facility) is required to retain the medical records in accordance with Section 136 of the Health Care Act. The date of the examination is also part of the documentation. The legal basis for data processing in this regard is therefore compliance with a legal obligation under Article 6(1)(c) of the GDPR (medical records).

The legal basis for the processing of invoices is similarly the fulfilment of a legal obligation; the statutory basis for this is Sections 159 and 169 of Act CXXVII of 2007 on Value Added Tax, as well as Sections 166–169 of Act C of 2000 on Accounting.

Regarding special categories of data (e.g., health data), data processing is permitted under Article 9(h) of the GDPR (data processing for the purpose of providing health care).

Description of the legitimate interest:

The data management is not based on a legitimate interest.

Categories of data subjects:

Natural persons who book appointments at the data controller's facility via the online appointment scheduling system on the https://foglaljorvost.hu website.

Categories of personal data processed:

Personal data provided to Foglaljorvost Online Kft. during the appointment booking process and forwarded by them to our institution (i.e., the data controller, Budai Health Center):

Name of the data subject; if the data subject is a legal representative, the fact that he/she is acting as such; in the case of a registered representative, the name of the patient being represented; Social Security number, phone number, and/or email address (contact information), the name and address of the healthcare facility to be visited, the name of the chosen doctor/healthcare professional, the exact date booked online (year, month, day), the booked hour and minute; information regarding any cancellation of the appointment; details of any appointment changes (same data fields as those for the original appointment booking).

Source of personal data:

The data subject provides the personal data directly to https://foglaljorvost Foglaljorvost Online Kft., which acts as the data controller and forwards—exclusively the above-mentioned data—to our facility (as an independent data controller).

The duration of data management:

Until the appointment between the doctor (healthcare professional) and the patient takes place, the patient may cancel the appointment, which also means that our clinic will terminate the data management, i.e., the data controller will delete the data received from Foglaljorvost Online Kft., as well as the booked appointment, upon the patient’s request.

The data controller follows a similar procedure when a date of appointment is changed: it deletes the record of the previous appointment along with the booked service, while continuing to process the new appointment and any related data.

Following a consultation between the doctor (healthcare professional) and the patient, the duration of data management is as follows:

Data constituting part of health records which includes the date of the healthcare service must generally be retained for 30 years pursuant to Section 30(1) of the Health Care Act, (depending on the course of health care).

The basis for the documentation requirement (invoicing) is Section 159 and Section 169 of Act CXXVII of 2007 on Value Added Tax, as well as Sections 166–169 of Act C of 2000 on Accounting; the data retention period is until the last day of the 8.th year following the issuance of the invoice.

Recipients (subjects of data transmission):

The data processing procedures related to the online appointment booking process on the https://foglaljorvost.hu website are described by Foglaljorvost Online Kft., as an independent data controller, in its own privacy policy, which is available here: https://foglaljorvost.hu/adatkezelesi-tajekoztato.

As an independent data controller, our facility receives the personal data listed above from Foglaljorvost Online Kft. via data transfer.

Personal data may be disclosed to third parties for the purpose of providing healthcare services. Third parties are defined as professional staff involved in the provision of healthcare services who are not employed by the facility, as well as cooperating independent business entities (doctors, patient transport providers, laboratories, diagnostic companies, home visit service providers, etc.).

Patients are also informed separately about the transfer of data.

E-prescriptions issued as part of healthcare services, as well as medical records, are transmitted to the Electronic Healthcare Services Platform (EESZT) operated by the Ministry of the Interior (1051 Budapest, József Attila u. 2-4, Health Line; Email: info@egeszsegvonal.gov.hu). medical records, Healthline: 1812, E-mail: info@egeszsegvonal.gov.hu) the Electronic Healthcare Services Platform (EESZT) operated by the Ministry of Interior (1051 Budapest, 2-4 József Attila street). This is based on the fulfilment of a legal obligation (Section 2(1a) of EMMI Decree No. 39/2016 (XII.21)).

To store data, the data controller uses the cloud-based service provided by MICROSOFT AZURE (MICROSOFT CORPORATION), and thus MICROSOFT CORPORATION (One Microsoft Way, Redmond, WA 98052, USA) acts as a data processor. Contact details of MICROSOFT’s data protection officer: https://www.dataprivacyframework.gov/s/participant-search/participant-d….

While performing its duties—strictly for the purposes specified—Bonitás IT Limited Liability Company may access personal data in its capacity as a data processor. (registered office 6725 Szeged, 18 Szabadkai Street, company registration number: Cg.06-09-012933., TAX id nr: 14445181-4-06 , contact details: info@bonitasit.hu), which, in its capacity as a data controller, provides comprehensive application management, application development, infrastructure management, IT consulting and services, as well as IT security services.

Third-country data transfers:

Data is transferred to a data processor, MICROSOFT CORPORATION, located in the United States, which is not a European Union-registered company; and is therefore considered a third-country entity; however, since July 17, 2023, it has been a participant of the data protection frameworks in effect between the EU and the US, the UK, and Switzerland and the US (Data Privacy Framework, https://www.dataprivacyframework.gov/s/participant-search/participant-d… this, data protection compliance has been achieved.

Automated decision-making/profiling:

Automated decision-making, profiling does not take place.

Is the provision of data mandatory:

No, in this case, the data subject cannot use the services of our clinic—that is, the data controller—by booking an appointment online at https://foglaljorvost.hu

What are the consequences if the data subject does not provide their personal data:

Online appointment bookings not enabled onhttps://foglaljorvost.hu website.

The aim of data management

The provision of healthcare services, the documentation and verification of medical, therapeutic, and preventive activities, as well as the fees paid by the patient.

The legal basis for data management:

Pursuant to Section 136 of the Health Care Act, a health care provider (and thus a data controller) is required to issue and retain medical documentation. The legal basis for data processing in this regard is therefore compliance with a legal obligation under Article 6(1)(c) of the GDPR.

The legal basis for issuing and storing invoices, as well as for the related data reporting, is likewise the fulfilment of a legal obligation; the legal basis for which is Sections 159 and 169 of Act CXXVII of 2007 on Value Added Tax, as well as Sections 166–169 of Act C of 2000 on Accounting.

Regarding special categories of data (e.g., health data), data processing is permitted under Article 9(h) of the GDPR (data processing for the purpose of providing healthcare).

Description of the legitimate interest:

The processing of data is not based on legitimate interests.

Categories of data subjects:

Individuals receiving healthcare services from the data controller.

Categories of personal data processed:

The patient’s name, mother’s maiden name, address, social security number, place and date of birth, contact information (email address and/or phone number); passport number or other form of identification for foreign nationals; 

the name, address, and contact information of the authorized representative;

the name, address, and contact information of the supporting person or the legal representative of a minor, 

personal data recorded in the health records; 

the name of the document issued (invoice, advance invoice, cancellation invoice, correction invoice), the fee for the service provided, and the invoice details related to payment; the details of the individual listed as the “customer” on the invoice, if that person is not the same as the data subject.

Source of personal data:

During data collection, the data subject provides personal data; during the provision of care, the data controller, as a healthcare provider, provides personal data. 

In the case of occupational health services, the employer itself provides personal data regarding its employees for the purpose of patient registration.

The duration of data management:

Data constituting part of the health records must generally be retained for 30 years pursuant to Section 30(1) of the Health Care Act, (depending on the course of health care).

The basis for the documentation requirement (invoicing) is Section 159 and Section 169 of Act CXXVII of 2007 on Value Added Tax, as well as Sections 166–169 of Act C of 2000 on Accounting; the data retention period is until the last day of the 8.th year following the issuance of the invoice.

Recipients (subjects of data transmission):

Personal data may be disclosed to third parties for the purpose of providing healthcare services. Third parties are defined as professional staff involved in the provision of healthcare services who are not employed by the facility, as well as cooperating independent business entities (doctors, patient transport providers, laboratories, diagnostic companies, home visit service providers, etc.).

Patients are also informed separately about the transfer of data.

We will inform the employer on the results (and only the results) of the occupational health examination.

E-prescriptions issued as part of healthcare services, as well as medical records, are transmitted to the Electronic Healthcare Services Platform (EESZT) operated by the Ministry of the Interior (1051 Budapest, József Attila u. 2-4, Health Line; Email: info@egeszsegvonal.gov.hu). medical records, Healthline: 1812, E-mail:info@egeszsegvonal.gov.hu) the Electronic Healthcare Services Platform (EESZT) operated by the Ministry of Interior (1051 Budapest, 2-4 József Attila street). This is based on the fulfilment of a legal obligation (Section 2(1a) of EMMI Decree No. 39/2016 (XII.21)).

To store data, the data controller uses the cloud-based service provided by MICROSOFT AZURE (MICROSOFT CORPORATION), and thus MICROSOFT CORPORATION (One Microsoft Way, Redmond, WA 98052, USA) acts as a data processor. Contact information for MICROSOFT’S data protection officer: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000KzNaAAK&status=Active

For the purposes of electronic invoicing, invoice data—in connection with the “szamlazz.hu” invoicing software—will be transmitted to the following subcontractor: KBOSS.hu Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (registered office: 1031 Budapest 7 Záhony street, company registration number:  Cg.01-09-303201., TAX id nr: 13421739-2-41., contact details: info@szamlazz.hu, website: https://www.szamlazz.hu).

The company operating the data controller’s internal management system is MOANA SOFTWARE MAGYARORSZÁG Kft.,

data is thereby transferred to that company, acting as a data processor 

(1025 Budapest, Zöldlomb Street 32-34/b, 4th floor 16 apt. contact details: info@moanasoftware.com, Cg.01-09-699603., TAX id nr: 12709407-2-41., e-mail: info@moanasoftware.com, website: https://www.moanasoftware.com).

While performing its duties—strictly for the purposes specified—Bonitás IT Limited Liability Company may access personal data in its capacity as a data processor. (registered office 6725 Szeged, 18 Szabadkai Street, company registration number: Cg.06-09-012933., TAX id nr: 14445181-4-06 , contact details: info@bonitasit.hu), which, in its capacity as a data controller, provides comprehensive application management, application development, infrastructure management, IT consulting and services, as well as IT security services.

Third-country data transfers:

Data is transferred to a data processor, MICROSOFT CORPORATION, located in the United States, which is not a European Union-registered company; and is therefore considered a third-country entity; however, since July 17, 2023, it has been a participant of the data protection frameworks in effect between the EU and the US, the UK, and Switzerland and the US (Data Privacy Framework, https://www.dataprivacyframework.gov/s/participant-search/participant-d… this, data protection compliance has been achieved.

Automated decision-making/profiling:

Automated decision-making, profiling does not take place.

Is the provision of data mandatory:

Under the law, the provision of personal data is voluntary; however, without such data, healthcare services cannot be accessed, unless the law provides for an exception (e.g., the need for emergency treatment).

What are the consequences if the data subject does not provide their personal data:

According to the law, the collection of medical records is a mandatory part of medical treatment. Without the relevant data reported by the data subject, medical services cannot be provided; unless the law specifies an exception (e.g., the need for urgent medical intervention).

Managing patients medical records in a single location (personal online account) was designed to improve accessibility, ensure quick and secure access exclusively for authorized users, and to support healthcare services. The data controller processes the documentation uploaded or received via email for the purpose of providing future healthcare services and accessing the patient’s past medical history.

The legal basis for data processing prior to the provision of healthcare services is the consent provided by the patient pursuant to Article 6(1)(a) of the GDPR. 

After this date, data management will be based on the legal obligation specified in Article 6(1)(c) of the GDPR.

The legal basis for this obligation is established by Section 136 of the Health Care Act, which stipulates that the data controller is required to retain medical records (including test results).

Regarding special categories of data (e.g., health data), data management is allowed under Article 9(2)(a) of the GDPR (the data subject’s explicit consent) and Article 9(2)(h) (the provision of medical care or health services).

The data management is not based on a legitimate interest.

Natural persons who send their medical records to the email address orvosilelet@bhc.hu or who upload these documents to their personal online customer account.

Personal data contained in the document, or—in the case of data transmission via email—the sender’s name, email address, the date and subject of the email, as well as the email’s content and attachments.

The data is provided by the data subject themselves.

Up until the point of receiving healthcare services, the data subject may withdraw their consent to the processing of their data at any time. In this case, the personal data (uploaded medical records) will be deleted.

If you have received medical services:

Data constituting part of the healthcare records—including previous medical records uploaded by the patient— must generally be retained for 30 years pursuant to Section 30(1) of the Health Care Act, (depending on the course of health care).

Personal data may be disclosed to third parties for the purpose of providing healthcare services. Third parties are defined as professional staff involved in the provision of healthcare services who are not employed by the facility, as well as cooperating independent business entities (doctors, patient transport providers, laboratories, diagnostic companies, home visit service providers, etc.).

Patients are also informed separately about the transfer of data.

Medical documents/ are forwarded to Healthline: 1812, E-mail: info@egeszsegvonal.gov.hu) the Electronic Healthcare Services Platform (EESZT) operated by the Ministry of Interior (1051 Budapest, 2-4 József Attila street). This is based on the fulfilment of a legal obligation (Section 2(1a) of EMMI Decree No. 39/2016 (XII.21)).

https://e-egeszsegugy.gov.hu/hu/mi-az-eeszt-.

While performing its duties—strictly for the purposes specified—Bonitás IT Limited Liability Company may access personal data in its capacity as a data processor. (registered office 6725 Szeged, 18 Szabadkai Street, company registration number: Cg.06-09-012933., TAX id nr: 14445181-4-06, contact details:info@bonitasit.hu), which, in its capacity as a data controller, provides comprehensive application management, application development, infrastructure management, IT consulting and services, as well as IT security services.

Data transfer does not take place.

Automated decision-making, profiling does not take place.

The patient initiates contact; in his or her own interest and to ensure the success of the medical care, he or she provides his or her medical history in this manner.

If the documentation has not been sent to the healthcare provider—and is not available in the EESZT—the patient must present it in physical form during the appointment or personal consultation.

The aim of data management

Provision of emergency and non-emergency medical advice, as well as specialist consultations, without the need for an in-person visit; The purpose of the written summary is to fulfil the legal requirement to maintain health records, ensure the provider’s accountability, and enable the handling of any complaints and the enforcement of legal claims (which is also the reason for recording telephone conversations conducted through customer service).

The legal basis for data management:

Performance of a contract for the provision of healthcare services pursuant to Article 6(1)(b) of the GDPR.

In the case of emergency medical advice, the legal basis is also the vital interest of the data subject under Article 6(1)(d) of the GDPR, which is the provision of appropriate medical advice and care.

Data processing related to the health advisory service is necessary and permissible for the purposes of preventive healthcare and the provision of healthcare services (GDPR Article 9(2)(h)).

Regarding medical records, compliance with the legal obligation specified in Article 6(1)(c) of the GDPR. The legal basis for this obligation is established by Section 136 of the Health Care Act, which stipulates that the data controller is required to prepare and retain medical records.

Regarding the recording of telephone calls made through customer service, the legal basis for data processing is the legitimate interest of the data controller (the healthcare provider) and the patient, pursuant to Article 6(1)(f) of the GDPR. 

Regarding special categories of data (e.g., health data), data processing is permitted under Article 9(h) of the GDPR (provision of medical care and health services).

Description of the legitimate interest:

The legal basis for recording telephone conversations conducted through customer service is the legitimate interest of the data controller (the healthcare provider) and the patient. The legitimate interest is to ensure greater accountability in connection with the provision of healthcare; to establish and document the possibility of filing complaints or enforcement of legal claims.

However, the patient can expect their data to be processed, as they are informed of this both at the start of the consultation and on the data controller’s website. Audio recording is a particularly important safeguard in emergency consultations, for which there is no less restrictive alternative.

The data subject is also entitled to several rights. These rights are described in detail in this document. It is specifically emphasized that the patient in question may object to the recording of their personal data. Under your right of access, you may also request a copy of the audio recording. Finally, patients may request information regarding the processing of their personal data.

Categories of data subjects:

Patients calling the data controller’s designated phone number to ask for urgent or non-urgent specialist medical advice.

Categories of personal data processed:

Name of the person concerned, and, if applicable, the name of their employer, Social Security number, the data subject’s phone number, the data subject’s address/place of residence if an on-site consultation or transport to a facility is required, personal data provided by the patient necessary for specialist medical consultation, as well as special categories of such data (health data), the personal data and special categories of personal data (health data) contained in the specialist’s response, as well as the personal data recorded in the written summary.

In the case of a recorded telephone conversation, the data controller also handles the call’s unique identification number (which includes the date and time of the call and the data subject’s telephone number), as well as the data subject’s voice.

Source of personal data:

In most cases, the patient in question provides the data themselves (upon request for a specialist’s response); this is supplemented by personal data provided verbally or recorded in writing during the specialist’s response.

The duration of data management:

Regarding medical records, in accordance with Section 30(1) of the Health Care Act (depending on the course of medical treatment), the retention period for data management is typically 30 years.

In the case of voice recordings, the duration of data processing is 5 years from the date of the recording made on the landline. An exception to this rule applies if enforcement of legal claims is taken during this period. In this case, data processing will continue throughout the period necessary for the enforcement of legal claims.

Recipients (subjects of data transmission):

Personal data may be disclosed to third parties for the purpose of providing healthcare services. Third parties are defined as professional staff involved in the provision of healthcare services who are not employed by the facility, as well as cooperating independent business entities (doctors, patient transport providers, laboratories, diagnostic companies, home visit service providers, etc.).

Patients are also informed separately about the transfer of data.

The VCC Life Hungary Kft. (registered office: 1117 Budapest, 8–10 Október huszonharmadika Street Allee Corner Office Building, Bercsényi Tower, 4th Floor; company registration number: Cg.01-09-735941., TAX id nr: 13452696-2-43, contact details:info@virtual-call-center.hu) As a data processor, it provides the technical infrastructure for storing audio recordings of recorded telephone conversations conducted with customer service, and, if necessary, provides the technical infrastructure for customer service to access the audio recordings; it then deletes the audio recordings after the data retention period has expired.

E-prescriptions issued as part of healthcare services, as well as medical records, are transmitted to the Electronic Healthcare Services Platform (EESZT) operated by the Ministry of the Interior (1051 Budapest, József Attila u. 2-4, Health Line; Email: info@egeszsegvonal.gov.hu). are forwarded to Healthline: 1812, E-mail: info@egeszsegvonal.gov.hu) the Electronic Healthcare Services Platform (EESZT) operated by the Ministry of Interior (1051 Budapest, 2-4 József Attila street). This is based on the fulfilment of a legal obligation (Section 2(1a) of EMMI Decree 39/2016 (XII.21)).

https://e-egeszsegugy.gov.hu/hu/mi-az-eeszt-.

While performing its duties—strictly for the purposes specified—Bonitás IT Limited Liability Company may access personal data in its capacity as a data processor. (registered office 6725 Szeged, 18 Szabadkai Street, company registration number: Cg.06-09-012933., TAX id nr: 14445181-4-06, contact details: info@bonitasit.hu), which, in its capacity as a data controller, provides comprehensive application management, application development, infrastructure management, IT consulting and services, as well as IT security services.

Third-country data transfers:

Data transfer does not take place.

Automated decision-making, profiling:

Automated decision-making, profiling does not take place.

Is the provision of data mandatory:

The data subject is not required to provide this information.

What are the consequences if the data subject does not provide their personal data:

Data reporting is the foundation of quality healthcare. It becomes impossible or inaccurate to provide a medical specialist opinion without adequate data reporting.

The aim of data management

Providing specialist consultations and enabling more accurate diagnosis of the patient’s health conditions via video conference; the purpose of the brief written summary is also to document the patient’s health-related complaints (symptoms) and the specialist’s advice, thereby ensuring the healthcare provider’s accountability.

The legal basis for data management:

Performance of a contract for the provision of healthcare services pursuant to Article 6(1)(b) of the GDPR. 

Data processing related to the health advisory service is necessary and permissible for the purposes of preventive healthcare and the provision of healthcare services (GDPR Article 9(2)(h)).

The processing of special categories of personal data for the purposes of preventive healthcare or the provision of healthcare services (Article 9(2)(h) of the GDPR) is necessary and permissible.

Regarding medical records, compliance with the legal obligation specified in Article 6(1)(c) of the GDPR. The legal basis for this obligation is established by Section 136 of the Health Care Act, which stipulates that the data controller is required to prepare and retain medical records.

No video or audio recordings are made, so no further data processing takes place there.

Description of the legitimate interest:

The data management is not based on a legitimate interest. 

Categories of data subjects:

Patients using the video consultation service.

Categories of personal data processed:

Name of the person concerned, and, if applicable, the name of their employer, Social Security number, address/place of residence of the data subject in case of an on-site consultation or the need for transport to a medical facility, data necessary for patient identification, personal data provided by the patient(s) necessary for specialist medical consultation, as well as special categories of such data (health data); the personal data and special categories of personal data (health data) contained in the specialist’s response, as well as the personal data recorded in the written summary.

Source of personal data:

In most cases, the patient in question provides the data themselves (upon request for a specialist’s response); this is supplemented by personal data provided verbally or recorded in writing during the specialist’s response.

The duration of data management:

Since the video consultation is not recorded, the data controller does not store the data subject’s voice, the video footage showing the data subject, or the verbatim transcript of the conversation. Regarding the other data, the duration of data processing is as follows:

Pursuant to Section 30 of the Health Care Act, the written summary must generally be retained for 30 years.

Recipients (subjects of data transmission):

Personal data may be disclosed to third parties for the purpose of providing healthcare services. Third parties are defined as professional staff involved in the provision of healthcare services who are not employed by the facility, as well as cooperating independent business entities (doctors, patient transport providers, laboratories, diagnostic companies, home visit service providers, etc.).

Patients are also informed separately about the transfer of data.

E-prescriptions issued as part of healthcare services, as well as medical records, are forwarded to the Electronic Healthcare Services Platform (EESZT) operated by the Ministry of Interior (1051 Budapest, József Attila u.  are forwarded to Healthline: 1812, E-mail: info@egeszsegvonal.gov.hu) the Electronic Healthcare Services Platform (EESZT) operated by the Ministry of Interior (1051 Budapest, 2-4 József Attila street). This is based on the fulfilment of a legal obligation: Section 2, Paragraph 1a of EMMI Decree No. 39/2016 (December 21)

https://e-egeszsegugy.gov.hu/hu/mi-az-eeszt-.

While performing its duties—strictly for the purposes specified—Bonitás IT Limited Liability Company may access personal data in its capacity as a data processor. (registered office 6725 Szeged, 18 Szabadkai Street, company registration number: Cg.06-09-012933., TAX id nr: 14445181-4-06, contact details:info@bonitasit.hu), which, in its capacity as a data controller, provides comprehensive application management, application development, infrastructure management, IT consulting and services, as well as IT security services.

Third-country data transfers:

Third-country data transfer do not take place.

Automated decision-making, profiling:

Automated decision-making, profiling does not take place.

Is the provision of data mandatory:

Data provision is not mandatory.

What are the consequences if the data subject does not provide their personal data:

The provision of data is the basis of appropriate healthcare services; therefore, a lack of data reporting can constitute an obstacle to it.

The aim of data management

Investigating the complaint filed, taking appropriate action; and determining whether the same complainant has filed a repeat complaint regarding the same matter.

The legal basis for data management:

Compliance with a legal obligation under Article 6(1)(c) of the GDPR (the legal basis is Section 29(4) of the Health Care Act regarding health care, and Section 17/A(2) of the Consumer Protection Act regarding general complaints).

About special categories of data (e.g., health data), data management is permitted under Article 9(h) and (i) of the GDPR. 

Description of the legitimate interest:

The data management is not based on a legitimate interest.

Categories of data subjects:

Natural persons who have filed a complaint not related to healthcare;

or the contact persons or legal representatives of legal entities filing such complaints;

Patients filing complaints regarding healthcare services (pursuant to Section 3(a) of the Health Care Act, “patient” means a person who uses or receives healthcare services);

and

a representative authorized by the person filing the complaint, or the legal representative of the natural person filing the complaint; 

the person(s) affected by the complaint based on its content.

Categories of personal data processed:

The name and contact information of the person concerned (for the purpose of contacting them), the place and date of the complaint, the content of the complaint; the content of any attached documents; handwritten signature of the complainant; 

the name(s) of the person(s) concerned by the complaint—based on its content—and all data concerning them;

the date and place of possible withdrawal of the complaint; the reason for the withdrawal, if provided by the data subject; the signature of the data subject or the data subject’s representative who is withdrawing the complaint;

the name of the authorized representative, contact person, or legal representative; the contact information provided by them (to facilitate communication); the date (place and time) and content of the power of attorney; and the names, addresses, and signatures of the witnesses to the document; where applicable, the name, registered office, and chamber identification number of the legal representative; and, in the case of a power of attorney recorded in a public document, the personal data requested to establish the complainant’s identity and included in the public document, as well as any personal data of the notary public appearing in the public document.

In the case of complaints submitted by telephone, the data controller also handles the complaint’s unique identification number (which consists of the date and time of the call and the caller’s phone number).

Source of personal data:

The data is provided by the data subject themselves.

The duration of data management:

The data controller shall retain the information contained in the complaint, as well as data related to the investigation conducted on that basis and the measures taken, for a period of five years from the completion of the last investigative action or measure (in accordance with Section 29(4) of the Health Care Act)

However, if a legal claim is filed within five years and the legal proceedings are still ongoing after five years, data processing will continue until the legal claim is resolved.

Recipients (subjects of data transmission):

Personal data may be disclosed to third parties only in cases specified by law (e.g., bad faith) or with the complainant’s consent, in connection with the investigation of the complaint.

Third parties are defined as professional staff involved in the provision of healthcare services who are not employed by the facility, as well as cooperating independent business entities (doctors, patient transport providers, laboratories, diagnostic companies, home visit service providers, etc.).

We hereby draw the attention of the data subject to the fact that if they do not consent to the transfer of data, their complaint may not be investigated, as the investigation will face limitations or obstacles in the absence of the ability to transfer data.

The VCC Life Hungary Kft. (registered office: 1117 Budapest, 8–10 Október huszonharmadika Street Allee Corner Office Building, Bercsényi Tower, 4th Floor; company registration number: Cg.01-09-735941., TAX id nr: 13452696-2-43.; e-mail address: info@virtual-call-center.hu), as a data processor, in the case of complaints made by phone, it provides the technical infrastructure for storing the audio recordings of calls with customer service, and, if necessary, provides the technical infrastructure for customer service to access the audio recordings; it then deletes the audio recordings after the data retention period has expired.

If the complaint is forwarded to an authority, court, prosecutor’s office, or other third party, such recipients will act as independent data controllers.

While performing its duties—strictly for the purposes specified—Bonitás IT Limited Liability Company may access personal data in its capacity as a data processor. (registered office 6725 Szeged, 18 Szabadkai Street, company registration number: Cg.06-09-012933., TAX id nr: 14445181-4-06, contact details: info@bonitasit.hu), which, in its capacity as a data controller, provides comprehensive application management, application development, infrastructure management, IT consulting and services, as well as IT security services.

Third-country data transfers:

Data transfer does not take place.

Automated decision-making, profiling:

Automated decision-making, profiling does not take place.

Is the provision of data mandatory:

No, in such case, the ability to investigate the complaint or provide information regarding, is limited or impeded.

What are the consequences if the data subject does not provide their personal data:

In such case, the ability to investigate the complaint or provide information regarding, is limited or impeded.

The aim of data management

Evaluating the data controller’s services, ensuring that the services meet the required standards, and correcting and eliminating errors and deficiencies.

The legal basis for data management:

The legal basis for sending out satisfaction surveys is the legitimate interest of the data controller under Article 6(1)(f) of the GDPR.

When questionnaires are returned with personal data provided, the legal basis for further data processing is the data subject’s consent pursuant to Article 6(1)(a) of the GDPR, which may be withdrawn at any time without giving a reason.

If a complaint procedure is initiated based on the processing of additional personal data provided when returning the questionnaire, the legal basis for data processing is following a legal obligation pursuant to Article 6(1)(c) of the GDPR (the legal basis is Section 29(4) of the Health Act).

Description of the legitimate interest:

The data controller's legitimate interest is to identify errors and shortcomings and to continuously improve the quality of the service. However, this legitimate interest of the data controller also aligns with the legitimate interest of the data subject/patient.

Categories of data subjects:

Regarding the distribution of questionnaires, the data subjects are patients who have used the data controller’s healthcare services and have not opted out of receiving satisfaction surveys.

Categories of personal data processed:

The data subject’s name and email address (for the purpose of sending out the questionnaires); if the data subject submits a response containing additional personal data, the personal data processed also includes: the date the satisfaction survey was submitted, the date of the healthcare service used and mentioned, the healthcare professionals involved, and the data content of the evaluation.

Source of personal data:

The data is provided by the data subject themselves.

The duration of data management:

The data controller will process the data subject’s personal data for this purpose until the data subject objects to receiving the questionnaires; after that, the data subject will no longer receive the questionnaires.

If a patient returns the questionnaire without remaining anonymous and provides only positive feedback, the data controller will send a thank-you email and then delete any personal data contained in the response.

If the patient returns the questionnaire without remaining anonymous and raises a problem or expresses criticism, the data controller will treat this as a complaint submission and proceed in accordance with Section 15 (“Complaint Handling”).

The provisions of paragraph 15 apply.

Recipients (subjects of data transmission):

While performing its duties—strictly for the purposes specified—Bonitás IT Limited Liability Company may access personal data in its capacity as a data processor. (registered office 6725 Szeged, 18 Szabadkai Street, company registration number: Cg.06-09-012933., TAX id nr: 14445181-4-06, contact details:info@bonitasit.hu), which, in its capacity as a data controller, provides comprehensive application management, application development, infrastructure management, IT consulting and services, as well as IT security services.

Third-country data transfers:

Third country data transfer do not take place.

Automated decision-making, profiling:

Automated decision-making, profiling does not take place.

Is the provision of data mandatory:

No, in this case, the survey is evaluated anonymously.

What are the consequences if the data subject does not provide their personal data:

The survey is evaluated anonymously, which may limit the identification and effective solutions of specific problems.

The aim of data management

Reviewing reports; locating and identifying the rightful owners of found items; communicating with the person who reported the item.

The legal basis for data management:

The data controller’s legitimate interest pursuant to Article 6(1)(f) of the GDPR.

Description of the legitimate interest:

The legitimate interest is to return lost items to their owners and to demonstrate the data controller’s accountability in this regard.

Categories of data subjects:

Natural persons who send a report to the email address above.

Categories of personal data processed:

The data subject's name, email address, the date the email was sent, the subject line, and the content.

Source of personal data:

The data is provided by the data subject themselves.

The duration of data management:

One year period from the date of submission.

Recipients (subjects of data transmission):

While performing its duties—strictly for the purposes specified—Bonitás IT Limited Liability Company may access personal data in its capacity as a data processor. (registered office 6725 Szeged, 18 Szabadkai Street, company registration number: Cg.06-09-012933., TAX id nr: 14445181-4-06, contact details: info@bonitasit.hu), which, in its capacity as a data controller, provides comprehensive application management, application development, infrastructure management, IT consulting and services, as well as IT security services.

Third-country data transfers:

Third country data transfer do not take place.

Automated decision-making, profiling:

Automated decision-making, profiling does not take place.

Is the provision of data mandatory:

No, in this case, the purpose and effectiveness of data processing could be compromised.

What are the consequences if the data subject does not provide their personal data:

In this case, the purpose and effectiveness of data processing could be compromised, and it could hinder efforts to locate the owner.

Data Controller Details

Data Protection Officer’s Details

Buda Health Center LLC (BHC)

Represented by: Dr István Csernavölgyi Chief Executive Officer

Dr. Ádám Kéri, Dr Szonja Kéri, Dr Tamás Sándor Kéri

Chief Data Protection Officer: Dr Ádám Kéri

1126 Budapest,  1-3. Királyhágó street

1281 Budapest, Post Office Box.12.

Cg.01-10-141707., 

https://www.bhc.en,

dpo@bhc.hu

adam.keri.office@icloud.com

The aim of data management

Information about the data controller’s authorized employees; and facilitating contact with them (see: “About Us”); as well as information about the data controller’s healthcare activities, educational and other events it organizes, and current topics in healthcare (see: „News/blog”).

The legal basis for data management:

The legal basis for data management is the data controller’s legitimate interest pursuant to Article 6(1)(f) of the GDPR.

Description of the legitimate interest:

On the one hand the data controller’s significant legitimate interest is, the publication of contact information to support its training and educational activities and the participants in such training, as well as the description of the responsibilities of the staff organizing the training (“About Us”); and, on the other hand, to publish news, information, and current events related to the healthcare sector (“News/Blog”).

The publication of contact and job-related information about employees is necessary for the purpose of data management. In all cases, the description of their duties and contact information is provided to facilitate their work; furthermore, only work-related contact information is disclosed.

Personal data may also be displayed in text content (news articles, blog posts) in a targeted manner. Such data includes the data subject’s name, place of employment, job title, and position, as well as the fact that the data subject is involved in the event or incident described by the data controller. The textual content not only highlights the data controller’s achievements and future plans but also sheds a positive light on the third party mentioned in the text (recognition, awards, etc.),and thus is unlikely to infringe upon the aforementioned right, or may not infringe upon it at all.

We would like to specifically draw the attention of those concerned to their right to object.

We would also like to highlight that this table solely regulates the text-based display form; different rules apply to images and photos appearing on the website (see the table on data management in the following section).

Categories of data subjects:

Individuals who contribute as employees to the implementation and organization of the data controller’s educational and training activities conducted via the website (“About Us”);

 as well as individuals mentioned in the texts published on the website (“News/Blog”).

Categories of personal data processed:

The name of the employee concerned; their job title, email address, and mobile phone number (“About Us”);

or the name, job title, or professional qualifications of the person concerned; or, possibly, any achievements they have made, supported, or presented, or other information of positive news value (“News/Blog”).

Source of personal data:

Most of the data is collected by the data controller itself, with no involvement of the data subject (through the publication of articles and news, and the introduction of employees involved in the organization). The personal data regarding the data subject is appearing in articles and news reports is, for the most part, publicly available information that can be obtained from freely accessible sources—in many cases, sources that have already been published in the press. Employee data refers to workplace contact information available to the data controller.

Categories of recipients:

The website is freely accessible without prior registration or identification, meaning that any personal data uploaded to it is freely available to anyone until the data controller removes it from the website.

DigitalOcean LLC, a virtual server provider, may access the data for specific purposes in its capacity as a data processor.

Third-country data transfers:

Data is transferred to DigitalOcean LLC, a virtual server provider operating as a data processor (as described in Section 2).

Automated decision-making, profiling:

Automated decision-making, profiling does not take place.

Scheduled deadline for data cancellation:

The written content appearing on the website is public and accessible to anyone; it remains available for review as long as it is current and newsworthy, that is, until the data controller removes it from the website. We would like to remind those concerned once again of their right to object to the processing of personal data based on legitimate interests.

Is the provision of data mandatory:

The data is collected partly by the data controller itself (“News/Blog”) and partly is already available (“About Us”), so the involvement of the data subjects is not necessary. 

Most of the personal data mentioned in articles and news reports is publicly available information that can be obtained from websites and other news sources. 

In addition to the employee's name, employee data includes information necessary for communication, the provision of which is a prerequisite for the employee to perform their duties and for contacting applicants for training.

What are the consequences if the data subject does not provide their personal data:

The data controller does not collect the personal data listed here directly from the data subject.

The aim of data management:

Information about the data controller’s employees, to help identify them (“OUR TEAM”);

and, in the “Gallery” section, a presentation of the atmosphere, quality, and characteristics of past events.

The legal basis for data management:

The data subject’s prior consent pursuant to Article 6(1)(a) of the GDPR.

If the data subject does not wish to give consent to the processing of images (photos) taken of him/her, he/she has the right to inform the data controller thereof. The data subject’s consent regarding the use of images is voluntary; that is, they are free to deny consent. In such cases, the images taken of him/her will not be processed.

If the data subject has given consent to the processing of images taken of them, they may withdraw that consent at any time thereafter without providing a reason. In such cases, the data controller will immediately remove the image uploaded to the website.

Please note that the data controller does not upload any photos or videos of children under the age of 16.

Description of the legitimate interest:

The processing of data is not based on legitimate interests.

Categories of data subjects:

The individuals appearing in the photos uploaded to the website (under the headings “OUR TEAM” and “Gallery”).

Categories of personal data processed:

A photo of the data subject (image) and his/her company shown in the photo, surroundings visible in the photo; the location of the photo and other information appearing in the photo.

Source of personal data:

The data subject provides this information voluntarily; however, the provision of personal data is not mandatory, and the data subject’s consent to the processing of personal data already provided may be freely withdrawn at any time.

Categories of recipients:

These areas of the website (the “About Us” menu item and the “Gallery” menu item under “Event Venue”) are freely accessible without prior registration or identification, meaning that any personal data uploaded there can be viewed by anyone; this remains the case until the data controller removes such data from the website.

Data is transferred to DigitalOcean LLC, a virtual server provider operating as a data processor.

Third-country data transfers:

Data is transferred to DigitalOcean LLC, a virtual server provider operating as a data processor (as described in Section 2).

Automated decision-making, profiling:

Automated decision-making, profiling does not take place.

Scheduled deadline for data cancellation:

The photos appearing on the website are public and accessible to anyone; they remain available for review until the data controller removes them from the website or the data subject withdraws their consent.

Is the provision of data mandatory:

No. The data subject’s consent regarding the use of images is voluntary; that is, they are free to deny consent.

In addition, the data subject may withdraw their consent at any time in the future without providing a reason.

What are the consequences if the data subject do not provide their personal data:

The data subject is free to choose not to provide their personal data; in that case, the photo taken of them will not be uploaded to the website. If the data subject subsequently withdraws their consent, the photo of them will be removed from the website.

The aim of data management

-Getting to know the full extent of the website;

-Selecting events for (further) training purposes;

-Applying for training/education event;

-Providing the additional information required to enter an adult education contract;

-Proof of attendance at the training course;

- Reservation of the BEK Academy venue for another event;

-Providing the information required to issue an invoice (if a payment obligation arises);

- Providing the option to subscribe to BEK Academy Newsletters regarding the data controller’s events and training sessions organized by it.

The legal basis for data management:

The data subject’s consent pursuant to Article 6(1)(a) of the GDPR, which may be withdrawn at any time. In this case, your registration (i.e., your personal account) will be deleted.

Description of the legitimate interest:

The data management is not based on a legitimate interest.

Categories of data subjects:

Patients registering to create a personal customer account.

Categories of personal data processed:

To complete the first step of registering on the website—creating a personal account—you must provide an email address and password and agree to this Privacy Policy. 

We would like to note in advance that before registering for specific adult education events—the data processing for which is described in the following section—you must provide your Profile Data in full (pursuant to Act LXXVIII of 2013 on Adult Education /hereinafter: Please note that before registering for specific adult education events—the data processing for which is described in the following section—you must provide your Profile Data in full (since these are training programs falling under the scope of Act LXXVIII of 2013 on Adult Education /hereinafter: Fktv./), which are as follows: name, email address, phone number, identification of the category required for professional registration (doctor, healthcare professional, or other), birth name, mother’s name, place and date of birth, professional qualifications, highest level of education, medical license number, operating license number, healthcare professional registration number, whether the data subject is a BEK employee or BEK contributor, billing information (individual or legal entity/ company /name exact residential address or registered office, mailing address); whether the data subject subscribes to the BEK Academic Newsletter.

In your Profile Information, you will later find details about the events you have already registered for or attended.

Source of personal data:

The data is provided by the data subject themselves.

The duration of data management:

Registration is based on the patient’s consent, which may be withdrawn at any time without providing a reason. In this case, your personal account will be deleted. 

Please note, however, that if you have registered for a training or continuing education event; or have reserved a venue at the BEK Academy; or if any other legal relationship has been established between you and the data controller; the data controller will continue to process your personal data within the data processing period prescribed for these legal relationships (see: data processing described in the following sections); only the deletion of your personal customer account will be carried out in accordance with your request.

Recipients (subjects of data transmission):

Data is transferred to DigitalOcean LLC, a virtual server provider operating as a data processor (as described in Section 2).

Third-country data transfers:

Data is transferred to DigitalOcean LLC, a virtual server provider operating as a data processor (as described in Section 2).

Automated decision-making, profiling:

Automated decision-making, profiling does not take place.

Is the provision of data mandatory:

No, but in this case, we cannot create a personal customer account.

What are the consequences if the data subject does not provide their personal data:

You will not be able to browse the entire website or use its key features.

The aim of data management

- Indication of intent to participate in training/further education events;

-Providing the additional information required to enter an adult education contract;

-Providing the personal information required to verify attendance at the training;

-Providing the information required to issue an invoice (if a payment obligation arises);

The legal basis for data management:

In the context of adult education, the legal basis for data processing is partly the performance of a contract for adult education pursuant to Article 6(1)(b) of the GDPR; and partly the fulfilment of a legal obligation under the Adult Education Act (Article 6 (1)(c) Fktv),  with the obligation prescribed by Section 21(1) of the Adult Education Act (see: Data that is mandatory to be processed in the context of adult education).

Regarding the transfer of data to OFTEX, as listed among the recipients (data recipients), the legal basis for data processing is the fulfilment of the legal obligation under Article 6 (1)(c) of the GDPR, the legal basis for which is 64/2011. (XI. 29.) NEFMI Decree on the continuous professional education of physicians, dentists, pharmacists, and holders of higher education degrees in healthcare. (XI.29.) NEFMI Decree No. 64 of November 29, 2011.

Regarding adult education, the legal basis for the mandatory data transfer to the Pest County Government Office (Adult Education Data Reporting System) is the fulfilment of a legal obligation under Section 15 of the Adult Education Act /Article 6(1)(c) of the GDPR/.

The legal basis for the processing of personal data necessary to comply with the documentation requirement is the fulfilment of a legal obligation pursuant to Article 6(1)(c) of the GDPR. This legal obligation is based on Sections 159 and 169 of Act CXXVII of 2007 on Value-Added Tax, and Sections 166–169 of Act C of 2000 on Accounting.

In the event of a legal dispute between the data controller and the data subject regarding the legal relationship relating to adult education, the legal basis for data processing is the legitimate interest referred to in Article 6(1)(f) of the GDPR.

Description of the legitimate interest:

Personal data is processed solely based on legitimate interest in the event of a legal dispute. In such cases, the data controller’s legitimate interest lies in fully clarifying the facts of the matter and facilitating the imposition of lawful sanctions, as well as in providing the available data as evidence to the competent authority, the public prosecutor’s office, and the court.

Since the legitimate interest described above is consistent with the interests of the data subject, no actual infringement of rights occurs.

Categories of data subjects:

Doctors, pharmacists, and healthcare professionals applying for training.

Categories of personal data processed:

Since the training event falls under the scope of the Fktv., it is mandatory to provide all profile information, which includes the following:

name, email address, phone number, identification of the category required for professional registration (physician, healthcare professional, or other), birth name, mother’s name, place and date of birth, professional qualifications, highest level of education, medical license number, operating license number, healthcare professional registration number, whether the data subject is a BEK employee or BEK contributor, billing information (individual or legal entity, company name, exact residential address or registered office, mailing address, tax ID number of the legal entity).

We would like to point out now that, under the "Profile Data" menu item, the personal customer account will record details of all training events for which the individual has registered or in which they have already participated (training history).

In connection with the conclusion of an adult education contract, 

the data controller is required, pursuant to Section 21(1) of the Data Protection Act, to process the following data for the purpose of conducting the adult education program: 

a) the person participating in the training

(aa) their personal identification data and—in connection with the issuance of an education identification number—their education identification number,

ab) their email address and

(ac) information regarding their highest level of education.

(b) data related to the training, concerning the person participating in the training

(ba) their highest level of education, vocational qualifications, professional skills, and knowledge of foreign languages,

(bb) upon entering the program and completing it, or, if the program is not completed, upon withdrawing from it,

(bc) assessment and grading during the course,

(bd) relate to payment obligations associated with the training and to the 

training loan taken out

Personal data processed for the purpose of verifying attendance: name, signature, training location, topic, and date of the training.

Personal data processed in connection with invoices issued for fee-based training events: company/name, address or registered office, tax ID number.

Source of personal data:

The data is provided by the data subject themselves.

The duration of data management:

The data controller will process the profile data provided by the data subject on the website until the data subject requests the termination of their personal customer account.

Pursuant to Section 21(5) of the Fktv. the data controller must retain adult education data for a period of 8 years from the date of conclusion of the adult education contract; the date of completion of attendance records; or the date of completion of the initial assessment of prior knowledge and competencies, regardless of whether the personal account is subsequently terminated.

Similarly, an 8-year retention requirement applies to the retention of account data and supporting documents under Act CXXVII of 2007 on Value Added Tax and Act C of 2000 on Accounting.

If legal proceedings (e.g., a dispute before an administrative authority, a prosecutor’s office, or a court) have been initiated within the aforementioned data retention period, the processing of the data will continue for the entire duration of the legal proceedings.

Recipients (subjects of data transmission):

For credit-based training, physicians are required to register through the OFTEX data management system. Oftex data management system is operated by ENEF Kft (2151 Fót, 14/a Mária Street Cg.13-09-066514., e-mail address: nfkft@nf.hu) which is an independent data controller. Their data protection notice is available here:

https://oftex.hu/project_o/actual_prg/system/launch.php?pg=./oftex/ADAT…

The data controller is required to report data on adult education events to the FAR system (Adult Education Data Reporting System) (Section 15 of the Adult Education Act) Data Controller provides data regarding:

(a) the name, nature, location, number of hours, first day of the training, and—except for trainings conducted via closed-system distance learning—the scheduled completion date of the education or training,

b) the personal identification data, email addresses, and highest level of education of the individuals participating in the training,

c) the tuition fee and who is responsible for paying it

the data is submitted to the state administrative body responsible for adult education (currently: Pest County Government Office, National Vocational and Adult Education Office. , 1089 Budapest, 7 Kálvária square felnottképzés@pest.gov.hu, phone: +36 1 210 9722) via the adult education data reporting system. This body acts as an independent data controller. 

The reporting obligation must be fulfilled no later than the start date of the training; in the event of a change in the data, no later than the third business day following the change; and, in the case of in-house training, by the last day of the quarter in which the training concludes.

The data provided in this manner may be used for statistical purposes and may be transferred for such purposes in a form that does not allow for the identification of individuals; furthermore, it may be transferred to and used by the Hungarian Central Statistical Office for statistical purposes in a form that allows for individual identification, free of charge. Hungarian Central Statistical Office is also an independent data controller.

In the event of a payment obligation, payment is processed using the Simple Pay application provided by OTP Mobile Service Provider 1138 Budapest, 135–139 Váci street, Building B, 5th floor; contact: idea@otpmobil.com), which is considered an independent data controller. Their data protection notice is available here:

 https://simplepay.hu/adatkezelesi-tajekoztatok/ 

As the data controller, BHC processes only the date, amount, and payment reference of online payments.

The invoice data is forwarded to the National Tax and Customs Administration of Hungary (NAV)

For the purpose of troubleshooting the accounting, payroll, and labour records software (ORGWARE), OrgwareCommercial and Service Limited Liability Company (headquartered at: 1149 Budapest, 32 Angol Street, company registration number: Cg.01-09-062418., TAX id nr: 10244830-2-42, e-mail address: support@orgware.hu or management@orgware.hu, website: http://www.orgware.humay access personal data as an independent data controller .

Data is transferred to DigitalOcean LLC, a virtual server provider operating as a data processor (as described in Section 2).

Data is transferred to the training provider to the minimum extent necessary (names of training applicants, number of applicants, and any personal data requested in advance by the provider—e.g., in the event of a knowledge level assessment, contact information).

In the event of an official inspection, personal data will be disclosed to the relevant authority (e.g., the Government Office); in the event of legal proceedings, personal data will be disclosed to the competent authority, the public prosecutor’s office, the court, or the legal representative. All these recipients are independent data controllers.

While performing its duties—strictly for the purposes specified—Bonitás IT Limited Liability Company may access personal data in its capacity as a data processor. (registered office 6725 Szeged, 18 Szabadkai Street, company registration number: Cg.06-09-012933., TAX id nr: 14445181-4-06, contact details: info@bonitasit.hu), which, in its capacity as a data controller, provides comprehensive application management, application development, infrastructure management, IT consulting and services, as well as IT security services.

Third-country data transfers:

Data is transferred to DigitalOcean LLC, a virtual server provider acting as a data processor (as described in section 2).

Automated decision-making, profiling:

Automated decision-making, profiling does not take place.

Is the provision of data mandatory:

Providing personal information is a prerequisite for participating in the training program.

What are the consequences if the data subject does not provide their personal data:

He or she cannot participate in the training because, in the absence of the required data, an adult education contract cannot be entered into with him or her; his or her attendance and the earning of credit hours cannot be verified; and the data controller’s legal obligation to report adult education data cannot be fulfilled.

The aim of data management

Presenting information about the Data Controller’s events and training sessions and sharing general health-related news.

The legal basis for data management:

The data subject’s consent pursuant to Article 6(1)(a) of the GDPR, which may be withdrawn at any time without giving a reason.

Description of the legitimate interest:

The data management is not based on a legitimate interest.

Categories of data subjects:

Natural persons who have subscribed to the BEK Academy’s General Newsletter.

Categories of personal data processed:

The name and email address provided by the data subject.

Source of personal data:

The data is provided by the data subject themselves.

The duration of data management:

Until the data subject withdraws their consent (unsubscribes).

Recipients (subjects of data transmission):

Data is transferred to DigitalOcean LLC, a virtual server provider acting as a data processor (as described in section 2).

While performing its duties—strictly for the purposes specified—Bonitás IT Limited Liability Company may access personal data in its capacity as a data processor. (registered office 6725 Szeged, 18 Szabadkai Street, company registration number: Cg.06-09-012933., TAX id nr: 14445181-4-06, contact details: info@bonitasit.hu), which, in its capacity as a data controller, provides comprehensive application management, application development, infrastructure management, IT consulting and services, as well as IT security services.

Third-country data transfers:

Data is transferred to DigitalOcean LLC, a virtual server provider acting as a data processor (as described in section 2).

Automated decision-making, profiling:

Automated decision-making, profiling does not take place.

Is the provision of data mandatory:

No, in this case, the BEK Academy Newsletter cannot be sent by the data controller.

What are the consequences if the data subject does not provide their personal data:

The data subject will not receive the BEK Academy’s General Newsletter.

The aim of data management

Reservation of the BEK Academy venue for other events—i.e., events not organized or advertised by the data controller—or an indication of intent to rent the premises.

The legal basis for data management:

The legal basis for data processing is the performance of a contract between the data subject (or the person represented by the data subject) and the data controller, in accordance with Article 6(1)(b) of the GDPR.

Regarding the personal data necessary to fulfil the documentation obligations associated with the contract, the legal basis for data processing is compliance with a legal obligation under Article 6(1)(c) of the GDPR. This legal obligation is based on Sections 159 and 169 of Act CXXVII of 2007 on Value-Added Tax, and Sections 166–169 of Act C of 2000 on Accounting.

In the event of a legal dispute between the data controller and the data subject regarding the lease agreement, the legal basis for data processing is the legitimate interest referred to in Article 6(1)(f) of the GDPR.

Description of the legitimate interest:

Personal data is processed solely based on legitimate interest in the event of a legal dispute. In such cases, the data controller’s legitimate interest lies in fully clarifying the facts of the matter and facilitating the imposition of lawful sanctions, as well as in providing the available data as evidence to the competent authority, the public prosecutor’s office, and the court.

Since the legitimate interest described above is consistent with the interests of the data subject, no actual infringement of rights occurs.

Categories of data subjects:

Individuals who have reserved the BEK Academy venue for another event and are requesting a contract proposal.

Categories of personal data processed:

Personal data processed when booking the BEK Academy venue for other events—i.e., data requested on the website—includes: the requester’s name, email address, phone number, company name, the event date, start and end date, the estimated number of attendees, and details of any additional requirements (projector, projection screen; technical assistance; cloakroom; wireless presenter; microphone; parking; streaming; microport; cleaning; laptop; sound system; catering; flipchart; stage setup; hostess), any additional comments from the requester, and the date and time the request for quotation was sent.

Following the successful booking of the venue and acceptance of the data controller’s offer, the following additional personal data are processed in the venue rental agreement: specific details of the venue, the nature of the event, the rental fee, payment details, the names and contact information of the contact persons and representatives, the date of the agreement, and their handwritten signatures.

Personal data processed in connection with the invoice issued: company name, address or registered office, tax identification number.

Source of personal data:

The data is provided by the data subject themselves.

The duration of data management:

The data controller will continue to process personal data processed in connection with the performance of the contract for the duration of the civil law statute of limitations (5 years from the date the claim arises), to ensure the possibility of processing such data should it be necessary to assert any legal claims.

In contrast, an 8-year retention requirement applies to the management of invoice data and supporting documents under Act CXXVII of 2007 on Value Added Tax and Act C of 2000 on Accounting.

Recipients (subjects of data transmission):

The invoice data is forwarded to the National Tax and Customs Administration of Hungary (NAV)

For the purpose of troubleshooting the (ORGWARE), OrgwareCommercial and Service Limited Liability Company (registered office: 1149 Budapest, 32 Angol Street, company registration number: Cg.01-09-062418., TAX id nr: 10244830-2-42, e-mail address: support@orgware.hu or management@orgware.hu, website: http://www.orgware.humay access personal data as an independent data controller . 

The data controller may disclose the personal data it processes to the authority conducting an inspection (e.g., the National Tax and Customs Administration) in the event of an official inspection; furthermore, in the event of a legal dispute, the personal data will be disclosed to the relevant authority, the public prosecutor’s office, the court, or a legal representative.

All these recipients above are independent data controllers.

Once the data controller receives a request for a quote via the website, the data is transferred to DigitalOcean LLC, a virtual server provider acting as a data processor (as described in section 2).

While performing its duties—strictly for the purposes specified—Bonitás IT Limited Liability Company may access personal data in its capacity as a data processor. (registered office 6725 Szeged, 18 Szabadkai Street, company registration number: Cg.06-09-012933., TAX id nr: 14445181-4-06 , contact details:info@bonitasit.hu), which, in its capacity as a data controller, provides comprehensive application management, application development, infrastructure management, IT consulting and services, as well as IT security services.

Third-country data transfers:

Data is transferred to DigitalOcean LLC, a virtual server provider acting as a data processor (as described in section 2).

Automated decision-making, profiling:

Automated decision-making, profiling does not take place.

Is the provision of data mandatory:

To reserve a venue at the BEK Academy via the website or request a quote online, you must provide your personal information.

What are the consequences if the data subject does not provide their personal data:

In the absence of this information, online reservations for the BEK Academy venue cannot be processed, as it is impossible to verify whether the time slot is available or to record who is making the reservation and to whom the offer should be sent.

The aim of data management

Filling vacant positions; identifying and selecting suitable candidates; assessing competencies; handling unsolicited job applications.

The legal basis for data management:

The legal basis for data management is the performance of a contract pursuant to Article 6(1)(b) of the GDPR. This is because, under the GDPR, submitting a job application constitutes an offer to enter a contract.

If an advertised position is filled, the legal basis for data processing regarding unsuccessful applications after the position has been filled—during the period for asserting claims under labour law or equal opportunity law—is the legitimate interest of the data controller pursuant to Article 6(1)(f) of the GDPR.

Description of the legitimate interest:

The reason behind data processing based on legitimate interests is that the applicant may assert a legal claim against the employer (or the parties may assert claims against each other) (e.g., why the applicant was not hired). The legitimate interest of the employer, as the data controller—which also coincides with the interests of the data subject—is to properly clarify the facts of the case, uncover evidence (i.e., establish provability), identify any potential violations of the law, and ensure that appropriate legal consequences can be applied.

Applicants can expect their data to be processed (the parties should be aware of the possibility of asserting civil claims, and the privacy notice available on the website provides details on this); furthermore, the availability of application documents will assist applicants in asserting their legal claims. Both the data controller and the data subject therefore have a significant interest in clarifying the facts of the case.

During the period in which legal claims are being pursued, the data controller will not process personal data in any other way and will store the applications separately from other personal data.

Categories of data subjects:

Natural persons who submit job applications to the data controller via the email address hr@bhc.hu are considered data subjects; that is, the data controller processes their personal data in the manner described herein.

Categories of personal data processed:

The data subject’s name, contact information, education, qualifications, professional experience, and any other relevant personal data necessary for the fulfilment of the position.

Please DO NOT SUBMIT photocopies of documents or photographs as part of your application. If the data controller receives such personal data, it shall be deleted in electronic form, and any documents held in paper form will be disposed. If this is not possible, the application will be returned and deemed invalid.

Source of personal data:

The data subject provides the personal data themselves and is therefore considered the source of the personal data.

The duration of data management:

If the data controller has published a job posting, the data controller will retain personal data in the event of an unsuccessful job application until the last day of the 3rd year following notification of the outcome of the application process. This is the last day of the statute of limitations for labour and equal opportunity law. It then permanently deletes the data stored electronically and destroys the paper-based materials.

If the data controller has not posted a job advertisement, but an interested party wishes to work for the data controller and therefore submits an application to the email address hr@bhc.hu, the data controller will retain the job application for 6 months.  If no vacancy arises during this period, the application materials will be deleted or destroyed.

The application materials of successful applicants will become part of their employment records; they will receive a separate privacy notice regarding this data processing.

If the applicants submits their application to the email address hr@bhc.hu, which is not dedicated for this purpose, but to another email address of the data controller (which was not created for this purpose), we hereby inform you that the applications sent to the incorrect address will be deleted.

Recipients (subjects of data transmission):

While performing its duties—strictly for the purposes specified—Bonitás IT Limited Liability Company may access personal data in its capacity as a data processor. (registered office 6725 Szeged, 18 Szabadkai Street, company registration number: Cg.06-09-012933., TAX id nr: 14445181-4-06, contact details: info@bonitasit.hu), which, in its capacity as a data controller, provides comprehensive application management, application development, infrastructure management, IT consulting and services, as well as IT security services.

Third-country data transfers:

Third-country data transfer do not take place.

Automated decision-making, profiling:

Automated decision-making or profiling does not take place.

Is the provision of data mandatory:

Data provision is not mandatory.

What are the consequences if the data subject does not provide their personal data:

The job application cannot be evaluated without the required information.