PRIVACY POLICY REGARDING THE RIGHTS OF NATURAL PERSONS IN RELATION TO THE PROCESSING OF THEIR PERSONAL DATA
I. INTRODUCTION
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 — on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter: the Regulation) — prescribes that the Data Controller shall take appropriate measures to provide the data subject with all information relating to the processing of personal data in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. Furthermore, the Data Controller shall facilitate the exercise of the data subject’s rights.
The obligation to provide prior information to the data subject is also stipulated by Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information.
With the information provided below, we fulfil our statutory obligation in this regard.
This Privacy Notice shall be published on the Company’s website or, upon request, shall be provided to the data subject.
II. IDENTIFICATION OF THE DATA CONTROLLER
The issuer of this Notice, who is also the Data Controller:
Company name: Imperial Dental Kft.
Tax number: 23063077-2-13
Company registration number: 13-09-238569
Registered seat: 2083 Solymár, Vörösmarty Street 75
Telephone/Fax: +36 1 225 0055
Website: www.imperialdental.hu
E-mail address: info@imperialdental.hu (hereinafter: the Company or Imperial Dental)
Joint Data Controllership with Duna Medical Center Kft.
Duna Medical Center Kft. (registered seat: 1095 Budapest, Lechner Ödön fasor 5; company registration number: 01-09-191967; tax number: 24963145-2-43) and Imperial Dental Kft. qualify as Joint Data Controllers with respect to the personal data of patients who have a healthcare relationship with DMC, but whose treatment is provided by Imperial Dental.
The tasks of appointment scheduling, administration, invoicing, and security camera data processing are carried out by DMC within its own systems as an independent data controller.
Technical background of data processing:
Data are stored in the Főnix system operated by DMC.
For the purpose of documenting the treatment, Imperial Dental records the necessary health data in its own Flexident system.
II. CHAPTER II DATA PROCESSORS
A Data Processor is any natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller (Regulation Article 4, point 8).
The prior consent of the data subject is not required for the engagement of a data processor, but the data subject must be informed. Accordingly, we hereby inform you that, pursuant to Annex No. 1 of the Data Protection Policy, for the purposes defined therein, the data processors specified in the same annex are authorized to act.
II. ENSURING THE LAWFULNESS OF DATA PROCESSING
Data Processing Based on the Data Subject’s Consent
Where the Company intends to process personal data on the basis of consent, the data subject's consent must be obtained prior to the processing of their personal data.
Consent is also deemed to be given where the data subject, while visiting the Company’s website, marks a corresponding checkbox, applies appropriate technical settings in relation to information society services, or makes any other statement or action which, in the given context, clearly indicates the data subject’s acceptance of the intended processing of their personal data. Silence, pre-ticked boxes, or inactivity shall not constitute consent.
The consent shall cover all processing activities carried out for the same purpose or purposes. If the processing serves multiple purposes simultaneously, consent must be given for all the intended purposes of the data processing.
Where the data subject's consent is given within the context of a written declaration which also relates to other matters — for example, the conclusion of a sales or service agreement — the request for consent shall be presented in a manner clearly distinguishable from those other matters, using intelligible and easily accessible language in a clear and plain form. Any part of such a declaration that infringes the Regulation shall not be binding.
The Company shall not make the conclusion or performance of a contract conditional on the data subject granting consent to the processing of personal data that is not necessary for the performance of that contract.
The withdrawal of consent shall be made possible in a manner as simple as that by which the consent was given.
If personal data is collected on the basis of the data subject's consent, the Data Controller may process the collected data, without requiring additional consent and even after the withdrawal of the consent, if processing is necessary to comply with a legal obligation applicable to the Data Controller, provided that no other legal provisions state otherwise.
Data processing based on consent is carried out solely on the basis of the data subject’s voluntary, prior, and explicit consent. Consent may be withdrawn at any time, without justification, via the e-mail address: info@imperialdental.hu.
Data Processing Based on Legal Obligation
In cases where data processing is based on a legal obligation, the scope of the data that may be processed, the purpose of processing, the duration of data storage, and the recipients of the data are determined by the relevant legal provisions.
Data processing based on compliance with a legal obligation does not require the data subject’s consent, as such processing is mandated by law. Before commencing such data processing, the data subject must be informed that the data processing is mandatory. Furthermore, the data subject must be provided with clear and detailed information regarding all facts related to the processing of their data, in particular the purpose and legal basis of the data processing, the identity of the person authorized to process and handle the data, the duration of the processing, the fact that the data is processed on the basis of a legal obligation, and the recipients of the data. The information provided must also cover the data subject’s rights and available legal remedies. In cases of mandatory data processing, the information may also be provided by publicizing the relevant legal provisions that contain these details.
Legitimate Interest
The Company may process the data subject's personal data on the basis of legitimate interest.
CCTV Surveillance System
A CCTV surveillance system operates within the premises of the clinic. This system is operated not by Imperial Dental Kft., but by Duna Medical Center Kft., which acts as an independent data controller and is therefore solely responsible for the processing of personal data recorded by the surveillance system. The purpose of the surveillance system is to ensure personal and property security. The video recordings are stored on DMC’s servers. Data subjects may exercise their related rights (e.g. access requests, requests for deletion) directly with Duna Medical Center Kft.
Appointment Booking, Administration, and Invoicing
For medical services provided by Duna Medical Center Kft., appointment booking, administrative tasks, and invoicing are all managed within DMC's own system. The patient is registered in the Főnix system operated by DMC, payments are made at DMC’s reception, and invoices are issued by DMC. For data processing related to invoicing purposes, Duna Medical Center Kft. acts as an independent data controller. Imperial Dental Kft. does not have access to these data, or only to the extent strictly necessary to carry out the treatment.
Facilitating the Data Subject’s Rights
The Company is obligated to ensure that the data subject is able to exercise their rights in relation to all forms of data processing.
Imperial Dental Kft. has appointed a Data Protection Officer (DPO) to ensure compliance with legal obligations regarding the protection of personal data and to guarantee the exercise of data subjects' rights.
The DPO is responsible for monitoring data processing activities, facilitating compliance with relevant legislation, and ensuring effective communication with both data subjects and supervisory authorities. Name of the Data Protection Officer: Email address:
Data subjects may contact the DPO directly with any questions, comments, or complaints related to data processing.
Processing of Personal Data in the Electronic Health Service Space
Hungary’s new e-health system, the Electronic Health Service Space (EESZT), makes health data available electronically that patients previously had to keep in paper form.
The EESZT is fundamentally a system designed to facilitate the flow of information, enabling data uploaded to the system to reach the appropriate person more quickly and easily. Since this concerns healthcare services, the transmitted data includes both personal and health data. The system ensures complete data security at the highest protection level (Level 5). The data controller of the EESZT is the National Healthcare Service Center (ÁEEK), which operates the system.
Detailed information on the functioning of the EESZT and the processing of data within the system is provided in Annex 2 of this privacy notice.
Data Processing Related to Workplace Surveillance
The Company operates an electronic surveillance system at its headquarters, business premises, and areas open to clients, with the purpose of protecting human life, physical integrity, personal freedom, business secrets, and property. This system may enable direct surveillance, the recording and storage of images, audio, or both. The behavior of the data subject captured by the cameras is considered personal data.
The legal basis for this data processing is the legitimate interest of the employer.
The presence of electronic surveillance in a given area must be clearly indicated with easily visible and readable signage placed in a way that informs third parties entering the area. Information must be provided for each individual camera, including details about the existence of surveillance, the purpose of recording and storing images and/or audio, the legal basis for data processing, the storage location of the recordings, the storage duration, the identity of the operator, the persons authorized to access the data, the data security measures in place for storage, as well as information on the data subjects’ rights and the procedures for enforcing those rights.
Audio and video recordings of third parties entering the monitored area (clients, visitors, guests) may be made and processed with their implied consent. Implied consent is particularly given when a natural person enters the monitored area despite clear signage and information about the surveillance system being present.
Recordings may be retained for a maximum of 3 (three) working days if not used. "Use" is defined as employing the recording or other personal data as evidence in court or other official proceedings.
Data Processing Related to Newsletter Services
Individuals registering for the newsletter service on the Company’s website may provide their consent to the processing of their personal data by checking a corresponding checkbox. Pre-ticked boxes are prohibited. The Privacy Notice must be made accessible via a link during subscription. Data subjects may unsubscribe from the newsletter at any time by using the “Unsubscribe” function in the newsletter, or by submitting a written or email request, which constitutes withdrawal of consent. In such cases, all data of the unsubscribing person must be deleted without delay. Personal data that may be processed: name (surname, first name), email address, telephone number.
Purpose of data processing:
a. Sending newsletters about the Company’s products and services
b. Sending promotional materials
Legal basis for data processing: the data subject's consent.
Recipients and categories of recipients of personal data: employees of the Company performing customer service and marketing tasks, and employees of the Company’s IT service provider acting as data processors for the purpose of providing hosting services.
Duration of data storage: until the newsletter service is terminated or until the data subject withdraws their consent (submits a deletion request).
The legal basis for this data processing is the legitimate interest of the employer.
The presence of electronic surveillance in a given area must be clearly indicated with easily visible and readable signage placed in a way that informs third parties entering the area. Information must be provided for each individual camera, including details about the existence of surveillance, the purpose of recording and storing images and/or audio, the legal basis for data processing, the storage location of the recordings, the storage duration, the identity of the operator, the persons authorized to access the data, the data security measures in place for storage, as well as information on the data subjects’ rights and the procedures for enforcing those rights.
Audio and video recordings of third parties entering the monitored area (clients, visitors, guests) may be made and processed with their implied consent. Implied consent is particularly given when a natural person enters the monitored area despite clear signage and information about the surveillance system being present.
Recordings may be retained for a maximum of 3 (three) working days if not used. "Use" is defined as employing the recording or other personal data as evidence in court or other official proceedings.
Data Processing Related to Newsletter Services
Individuals registering for the newsletter service on the Company’s website may provide their consent to the processing of their personal data by checking a corresponding checkbox. Pre-ticked boxes are prohibited. The Privacy Notice must be made accessible via a link during subscription. Data subjects may unsubscribe from the newsletter at any time by using the “Unsubscribe” function in the newsletter, or by submitting a written or email request, which constitutes withdrawal of consent. In such cases, all data of the unsubscribing person must be deleted without delay. Personal data that may be processed: name (surname, first name), email address, telephone number.
Purpose of data processing:
a. Sending newsletters about the Company’s products and services
b. Sending promotional materials
Legal basis for data processing: the data subject's consent.
Recipients and categories of recipients of personal data: employees of the Company performing customer service and marketing tasks, and employees of the Company’s IT service provider acting as data processors for the purpose of providing hosting services.
Duration of data storage: until the newsletter service is terminated or until the data subject withdraws their consent (submits a deletion request).
III. VISITOR DATA PROCESSING ON THE COMPANY’S WEBSITE (INFORMATION ON THE USE OF COOKIES)
Visitors to the website must be informed about the use of cookies, and – except for technically essential session cookies – their consent must be obtained.
General Information on Cookies
A cookie is a piece of data sent by the website to the visitor's browser (in the form of a variable name-value pair), to be stored by the browser and later retrieved by the same website. A cookie may remain valid only until the browser is closed, or for an unlimited period. During each subsequent HTTP(S) request, the browser sends these data to the server, thereby modifying data stored on the user's device.
The purpose of cookies is to enable online services to identify users (e.g. recognizing whether a user is logged in) and handle their session accordingly. The risk arises from the fact that users are not always aware of this tracking, and cookies may allow the website operator or embedded third-party services (e.g. Facebook, Google Analytics) to track users and build profiles about them. In such cases, the content of cookies qualifies as personal data.
Types of Cookies:
a. Technically Essential Session Cookies: These are indispensable for the proper functioning of the website, necessary for identifying the user, such as tracking whether they are logged in or what they have placed in their cart. Typically, only a session ID is stored while other data remain on the server, which is more secure. It is critical that the session cookie value is securely generated to prevent session hijacking. In some terminologies, all cookies deleted upon closing the browser are referred to as session cookies.
b. Functionality Cookies: These remember the user's preferences, such as how they prefer the website to be displayed. Essentially, these store setting data in the cookie.
c. Performance Cookies: Although the name suggests otherwise, these cookies collect information on the user's behavior on the visited website, including time spent, clicks, etc. They are usually third-party applications (e.g. Google Analytics, AdWords, Yandex.ru cookies) and can be used to create user profiles.
Information on Google Analytics cookies is available here: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
Information on Google AdWords cookies is available here: https://support.google.com/adwords/answer/2407785?hl=hu
Accepting and enabling cookies is not mandatory. You can adjust your browser settings at any time to reject all cookies or to notify you when a cookie is being sent. Although most browsers accept cookies by default, these settings can generally be modified to prevent automatic acceptance and to prompt you each time for a choice.
You can find more information on cookie settings for the most popular browsers at the following links:
Google Chrome: https://support.google.com/accounts/answer/61416?hl=hu
Firefox: https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn
Microsoft Internet Explorer 11: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-11
Microsoft Internet Explorer 10: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-10-win-7
Microsoft Internet Explorer 9: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-9
Microsoft Internet Explorer 8: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-8
Microsoft Edge: http://windows.microsoft.com/hu-hu/windows-10/edge-privacy-faq
Safari: https://support.apple.com/hu-hu/HT201265
Please note that certain website functions or services may not function properly without cookies.
Information on the cookies used on the Company's website and data generated during visits: Data collected during visits: When using the Company’s website, the following data about the visitor or the device used for browsing may be recorded and processed:
a. IP address used by the visitor;
b. browser type;
c. operating system characteristics of the browsing device (set language);
d. time of visit;
e. visited (sub)page, function, or service;
f. clicks.
These data are retained for a maximum of 90 days and are primarily used for investigating security incidents.
Cookies Used on the Website
Technically Essential Session Cookies: Purpose of data processing: to ensure the proper functioning of the website. These cookies are necessary for visitors to browse the website, use its full features smoothly, and access services available through the website. This includes, for example, remembering actions performed by the visitor or identifying logged-in users during a single session. The processing period of these cookies lasts only for the duration of the current visit; they are automatically deleted when the session ends or the browser is closed.
The legal basis for this data processing is Section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services, which states that the service provider may process personal data that are technically essential for providing the service. The provider must select and operate the tools used in providing information society services in a way that personal data are processed only when absolutely necessary for the provision of the service and to achieve other objectives defined by law, and only to the extent and for the time necessary.
Functionality Cookies: These remember the user’s preferences, such as how the user prefers the website to be displayed. Essentially, these cookies store setting data in the cookie itself. Legal basis for data processing: the visitor’s consent. Purpose of data processing: to enhance the efficiency of the service, improve user experience, and make the website more user-friendly.
Performance Cookies: These collect information about the user’s behavior on the visited website, such as time spent on the site and clicks. They are typically third-party applications (e.g. Google Analytics, AdWords). Legal basis for data processing: the data subject’s consent. Purpose of data processing: website analytics, sending advertising offers.
V. INFORMATION ON THE RIGHTS OF THE DATA SUBJECT
Information on the rights of the data subject
Summary of the data subject’s rights:
a. Transparent information, communication, and facilitation of the exercise of the data subject’s rights;
b. Right to prior information – if personal data are collected from the data subject;
c. Information to the data subject and provision of information if the personal data were not obtained directly from the data subject by the data controller;
d. Right of access by the data subject;
e. Right to rectification;
f. Right to erasure (“right to be forgotten”);
g. Right to restriction of processing;
h. Obligation to notify about rectification or erasure of personal data or restriction of processing;
i. Right to data portability;
j. Right to object;
k. Rights related to automated decision-making in individual cases, including profiling;
l. Limitations;
m. Information to the data subject regarding data breaches;
n. Right to lodge a complaint with a supervisory authority (right to administrative remedy);
o. Right to an effective judicial remedy against a supervisory authority;
p. Right to an effective judicial remedy against the data controller or data processor.
Detailed rights of the data subject:
Transparent information, communication and facilitation of the exercise of the data subject’s rights
The data controller shall provide the data subject with all information and each notification relating to the processing of personal data in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, particularly where any information is addressed specifically to a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. Upon request of the data subject, the information may also be provided orally, provided the identity of the data subject is proven by other means.
The data controller shall facilitate the exercise of the data subject’s rights.
The data controller shall inform the data subject without undue delay and in any event within one month of receipt of the request about the measures taken in response to the request for exercising their rights. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests, provided that the data subject is informed of such extension within one month of receipt of the request.
If the data controller does not take action on the request of the data subject, the data controller shall inform the data subject without delay and at the latest within one month of receipt of the request about the reasons for not taking action, and about the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
The data controller shall provide the information and communication relating to the data subject’s rights free of charge; however, a reasonable fee may be charged where the requests are manifestly unfounded or excessive as provided for by the Regulation.
Detailed rules are set out under Article 12 of the Regulation.
Right to prior information – where personal data are collected from the data subject
The data subject shall have the right to be informed about the facts and circumstances related to data processing prior to the commencement of such processing. In this regard, the data subject shall be informed of:
a. The identity and contact details of the data controller and, where applicable, of the controller’s representative;
b. The contact details of the data protection officer, if applicable;
c. The purposes of the intended processing and the legal basis of the processing;
d. In case of processing based on legitimate interests, the legitimate interests pursued by the controller or a third party;
e. The recipients or categories of recipients of the personal data, if any;
To ensure fair and transparent processing, the data controller shall also inform the data subject of the following additional information:
a. The period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period;
b. The data subject’s right to request access to and rectification or erasure of personal data or restriction of processing concerning the data subject, and the right to object to such processing, as well as the right to data portability;
c. Where the processing is based on consent, the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
d. The right to lodge a complaint with a supervisory authority;
e. Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as the possible consequences of failure to provide such data;
f. The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved and the significance and the envisaged consequences of such processing for the data subject.
Where the data controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the data controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant additional information.
The detailed rules on the right to prior information are laid down in Article 13 of the Regulation.
Information to the data subject and information to be provided if the personal data were not obtained from the data subject
If the data controller did not obtain the personal data from the data subject, the controller shall provide the data subject with the information referred to in the previous section no later than one month after obtaining the personal data; if the personal data are used for contacting the data subject, at the latest upon the first communication with the data subject; or if the data are to be disclosed to another recipient, at the latest when the personal data are first disclosed. This information shall include the categories of personal data concerned, the source of the personal data, and, if applicable, whether the data come from publicly accessible sources.
The further rules are governed by the provisions laid down in the previous section (Right to prior information).
Detailed rules on this information obligation are set out in Article 14 of the Regulation.
Right of access of the data subject
The data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the related information referred to in points 8-9 of this chapter. (Article 15 of the Regulation).
Where personal data are transferred to a third country or to an international organization, the data subject has the right to be informed about the appropriate safeguards pursuant to Article 46 of the Regulation.
The data controller shall provide a copy of the personal data undergoing processing to the data subject. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
Detailed rules on the right of access are set out in Article 15 of the Regulation.
Right to rectification
The data subject has the right to have inaccurate personal data concerning them rectified by the data controller without undue delay upon request.
Considering the purpose of processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
These rules are set out in Article 16 of the Regulation.
Right to erasure (“right to be forgotten”)
The data subject has the right to obtain from the data controller the erasure of personal data concerning them without undue delay, and the controller shall be obliged to erase personal data concerning the data subject without undue delay if:
a. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b. the data subject withdraws consent on which the processing is based and there is no other legal ground for processing;
c. the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
d. the personal data have been unlawfully processed;
e. the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject;
f. the personal data have been collected in relation to the offer of information society services directly to a child.
The right to erasure shall not apply if processing is necessary for:
a. exercising the right of freedom of expression and information;
b. compliance with a legal obligation or the performance of a task carried out in the public interest or in the exercise of official authority;
c. reasons of public health;
d. archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of those objectives;
e. establishment, exercise, or defense of legal claims.
Detailed rules on the right to erasure are contained in Article 17 of the Regulation.
Right to restriction of processing
Where processing is restricted, such personal data may, with the exception of storage, be processed only with the data subject’s consent, or for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
The data subject has the right to obtain restriction of processing from the data controller if one of the following applies:
a. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy;
b. the processing is unlawful and the data subject opposes erasure and requests restriction instead;
c. the controller no longer needs the personal data for processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
d. the data subject has objected to processing pending verification whether the controller’s legitimate grounds override those of the data subject.
The data subject shall be informed before the restriction of processing is lifted.
Relevant rules are contained in Article 18 of the Regulation.
Notification obligation related to rectification, erasure or restriction of processing
The data controller shall communicate any rectification, erasure, or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. Upon request, the data subject shall be informed about those recipients.
These rules are set out in Article 19 of the Regulation.
Right to Data Portability
Under the conditions set out in the Regulation, the data subject shall have the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another data controller without hindrance from the controller to whom the personal data were provided, if:
a. the processing is based on consent or on a contract; and
b. the processing is carried out by automated means.
The data subject may also request the direct transmission of personal data between data controllers.
Exercising the right to data portability shall not adversely affect the rights and freedoms of others and shall not infringe Article 17 of the Regulation (Right to erasure, “right to be forgotten”). The right to data portability shall not apply where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
Detailed rules are set out in Article 20 of the Regulation.
Right to Object
The data subject shall have the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them based on public interest, the exercise of official authority (Article 6(1)(e)), or legitimate interests pursued by the controller (Article 6(1)(f)), including profiling based on those provisions. In such cases, the controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning them for such marketing, including profiling to the extent that it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
The data subject shall be explicitly informed of their right to object no later than at the first communication with the data subject, and this information shall be presented clearly and separately from other information.
The data subject may exercise the right to object by automated means based on technical specifications.
Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject shall have the right to object, on grounds relating to their particular situation, to the processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Automated Decision-Making in Individual Cases, Including Profiling
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
This right shall not apply if the decision:
a. is necessary for entering into or performance of a contract between the data subject and the controller;
b. is authorized by Union or Member State law to which the controller is subject, which also lays down suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interests; or
c. is based on the explicit consent of the data subject.
In the cases mentioned under points (a) and (c), the controller shall implement suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interests, including at least the right to obtain human intervention from the controller, to express their point of view, and to contest the decision.
Further rules are contained in Article 22 of the Regulation.
Restrictions
Union or Member State law may restrict the scope of rights and obligations (Articles 12–22, 34, and 5 of the Regulation) applicable to the controller or processor by legislative measures, provided that such restrictions respect the essence of fundamental rights and freedoms.
The conditions for such restrictions are set out in Article 23 of the Regulation.
Information to the Data Subject About a Personal Data Breach
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The communication shall describe the nature of the personal data breach clearly and in an understandable manner and include at least:
a. the name and contact details of the data protection officer or other contact point where more information can be obtained;
b. the likely consequences of the personal data breach;
c. the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The data subject need not be informed if any of the following conditions are met:
a. the controller has implemented appropriate technical and organizational protection measures, such as encryption, which were applied to the data affected by the breach;
b. the controller has taken subsequent measures to ensure the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
c. communication would involve disproportionate effort. In such cases, a public communication or similar measure shall be made to inform the data subjects effectively.
Further provisions are contained in Article 34 of the Regulation.
Right to Lodge a Complaint with a Supervisory Authority (Right to Administrative Remedy)
The data subject shall have the right to lodge a complaint with a supervisory authority, particularly in the Member State of their habitual residence, place of work, or place of the alleged infringement, if the data subject considers that the processing of their personal data infringes the Regulation. The supervisory authority with which the complaint is lodged shall inform the complainant about the progress and outcome of the complaint, including the right to an effective judicial remedy.
These rules are contained in Article 77 of the Regulation.
If the data subject believes that the processing of their personal data does not comply with applicable laws, they may complain to the data controller or contact the supervisory authority:
National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1055 Budapest, Falk Miksa utca 9–11.
Phone: +36 1 391 1400
Email: ugyfelszolgalat@naih.hu
Website: www.naih.hu
Complaints related to the data processing practices of DMC can also be submitted directly to:
Duna Medical Center Ltd.
Address: 1095 Budapest, Lechner Ödön fasor 5.
Right to an Effective Judicial Remedy Against a Supervisory Authority
Without prejudice to any other administrative or non-judicial remedies, every natural or legal person shall have the right to an effective judicial remedy against legally binding decisions of a supervisory authority concerning them.
Without prejudice to any other administrative or non-judicial remedies, every data subject shall have the right to an effective judicial remedy if the competent supervisory authority does not deal with a complaint or fails to inform the data subject within three months about the progress or outcome of the complaint.
Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority has its seat.
Where proceedings are brought against a decision of a supervisory authority in relation to which the Board has issued an opinion or decision within the consistency mechanism, the supervisory authority shall submit that opinion or decision to the court.
These provisions are contained in Article 78 of the Regulation.
Right to an Effective Judicial Remedy Against the Controller or Processor
Without prejudice to available administrative or non-judicial remedies, including the right to complain to a supervisory authority, every data subject shall have the right to an effective judicial remedy if they consider that their rights under the Regulation have been infringed as a result of the non-compliant processing of their personal data.
Proceedings against a controller or processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Such proceedings may also be brought before the courts of the Member State where the data subject has their habitual residence, unless the controller or processor is a public authority exercising public powers of a Member State.
These provisions are contained in Article 79 of the Regulation.
Imperial Dental applies IT, organizational, and technical measures during data processing to ensure data protection. In the event of a data breach, the supervisory authority and, if necessary, the data subjects will be notified in accordance with applicable laws.
Budapest, 1 July 2025
V. INFORMATION ON THE RIGHTS OF THE DATA SUBJECT
Information on the rights of the data subject
Summary of the data subject’s rights:
a. Transparent information, communication, and facilitation of the exercise of the data subject’s rights;
b. Right to prior information – if personal data are collected from the data subject;
c. Information to the data subject and provision of information if the personal data were not obtained directly from the data subject by the data controller;
d. Right of access by the data subject;
e. Right to rectification;
f. Right to erasure (“right to be forgotten”);
g. Right to restriction of processing;
h. Obligation to notify about rectification or erasure of personal data or restriction of processing;
i. Right to data portability;
j. Right to object;
k. Rights related to automated decision-making in individual cases, including profiling;
l. Limitations;
m. Information to the data subject regarding data breaches;
n. Right to lodge a complaint with a supervisory authority (right to administrative remedy);
o. Right to an effective judicial remedy against a supervisory authority;
p. Right to an effective judicial remedy against the data controller or data processor.
Detailed rights of the data subject:
Transparent information, communication and facilitation of the exercise of the data subject’s rights
The data controller shall provide the data subject with all information and each notification relating to the processing of personal data in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, particularly where any information is addressed specifically to a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. Upon request of the data subject, the information may also be provided orally, provided the identity of the data subject is proven by other means.
The data controller shall facilitate the exercise of the data subject’s rights.
The data controller shall inform the data subject without undue delay and in any event within one month of receipt of the request about the measures taken in response to the request for exercising their rights. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests, provided that the data subject is informed of such extension within one month of receipt of the request.
If the data controller does not take action on the request of the data subject, the data controller shall inform the data subject without delay and at the latest within one month of receipt of the request about the reasons for not taking action, and about the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
The data controller shall provide the information and communication relating to the data subject’s rights free of charge; however, a reasonable fee may be charged where the requests are manifestly unfounded or excessive, as provided for by the Regulation.
Detailed rules are set out under Article 12 of the Regulation.
Right to prior information – where personal data are collected from the data subject
The data subject shall have the right to be informed about the facts and circumstances related to data processing prior to the commencement of such processing. In this regard, the data subject shall be informed of:
a. The identity and contact details of the data controller and, where applicable, of the controller’s representative;
b. The contact details of the data protection officer, if applicable;
c. The purposes of the intended processing and the legal basis of the processing;
d. In case of processing based on legitimate interests, the legitimate interests pursued by the controller or a third party;
e. The recipients or categories of recipients of the personal data, if any;
To ensure fair and transparent processing, the data controller shall also inform the data subject of the following additional information:
a. The period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period;
b. The data subject’s right to request access to and rectification or erasure of personal data or restriction of processing concerning the data subject, and the right to object to such processing, as well as the right to data portability;
c. Where the processing is based on consent, the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
d. The right to lodge a complaint with a supervisory authority;
e. Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as the possible consequences of failure to provide such data;
f. The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved and the significance and the envisaged consequences of such processing for the data subject.
Where the data controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the data controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant additional information.
The detailed rules on the right to prior information are laid down in Article 13 of the Regulation.
Information to the data subject and information to be provided if the personal data were not obtained from the data subject
If the data controller did not obtain the personal data from the data subject, the controller shall provide the data subject with the information referred to in the previous section no later than one month after obtaining the personal data; if the personal data are used for contacting the data subject, at the latest upon the first communication with the data subject; or if the data are to be disclosed to another recipient, at the latest when the personal data are first disclosed. This information shall include the categories of personal data concerned, the source of the personal data, and, if applicable, whether the data come from publicly accessible sources.
The further rules are governed by the provisions laid down in the previous section (Right to prior information).
Detailed rules on this information obligation are set out in Article 14 of the Regulation.
The data controller shall provide the information and communication relating to the data subject’s rights free of charge; however, a reasonable fee may be charged where the requests are manifestly unfounded or excessive as provided for by the Regulation.
Detailed rules are set out under Article 12 of the Regulation.
Right to prior information – where personal data are collected from the data subject
The data subject shall have the right to be informed about the facts and circumstances related to data processing prior to the commencement of such processing. In this regard, the data subject shall be informed of:
a. The identity and contact details of the data controller and, where applicable, of the controller’s representative;
b. The contact details of the data protection officer, if applicable;
c. The purposes of the intended processing and the legal basis of the processing;
d. In case of processing based on legitimate interests, the legitimate interests pursued by the controller or a third party;
e. The recipients or categories of recipients of the personal data, if any.
To ensure fair and transparent processing, the data controller shall also inform the data subject of the following additional information:
a. The period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period;
b. The data subject’s right to request access to and rectification or erasure of personal data or restriction of processing concerning the data subject, and the right to object to such processing, as well as the right to data portability;
c. Where the processing is based on consent, the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
d. The right to lodge a complaint with a supervisory authority;
e. Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as the possible consequences of failure to provide such data;
f. The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved and the significance and the envisaged consequences of such processing for the data subject.
Where the data controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the data controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant additional information.
The detailed rules on the right to prior information are laid down in Article 13 of the Regulation.
Information to the data subject and information to be provided if the personal data were not obtained from the data subject
If the data controller did not obtain the personal data from the data subject, the controller shall provide the data subject with the information referred to in the previous section no later than one month after obtaining the personal data; if the personal data are used for contacting the data subject, at the latest upon the first communication with the data subject; or if the data are to be disclosed to another recipient, at the latest when the personal data are first disclosed. This information shall include the categories of personal data concerned, the source of the personal data, and, if applicable, whether the data come from publicly accessible sources.
The further rules are governed by the provisions laid down in the previous section (Right to prior information).
Detailed rules on this information obligation are set out in Article 14 of the Regulation.
Right of access of the data subject
The data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the related information referred to in points 8-9 of this chapter (Article 15 of the Regulation).
Where personal data are transferred to a third country or to an international organization, the data subject has the right to be informed about the appropriate safeguards pursuant to Article 46 of the Regulation.
The data controller shall provide a copy of the personal data undergoing processing to the data subject. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
Detailed rules on the right of access are set out in Article 15 of the Regulation.
Right to rectification
The data subject has the right to have inaccurate personal data concerning them rectified by the data controller without undue delay upon request.
Considering the purpose of processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
These rules are set out in Article 16 of the Regulation.
Right to erasure (“right to be forgotten”)
The data subject has the right to obtain from the data controller the erasure of personal data concerning them without undue delay, and the controller shall be obliged to erase personal data concerning the data subject without undue delay if:
a. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b. the data subject withdraws consent on which the processing is based and there is no other legal ground for processing;
c. the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
d. the personal data have been unlawfully processed;
e. the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject;
f. the personal data have been collected in relation to the offer of information society services directly to a child.
The right to erasure shall not apply if processing is necessary for:
a. exercising the right of freedom of expression and information;
b. compliance with a legal obligation or the performance of a task carried out in the public interest or in the exercise of official authority;
c. reasons of public health;
d. archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of those objectives;
e. establishment, exercise, or defense of legal claims.
Detailed rules on the right to erasure are contained in Article 17 of the Regulation.
Right to restriction of processing
Where processing is restricted, such personal data may be processed only with the data subject’s consent or for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person, or for important public interest of the Union or a Member State, except for storage.
The data subject has the right to obtain restriction of processing from the data controller if one of the following applies:
a. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy;
b. the processing is unlawful and the data subject opposes erasure and requests restriction instead;
c. the controller no longer needs the personal data for processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
d. the data subject has objected to processing pending verification whether the controller’s legitimate grounds override those of the data subject.
The data subject shall be informed before the restriction of processing is lifted.
Relevant rules are contained in Article 18 of the Regulation.
Notification obligation related to rectification, erasure or restriction of processing
The data controller shall communicate any rectification, erasure, or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. Upon request, the data subject shall be informed about those recipients.
These rules are set out in Article 19 of the Regulation.
Right to Data Portability
Under the conditions set out in the Regulation, the data subject shall have the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another data controller without hindrance from the controller to whom the personal data were provided, if:
a. the processing is based on consent or on a contract; and
b. the processing is carried out by automated means.
The data subject may also request the direct transmission of personal data between data controllers.
Exercising the right to data portability shall not adversely affect the rights and freedoms of others and shall not infringe Article 17 of the Regulation (Right to erasure, “right to be forgotten”). The right to data portability shall not apply where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
Detailed rules are set out in Article 20 of the Regulation.
Right to Object
The data subject shall have the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them based on public interest, the exercise of official authority (Article 6(1)(e)), or legitimate interests pursued by the controller (Article 6(1)(f)), including profiling based on those provisions. In such cases, the controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning them for such marketing, including profiling to the extent that it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
The data subject shall be explicitly informed of their right to object no later than at the first communication with the data subject, and this information shall be presented clearly and separately from other information.
The data subject may exercise the right to object by automated means based on technical specifications.
Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject shall have the right to object, on grounds relating to their particular situation, to the processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Automated Decision-Making in Individual Cases, Including Profiling
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
This right shall not apply if the decision:
a. is necessary for entering into or performance of a contract between the data subject and the controller;
b. is authorized by Union or Member State law to which the controller is subject, which also lays down suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interests; or
c. is based on the explicit consent of the data subject.
In the cases mentioned under points (a) and (c), the controller shall implement suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interests, including at least the right to obtain human intervention from the controller, to express their point of view, and to contest the decision.
Further rules are contained in Article 22 of the Regulation.
Restrictions
Union or Member State law may restrict the scope of rights and obligations (Articles 12–22, 34, and 5 of the Regulation) applicable to the controller or processor by legislative measures, provided that such restrictions respect the essence of fundamental rights and freedoms.
The conditions for such restrictions are set out in Article 23 of the Regulation.
Information to the Data Subject About a Personal Data Breach
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The communication shall describe the nature of the personal data breach clearly and in an understandable manner and include at least:
a. the name and contact details of the data protection officer or other contact point where more information can be obtained;
b. the likely consequences of the personal data breach;
c. the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The data subject need not be informed if any of the following conditions are met:
a. the controller has implemented appropriate technical and organizational protection measures, such as encryption, which were applied to the data affected by the breach;
b. the controller has taken subsequent measures to ensure the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
c. communication would involve disproportionate effort. In such cases, a public communication or similar measure shall be made to inform the data subjects effectively.
Further provisions are contained in Article 34 of the Regulation.
Right to Lodge a Complaint with a Supervisory Authority (Right to Administrative Remedy)
The data subject shall have the right to lodge a complaint with a supervisory authority, particularly in the Member State of their habitual residence, place of work, or place of the alleged infringement, if the data subject considers that the processing of their personal data infringes the Regulation. The supervisory authority with which the complaint is lodged shall inform the complainant about the progress and outcome of the complaint, including the right to an effective judicial remedy.
These rules are contained in Article 77 of the Regulation.
If the data subject believes that their personal data processing does not comply with applicable laws, they may complain to the data controller or contact the supervisory authority:
National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1055 Budapest, Falk Miksa utca 9–11.
Phone: +36 1 391 1400
Email: ugyfelszolgalat@naih.hu
Website: www.naih.hu
Complaints related to the data processing practices of DMC can also be submitted directly to:
Duna Medical Center Ltd.
Address: 1095 Budapest, Lechner Ödön fasor 5.
Right to an Effective Judicial Remedy Against a Supervisory Authority
Without prejudice to any other administrative or non-judicial remedies, every natural or legal person shall have the right to an effective judicial remedy against legally binding decisions of a supervisory authority concerning them.
Without prejudice to any other administrative or non-judicial remedies, every data subject shall have the right to an effective judicial remedy if the competent supervisory authority does not deal with a complaint or fails to inform the data subject within three months about the progress or outcome of the complaint.
Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority has its seat.
Where proceedings are brought against a decision of a supervisory authority in relation to which the Board has issued an opinion or decision within the consistency mechanism, the supervisory authority shall submit that opinion or decision to the court.
These provisions are contained in Article 78 of the Regulation.
Right to an Effective Judicial Remedy Against the Controller or Processor
Without prejudice to available administrative or non-judicial remedies, including the right to complain to a supervisory authority, every data subject shall have the right to an effective judicial remedy if they consider that their rights under the Regulation have been infringed as a result of the non-compliant processing of their personal data.
Proceedings against a controller or processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Such proceedings may also be brought before the courts of the Member State where the data subject has their habitual residence, unless the controller or processor is a public authority exercising public powers of a Member State.
These provisions are contained in Article 79 of the Regulation.
Imperial Dental applies IT, organizational, and technical measures during data processing to ensure data protection. In the event of a data breach, the supervisory authority and, if necessary, the data subjects will be notified in accordance with applicable laws.
Budapest, 1 July 2025