DATA PROTECTION POLICY

Introduction

The Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC prescribes that the controller shall take appropriate measures to provide any information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and furthermore the controller shall facilitate the exercise of data subject rights.

The Barzó-Medical Health Service Limited Liability Company (LLC.) as Controller informs the customers and the website’s and social network site’s visitors (hereinafter collectively as: the data subject(s)) that it respects the personal rights of the data subjects and therefore acts in accordance with the following data processing policy (hereinafter: the Policy). The Controller reserves the right to change the Policy due to the harmonization of the legal background and other internal regulations. The current electronic version of the Policy is available on the website www.barzopal.hu and it is also available on paper basis in the office at 6721 Szeged, Római boulevard 8., 4/8. Based on the abovementioned, the Controller considers the provisions of the Policy obligatory on himself and acts in accordance with them during its operation.

The Policy regulates the data management activities provided to the data subjects through the way or in the manner provided by the Controller and performed by the Controller.

Definitions

  • Personal data: means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • Data concerning health: according to the Article 3 point a) of the Act XLVII. of 1997, data relating to the physical and mental state of the concerned person, his/her pathological compulsive and the circumstances of the illness or death, the cause of death which is communicated by him/her or by someone else, or perceived, examined, measured or derived by the health care network; and any other data which can be related to the abovementioned. – According to the GDPS data concerning health: means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
  • Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • Processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • Dataset:The sum of the data processed in a register;
  • Recipient: means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
  • Consent of the data subject: means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;      
  • Third party: means a natural or legal person or body without legal personality, who is other than the data subject, controller or processor;
  • Personal data breach: Unlawful processing of personal data, in particular unauthorized access, modification, transmission, disclosure, deletion or destruction, and accidental destruction and damage;
  • Partner: Legal persons using the services of the Controller under a contract relationship and/or facilitating the performance of the services of the Controller (performance assistant) to which the Controller transfers or may transfer personal data with the consent of the data subject or which perform or may perform data storage, processing, connecting informatical and other safe data processing activities;
  • Coworker: A natural person who is in a personal-service-, employment-, or other legal relationship with the Controller, who is entrusted with the performance of the Controller’s services and comes or may come into contact with personal data during data processing tasks and for whose activities the Controller assumes full responsibility towards the data subjects and third parties.

Principles relating to processing of personal data

             The personal data:

a) Lawfulness, fairness and transparency: personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject

b) Purpose limitation: collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes

c) Data minimisation: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

d) Accuracy: accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay

e) Storage limitation: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject

f) Integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

g)Accountability: the controller shall be responsible for and be able to demonstrate in compliance with the above mentioned.

Personal data:

A Barzó-Medical Health Service Limited LLC. on the basis of prior and voluntary consent and only to the necessary extent and in all cases

In some cases, data processing is based on legal provisions, consequently it is mandatory, in such cases it draws the data subject’s attention to this fact. The legal basis of the data procession is the consent of the data subject.

The Controller is allowed to retrieve the patient data from the EESZT with the patient’s consent. The statement of consent is stored in the patient record.

By registering on the website, the Customer consents to the personal data procession.

 The Controller 

Contact of the Controller:

Name: Barzó-Medical Health Service LLC.

Representative: Dr. Barzó Pál executive

Headquaters: 6721 Szeged, Római krt. 8. 4/8.

Tax number: 29138867-1-06

Email: barzo.medical@gmail.com

Phone: +3630/6925050

Profile of the Controller:

–        neurosurgical medical service (0204 job code)

The purpose of the data protection policy

The purpose of this Policy is to define and comply with the basic principles and provisions concerning the processing of the data of natural persons who meet the Barzó-Medical Health Service LLC., as the Controller, in order to ensure the protection of the privacy of natural persons.

The further purpose of this policy is to ensure that the Controller can comply with the data protection provisions of the applicable legislation in all respects, in particular, but not exclusively to the –

Act LXVI of 1995 on the protection of public documents, public archive documents and private archive documents,

Act XLVII of 1997 on the protection and processing of data concerning health and the connecting personal data,

NM Decree 62/1997 (XII.21.) on the particular issues of processing of data concerning health and the connecting personal data,

Act CLIV of 1997 on the healthcare,

Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information and,

Regulation (EU) 2016/679 of the European Parliament and of the Council.

Lawfulness and purpose of data processing

 In compliance with the purpose of this policy, data processing shall be lawful only if and to the extent that at least one of the following applies:

a. the data subject has given prior and voluntary consent to the processing of his or her personal data for one or more specific purposes;

b. processing is necessary for compliance with a legal obligation to which the controller is subject;

c. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

d. processing is necessary in order to protect the vital interests of the data subject or of another natural person;

e. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

g. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

Explained the a-g points, the general purposes of data processing are as follows: Preparation, conclusion and execution of contracts concluded or to be concluded with the Controller, in particular

    • recording, storing and processing the data of the data subject in order to contact with them;
    • recording, storing and processing the data of the data subject in order to conclude a contract and the proof of the concluded contract;
    • processing the data of the data subject in order to guaranteeing the rights and the fulfilment of obligations arising from the contractual relationship;
    • processing of other data sets for the use of services of the Controller;
    • transfer of the data of the data subject to the Partner, if it is unavoidable, facilitates the service to the data subject and the data subject has given a prior consent for it.

The scope of the policy

The scope of the present proceedings extends to the whole staff of Barzó-Medical Health Service LLC, who carry out activities related to the processing and storage of personal data of patients and persons whose rights or legitimate interests are affected by the processing.

The scope of this Policy covers all data processing containing all personal data in all departments of the Controller, regardless of whether it is electronically and/or on a paper basis.

This Policy shall be applied from 1st April 2021 until further notice or withdrawal.

 

Data procession required for the operation of the company 

Personal data

Purpose of the data processing

1. Family name, given name and

identification, patient admission, curative-preventive activity, promoting effective care

2.Social security number (SSN)

identification, transmission of data to the EESZT

3. Email address

contact, sending records, information (it is not necessary to contain personal data, it depends on the patient’s will, whether provides an e-mail address that contains information about the person, identity)

4. Phone number

contact, information, sending SMS

5. Address and billing name and address

contact, identification; issuing a proper invoice, furthermore concluding contracts (employment), determination of its content, modification, monitoring compliance, billing of fees resulting from it, and enforcement of connecting claims of it

6. Comment, opinion

quality assurance

7. imaging diagnostic records

establishing diagnosis, curative-preventive activity, promoting effective care

Sensitive data

Purpose of the data processing

 Data concerning health

 facilitating medical treatment, establishing a correct diagnosis, consultations

 Term of data procession

Rules regarding the archiving the patients’ data by the Barzó-Medical Health Service LLC. is regulated by the Act CLIV of 1997 on healthcare. The medical records shall be preserved for at least 30 years from the date of data survey and final reports for at least 50 years. Recordings of the imaging diagnostic process – RTG, CT, MR, … etc. – shall be preserved for 10 years from the date of the recording. Medical records of the imaging diagnostic process shall be preserved for 30 years. Patient records shall be preserved after the patient’s death as well.

According to the Article 169 (2) of the Act C of 2000 on Accounting in the case of accounting document shall be preserved for 8 years, so these documents are kept in 8 years in a retrievable form.

The identity of the potential controllers entitled to access data, the recipients of the personal data. Personal data may be processed by the executive or the coworker responsible for data management who is entrusted by the executive.

The data subject (patient) may request the controller to access, correct, delete or restrict the processing of his/her personal data and can object to the processing of the personal data, and entitled to withdraw the consent at any time. The data subject shall demonstrably declare the fact of withdrawal and cancellation, and the Barzó-Medical Health Service LLC. will notify the data subject in writing of the implementation of the measure within 15 days from the request. In case of obstruction, it shall immediately inform the applicant of the fact of the obstruction and the exact date of the possibility of cancellation.

Place and security of data processing

  • Taking into account the state of the science, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The Barzó-Medical Health Service LLC. register the proceeded data of the patients to the used healthcare IT system at the beginning of the treatment, which system’s data protection adequacy is available.

The further used data with the consent of the patients (consultation) will be primarily stored on the company’s own data repository. All data is backed up in every 3 days to an external winchester. Data are protected against unauthorized access by providing unique username and password access on the machine, storage media and, in the case of cloud-based storage.

In the case of data on paper basis, the data is stored in closed lockers in a room where unauthorized access is not possible.

Data processing, data transmission and data transferring

If the Controller entrusts a third party with accounting, payroll, delivery tasks, and/or hosting/server services, system administration or other tasks that shall be regarded as data processing tasks, the data and tasks of the Partner as data processor will be defined in a separate contract. In this case, if the Controller uses a data processor, the following rules shall be observed and enforced:

  1. The Controller is responsible for the legality of the instructions concerning the data management operations for the data processor.
  2. Within the scope of activities of the data processor and within the framework defined by the Controller, the data processor is responsible for the processing, alteration, deletion, transmission and disclosure of personal data.
  3. The data processor shall not use any other data processor in the performance of data processing activities.
  4. The data processor shall not make a substantive decision concerning data processing, can process personal data only according to the provisions of the Controller, shall not process data for own purposes, and is obliged to store and preserve personal data in harmonization with the Controller’s provisions.
  5. According to the Article 22 (2) of the 2016/679 EU Regulation the Processor shall notify the controller without undue delay after becoming aware of a personal data breach.

The transfer of data and the connection of the database operated by the Controller to another Controller requires the consent of the data subject or the authorization of legislation. The data controller can transfer personal data only in the case if the legal basis is clear, its purpose and the identity of the recipient of the data transfer is specified. In the case of a data transfer allowed by the data subject’s consent, the data subject shall provide the statement in the knowledge of all the data involved in the data transfer, the recipient of the data transfer, the purpose and the expected time of data processing. The Controller is entitled to transfer the data specified by the data subject to its contractual Partners only in the case if the Controller has named the Partner to the data subject prior to the data transfer, has determined the expected data processing time and purpose and the data subject has consented to the data transfer. The Controller can also name the Partners by informing them, by making it available to the data subjects. The Data Controller can only transfer to the Partners those data which are allowed by the prior consent of the data subject. The Controller shall do everything expected from him in order to enforce the principles of data protection and to transfer as few data to the Partners, as possible which is appropriate for the purpose,

Accounting duties of the Barzó-Medical Health Service LLC is performed by the following company: Dr. Kiss László, Szeged, Lechner tér 14.

The data processing contract concluded with the accounting company is stored on a paper basis at the premise of the Barzó-Medical Health Service and can be viewed in-situ.

Website visiting data

             References and links:

  1. The Controller’s website may also contain such links which refer to pages that are not operated by the Controller but aiming to inform visitors. The Controller has no influence on the content and security of the websites operated by the partner companies and is therefore not responsible for them. Please review the Privacy Policy and Privacy Statement of the sites you visit before providing any information on that site in any form.
  2. Cookies: According to the Article 155 Section (4) of the Act C of 2003, which states „On the electronic communication terminal equipment of a subscriber or user, information may be stored, or accessed, only upon the user’s or subscriber’s prior consent granted in possession of clear and comprehensive information about implications.” Controller provides the following information in line with the analytical tools, with other names cookies used by him. The information package consisting of cookie letters and numbers that our website sends to your browser is intended to save certain of your settings, facilitate the use of our website and contribute to the collection of some relevant, statistical information about our visitors.

The cookie is an information package consisting of letters and numbers, which is sent by our website to your browser with the purpose to save certain of your settings, facilitate the use of our website and contribute to the collection of some relevant, statistical information about our visitors.

The Controller uses the following cookies, which purposes are defined below:

    1. Definitely necessary cookies. Such cookies are essential for the proper functioning of the website. Without accepting these cookies, the Data Controller cannot guarantee that the website will function as expected, nor that the user will have access to all the information sought by the user. Without accepting these cookies, the Controller cannot guarantee that the website will function as expected, nor that the user will have access to all the information sought by the user. These cookies do not collect personal data from the data subject or data which can be used for marketing purposes. By indicating possible errors, they can help the Controller to improve the website and present which are the most popular parts of the website. These cookies are essential for the use of the website and allow to use the basic functions of the website. Without these numerous functions of the site will not be available for you. The longevity of these cookies is limited only to the duration of the session.
    2. Functional cookies. These cookies ensure the consistent appearance of the website in harmonization with the needs of the given person and remember the settings chosen by the given person (for example: colour, font size, layout). The cookie also helps to improve the ergonomics of the website, to create a user-friendly website, in order to enhance the online experience of the visitors.

The Controller draws the attention of users to the fact that most of the Internet browsers automatically accept cookies, but visitors have the option to delete them or reject them automatically. Because each browser is different, the user can set their cookie preferences individually by using the browser toolbar. The Controller draws the attention of users to the fact that they may not be able to use certain features on the website if they choose not to accept cookies.

 Personal data breach

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

 The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and shall inform about the name and contact details of the data protection officer or other contact point where more information can be obtained, describe the likely consequences of the personal data breach, describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The communication to the data subject shall not be required if any of the following conditions are met:

  • the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach,
  • the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise
  • it would involve disproportionate effort.

In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so.

Notification of a personal data breach to the supervisory authority

 In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Compliant option

Complaints against possible breaches of the Controller can be filed to the Hungarian National Authority for Data Protection and Freedom of Information: Hungarian National Authority for Data Protection and Freedom of Information, 1125 Budapest, Szilágyi Erzsébet street 22/C. Postal address: 1530 Budapest, post-office box: 5. Phone:: +36 -1-391-1400 Fax: +36-1-391-1410 Email: ugyfelszolgalat@naih.hu, Web: http://www.naih.hu