Data processing policy
We would like to inform you about the data processing involving you, carried out by our service provider (that is, the recording, collection, storage, organisation, querying, use, modification, erasure, transmission, etc. of information concerning you and related to your health status) below. Where appropriate, certain information may also apply, mutatis mutandis, to persons who can be lawfully informed or are entitled to make a statement instead of you or together with you (e.g. certain relatives). By coming to know this notice you expressly acknowledge the contents of this notice through implied action by using our services and consent to the continued processing of your data as necessary. Nevertheless, we may request your written consent where appropriate.
Our data processing practice may change over time due to possible changes in the law and in our activities. Therefore, you are kindly requested to periodically check and review the possibly modified notice during your visits.
Name and address of the healthcare provider attending to you, which is considered a controller, and contact data of its representative:
GÉNLABOR Egészségügyi Kft., 1147 Budapest, Csömöri út 18. Managing director: Dr. Tünde Szobonya, Phone: +36 30 434 17 44
Name and contact information of our data protection officer (whom you can directly contact in data protection matters):
Dr. Péter Hanti, Inspekció 99 Bt., 8000 Székesfehérvár Szekfű Gy. u. 7. email@example.com, +36 30 5005 395
Scope of processed data: health data detected, examined, measured or derived from your connected personal data, which are considered relevant by the recording healthcare worker for the use of the given healthcare service, regardless of which lawful source they originate from (including any information coming from deductions that can be made from other data). Obviously, we process historical data produced earlier to the extent necessary to provide the healthcare. As regards your publicly financed care, your health data are obviously linked to and processed together with your social security number (TAJ number). If considered professionally justified by the patient care provider, it may make image, video and audio recordings following your prior information, if necessary, in a way and to the extent not violating your personal rights and may make such recordings available to you (e.g. in the form of photos made by you about your own physical deformations). Given the nature of the healthcare, information concerning others (so-called third persons outside the relationship between our service provider and you) may also be included in the data processed in the interest of your treatment and care, including where you disclose information about others (the adequacy of such data is ensured by you to a reasonable extent). This also applies to special data (such as, for example, information related to the health status, which are also called sensitive data).
From your personal and identification data, in particular the following data will be recorded as necessary: name, gender, home address, date of birth and place of birth, birth name, mother’s name, place of stay, contact information (e.g. telephone, email), social security number, number, date and expiry of the document certifying public healthcare eligibility.
From your health data, in particular the following data will be recorded in the way and to the extent necessary for your care: anamnesis, dates and results of medical tests; diagnoses, risk factors, vaccines, fact and dates of consent to or refusal of certain health services; dates and events of interventions and treatments; medicine or other allergies; results of certain aptitude tests; content of the information received; other circumstances relevantly affecting the health status and its care (e.g. family-social conditions, disability, sports and recreational activities). Obviously, we process particularly sensitive data, included in your health data, if necessary (e.g. gynaecological, urinary-genital, sexual life-related, mental-psychological-psychiatric, pathological addiction-related, etc. data). The documentation also includes, in particular, any other test findings, data of consultations, treatment documentation, histology findings and imaging diagnostic recordings.
Where the use of publicly financed services, medicines or medical supplies or medical care (spa, medicinal swimming for children) is prescribed on a physician’s prescription (subsidized by the social security), we need to ask a number of special written statements from you pursuant to the legal requirements, which we keep as part of the records (your attending physician gives you more information about these).
In addition to the data recorded based on legal requirements, the processing also involves datasets that are necessary, reasonable and justified based on the professional regulations, which are defined by the patient care provider: such data processing, which is not prohibited by the law and does not violate the patients’ rights (involving the inclusion of professionally established statements of fact in documentations) shall not violate your personal rights and, in fact, serves your proper care.
Unless we apply another way of data recording (e.g. we record a telephone call), the contents of any exchange of information with you through any electronic channel (e.g. telephone call, e-mails) may be recorded in your documentation (e.g. the essence of information and advice given on the telephone).
Purpose of processing: Basically, the provision of healthcare to patients and the recipients of service (that is, you) (linked to any public health and epidemiological purposes affecting you or others). In this respect, the enforcement of your (patient’s) rights. It is in the interests of your health care (so it should be included here) if we can provide you information at the contact details you provided about free health maintenance and assessment events and opportunities that may be of public interest and aim at prevention and screening (a separate declaration is required). The quality assurance of healthcare and the analysis of patient pathways can also be legitimate data processing purposes.
Data concerning certain diseases are processed by the so-called state disease registers for public health purposes.
If necessary, official proceedings and legality-professional audits may also serve as the basis of processing your data.
If you undergo certain aptitude tests, the determination of your aptitude for the given activity may also be a purpose of using your data.
In the case of any other data processing, which is not related to the above, is not mandatory or anonymous, we give you separate information about the purpose thereof and ask for your separate consent (in writing, if necessary) (e.g. if our service provider would like to send you advertising material through electronic channels).
Bases of processing:
- a) Basically we process your data based on your voluntary consent, which should be considered granted by implied consent when you voluntarily make use of our service (simply by disclosing your data to us) (Section 12 of Act XLVII of 1997). Should you refuse or reject providing your data, whether in whole or in part, your proper healthcare service may become wholly or partly impossible. In case of urgency (which we must assume in all cases until we ascertain that there is no emergency) or in the absence of discretionary capacity (e.g. unconsciousness, impaired consciousness) we also presume that you consent to processing based on the above Act (in this case, we can provide any information only in part or afterwards).
- b) It may happen that the law specifically requires that you disclose your data or the recording/storage/transfer thereof. Such cases include, in particular, the following:
- ba) Work accidents, official notification of certain occupational diseases or infectious diseases (and the suspicion thereof), official notification of the results of certain screening tests, processing related to certain aptitude tests, notification of acute poisoning; complying with the requests of the competent authorities; interests of the care of the foetus and the child (Sections 13 and 15/A of Act XLVII of 1997). In the case of certain diseases that are typically sexually transferred, anonymous reporting to the authority, but we may also request naming the contacts (from whom you received or to whom you transferred the disease). Tuberculosis (TBC) should be highlighted, upon the occurrence of which we transfer data to the competent TB centre (Section 21 of Decree NM 18/1998. (VI. 3)).
- bb) Processing is also mandatory especially if you are not fully able to act and are unable to refuse the healthcare service itself or the necessarily related data processing, either (Section 20 (1) of Act CLIV of 1997);
- bc) For the same reason, if your life is in (direct) danger (Section 17 (2) of Act CLIV of 1997); if your condition or the absence of care jeopardizes others (Section 17 (2) a) of Act CLIV of 1997); or if you need emergency or compulsory psychiatric treatment (Sections 199-200 of Act CLIV of 1997).
It is also possible that the processing that used to be mandatory becomes voluntary and vice versa; your rights will be adapted accordingly.
- c) Processing based on the balancing of interests:
- ca) Exceptionally, data processing may be based on the need to protect your vital interests, in particular in the case of urgency or threatening condition or in order to execute our tasks of public interest, or the overriding legitimate interests of our service provider or other persons (Section 6 of Act CXII of 2011).
- cb) Data processing may also take place if obtaining your consent would be impossible or involve disproportionate cost (in order to fulfil our obligations and in the overriding legitimate interest of our service provider or another person). We may process your data to the necessary extent also if you are incapacitated or unable to consent to the processing in a proper form for other reasons (and there is no other person entitled to give it): in order to protect your vital interests or those of others or to protect life, physical integrity or property (or to prevent such emergencies) (Section 6 of Act CXII of 2011).
- cc) Your data may be processed also after the withdrawal of your consent to enable our service provider to fulfil its obligations and enforce its legitimate interests (Section 6 of Act CXII of 2011).
In the case of such processing based on the balancing of interests, we will inform you how the legitimate interests of our service provider or others relate to your legitimate interests and if the former should be given priority, the processing will take place on that basis.
- d) Lastly, processing may also be based on the fulfilment of the contract (e.g. for attendance or care) in place between us (this may typically overlap the previous three).
The sources of the data can be: You, other persons who lawfully disclose information about you, including other patient care or healthcare providers; documents concerning your previous healthcare services; separate systems storing information about you (e.g. National e-Health Infrastructure – see below).
Scope of persons entitled to come to know that data and transfer them inter se but subject to confidentiality without a time limit: healthcare providers involved in or contributing to your treatment and any healthcare workers employed by them in any kind of relationship (patient care attending physicians, psychologists, skilled health workers providing care, other persons and providers engaged in activities related to your care, etc. You may obviously come to know their names, positions and special qualification, as well as their other public data and relationship to our provider, as they process your data). Your data unrelated to your care may be accessed only to the extent, in the manner and until it is necessary to verify if the information is linked to your current care. If a healthcare worker is substituted and you use his/her services, he/she will act as a lawful data controller with similar rights. If necessary, in particular, in the case of a complaint against the head of the service provider, the data protection officer (data protection manager), the IT specialist, the head supervising physician, the special quality assurance head physicians or professional field leaders, or healthcare workers, the competent ethics committee, the representatives of the competent health authority, the authorised employee of the health insurer, the patient’s right representative and the body employing him/her and its representatives, the medical expert body and the authorities may also come to know your (health) data in the necessary manner and extent.
Method of data processing: in hard copy and electronically (subject to the rules of the quality assurance system). In a number of cases, the law requires different forms for obtaining your certain statements (simple written form when we may ask for your signature; statement made by involving two witnesses; notarial deed), which become part of the records. Where two witnesses are required, the witnesses may not know the contents of your statement, but only certify that you signed the document or acknowledge the document to be yours in their presence.
Place of data processing: Typically, on electronic media and cardfile system at the registered address of our provider (address: 1147 Budapest, Csömöri út 18.).
Duration of data processing: We retain your health documentation stored by us for 30 years from the recording of the given data, for 50 years in the case of final reports, for 10 years in the case of diagnostic imaging recordings (e.g. X-ray) made after 1 January 2012, respectively for 30 days in the case of diagnostic imaging recordings made earlier (the same applies to your statement that you have come to know this notice and our data processing records, provided that they will be retained considering the longest duration data processing). As a rule, the documentation is destroyed after the expiry of the retention period.
Data are processed for 15 years by our data breach records, respectively for 20 years by our data transfer records. We process non-health data included in electronic mail or disclosed through your user account for no more than 5 years. Accounting documents are retained for 8 years. The National Health Insurance Data Controller (“NEAK”) processes the data transferred to it for 30 years.
Operated by the National Healthcare Services Centre (“ÁEEK”), the National e-Health Infrastructure (EESZT, see below) is a data processor that we are obliged to use and processes the data of medicine prescriptions and electronic referrals for 5 years. Other data are processed for 5 years from the patient’s death, and then are destroyed (for the details, see the section on the EESZT).
In the event that our provider terminates with a successor, the successor provider will be considered the data controller. In case we terminate without a successor, your data will be transferred to the competent state body. If our tasks are assumed by another provider, the data produced during the last 10 years will be transferred to that provider. In addition, we may transfer data to another provider based on your written consent.
You may access your data: in addition to the basic information on processing above (which you can come to know by viewing this information at any time, that is, automatically), you also have the right to be informed about specific rights recorded by us that pertain to you. You are entitled to dispose of your health data, while our provider disposes of the database storing the same. You receive oral information, may consult our records after prior consultation (as a rule, within 1 month of the receipt of your request) and may request a written copy thereof (in the case of health data, we obviously aim to provide it within the shortest possible time).
In the special care, you receive findings or a final report, unless you waive this right, which you can make once you have turned 16 years of age. (In the case of certain psychiatric disorders, this right may be restricted by the attending physician.) You may also access certain healthcare data through the client portal in the systems of the EESZT and the NEAK. Please note that you should involve a specialist, preferably your attending physician to interpret the findings. According to the rules of the profession, findings are not required to be directly interpretable by lay persons.
Once you have turned 16, you may authorise another person, making use of the two witnesses, whom we can inform about your data, who can consult the records about you and may request a copy thereof. Unless precluded from the age of 16, the parent/guardian is also informed about the minor. (You can independently consult the data of persons between 14 and 18 years of age and persons under guardianship due to limited capacity.) If you become incapacitated (unable to decide) or the court placed you under guardianship precluding ability, the person you have authorized earlier or, in the absence of such, your legal representative (guardian) or the persons in the order defined by the law (usually by the degree of relationship) may receive information and consult the data of their relative. If you wish and are in need, we inform the persons assisting you in the context of the so-called advocated decision-making. The patient’s rights representative may also act based on the authorisation of your relatives in case you are permanently handicapped.
You and the authorised persons on your behalf in the given case (they may include e.g. your agent, certain relatives (not automatically) or heir) may submit their request after identification: then we give them oral information about your data stored by us, allow consulting the same at the agreed place and time and issue electronic or paper-based copies thereof upon request. (Because we are not permitted by the law to release the original paper-based/physical health documents and cannot accept your own data carriers for IT security reasons and because of reasons of confidentiality concerning other patients, you can request a copy of the data concerning you only from us. Nevertheless, it is possible that you make photo or video documentation about the paper-based or displayed or optically displayed information concerning you by using your own device.) The issue of a copy is free of charge.
If the medical documentation concerning you includes data of others as well, as a rule, neither you nor the person authorised to act on your behalf may come to know them. Where the data request concerns a different patient’s documentation in which your data are also included (e.g. in the family anamnesis of your family, in the parent-child relationship, in reproductive processes or any other case where the patient concerned mentioned any information about you as a third person in any respect, which was recorded due to its importance), your written consent is required to transfer or release that part of the documentation. Otherwise, we must remove the data concerning you from the datasets to be released in such a manner. However, this is not possible in the case of certain official requests and mandatory data supply (exception: in a civil law litigation, data concerning sexually transferred infectious diseases may not be disclosed without your consent).
We seek the most accurate and high quality data processing but, if necessary, you may request rectification of your data.
If your request involves your health data and the competent health worker disagrees with it on professional grounds, your request and his/her professional opinion will be recorded in your documentation. (If we have lawfully transferred certain of your data to somewhere else, e.g. to other health providers who also attend to you, we notify those data controllers of the necessary rectification as well, however they are required to make the necessary or possible modifications.) The rectification must be done in the medical documentation in a way that the original data can be determined based on specific legal requirements.
You may also request restriction of data processing (data blocking) concerning you, so that we can carry out only certain operations on your data. In this case, as a rule, we only store your data during the restriction and will inform you once the restriction has been lifted. (If we have lawfully transferred certain of your data to somewhere else, e.g. to other health providers who also attend to you, we notify those data controllers of the necessary restriction as well, however they are required to make the restrictions necessary or possible there.)
You may request this in respect of your health data only subject to certain conditions (e.g. if you object to the processing or have requested erasure of your data, or there is a dispute if the processing is lawful): the health worker who recorded the data is authorised to decide what data need to be processed in order to provide appropriate healthcare service to you.
You are entitled to prohibit the flow of your data, whether in whole or in part, in particular with respect to the healthcare providers attending to you; your family doctor; the so-called patient pathway system of the health insurer (NEAK) or the National e-Health Infrastructure (EESZT) (see the relevant sections for details).
4. Withdrawal of consent
You may withdraw the consent you have given to processing, provided that your consent to earlier processing or the lawfulness of earlier processing will not be affected thereby.
You may withdraw your earlier consent to processing health data if you do not use any of the (voluntary) services of our service provider any more (as the absence of your data supply can make your healthcare services impossible). The validity of the consents to previous services will not be affected by this measure (we are permitted to stop processing your earlier data basically only after the expiry of the time limit provided for by law).
You may request the complete and final erasure of your data as well. (If we have lawfully transferred certain of your data to somewhere else, we notify those data controllers of the necessary data erasure as well, however they are required to make the data erasure necessary or possible there.)
You may request erasure of your data in relation to your health data only with limitations: Basically, if the mandatory retention period required by the law has already expired. We must carry out the deletion in the medical documentation in a way that the original data can be established on the basis of a special legal requirement.
You may object to the processing of your data that you believe is unlawful at our service provider.
As regards your healthcare service, please note that our data processing obligations are set out by a wide range of strict legal regulations. Hence, your objection can be considered with respect to services used voluntarily and may prevent the provision of subsequent services. The methods of data processing and documentation are determined by the service provider within the confines of law.
For more information about the possibilities to object, please proceed to the section on data transfer.
7. Data portability
Your right to data portability may only be enforced if automated data processing takes place.
As regards health data, it may in addition necessarily be enforced only if the healthcare providers concerned use compatible computer systems that are able to directly send and receive data between them electronically or via data carriers. In such cases, the designated dataset based on your express request and consent will be transferred (which does not affect the obligation of the transferring service provider to retain the data). If certain healthcare providers who attend to you have joined the National e-Health Infrastructure (EESZT), they may reciprocally process the data contained therein within certain limits to be defined by you.
8. Legal redress
Where it is legally possible, your requests above will be fulfilled within one month, which may be extended by two months where appropriate. In case of failure or in case of a violation of your rights above, you may seek legal redress as well: You may submit your complaint to our service provider (data protection officer), or to the National Authority for Data Protection and Freedom of Information (NAIH, www.naih.hu, firstname.lastname@example.org, 1125 Budapest, Szilágyi Erzsébet fasor 22/c., Phone: +36 1 391 1400). You may seek legal redress against our response rejecting your request at the regional court competent for your home address or place of stay within 30 days of the receipt thereof (in case of a violation of your personal rights, you may claim restitution).
9. Non-disclosure. Confidentiality
We are subject to a confidentiality obligation with respect to your data produced by us or delivered in any manner to us. We process them in an integrated manner and confidentially. Confidentiality may be lifted only by you, by the (written) instruction of any other person authorised to make a declaration on your behalf, or by the law. (Confidentiality also applies to the service conditions.) Such a requirement lifting confidentiality can be, in particular, the official notification of (suspected) certain occupational diseases or infectious diseases, the official notification of the result of certain mandatory screening tests, the notification of acute poisoning, response to the requests of the competent authorities; the interests to attend to the foetus or the child.
We may provide information to you or another person enquiring on your behalf by telephone or through other electronic channels basically only if we can ascertain that it is indeed an authorised person who asks for the data. Otherwise, data and findings may be disclosed based on a written power of attorney given in the presence of two witnesses where a person other than you asks for the same (please attach your identity card showing your signature or a copy thereof; we will return and not keep it). If you request data from us in writing (e.g. by mail), we also ask that you send us a copy of your identification document, which we will return and not keep.
Obviously, in your interest, there is no obligation of confidentiality between the various service providers treating you, but you may prohibit this (however, this may prevent your treatment).
Unfortunately, for organisational and technical reasons, we are unable to ensure that you do not meet other patients when you visit our service provider (e.g. in the waiting rooms).
Such obligation may be lifted also by emergency (or the assumption thereof that has not been conclusively rebutted); the dangerous condition of you or other people; the protection of the life, physical integrity and health of others (in proportion to the interests), by applying the principle of good faith data processing. However, we will not be responsible, if, in spite of our lawful data processing and due to factors and circumstances independent of us, you and your data become suitable for being combined by third parties on the basis of the “data pattern” created about you.
If you are in need of care, we may disclose data to your close relatives or any persons obliged to provide care to you, without which your health status would deteriorate.
Your spouse, partner, lineal relative or sibling may request disclosure of certain data concerning you based on the law, but only for reasons affecting the health of such persons or their descendants or if it is necessary for the healthcare of such persons and it is not possible to access the required information otherwise (e.g. in the case of certain hereditary or infectious diseases).
Any of your attending physicians can access data concerning your publicly financed treatments in the IT system of NEAK (this is the so-called patient’s pathway). You can prohibit this, inter alia, through the client portal or the health insurer.
Should we want to present your case for training or retraining purposes, we can do it anonymously without your express consent.
If we issue a certificate, form, document, instrument or opinion as required by the law or at your request, which is forwarded to other persons/organisations, they may process the data contained therein, including your health data, only within the confines of law and your consent given to them (e.g. by presenting at your workplace the form issued by us that certifies your disability to work, the employer will necessarily come to know, based on the code therein, whether you are on sick leave because of pregnancy, sickness or accident; the codes that must be indicated in the vehicle driver’s aptitude test inform the authority/policeman that you wear contact lenses because of impaired vision). Our service provider is not responsible for such separate data processing.
For the exceptions to confidentiality, see also the section on mandatory data transfer.
For your safety, we take various measures to ensure your protection against accidental data modification or deliberate data modification, destruction, damage, public disclosure or unauthorized access. You can obtain more information on them in our policies to be made available upon request.
10. Access to Information of public interest
Our service provider has a valid and effective third-party liability insurance contract and an indefinite term operating licence.
Name and contact data of patient rights representative: Ingrid Lengyel, email@example.com +36 20 4899 609
Supervisory body: Government Office of Budapest-Capital, District XIV Office, Department of Public Health
Body competent in health mediation proceedings: Hungarian Chamber of Judicial Experts (1095 Budapest, Mester u. 30-32., Phone: +36 1 614 7739, e-mail: firstname.lastname@example.org).
You are required to verify your personal data in a credible way in order to make use of healthcare services.
If the right to access your data is based on a relationship with a relative or (co)habitation in the same household, the declaration required from him/her should be submitted in writing, witnessed by two persons. The rights of the person authorized to act on your behalf or along with you should be verified by presenting the appropriate documents if necessary and possible. [Pursuant to the law (Section 6:18 (2) of Act V of 2013), any person who, relying on his conduct and on the acts of the principal, is presumed under reasonable grounds to be authorized to make legal statements on behalf of the principal shall be construed as a representative.]
Based on the law, you are required to inform us, in the expectable manner and extent, however, realistically about everything that is necessary for establishing a diagnosis or preparing the appropriate treatment plan and carrying out the therapy and interventions, particularly, about any previous illness, medical treatment, the taking of any medicine or medicinal products, health risk factors and other relevant circumstances affecting your treatment. In conjunction with your medical condition, you should also inform us about everything that could jeopardize the life or physical safety of others, especially communicable diseases and diseases and conditions precluding the performance of specific occupations. In the case of certain contagious diseases, it is necessary to name the persons from whom you may have received the infectious disease or whom you may have infected.
You must also inform us about all prior legal statements affecting your healthcare services.
In certain situations, you may also become a data controller of health data with respect to (sensitive) information concerning other persons, e.g. discovery of inherited diseases in the family, search for the contacts of infectious diseases, psychotherapeutic couple and group therapies, when several patients/injured people are treated at the same time together with you in an emergency, and the conditions of confidential (data processing) cannot be ensured for objective reasons. In these cases, you will also be under a non-disclosure and confidential data processing obligation with respect to the secrets of other persons.
You must obtain explicit permission from any of our patient service providers if you wish to record any communication with it in person or through any other info-communication channel (e.g. telephone call) by means of a (motion) picture and/or audio recording or if you want to broadcast it to other persons. The purposes for which such recordings would be used must also be clarified in advance. You may only formulate an opinion before other people, particularly the public, the press, mass media or social media, which is well-founded and does not infringe the reputation of our service or the (professional) prestige, integrity or privacy rights of our healthcare workers without reason or foundation. You may not share the personal and sensitive data of our workers (that are not considered public for reasons in the public interest) without their prior consent.
Two or more healthcare service providers (patient service providers) that provide or contribute to the provision of treatment or healthcare service to you may transfer between each other, directly and reciprocally, information that is required for your care, is related thereto or can be professionally combined therewith either in hard copy or through electronic info-communication channels (e.g., referral, request for a consultation, by means of findings returned in any form and manner; by telephone, e-mail or other electronic data transmission) (obviously, the requesting patient care/attending physician is entitled to come to know the results of the service and the findings). You may prohibit such dataflow in writing (in this case, healthcare to you may become impossible). Your data unrelated to your care may be accessed only to the extent, in the manner and until it is necessary to verify if the information is linked to your current care. Based on the prescription/order form/job sheet issued to you, the pharmacy, entities engaged in the manufacture/repair/distribution of medicinal products and entities providing medicinal care (e.g. spa service), dental prosthetist provider, etc., and the healthcare worker lawfully employed there and also being under a confidentiality obligation, as well as those working in the healthcare, may also process your data as applicable. The separate healthcare service providers are considered separate data controllers, each of which has its own data processing policy. As a rule, they are not responsible for the processing of each other, and each service provider is required to inform you about its order of processing separately.
Also for your care, we record on medical prescriptions, referrals, orders, vouchers, etc. data required or permitted by the law and necessary for professional purposes. Any data may be indicated that does not violate the patient’s rights.
Dataflow between providers not involved in your care is permitted, exceptionally and in the necessary manner and extent, only where it is still required for your care.
Any organs, tissues or other biological matters removed from your body (e.g. blood sampling), except for genetic matters, for quality assurance purposes, which can no longer be used in your interest after its processing or the failure thereof (e.g. for setting up the diagnosis), may be used in an anonymous manner for testing compliance with the quality assurance requirements of diagnostic laboratories (reference, calibration tests), as well as for research or educational purposes. You may, however, object to this in writing.
Of the services received from us, we electronically upload data in the National e-Health Infrastructure, to which you may object with respect to all or certain data processing (see below).
- In many cases, the law provides for the mandatory data transfer. In particular:
- Official notification of accidents at work, certain occupational diseases or ailments.
- Official notification of (suspected) infectious diseases. (In some cases, you are obliged to undergo HIV screening. In the case of a positive result, your data must be transferred at the request of the competent health authority. As long as it is not mandatory, data are not transferred, not even in the case of anonymous screening.) In the case of infectious diseases of international significance, data about you must be transferred to the World Health Organisation (WHO) as well, which can lead to data transfer outside Europe. Some compulsory vaccinations are claimed from the competent authority and their use is reported by using your data.
- The results of certain mandatory screening tests must be notified to the authority and acute poisonings must also be reported to the competent bodies.
- We are obliged by the law to transfer your data combined with your identification data to the National Register of Congenital Disorders, the National Cancer Register and the National Heart Attack Registry if you have a disease related thereto.
- In case of violence or the threat of violence between relatives, we must notify the court of guardians (for minors, the consent of the parent is not necessary).
- If the condition of a minor is at risk/in order to prevent such risk, we must notify the child welfare service/guardianship authority (the parent’s consent is not required).
- If the injury/illness of the minor is believed to be a consequence of neglect/abuse (even if it is not considered serious), we must notify the child welfare service (the parent’s consent is not required).
- In the case of a serious injury (healing beyond 8 days), where it is suspected to be a consequence of a crime, we must notify the police (for minors, the parent’s consent is not required).
- In the case of social vulnerability or event of crisis, we must notify the family support service.
- As a rule, we must transfer your data to the following key bodies and persons at their written request, for legitimate purposes, if the scope of the requested data is specified:
- Public prosecutor’s office, Court, judicial expert.
- In criminal proceedings, the investigating authority (under certain conditions); the petty offence authority; public administration authority.
- National security service, counter-terrorist service.
- In order to establish certain social/social security benefits/subsidies or discounts, the medical expert body may address your attending physician (basically, they process your data for 5 years).
- For ethics proceedings, the competent body of the professional chamber.
In the case of a (presumed) adverse drug reaction, we must report your personal data, replaced by a code, to the pharmaceutical authority, the medicine distributor, who forward them to the European database (you may also submit a report).
Some authorities, bodies or entities are authorised to process personal data linked to health data only in a specific scope or case: e.g. ombudsman, State Audit Office, competition authority, home defence force, teaching/educational institutional system.
As a rule, we supply data anonymously for statistical purposes required by the law.
In addition, we may transfer data about you in relation to your personal data only based on your appropriate consent.
National e-Health Infrastructure (EESZT)
The EESZT is a high security electronic system managed centrally by a state body, which can be remotely accessed and allows IT-based healthcare data processing. The EESZT is operated by the National Healthcare Services Centre (ÁEEK, contact: 1125 Budapest Diós árok 3., Phone: +36 1 356 1522, email@example.com, https://e-egeszsegugy.gov.hu): they store on computer servers a number of data concerning any of your domestic healthcare services in order to allow eligible patient service providers to access and mutually come to know such data. (We may also transfer data at the request of the data protection officer of EESZT.) As a rule, the system stores data created after 1 November 2017, and the healthcare service providers operating in the public domain are obliged to connect to it.
You may prohibit uploading your data, whether in whole or in part, access by any or all healthcare service providers or patient care providers, or access to any or all your data, or data processing related to any or all your medical conditions in the Self-determination Record through the client portal or in person at a Government Window (the prohibition may adversely affect your healthcare owing to the lack of information) – your instruction is set within a day. The general prohibition can be lifted in an ad hoc written declaration made in the presence of the attending physician (which will be valid for 1 day). In addition, the necessary data may be known to the patient care providers in case of emergency or mandatory data processing (the patient care provider referring to such a condition is responsible for ensuring that such a condition prevails, as well as that it accesses data unrelated to your care only to the extent, in the manner and for the time as required to allow the determination whether the information is related to your current care). The data in the Self-determination Record are erased 5 years after the death of the data subject.
Your attending physician may enter in the Health Profile records, inter alia, warnings, your anamnesis, current problems or remarks concerning your way of life, possible pregnancy, blood-type, which can also be prohibited.
The documents of certain types of care are uploaded in the Medical Documentation Records within a few hours (final reports, findings, etc.). Your service providers may transfer the diagnostic imaging recordings made about you between each other, of which you may request notice in your client portal. The system keeps these for 30 days.
The technical data of the Central Event Catalogue records the technical details of your care (with the exception of primary dental care) for 5 years after the patient’s death.
As a rule, your attending physician will prescribe medicines to you on electronic prescriptions, which are retained by the pharmacy for 5 years and the ÁEEK for 30 years. Where appropriate, it is also possible to issue electronic referrals, which are retained by the system for 5 years. Data collected about certain types of diseases are transferred, in an anonymised form, to the Electronic Disease Register.
You can inspect the data concerning you in your client portal, as well as who retrieved them and when.
In the case of mandatory data transfers at the request of the authorities, which we receive and affect the dataset of EESZT, we notify the ÁEEK for the purpose of legal protection.
The ÁEEK is responsible for the regular functioning of the EESZT, and the Hungarian State is responsible for developing an operating framework that does not violate your fundamental rights and rights set out in international conventions.
Processing of genetic data
In order to process data related to the performance of so-called human genetics tests and clinical genetics tests, we request a written consent made in the presence of two witnesses.
In relation to your test data, you will receive information about any possible consequences affecting your relatives and the method of storing the genetic samples and the data that can be derived from them, as well as if they can be combined with you (if you can be identified).
Your genetic samples and the resulting information are processed and stored in a way allowing identification. Such human genetics (clinical genetics) test and the related data processing can, in respect of you, have disease-prevention, diagnostic, therapeutic or rehabilitative purposes. You may withdraw your consent given to the processing of your genetic data at any time. You can also request that the sample and all resulting data be destroyed, provided that the samples and the data may be further processed in the interest of certain close relatives of yours.
If your (genetic) test data suggest that your relatives are (may be) affected by the risk of any inherited or inheritable disease or your conditions can put others at risk, they (certain close relatives of yours) are entitled to be informed about this to the strictly necessary extent, which can inevitably affect your own health (genetic) data as well. They may come to know such data in the framework of genetic consulting (to prevent their illness, to learn about the nature or treatment of the disease, as well as to judge the risk of sickness concerning their offspring).
You may waive becoming aware of your genetic data, whether in whole or in part, in a written declaration at any time. However, if you change your mind, this statement may also be withdrawn at any time without restriction.
You can object to taking and examining genetic samples from your body after your death, or carrying out research on them.
In case service providers outside Europe (the EEA) are used, your data will be transferred in coded form only and only if the law of the given country provides adequate data protection (the code key necessary for encoding and decoding the data, which makes them suitable for identification, will remain in our possession).
The persons and service providers listed in Appendix 1 perform data processing activities of a technical nature for the purposes of the data processing carried out by us and data are transferred to them, so there necessarily is a two-way personal and health data flow (they have their own data protection policies that we propose you consult).
If you provide and consent, we send you an electronic notice/reminder to your e-mail address or an SMS to your mobile telephone number about your appointments and we also send you training and support information/fact sheets related to your service/care.
All the above intermediary service providers have their own data protection policies – please consult them on their own websites.
We call your attention to the possibilities and limits of data processing and the risks of data security/data distortion/data loss through the electronic info-communication channels, especially the Internet, in particular with regard to technical performances and the errors that can occur. Our service provider disclaims liability in these respects as well as for any unforeseen technical problems and data breaches that may occur during the IT processes, as we are unable to fully control these processes and they are not fully within our control. In particular, any communications by electronic mail, telephone or other (electronic or tele)communications shall be exclusively at your own risk if you use these. After checking the eligibility, our service provider may reasonably rely on the assumption that the information comes from you or a person designated by you who is authorised to make a statement/disposal on your behalf, and that the information we send is received only by you or a person so authorised. We disclaim liability for any damage or disadvantage arising from any personal data or information considered sensitive data becoming public or accessible, as well as for any data distortion caused by any technical error of the data transfer.
The data processors named above are liable for their own activities carried out in the context of data processing, as we are unable to accept liability for the activities of other data processors used by you (your mailing system, your Internet service provider, your phone company, etc.) (remember e.g. when you first contact us by e-mail and voluntarily disclose health data about yourself or attach your findings).
The regularity of data processing by our service provider is not affected if you, your relative or any other person acting in your interest or any third party does not process data concerning you in a confidential manner or does not use such data professionally or as intended (including the failure to meet the obligation to give adequate good faith information or cooperate), or if the data processing is influenced by any third party (by any unlawful or negligent or abusive act or behaviour). We do not accept responsibility in these cases.
Data processing notice concerning the Internet website
Our website is using so-called “cookies” that are processed for Web analytics purposes as well. A cookie is a small file that contains a string and is placed on your computer when the user visits a Website. When visiting a given website (homepage), the website is able to detect the user’s browser by using the cookie. Cookies can store user preferences and other information as well. You can set your browser to reject all cookies or to prompt you when the system is sending a cookie. However, some Website features or services may not function properly without cookies. Later, you can delete the cookies in your browser, respectively, when browsing in the incognito mode, they are usually automatically deleted when you stop browsing.
Our website uses the Google Analytics web analytics service provided by Google. Google Analytics uses “cookies”, that is, text files placed on your computer in order to assist analysing the use of the website. The information concerning the use of the website generated by the cookies (including your IP address) is forwarded to and stored on the Google servers located in the United States of America. Google uses this information to evaluate your use of the website, compile reports on the activities carried out on the website to the websites’ operators, as well as provide other services related to the activities performed on the website and the use of the Internet, which also improve the usability of the website you visited. Google may also transfer this information to third parties, or where this is required by the law. For details about Google’s processing, visit the www.google.com site.
The website may also use so-called web beacons (pixel tags), which is a technological solution placed on the website (homepage) or the text of the e-mail to track certain activities (such as website views or the time of opening an e-mail). Web beacons are often used in combination with cookies as well.
The website can store browsing data in the browser’s Internet hosting location on the given device. Thus, the data are accessible also after the browser is closed and re-opened, unless you delete them in your browser settings.
The site may also use a so-called cache. The application data cache is a data storage location on the device. For example, you can run a web application without an Internet connection. In addition, it improves the application performance by loading the content faster.
Your visit will be logged on the computer server serving the site. This log will automatically record the sites retrieved by the users by visiting our websites. These “server logs” typically contain a web request, the so-called Internet Protocol address, the type and the language of the browser, the date and time of the retrieval and one or more cookies that can uniquely identify the browser. Each device with an Internet connection has a number, which is known as the Internet Protocol (IP) address. These numbers are generally allocated in blocks on the basis of geographical factors. Often, the IP address is used to determine the location from which a specific device (i.e. you) connects to the Internet. The website can manage as well.
By using this Internet site, you accept, by implied conduct, our data protection notice as well and voluntarily consent to the processing and transfer of your data in the manner and for the purposes defined above. Your consent does not trigger any fee or cost.
- The attending physician who prescribed medicine or medical aids to you informs you about other healing methods that can substitute the medication or the use of medical devices; about available lower priced medicines with the same active agent or similar therapeutic effect or lower-cost medical aids belonging to the same functional group, as well as the differences between the price, social security subsidy and usage fee of the given product, and their substitutability with each other.
- During the payment of the fees for the services we provide: regardless of the method of payment, we may access your banking/financial data only to the extent and in the manner required for the transaction (e.g. when paying by card, your name and certain data of your banking card obviously appear on our service provider’s bank account statement; if the health fund asks for an invoice, we come to know the fund in which you are a member, etc.). We call your attention to the fact that, in such cases, your bank will be necessarily informed about the fact of the payment and the identity of our service provider (i.e. that you obviously used some service with us, from which additional information may be deduced depending on the name of our service provider). If your care is financed through a health fund or a private insurer, we may process your data related to your status as a fund member/insured person there to the extent it is necessary to provide the service (e.g. what you are entitled to based on your insurance package, whether there is any insurance exclusion affecting your health status, etc.). If necessary, the performance certificate or invoice we issue informs the fund/private insurer about all the personal and health data related to the treatment with us, which it may process about you in this respect (health funds are independent data controllers with their own data protection policies – all this is regulated by relevant laws and the contract made with them).
If the invoice is paid by another entity instead of you (e.g. sponsor, charity organization), it will necessarily learn the contents of the invoice, but we may disclose information about your condition only based on your written authorisation.
We use a data processor to issue to you and book regular accounting receipts (invoices) required by the law (which typically contains your name and address). Pursuant to the law, the tax authorities may have access to such accounting documents. As a rule, the invoice does not contain itemised data concerning your care (which show the specific services, from which conclusions regarding your condition/illnesses could be drawn), unless you expressly request us to do so in writing.
Accounting records must be retained for 8 years based on the law.
- In order to settle any possible future (legal) dispute initiated by you, i.e. in your interest, our service provider, contributors, the healthcare workers involved in healthcare services are not subject, in the spirit of and to the extent required by good faith and the obligation to cooperate, to confidentiality in respect of your health data linked to your personal identification data before the competent official bodies and persons authorised to judge these matters, acting duly, and any liability insurer necessarily involved in such procedures, as well as any judicial expert and/or (legal) representative possibly invited by our service provider. To do this, we request your express consent.
List of our processors:
- Rendszerinformatika zRt (registered address: 1134 Budapest, Váci út 19. IV. em.; tax number: 23095942-2-41)
- Synlab Hungary Kft (registered address: 1065 Budapest, Bajcsy-Zsilinszky út 53. I. em.; tax number: 14872925-2-42)
- CORDEN INTERNATIONAL (Magyarország) Kft (registered address: 1117 Budapest, Fehérvári út 84/a.; tax number: 13270162-2-43)
- KARDI-SOFT INFORMATIKA Kft (registered address: 9024 Győr, Táncsics Mihály u. 43.; tax number: 23279526-1-08)
- Norbert Kriller, EV (registered address: 9061 Vámosszabadi, DUNA UTCA 51.; tax number: 67365069-1-28)