A PRO GYNO-MED KFT ADATKEZELÉSI TÁJÉKOZTATÓJA

 

  1. 1. GENERAL PROVISIONS

As the operator of Villa Medicina, Pro gyno-med Kft., 1126 Budapest, Szendi utca 16. ensures in all cases the legality and expediency of data management with regard to the personal data it manages. The purpose of this information is that patients who make an appointment and provide their personal data can receive appropriate information about the conditions and guarantees and for how long their data will be processed by our company before making the reservation or providing their personal data. Our company adheres to the contents of this information sheet in all cases involving personal data management, and we consider what is described here mandatory for us.

At the same time, we reserve the right to change what is described in this unilateral legal statement, in which case we will inform the affected parties in advance ( www.villamedicina.hu) . Please, if you have any questions about the contents of this information sheet,write a letter (www.info@villamedicina.hu) to us. The data management of our company's activities is based on voluntary consent and legal authorization (cf. health legislation. (see point 3), and in some cases data management is necessary to take steps at the request of the data subject before concluding the contract.

Legal references for institutions providing health services:Legal references for institutions providing health services:

  • year CXII. Act on the right to self-determination of information and freedom of information (infotv.)
  • Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and on the repeal of Regulation 95/46/EC (general data protection regulation, GDPR);
  • Legal references for institutions providing health services:
  • Act V of the year on the Civil Code (Ptk.); CLIV of 1997 on health care. law
  • XLVII of 1997 on the management and protection of health and related personal data. law (Eüak)
  • Government Decree 44/2008 (II.29.) on the appointment of the body performing data management tasks in the event of the termination of the health documentation manager without a legal successor
  • 381/2016. (XII.2.) Government Decree on the Integrated Legal Protection Service
  • year CLXXII. Act on the amendment of certain laws on health and health insurance
  • Constitutional Court No. 15/1991 (IV.13.) decision
  • XXV of 2000 on chemical safety. law
  • XCV per year. Act - Medicines Act

The details and contact details of the data controller are as follows:
Name: Pro gyno-med Kft. (Villa Medicina)
Head office: 1126 Budapest, Szendi utca 16. (1124 Bp. Németvölgyi út 68.)
Company registration number: 01 09 717455
Phone number: +36 70 625 7975
E-mail:info@villamedicina. en

Name of data protection officer: Vanda Hajdinák.

Email address of Data Protection Officer: vhajdinak@villamedicina.hu

House rule

GENERAL TERMS AND CONDITIONS

Sweepstakes Rules

  1. Concept definitions

 

  1. "personal data": any information relating to an identified or identifiable natural person ("data subject"); a natural person can be identified directly or indirectly, in particular on the basis of an identifier such as name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person identifiable;
  2. "data management": any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as the collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or by making it available in other ways, coordinating or connecting, limiting, deleting or destroying;
  3. "data controller": the natural or legal person, public authority, agency or any other body that determines the purposes and means of processing personal data independently or together with others; if the purposes and means of data management are determined by EU or member state law, the data controller or the special aspects regarding the designation of the data controller may also be determined by EU or member state law;
  4. "data processor": the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller;
  5. "recipient": the natural or legal person, public authority, agency or any other body to whom the personal data is communicated, regardless of whether it is a third party. Public authorities that have access to personal data in accordance with EU or Member State law in the context of an individual investigation are not considered recipients; the management of said data by these public authorities must comply with the applicable data protection rules in accordance with the purposes of data management;
  6. “consent of the data subject”: a voluntary, specific and well-informed and clear declaration of the will of the data subject, with which the data subject indicates by means of a statement or an unmistakable act of confirmation that he/she consents to the processing of personal data concerning him/her;

"data protection incident": a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise handled. 3. Principles for handling personal data:

 
 

Personal data:

Personal data:

  1. it must be handled lawfully and fairly, as well as in a transparent manner for the data subject ("legality, fair procedure and transparency");
  2. should be collected only for specific, clear and legitimate purposes, and should not be handled in a manner incompatible with these purposes; in accordance with Article 89 (1), further data processing for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes is not considered incompatible with the original purpose ("purpose limitation");
  3. they must be appropriate and relevant in terms of the purposes of data management, and must be limited to what is necessary ("data economy");
  4. they must be accurate and, where necessary, up-to-date; all reasonable measures must be taken to promptly delete or correct personal data that is inaccurate for the purposes of data management ("accuracy");
  5. its storage must take place in a form that allows the identification of the data subjects only for the time necessary to achieve the goals of personal data management; personal data may be stored for a longer period only if the personal data will be processed in accordance with Article 89 (1) for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes, the rights of the data subjects and subject to the implementation of appropriate technical and organizational measures required to protect your freedoms ("restricted storage");
  6. its handling must be carried out in such a way that adequate security of personal data is ensured through the application of appropriate technical or organizational measures, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage of data ("integrity and confidentiality").

 

The data controller is responsible for compliance with the above, and must also be able to prove this compliance ("accountability").

We provide the following information regarding our individual data management.

 

  1. DATA MANAGEMENT RELATED TO ONLINE APPOINTMENT

Our company provides the opportunity to book an appointment online so that you can book an appointment with our doctors working at Villa Medicina in a quick, convenient and cost-free way.

Controller of personal data: Pro gyno-med Kft. 1126 Budapest, Szendi u. 16.

  1. The purpose of data management is: to make appointment booking easier, cost-free, and more efficient.
    Legal basis for data management: prior consent of the person booking the appointment.
    Scope of processed personal data: address; surname and first name; telephone number; e-mail address
    Duration of data management: two years after the date of the reservation (in some cases, due to legal obligations, it is not possible to delete health data. 30 or 50 years retention obligation - see Eüak.).
    Use of a data processor: our company uses the help of an IT service provider for the online accommodation system as follows.

Data processor name

Address

Data processing task description

Salonic International Kft.

1054 Budapest, Honvéd utca 8. 1. em. 2.

Providing the possibility of online appointment booking thanks to the Salonic system

By accepting this data management information, the data subject gives her express consent to the Data Processor using additional data processors in order to make the service more convenient and customized as follows:

Data processor name

Address

Data processing task description

KARDI-SOFT Orvosi Rendszerek Kft.

9024 Győr

Táncsics Mihály utca 43.

When using the DOKIREX medical system, performing customer management tasks

Possible consequences of failure to provide data: no contract for booking an appointment or regarding medical care.

The rights of the data subject: the data subject (the person whose personal data is managed by our company)

  1. you can request access to your personal data,
  2. you can request their correction,
  3. you can request their deletion,
  4. you can apply to limit the processing of personal data if the conditions set out in Article 18 of the GDPR exist (that is, that our company does not delete or destroy the data until a court or authority is consulted, but for a maximum of thirty days, and does not process the data for any other purpose beyond that) ,
  5. can object to the processing of personal data,
  6. you can exercise your right to data portability. Pursuant to the latter right, the data subject is entitled to receive his/her personal data in word or excel format, and is also entitled to have this data forwarded to another data controller by our company upon request.

Other information related to data management: our company takes all necessary technical and organizational measures in the event of a possible data protection incident (e.g. damage, disappearance of files containing personal data, unauthorized to avoid becoming accessible to him). In the event of an incident that does occur, we keep a register for the purpose of checking the necessary measures and informing the person concerned, which includes the range of personal data concerned, the range and number of persons affected by the data protection incident, the date, circumstances, effects of the data protection incident and the measures taken to prevent it, as well as the other data specified in the legislation prescribing data management.

Our company has entered into a data processing contract for the data processing tasks, in which Salonic International Kft. undertakes to obligatorily apply the data protection and data management guarantees required by the data processing contract in the case of using an additional data processor, in view of this, we also ensure the legal processing of personal data in the case of the data processor.

Date cancellation: If the Patient does not show up for the appointment or cancels it within 24 hours, the previously paid deposit (50% of the treatment price) no will be refunded!

 

 5. DATA MANAGEMENT IN CONNECTION WITH MEDICAL SERVICES

Our clinic enables appropriate medical care after providing various personal data.

Personal data manager: Pro gyno-med Kft., 1126 Budapest, Szendi u. 16.

Purpose of data management: medical care

Legal basis for data management: prior consent of the patient, GDPR Article 6 (1) point a), and data management prior to the conclusion of the contract by the data subject necessary to take steps at your request - GDPR Article 6 (1) point b
Scope of processed personal data: address; surname and first name; residential address (country, postal code, city, street, house number; telephone number; e-mail address; in the case of a business company, company name and seat, bank card number, EP card data (identification, name on the card), TAJ number
Duration of data management: thirty years after the date of medical care.
Use of a data processor: our company is the medical to operate the system, it uses the help of an IT service provider as follows.

Data processor name

Address

Data processing task description

KARDI-SOFT Orvosi Rendszerek Kft.

9024 Győr

Táncsics Mihály utca 43.

When using the DOKIREX medical system, performing customer management tasks, recording medical histories, and reporting findings

By accepting this data management information, the data subject gives her express consent to the Data Processor using additional data processors in order to make the service more convenient and customized as follows:

Data processor name

Address

Data processing task description

KBOSS.hu Kft.

1031 Budapest

Záhony utca 7.

Conducting the data communication required for payment transactions between the merchant and the payment service provider's system, ensuring the traceability of transactions for trading partners

Spektrum Lab Kft.

1038 Budapest, Papírgyár utca 58-59.

Human health laboratory service

Istenhegyi Géndiagnosztika Kft.

1125 Budapest Zalatnai u.2.

Human health laboratory service

Preventrend Diagnosztika Központ Kft.

HU-1148 Budapest, Bolgárkertész u. 56.

Other human health care screening test

HUMANCELL MCC Kft

1087 Budapest

Fiumei út 7.

Other human health care screening test

MEDSERV Egészségügyi Szolg. És Ker. Kft.

1112 Budapest, Süveg u. 10/B.

Provision of healthcare services, histological examination

New Era Genetics Kft.

1026 Budapest

Gábor Áron u. 74-78.

Other human health care screening test

Vascular Diagnostics Kft.

1095 Budapest, Lechner Ödön fasor 3. C. lház. 3. em. 1.

Other human health care screening test

Possible consequences of failure to provide data: no contract for booking an appointment or regarding medical care

The rights of the data subject: the data subject (the person whose personal data is managed by our company)

  1. you can request access to your personal data,
  2. you can request their correction,
  3. you can request their deletion,
  4. you can apply to limit the processing of personal data if the conditions set out in Article 18 of the GDPR exist (that is, that our company does not delete or destroy the data until a court or authority is consulted, but for a maximum of thirty days, and does not process the data for any other purpose beyond that) ,
  5. can object to the processing of personal data,
  6. you can exercise your right to data portability. Pursuant to the latter right, the data subject is entitled to receive his/her personal data in word or excel format, and is also entitled to have this data forwarded to another data controller by our company upon request.

Other information related to data management: our company takes all necessary technical and organizational measures in the event of a possible data protection incident (e.g. damage, disappearance of files containing personal data, unauthorized to avoid becoming accessible to him). In the event of an incident that does occur, we keep a register for the purpose of checking the necessary measures and informing the person concerned, which includes the range of personal data concerned, the range and number of persons affected by the data protection incident, the date, circumstances, effects of the data protection incident and the measures taken to prevent it, as well as the other data specified in the legislation prescribing data management.

Our company has entered into a data processing contract for the data processing tasks, in which KARDI-SOFT Medical Systems Kft. undertakes to obligatorily apply the data protection and data management guarantees required by the data processing contract in the case of using an additional data processor, taking into account the legal processing of personal data in the case of the data processor we also provide.

 

6. DATA MANAGEMENT IN CONNECTION WITH DIFFERENT MEDICAL SERVICES

Our clinic enables appropriate medical care after providing various personal data.

Controller of personal data: Pro gyno-med Kft. 1126 Budapest, Szendi u. 16.

Purpose of data management: medical care

Legal basis for data management: prior consent of the patient, GDPR Article 6 (1) point a), and data management prior to the conclusion of the contract by the data subject necessary to take steps at your request - GDPR Article 6 (1) point b

Scope of processed personal data: address; surname and first name; residential address (country, postal code, city, street, house number; telephone number; e-mail address; in the case of a business company, company name and registered office, bank card number, EP card data (identification, name on the card), TAJ number, medical history

Duration of data management: thirty years after the date of medical care. (In some cases, due to legal obligations, there is no way to delete health data. 30 or 50 years retention obligation - see Eüak.).
Use of a data processor: our company uses the help of an IT service provider to operate the medical system as follows.

Data processor name

Address

Data processing task description

KARDI-SOFT Orvosi Rendszerek Kft.

9024 Győr

Táncsics Mihály utca 43.

When using the DOKIREX medical system, performing customer management tasks, recording medical histories, and reporting findings

By accepting this data management information, the data subject gives her express consent to the Data Processor using additional data processors in order to make the service more convenient and customized as follows:

 

Data processor nameAddressData processing task description
Pro gyno-med kft.1124 Bp. Szendi u. 16.Management of data required for health care, medical examinations, and preparation of medical recommendations
Medical Express Betéti Társaság2053 Herceghalom, Széchenyi u. 5.Management of data required for health care, medical examinations, and preparation of medical recommendations
H P Diagnózis Bt.2890 Tata, Toldi Miklós u. 19. A ép.Management of data required for health care, medical examinations, and preparation of medical recommendations
Intermed Bt.1027 Bp. Horvát u. 28. fsz. 1.Management of data required for health care, medical examinations, and preparation of medical recommendations
Infertility Betéti Társaság4800 Vásárosnamény Dózsa György út 30.Management of data required for health care, medical examinations, and preparation of medical recommendations
INFENDO-med kft.2721 Pilis, Tölgyfa u. 15.Management of data required for health care, medical examinations, and preparation of medical recommendations
ZOÉ-MED Egészségügyi Kft.2330 Dunaharaszti, Fő út 84. A. ép. Fsz. 1. ajtóManagement of data required for health care, medical examinations, and preparation of medical recommendations

 

Possible consequences of failure to provide data: no contract for booking an appointment or regarding medical care

The rights of the data subject: the data subject (the person whose personal data is managed by our company)

  1. you can request access to your personal data,
  2. you can request their correction,
  3. you can request their deletion,
  4. you can apply to limit the processing of personal data if the conditions set out in Article 18 of the GDPR exist (that is, that our company does not delete or destroy the data until a court or authority is consulted, but for a maximum of thirty days, and does not process the data for any other purpose beyond that) ,
  5. can object to the processing of personal data,
  6. you can exercise your right to data portability. Pursuant to the latter right, the data subject is entitled to receive his/her personal data in word or excel format, and is also entitled to have this data forwarded to another data controller by our company upon request.

Other information related to data management: our company takes all necessary technical and organizational measures in the event of a possible data protection incident (e.g. damage, disappearance of files containing personal data, unauthorized to avoid becoming accessible to him). In the event of an incident that does occur, we keep a register for the purpose of checking the necessary measures and informing the person concerned, which includes the range of personal data concerned, the range and number of persons affected by the data protection incident, the date, circumstances, effects of the data protection incident and the measures taken to prevent it, as well as the other data specified in the legislation prescribing data management.

Our company has entered into a data processing contract for the data processing tasks, in which KARDI-SOFT Medical Systems Kft. undertakes to obligatorily apply the data protection and data management guarantees required by the data processing contract in the case of using an additional data processor, taking into account the legal processing of personal data in the case of the data processor we also provide.

 

 7. DATA MANAGEMENT IN CONNECTION WITH FINANCIAL SERVICES FOLLOWING MEDICAL CARE

Our clinic enables appropriate medical care after providing various personal data.

Controller of personal data: Pro gyno-med Kft. 1126 Budapest, Szendi u. 16.

Purpose of data management: performance of financial services following medical care

Legal basis for data management: prior consent of the patient, GDPR Article 6 (1) point a), and data management prior to the conclusion of the contract by the data subject necessary to take steps at your request - GDPR Article 6 (1) point b

Scope of processed personal data: surname and first name; residential address (country, postal code, city, street, house number; in the case of a business company, company name and registered office, bank card number, EP card data (identifier, name on the card), e-mail address in the case of an e-invoice

Duration of data management: eight years after the date of issue of the invoice

Using a data processor: our company uses the help of an IT service provider to operate the invoicing program as follows.

Data processor name

Address

Data processing task description

KBOSS.hu Kft.

1031 Budapest

Záhony utca 7.

Conducting the data communication required for payment transactions between the merchant and the payment service provider's system, ensuring the traceability of transactions for trading partners

By accepting this data management information, the data subject gives her express consent to the Data Processor using additional data processors in order to make the service more convenient and customized as follows:

Data processor name

Address

Data processing task description

2PM Bt. 

2093 Budajenő, Füzes utca 9.

Use of the accounting service following payment transactions

Generali Egészség- és Önsegélyező Pénztár

1066 Budapest, Teréz krt. 42-44.

Conducting the data communication required for payment transactions between the merchant and the payment service provider's system, customer service assistance for users, confirmation of transactions and fraud monitoring for the protection of users.

TEMPO Egészség- és Önsegélyező Pénztár

1025 Budapest II. Nagybányai út 92.

Conducting the data communication required for payment transactions between the merchant and the payment service provider's system, customer service assistance for users, confirmation of transactions and fraud monitoring for the protection of users.

Patika Zrt.

1022 Budapest, Bimbó út 18.

Conducting the data communication required for payment transactions between the merchant and the payment service provider's system, customer service assistance for users, confirmation of transactions and fraud monitoring for the protection of users.

OTP Országos Egészség és Önsegélyező Pénztár

1051 Bp. Mérleg u. 4.

Conducting the data communication required for payment transactions between the merchant and the payment service provider's system, customer service assistance for users, confirmation of transactions and fraud monitoring for the protection of users.

MKB-Pannónia Egészség és Önsegélyező Pénztár

1056 Bp. Váci u. 38.

Conducting the data communication required for payment transactions between the merchant and the payment service provider's system, customer service assistance for users, confirmation of transactions and fraud monitoring for the protection of users.

Prémium Egészségpénztár

1138 Bp. Dunavirág u. 2-6.

Conducting the data communication required for payment transactions between the merchant and the payment service provider's system, customer service assistance for users, confirmation of transactions and fraud monitoring for the protection of users.

Allianz Hungária Egészség- és Önsegélyező Pénztár

1087 Bp. Könyves Kálmán körút 48-52.

Conducting the data communication required for payment transactions between the merchant and the payment service provider's system, customer service assistance for users, confirmation of transactions and fraud monitoring for the protection of users.

Vitamin Egészségpénztár

1023 Budapest, Bécsi út 4.

Conducting the data communication required for payment transactions between the merchant and the payment service provider's system, customer service assistance for users, confirmation of transactions and fraud monitoring for the protection of users.

Medicina Egészségpénztár

1037 Bp. Montevideó u. 5.

Conducting the data communication required for payment transactions between the merchant and the payment service provider's system, customer service assistance for users, confirmation of transactions and fraud monitoring for the protection of users.

Vasutas Egészségpénztár

1144 Bp. Kőszeg u. 26.

Conducting the data communication required for payment transactions between the merchant and the payment service provider's system, customer service assistance for users, confirmation of transactions and fraud monitoring for the protection of users.

Dimenzió Egészségpénztár

1119 Budapest, Fehérvári út 84. A. épület III

Conducting the data communication required for payment transactions between the merchant and the payment service provider's system, customer service assistance for users, confirmation of transactions and fraud monitoring for the protection of users.

Card Consulting Kft.

 

1033 Budapest, Kárpát u. 52.

Conducting the data communication required for payment transactions between the merchant and the payment service provider's system, customer service assistance for users, confirmation of transactions and fraud monitoring for the protection of users.

OTP Pénztárszolgáltató Zrt.

1051 Budapest, Mérleg u. 4.

Conducting the data communication required for payment transactions between the merchant and the payment service provider's system, customer service assistance for users, confirmation of transactions and fraud monitoring for the protection of users.

Possible consequences of failure to provide data: no contract regarding medical care is created

The rights of the data subject: the data subject (the person whose personal data is managed by our company)

  1. you can request access to your personal data,
  2. you can request their correction,
  3. you can request their deletion,
  4. you can apply to limit the processing of personal data if the conditions set out in Article 18 of the GDPR exist (that is, that our company does not delete or destroy the data until a court or authority is consulted, but for a maximum of thirty days, and does not process the data for any other purpose beyond that) ,
  5. can object to the processing of personal data,
  6. you can exercise your right to data portability. Pursuant to the latter right, the data subject is entitled to receive his/her personal data in word or excel format, and is also entitled to have this data forwarded to another data controller by our company upon request.

Other information related to data management: our company takes all necessary technical and organizational measures in the event of a possible data protection incident (e.g. damage, disappearance of files containing personal data, unauthorized to avoid becoming accessible to him). In the event of an incident that does occur, we keep a register for the purpose of checking the necessary measures and informing the person concerned, which includes the range of personal data concerned, the range and number of persons affected by the data protection incident, the date, circumstances, effects of the data protection incident and the measures taken to prevent it, as well as the other data specified in the legislation prescribing data management.

Our company has entered into a data processing contract for the data processing tasks, in which KBOSS.hu Kft. undertakes to obligatorily apply the data protection and data management guarantees required by the data processing contract in the event of the use of an additional data processor, in view of this, we also ensure the legal processing of personal data in the case of the data processor. .

 

8. DATA MANAGEMENT RELATED TO FINDINGS AND RESULTS FOLLOWING MEDICAL CARE

Our clinic makes it possible to provide information about the results of medical care electronically, by phone or by post.

Controller of personal data: Pro gyno-med Kft. 1126 Budapest, Szendi u. 16.

Purpose of data management: information about the results of medical findings
Legal basis for data management: the patient's prior consent, Id. Eüak., GDPR Article 6 (1) point a) or data processing is necessary to take steps at the request of the data subject prior to the conclusion of the contract - GDPR Article 6 (1) point b)
The range of personal data handled: surname and first name; residential address (country, postal code, city, street, house number; in the case of a business company, company name and registered office, bank card number, telephone number, e-mail address
Duration of data management: 30-50 years after the date of issue of the invoice.
ld:
"The medical documentation and the findings of the imaging diagnostic procedure must be kept for at least 30 years from the date of data collection, and the final report for at least 50 years must be kept for 10 years. The pharmacy will keep prescriptions for 3 years. Exceptions to this are prescriptions containing narcotic and psychotropic substances, which have a retention period of 5 years."
Use of a data processor: our company uses the help of an IT service provider to operate the program related to medical care as follows.

Data processor name

Address

Data processing task description

KARDI-SOFT Orvosi Rendszerek Kft.

9024 Győr

Táncsics Mihály utca 43.

When using the DOKIREX medical system, performing customer management tasks, recording medical histories, and reporting findings

By accepting this data management information, the data subject gives her express consent to the Data Processor using additional data processors in order to make the service more convenient and customized as follows:

Data processor name

Address

Data processing task description

Pro gyno-med Kft. (06 70 625 7975)

1126 Budapest

Szendi u. 16.

Telephone information

Possible consequences of failure to provide data: the patient will not be informed about the results of the examination after the medical treatment

The rights of the data subject: the data subject (the person whose personal data is managed by our company)

  1. you can request access to your personal data,
  2. you can request their correction,
  3. you can request their deletion,
  4. you can apply to limit the processing of personal data if the conditions set out in Article 18 of the GDPR exist (that is, that our company does not delete or destroy the data until a court or authority is consulted, but for a maximum of thirty days, and does not process the data for any other purpose beyond that) ,
  5. can object to the processing of personal data,
  6. you can exercise your right to data portability. Pursuant to the latter right, the data subject is entitled to receive his/her personal data in word or excel format, and is also entitled to have this data forwarded to another data controller by our company upon request.

Other information related to data management: our company takes all necessary technical and organizational measures in the event of a possible data protection incident (e.g. damage, disappearance of files containing personal data, unauthorized to avoid becoming accessible to him). In the event of an incident that does occur, we keep a register for the purpose of checking the necessary measures and informing the person concerned, which includes the range of personal data concerned, the range and number of persons affected by the data protection incident, the date, circumstances, effects of the data protection incident and the measures taken to prevent it, as well as the other data specified in the legislation prescribing data management.

Our company has entered into a data processing contract for the data processing tasks, in which KARDI-SOFT Medical Systems Kft. undertakes to obligatorily apply the data protection and data management guarantees required by the data processing contract in the case of using an additional data processor, taking into account the legal processing of personal data in the case of the data processor we also provide.

 

9. SERVICES OF THE ELECTRONIC HEALTH SERVICE AREA (EEST), MANAGEMENT OF PERSONAL DATA 

Brief introduction and purpose of the EESZT

Hungary's new e-health system is the Electronic Health Services Area (EESZT). The goal of the Hungarian e-health care reform system is to provide the population with faster, more efficient and service-centric care. The key to this is continuous contact between care institutions, treating doctors and pharmacies, through which information is uniform and accessible.

The EESZT is basically a system that facilitates the flow of information, with the help of which the data sent to the Space reaches the right person more easily and quickly. These data include personal data and health data for health care purposes. The manager of the data is the State Health Care Center (ÁEEK), which operates the EESZT.

If you would like to receive more extensive information about the operation of the EESZT and data management than this information, visit https://e-egeszsegugy.gov.hu to the information portal, where you can read the EESZT's data management information by clicking on the Data protection menu item.

Personal data managed in the EESZT

Uploading data to the EESZT starts with patient admission. The data generated in the course of health care are recorded in the EESZT in the following cases and in the following ways:

The central event catalog contains up-to-date data on your health care.

For the central event catalog, the data of the following events, the date of the event, the date of recording in the healthcare institution's system and the identifier of the person responsible for recording the event must be indicated:

  • start/end of inpatient care and other data
  • commencement/completion of outpatient specialist care and other data
  • initiation/completion of primary care by family doctor, family pediatrician and dentist and other data
  • Start/completion of CT/MR examination and other data

Data retention period: 5 years after the Data Subject's death.

You can access the data:

  • court, authorities (acting in their duties)
  • The Data Subject's treating physician, family doctor in relation to health care, in accordance with the Data Subject's digital self-determination settings.

Record of health documents

The purpose of the register is to enable treating physicians to access their patients' medical documents, the register contains these documents (e.g. outpatient card, findings, final report, etc.). The documents included here are stored according to the rules for health documentation and for a certain period of time.

Data retention period: 5 years after the Data Subject's death.

You can access the data:

  • the health care facility
  • Affected

eProfile

The register related to the health profile contains data describing the Data Subject's general state of health (current illnesses, general health data). The purpose of the record is

Provision of up-to-date and comprehensive health information for the attending physician for the benefit of the patient.

Data retention period: 5 years after the Data Subject's death.

You can access the data:

  • the attending physician or general practitioner of the person concerned

Where can you view the data entered into the EESZT regarding the Health Care of the Data Subject?

EESZT's Resident Portal is https://www.eeszt.gov.hu> can be found on the website. By clicking on the Login button, the person concerned can access his or her own personalized EESZT user account after entering the customer gatekeeper identification and TAJ number. With the help of this, you can easily get to know and at any time access or download the health documents and data related to the Affected person that are sent to the EESZT.

If the Data Subject does not have a customer portal, she can create one in the following ways:

  1. In person at any document office, government office customer service office, tax authority customer service or foreign representation;
  2. Electronically, if you have a valid identity card issued after January 1, 2016.

More EESZT services offered by digital options can also be used by the Data Subject:

Under the SUPPLIES tab, the You can track your care events in your event catalog and in your e-Disease History ;"> find your patient documents created during your care and uploaded to EESZT.

You can query your own your electronic referrals filtered for a specific period, you can view their data content and print them out.

Under the RECIPES tab, you can inquire about the electronic recipes, also a list of your already triggered recipes, going back for a specified period. All prescription content is also available to the Data Subject, however, this does not replace the prescription certificate, which can be used to substitute the preparations prescribed for the Data Subject, so the prescription printed from here cannot be used to substitute medication.

Your traditional paper prescriptions only appear among triggered prescriptions, because they are added to the system by the pharmacy when the prescription is triggered.

You can request a notification under the SELF DETERMINATION tab if data or documents related to a Contact will be entered into the system. You can keep track of who and when, and what kind of data and documents you requested from the system. It is also in a position to provide for the accessibility of the data and documents of the EESZT.

 

10. DATA MANAGEMENT RELATED TO NEWSLETTER SUBSCRIPTION AND OTHER MARKETING ACTIVITIES

Our company keeps in touch with its guests by means of a newsletter, to whom it recommends its services, and informs about news and special offers related to its operation.

Controller of personal data: Pro gyno-med Kft. 1126 Budapest, Szendi u. 16.

Purpose of data management: contact with potential patients

Legal basis for data management: consent of the data subject - Article 6 (1) point a) GDPR.
Indication of legitimate interest: maintaining and developing relationships with patients

Scope of processed personal data: name, e-mail address

Duration of data management: our company manages e-mail addresses until you unsubscribe from the newsletter.
Use of a data processor: our company uses the help of an IT service provider for the online newsletter sending system as follows.

Data processor name

Address

Data processing task description

The Rocket Science Group LLC (MailChimp)

 

675 Ponce de Leon Ave NE, Suite 5000
Atlanta, GA 30308 USA

 

Mailchimp newsletter database storage

By accepting this data management information, the data subject gives her express consent to the Data Processor using additional data processors in order to make the service more convenient and customized as follows:

Data processor name

Address

Data processing task description

KARDI-SOFT Orvosi Rendszerek Kft.

9024 Győr

Táncsics Mihály utca 43.

When using the DOKIREX medical system, performing customer management tasks, recording medical histories, and reporting findings

Possible consequences of failure to provide data: The person concerned will not receive a newsletter from our company.

The rights of the data subject: the data subject (the person whose personal data is managed by our company)

  1. you can request access to your personal data,
  2. you can request their correction,
  3. you can request their deletion,
  4. you can apply to limit the processing of personal data if the conditions set out in Article 18 of the GDPR exist (that is, that our company does not delete or destroy the data until a court or authority is consulted, but for a maximum of thirty days, and does not process the data for any other purpose beyond that) ,
  5. can object to the processing of personal data,
  6. you can exercise your right to data portability. Pursuant to the latter right, the data subject is entitled to receive his/her personal data in word or excel format, and is also entitled to have this data forwarded to another data controller by our company upon request.

You can unsubscribe from the newsletter at any time by sending a letter to our company at info@villamedicina.hu or by clicking on the unsubscribe icon in the newsletter. In this case, we will immediately delete your e-mail address from our database.

Other information related to data management: our company takes all necessary technical and organizational measures in the event of a possible data protection incident (e.g. damage, disappearance of files containing personal data, unauthorized to avoid becoming accessible to him). In the event of an incident that does occur, we keep a register for the purpose of checking the necessary measures and informing the person concerned, which includes the range of personal data concerned, the range and number of persons affected by the data protection incident, the date, circumstances, effects of the data protection incident and the measures taken to prevent it, as well as the other data specified in the legislation prescribing data management.

Our company has entered into a data processing contract for the data processing tasks, in which GrandSoft Kft. undertakes to obligatorily apply the data protection and data management guarantees required by the data processing contract in the event of the use of an additional data processor, in view of this, we also ensure the legal processing of personal data in the case of the data processor.

 

11. COOKIE MANAGEMENT

In order to provide customized service, the Data Controller stores a small data package on the user's computer, the so-called it places a cookie and reads it back during the next visit. If the browser returns a previously saved cookie, the cookie management service provider has the opportunity to link the user's current visit with previous ones, but only with regard to its own content.

Purpose of data management: identification, tracking and differentiation of users, identification of users' current session, storage of data provided during it, data loss prevention, web analytics measurements, personalized service.

Legal basis for data management: consent of the data subject.

Scope of managed data: ID number, date, time, and previously visited page.
Duration of data management: maximum 90 days

Additional information about data management: The user can delete cookies from his computer or disable the use of cookies in his browser. Cookies can usually be managed in the Tools/Settings menu of browsers under the Data protection/History/Personal settings menu under the names cookie, cookie or tracking.

Possible consequences of failure to provide data: the impossibility of using the service is described in 2-5 above. with regard to the services described in points.

 

12. WEBSITE SERVER LOGGING

When visiting the villamedicina.hu website, the web server automatically logs the user's activity.

Purpose of data management: during visits to the website, the service provider records visitor data in order to check the operation of the services and prevent abuse.

Legal basis for data management: point f) of Article 6 (1) of the GDPR. Our company has a legitimate interest in the safe operation of the website.

Type of personal data handled: ID number, date, time, address of the page visited.
Duration of data management: maximum 90 days.

Data processor name

Address

Data processing task description

Pro gyno-med Kft.

1126 Budapest, Szendi u. 16.

Recording of visitor data and information necessary for the operation of the server

Further information: Our company does not connect the data generated during the analysis of the log files with other information, and does not seek to identify the user. The address of the pages visited, as well as the date and time data, are not in themselves suitable for identifying the data subject, however, combined with other data (e.g. provided during registration), they are suitable for drawing conclusions about the user.

Logging-related data management by external service providers: The html code of the portal contains links to and from an external server independent of our company. The server of the external service provider is directly connected to the user's computer. We draw our visitors' attention to the fact that the providers of these links are able to collect user data (e.g. IP address, browser, operating system data, mouse pointer movement, address of the page visited and the time of the visit) due to the direct connection to their server and direct communication with the user's browser. The IP address is a series of numbers with which the computers and mobile devices of users accessing the Internet can be clearly identified.
IP addresses can even be used to locate the visitor using a given computer geographically. The address of the pages visited, as well as the date and time data, are not in themselves suitable for identifying the data subject, however, combined with other data (e.g. provided during registration), they are suitable for drawing conclusions about the user.

 

13. INTERNAL DATA PROTECTION

Controller of personal data: Pro gyno-med Kft. 1126 Budapest, Szendi u. 16.
Purpose of data management: fulfillment of contract
Legal basis of data management: legitimate interest of the data controller
Duration of data management: in accordance with § 169 (2) of Act C of 2000 on accounting - December 31 of the 7th year following the given year.

Possible consequences of failure to provide data: no contract for medical services will be created
The rights of the data subject: the data subject (the person whose personal data is managed by our company)

  1. you can request access to your personal data,
  2. you can request their correction,
  3. you can request their deletion,
  4. you can apply to limit the processing of personal data if the conditions set out in Article 18 of the GDPR exist (that is, that our company does not delete or destroy the data until a court or authority is consulted, but for a maximum of thirty days, and does not process the data for any other purpose beyond that) ,
  5. can object to the processing of personal data,
  6. you can exercise your right to data portability. Pursuant to the latter right, the data subject is entitled to receive his/her personal data in word or excel format, and is also entitled to have this data forwarded to another data controller by our company upon request.

Other information related to data management: our company takes all necessary technical and organizational measures in the event of a possible data protection incident (e.g. damage, disappearance of files containing personal data, unauthorized to avoid becoming accessible to him). In the event of an incident that does occur, we keep a register for the purpose of checking the necessary measures and informing the person concerned, which includes the range of personal data concerned, the range and number of persons affected by the data protection incident, the date, circumstances, effects of the data protection incident and the measures taken to prevent it, as well as the other data specified in the legislation prescribing data management.

 

14. OTHER DATA MANAGEMENT

We provide information on data management not listed in this information when the data is collected. We inform our customers that certain authorities, bodies performing public duties, and courts may contact our company for the purpose of communicating personal data. If the relevant body has specified the exact purpose and the scope of the data, our company will only release personal data to these bodies to the extent and to the extent that is absolutely necessary to fulfill the purpose of the request, and if the fulfillment of the request is required by law.

 

15. METHOD OF STORING PERSONAL DATA, SECURITY OF DATA MANAGEMENT

Our company's IT systems and other data storage locations are located at the headquarters and on servers rented by the data processor. Our company selects and operates the IT tools used in the provision of the service to manage personal data in such a way that the processed data:

  1. accessible to those authorized to do so (availability);
  2. its authenticity and authentication are ensured (authenticity of data management);
  3. its immutability can be verified (data integrity);
  4. be protected against unauthorized access (data confidentiality).

We pay particular attention to the security of the data, we also take the technical and organizational measures and develop the procedural rules that are necessary to enforce the guarantees according to the GDPR. We protect the data with appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction, damage, and inaccessibility resulting from changes in the technology used.

The IT system and network of our company and our partners are protected against computer-assisted fraud, computer viruses, computer intrusions and denial-of-service attacks. The operator ensures security with server-level and application-level protection procedures. Daily data backup is done. In order to avoid data protection incidents, our company takes all possible measures, in the event of such an incident - according to our incident management policy - we take immediate action to minimize risks and prevent damages.

 

16. RIGHTS OF THE PERSONS CONCERNED, LEGAL REMEDIES

The data subject can request information about the management of his personal data, and can request the correction of his personal data, or - with the exception of mandatory data management - deletion or withdrawal, he can exercise his right to data portability and protest as indicated when the data was collected, or at the above contact details of the data controller.

At the request of the data subject, we provide the information in electronic form without delay, but within 30 days at the latest, in accordance with our relevant regulations. We fulfill the requests of those concerned to fulfill the rights below free of charge.

Right to information:

Our company takes appropriate measures in order to provide the data subjects with all the information mentioned in Articles 13 and 14 of the GDPR and Articles 15-22 regarding the processing of personal data. and provide each piece of information according to Article 34 in a concise, transparent, comprehensible and easily accessible form, clearly and comprehensibly worded, and at the same time precise.

The right to information can be exercised in writing, via the contact details given in point 1. At the request of the person concerned, information can also be provided orally after proof of identity. We inform our customers that if our company's employees have doubts about the identity of the data subject, we can request the provision of the information necessary to confirm the identity of the data subject.

The data subject's right to access:

The data subject has the right to receive feedback from the data controller as to whether his personal data is being processed. If personal data is being processed, the data subject is entitled to access the personal data and the following information in the list.

  • Purposes of data management;
  • categories of personal data concerned;
  • the recipients or categories of recipients to whom or to which the personal data has been or will be communicated, including in particular recipients from third countries (outside the European Union) and international organizations;
  • the planned period of storage of personal data;
  • the right to rectification, deletion or limitation of data processing and the right to protest;
  • the right to submit a complaint to the supervisory authority;
  • information about data sources; the fact of automated decision-making, including profiling, as well as comprehensible information about the applied logic and the significance of such data management and the expected consequences for the data subject.

In addition to the above, if personal data is transferred to a third country or an international organization, the data subject is entitled to receive information about the appropriate guarantees for the transfer.

Right of rectification:

Pursuant to this right, anyone can request the correction of inaccurate personal data managed by our company and the addition of incomplete data.

Right to erasure:

If one of the following reasons exists, the data subject has the right to have his or her personal data deleted without undue delay upon request:

  1. personal data are no longer needed for the purpose for which they were collected or otherwise processed;
  2. the data subject withdraws her consent, which is the basis of the data management, and there is no other legal basis for the data management;
  3. the data subject objects to data processing and there is no overriding legal reason for data processing;
  4. unlawful processing of personal data can be established;
  5. the personal data must be deleted in order to fulfill the legal obligation prescribed by the EU or Member State law applicable to the data controller;
  6. the collection of personal data took place in connection with the offering of services related to the information society.

Data deletion cannot be initiated if data management is necessary for the following purposes:

  1. for the purpose of exercising the right to freedom of expression and information;
  2. for the purpose of fulfilling the obligation under the EU or Member State law applicable to the data controller requiring the processing of personal data, or for the execution of a task performed in the public interest or in the context of the exercise of public authority conferred on the data controller;
  3. affecting the field of public health, or for archival, scientific and historical research purposes or for statistical purposes, based on public interest;
  4. or to submit, assert or defend legal claims.

The right to restrict data processing:

At the request of the data subject, we restrict data processing in the case of conditions in Article 18 of the GDPR, i.e. if:

  1. the data subject disputes the accuracy of the personal data, in which case the limitation applies to the period that allows checking the accuracy of the personal data;
  2. the data processing is illegal and the data subject opposes the deletion of the data and instead requests the restriction of its use
  3. the data controller no longer needs the personal data for the purpose of data management, but the data subject requires them to present, enforce or defend legal claims; obsession
  4. the data subject objected to data processing; in this case, the restriction applies to the period until it is established whether the legitimate reasons of the data controller take precedence over the legitimate reasons of the data subject.

If data management is subject to restrictions, personal data may only be processed with the consent of the data subject, with the exception of storage, or to submit, enforce or defend legal claims, or to protect the rights of another natural or legal person, or in the important public interest of the European Union or a member state. The data subject must be informed in advance of the lifting of the restrictions on data management.

Right to data portability:

The data subject has the right to receive the personal data concerning him/her provided to the data controller in a segmented, widely used, machine-readable format, and to transmit this data to another data controller. Our company can fulfill such a request of the person concerned in word or excel format.

Right to protest:

If personal data is processed for the purpose of direct business acquisition, the data subject has the right to object at any time to the processing of his personal data for this purpose, including profiling, if it is related to direct business acquisition. In case of objection to the processing of personal data for the purpose of direct business acquisition, the data cannot be processed for this purpose.

Automated decision-making in individual cases, including profiling:

The data subject has the right not to be covered by the scope of a decision based solely on automated data management, including profiling, which would have legal effects on him or affect him to a similar extent. The above authorization cannot be applied if the data management

  1. necessary for the conclusion or fulfillment of the contract between the data subject and the data controller;
  2. is made possible by EU or Member State law applicable to the data controller, which protects the rights and freedoms and legitimate interests of the data subject
  3. also establishes appropriate measures for its protection; obsession
  4. based on the express consent of the data subject.

Right of withdrawal:

The data subject has the right to withdraw his consent at any time. Withdrawal of consent does not affect the legality of data processing based on consent prior to withdrawal.

Procedural rules:

The data controller informs the data subject without undue delay, but in any case within one month of receipt of the request, in accordance with Articles 15-22 of the GDPR. on measures taken following a request pursuant to Art. If necessary, taking into account the complexity of the application and the number of applications, this deadline can be extended by another two months. The data controller shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within one month of receiving the request.

If the data subject submitted the request electronically, the information will be provided electronically, unless the data subject requests otherwise.

If the data controller does not take measures following the data subject's request, it shall inform the data subject without delay, but at the latest within one month of the receipt of the request, of the reasons for the failure to take action, as well as of the fact that the data subject may file a complaint with the supervisory authority and exercise his right to judicial redress.

The data controller informs all recipients of all corrections, deletions or data management restrictions carried out by them, to whom or to whom the personal data was communicated, unless this proves to be impossible or requires a disproportionately large effort. At the request of the data subject, the data controller informs about these recipients.

Compensation and damages:

Any person who has suffered material or non-material damage as a result of a violation of the data protection regulation is entitled to compensation from the data manager or data processor for the damage suffered. The data processor is only liable for damages caused by data processing if it has not complied with the obligations set out in the law, specifically burdening the data processors, or if it has ignored or acted contrary to the legal instructions of the data controller. If several data managers or data processors or both data managers and data processors are involved in the same data management and are liable for damages caused by data management, each data manager or data processor is jointly and severally liable for the entire damage.

The data manager or the data processor is exempted from liability if it proves that it is not responsible in any way for the event that caused the damage.

Right to go to court and official data protection procedure:

In the event of a violation of their rights, the data subject may appeal to the court against the data controller. The court acts out of sequence in the case.

You can file a complaint with the National Data Protection and Freedom of Information Authority.

Address of the authority: 1055 Budapest, Falk Miksa utca 9-11.
Phone: +36-1-391.1400

E-mail: ugyfelszolgalat@naih.hu

* We would like to inform you that in accordance with the General Data Protection Regulation ("GDPR"), which entered into force on May 25, 2018, we cannot start medical care without your consent.

 

 

 

 

 

 

 

 

 

 

 

 

 

CAMERA RULES

The Camera Regulations enter into force:

Budapest, on September 14, 2020

 

1. Purpose of the policy

These regulations (hereinafter: "Regulations") aim to ensure that , that Pro Gyno-Med Kft., as a data controller and as an employer (hereinafter: "Institution") at its headquarters installed electronic image surveillance system by the affected persons (including employees of the Institution and persons in a legal relationship with the Institution for other work purposes, hereinafter: "Employees"; as well as patients and other visitors to the Institution, as the persons affected by camera surveillance, hereinafter collectively: "Affected") in accordance with the European Union and Hungarian legal regulations regarding the right to self-determination of information, applies transparently and fully respects the constitutional and personal rights of the Data Subjects.

The regulation also aims to define in detail the data management rules related to the operation of the surveillance camera system, in particular:

  • the rules regarding data recording,
  • regulations for the use of recorded data,
  • the order of data transmission and access rights,
  • the data deletion obligation.

 

2. Scope of the policy 

The territorial scope of this regulation covers the areas of VILLA MEDICINA monitored by camera.

The personal scope of these regulations applies to persons in a legal relationship for employment at the VILLA MEDICINA institution , as well as patients and natural persons visiting the Institution.

The material scope of these regulations covers all data management and data processing that applies to data recorded by the Institute’s cameras.

 

3. The purpose of camera surveillance 

 

The purpose of camera surveillance is to protect the security of the building used by the Institution and the assets, equipment, technical items, and valuables of the building used by the Institution and affected by the surveillance, to protect their value and condition, as well as to protect and ensure the life, physical integrity and property of the persons staying in the monitored area, prevention of unlawful actions, detection of detected violations, and proof within the framework of official or court proceedings.

The camera system operated for these purposes is a safety technology solution that serves to prevent accidents, as well as illegal acts involving damage, as well as to detect detected violations and prove them in the framework of official or court proceedings.

The scope of the processed data: the likeness of the persons concerned, the behavior affected by the surveillance, as well as the data that can be obtained with the camera image (place of stay, time of stay).

 

4. The regulations to be considered

Member State or EU legislation considered when preparing the regulations:

  • CXII of 2011 on the right to information self-determination and freedom of information. law, (hereinafter: Infotv.)
  • CXXXIII of 2005 law on personal and property protection, as well as the rules of private detective activity (hereinafter: Szvtv.)
  • Act I of 2012 on the Labor Code (hereinafter Mt.)
  • Regulation No. 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, as well as on the repeal of Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR)
  • Information from the National Data Protection and Freedom of Information Authority on the basic requirements for data management in the workplace
  • Recommendation of the National Data Protection and Freedom of Information Authority on the basic requirements of the electronic monitoring system used in the workplace

 

5. Interpretative provisions

Surveillance camera system: The surveillance camera system: the devices and solutions that, by placing and operating cameras, enable remote monitoring of the area, with the cameras taking pictures, storing the pictures, and transmitting the data.

Territory: An area within the jurisdiction of the Institution that can be identified in the real estate register as a plot of land used by the Institution (or as an operational area within it). span>

Personal data: GDPR Article 4. "personal data": any information relating to an identified or identifiable natural person ("data subject"); a natural person can be identified directly or indirectly, in particular on the basis of an identifier such as name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person identifiable.

Data controller: GDPR Article 4.2 "data processing": any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such the collection, recording, systematization, segmentation, storage, transformation or change, query, insight, use, communication through transmission, distribution or otherwise making it available, coordination or connection, restriction, deletion or destruction.

Data processing: GDPR Article 4.2 "data processing": any operation or set of operations performed on personal data or data files in an automated or non- automated manner, such as the collection, recording, systematization, segmentation, storage, transformation or change, query, insight, use, communication through transmission, distribution or otherwise making it available, coordination or connection, restriction, deletion or destruction.

Data transmission: Data transmission - Infotv. Data transfer according to § 3.11: making the data available to a specific third party.

Adattörlés: Adattörlés – az Infotv. 3. § 13. pontja szerinti adattörlés: az adat felismerhetetlenné tétele oly módon, hogy a helyreállítása többé nem lehetséges.

Data destruction: Data destruction - Infotv. Data erasure according to Section 3.16: complete physical destruction of the data carrier containing the data.

Data processor: Data processor - Infotv. Data processor according to Section 3, point 18: a natural or legal person, or an organization without legal personality, who processes data on the basis of a contract, including a contract concluded under the provisions of the law.

 

6. The area surveillance camera system

6.1. Structure of the system

The area surveillance camera system consists of the following parts:

  • from the cameras placed in the area,
  • from the central monitoring and recording room with the necessary tools and technical solutions.

6.2. Cameras placed in the area

A camera may be placed and operated in the area only in accordance with the provisions of these regulations and in accordance with the decision to place the camera. The cameras can therefore be placed in the place specified by the regulations in such a way that they are suitable for monitoring the area included in the regulations.

The inspection service decides on the exact location of the cameras, considering the visibility of the area to be monitored. In justified cases, you can make a proposal to the head of the Institution for the placement of several cameras to accurately monitor a given area.

The cameras must be placed in a clearly visible location. Information on the fact of the operation of the posted cameras must be posted at all monitored locations.

The information must include at least:

  • the location of the cameras,
  • the order of data management.

The information must be placed in such a way that the information becomes visible to persons wishing to enter the area before the observation. The information must be displayed in a clearly visible place or places.

In the surveillance system, cameras with technical certificates suitable for the purpose of surveillance must be used.

 

7. Information

CXXXIII of 2005 on the rules for the protection of persons and assets, as well as private detective activities. in accordance with the provisions of Article 28, paragraph (2) point c) of the Act, the Institution places a warning sign on the fact that an electronic surveillance system is operating in the given area for third parties who wish to enter the building. Employees are informed in accordance with the Data Protection and Data Management Regulations. 

 

8. The central room

The central monitoring and recording and data management room of the area surveillance camera system is located in the premises of the Institution provided for this purpose.

The images transmitted by the external cameras:

  • the possibility of continuous monitoring is provided by a monitor,
  • the images are recorded on a central storage unit (server).

     

9. Viewing recordings

The surveillance system used by the Institution can be used for direct observation (live image), only employees employed in the position according to these regulations have the right to direct observation, and only to the extent necessary for the performance of their duties. The monitor for viewing and possibly reviewing the images must be placed in such a way that during the broadcast of the images they cannot be seen by persons outside the scope of authorization.

 

10. Operating order of the system

10.1. The purpose of operating the system

Monitoring of employees may be carried out in accordance with § 9 and § 11 of the Labor Code. Infotv must be observed during operation. the provisions of § 4.

The primary purpose of the operation of the area surveillance camera system is the Szvtv. Define. The Szvtv. enables the use of the electronic monitoring system in four cases:

  1. a) protection of human life, physical integrity, personal freedom,
  2. b) storage of dangerous substances,
  3. c) protection of business, payment, banking and securities secrets,
  4. d) asset protection

The Institution is the Szvtv. You may act in accordance with § 26, paragraph (1) when guarding your facilities, except that pursuant to paragraph (2), you may not use an electronic surveillance system in public areas either.

10.2. Owner and operator of the system

The territorial surveillance camera system is the property of the Institution. The unit and personnel determined by the Institution are authorized to use, manage and operate the system.

10.3. Operation of the Surveillance camera system

Images transmitted by the surveillance camera system:

  • are constantly monitored;
  • are monitored regularly.

Duration of monitoring: Monday-Friday, from 8:00 a.m. to 7:00 p.m.

  • are occasionally observed
  • they are not monitored.

Recording the images of the surveillance camera system:

  • happens continuously – 24 hours a day,
  • happens regularly.

Duration of recording: Monday-Friday, from 8:00 a.m. to 7:00 p.m.

The purpose of recording the images is that, if necessary, they can be used as evidence in individual proceedings.

10.4. Viewing recorded footage

Reviewing the images recorded by the CCTV system:

  • regurarly
  • if possible
  • the day after the picture is taken,
  • takes place at the time of the event giving rise to the review.

It must be isolated on the viewed recordings:

  • the parts of the recordings that contain an exceptional occurrence (i.e. a reason for the processing of the recordings, the initiation or initiation of proceedings),
  • recordings that do not contain an exceptional occurrence.

     

The area supervisor is obliged to:

In the case of recordings of an incident, the area supervisor must, within two working days of the recording of the images, sounds and images and sounds:

  •  to initiate the procedure that falls within the scope of his duties,
  • in the case of procedures falling within the competence of another body or authority (e.g., police), to initiate the initiation of the procedure.

     

12. Data management related to the area surveillance camera system

12.1. Footage recorded by the camera system as personal data

Recordings recorded in the area surveillance camera system are considered personal data, therefore the data management rules defined in the Information Act and these regulations must be enforced.

12.2. Basic principles of data management

The main principles of data management:

  • personal data can only be processed for specific purposes, in order to exercise rights and fulfill obligations,
  • during data management, the collection and handling of data must be fair and legal,
  • personal data can only be processed to the extent necessary to achieve the purpose.

The purpose of processing personal data on the part of those entitled to control:

  1. a) protection of human life, physical integrity, personal freedom,
  2. b) storage of dangerous substances,
  3. c) protection of business, payment, banking and securities secrets,
  4. d) asset protection

12.3. Legal basis for data management

The legal basis for the data management of those entitled to control is the Szvtv. It is defined by § 26, paragraph (1) and § 30.

12.4. Limitations of data management

Recordings recorded by the area surveillance camera as personal data in the area affected by the recording:

  •  in proceedings initiated due to a committed crime,
  • in proceedings initiated due to a violation of the rules,
  • it can be used in proceedings initiated by the person in the recording in order to exercise his rights.

The footage recorded by the area surveillance camera must be issued as evidence:

  • at the request of the authorized body in court or other official proceedings, or
  • in an official procedure, to request the acting authority (within the framework of domestic legal aid), if the requesting body justified its request in accordance with the law.

The justification is appropriate if it contains:

  • the basic legal reference establishing the authority of the requesting body,
  • the subject of the procedure,
  • the file number of the procedure,
  • the fact to be proven by the recorded recording.

The request must be refused if:

  • the justification of the request is not adequate,
  • if the recorded image, sound, and image and sound recording are not suitable for proving the fact specified in the request.

12.5. Time content of data management, deletion of data

The General Data Protection Regulation. during data processing, personal data can only be processed for the time necessary to achieve the purpose.

Data management period for recordings that do not contain extraordinary events

Recordings that do not contain extraordinary events can be processed for three working days after recording, after which they must be deleted immediately.

Time content of data management of recordings containing extraordinary events

The data processing time of recordings containing extraordinary events may not exceed 30 days. Data management may last longer than 3 working days after the recording, if during the procedure initiated by the supervision, the person entitled to initiate the procedure has informed the supervision of the fact of the initiation of the procedure within 3 working days after the recording.

If data has been forwarded to the body conducting the procedure or to a private individual in a procedure initiated to exercise their rights, the data must be deleted.

Extension of the data management period upon request

The person whose right or legitimate interest is affected by the recording of the image, sound, or image and sound recording, or other personal data, within three working days from the recording of the image, sound, image and sound recording, or other personal data by proving your right or legitimate interest, you can request that the data is not destroyed or deleted by its manager. At the request of a court or other authority, the recorded image, sound, image and sound recording, as well as other personal data must be sent to the court or authority immediately. If an inquiry is not made within 30 days of the request not to be destroyed, the recorded image, sound, and image and sound recording, as well as other personal data, must be destroyed or deleted. Information on data transfer to the person included in the recorded recording is free of charge.

12.6. Right of inspection

On the part of those entitled to control, it must be ensured for the private individuals concerned that the person in the recording can view the recording made of him/her during the time available for data management, typically within 3 working days of the recording of the recorded image, sound, and image and sound. The data subject has his rights in accordance with Article III of the General Data Protection Regulation. can practice according to the provisions of chapter.

 

13. Data security 

On the part of those entitled to control, the protection of the personal data of those concerned must be ensured. The protection must cover private secrets and the circumstances of private life, so that they do not come to the knowledge of an unauthorized person.

The data must be protected in particular:

  • unauthorizied access
  • the unauthorized change,
  • unlawful transmission,
  • unlawful disclosure,
  • unlawful deletion or destruction, as well as
  • against accidental destruction and damage.

     

14. Organizational measures

14.1. Persons

The person authorized to check may be in the central room of the area surveillance camera system.

The recordings recorded by the area surveillance camera system can only be managed by a specific person, the person authorized to check.

The person designated in these regulations is entitled to:

  • to monitor the images transmitted by the cameras, as well as
  • to review the images recorded by the camera system,
  • to separate recorded recordings and recording parts according to extraordinary and non-extraordinary events,
  • to save the data,
  • for data transmission,
  • for data deletion.

Only persons who are entrusted with data management or who have the right to access may enter the central room. They must prove their access rights.

Only the person performing personal and asset protection activities is entitled to see the recorded image, sound, image and sound recording, as well as other personal data, for whom this is necessary to enforce their obligations arising from the contract and is indispensable in order to prevent or interrupt the illegal act. The name of the person handling the recorded image, sound, and image and sound recording, as well as personal data, or the person carrying out personal and property protection activities entitled to access it for other reasons, as well as the reason and time of access to the data, must be recorded in a protocol.

14.2. Operational safety

Those authorized to check regularly, but at least at the beginning of the working day, check the operation of the system. During operation, it is necessary to ensure that the data is continuously backed up to a separate device.

Devices suitable for serving the system and other data carriers – except for legal data transmission – cannot be taken out of the central room.

Compliance with data protection regulations must also be ensured when IT devices are maintained. Maintenance and repairs may only be carried out in the presence of an authorized person.

Strangers may stay in the central room only in the presence of those authorized to check.

In the presence of strangers, the review of the recordings must be interrupted, if it is not possible to exclude the possibility of the review data being read by strangers in any other way.

An operational diary must be kept about the operation and the stay of strangers in the central room.

14.3. Data transfer

Data may only be forwarded in the cases specified in these regulations – and in the legislation. The data is transferred to a data carrier provided by the representative of the body or authority authorized for the procedure.

 

15. Technical measures

Uninterruptible power source

By providing an uninterrupted power source, it is necessary to ensure that the system can operate continuously and that malfunctions do not occur due to power outages.

IT protection

The management of data files must be organized in such a way that their content can be reconstructed in the event of partial or total destruction. At least one backup of the original data files must be made so that the original data is still available in case of destruction or damage of one of them. In the computer system operating the IT system enabling data recording of the area surveillance camera system, it must be ensured that:

  • access can be done with a personal code,
  • data management events are automatically logged.

Identification of data carrier

Only registered data carriers can be used in the system so that the location and destruction of the managed data can be tracked. Apart from data transmission, only a storage space that is not separated from the computer can be used as a data carrier.

 

16. Other data security measures

The central room of the area surveillance camera system:

  • the building is protected by an alarm,

The data stored in the central room is protected by:

  • the room can be locked.

     

17. Obligation to keep records

Records must be kept in connection with the operation of the area surveillance camera system:

  • about the deployed cameras and the area they monitor (camera register),
  • about the daily monitoring of the system status (operational log),
  • about the observations carried out in the system (observation log, as part of the operation log),
  • about reviewing and saving the recordings recorded in the system (as part of the review log, operation log),
  • about the data carriers used to store the recordings in the system (data carrier register, as part of the operation log),
  • about making a copy of the data stored in the system (data copy log, as part of the operation log),
  • about data transfer (as part of data transfer log, operation log)
  • on the destruction of recordings,
  • about the data protection incident (in a separate register).

17.1 Camera records

Camera records must include at least:

  • the location of the cameras,
  • the number of cameras used,
  • the area covered by the cameras.

17.2. Operating log

During the operation of the system, an operational log must be kept on regular, daily checks of the system’s condition, as well as on the presence of strangers in the central room. The operation log contains:

  • a) data relating to the system status check:
    • the exact date of the inspection,
    • a note on the status of certain elements of the system,
    • the action taken in case of improper operation of the system,
    • the name of the person performing the inspection,
  • b) data on the stay of strangers staying in the central premises:
    • the time of entry and departure,
    • the name and position of the entrant,
    • reason for entry, activity performed.

17.3 Observation log

In the case of surveillance in a central room of footage broadcast by the surveillance camera system, the data relating to the surveillance must be recorded in the surveillance log. The monitoring log must include:

  • the day of the observation,
  • the start and end time of the observation,
  • extraordinary events that have occurred,
  • the initiated measures,
  • name of the observer.

17.4 Look back log

In the case of viewing the footage recorded by the surveillance camera system in a central room, the data relating to the viewing and the saving of image details of extraordinary events must be recorded in a log.

The lookback log should include:

  • the day of looking back
  • the data necessary to identify the viewed recordings: camera number, the start and end time of the recorded image, sound, and image and sound recording,
  • extraordinary events that have occurred,
  • extraordinary events that have occurred,
  • the initiated measures,
  • data for saving recording parts containing extraordinary events (save location)

17.5 Register of data carriers

The data carrier register must contain:

  • identification data of the data carrier used,
  • the start and end time of using the data carrier for data recording,
  • after the application, the storage location of the data carrier,
  • data on the destruction of the data carrier.

17.6. Data copy log

The data copying log must contain the following from recorded recordings, recorded image, sound, and image and sound recording parts:

  • the date of making the copy,
  • identification data of copied recorded images, sounds, and image and sound recordings,
  • the reason for making a copy,
  • the identifier of the copy data carrier, the place of storage,
  • the name of the copy maker.

17.7. Data transfer log

The data transfer register must be kept annually and the register must be kept for 5 years.

The register must include:

  • when the data transfer took place,
  • to whom, to which body, authority, private individual, the recordings were forwarded,
  • for what purpose the data was transferred,
  • what was the legal basis for data transfer.

17.8 Record of destruction of recordings

Records must be kept of the destruction of recordings. The register must include:

  • the date of destruction,
  • the data necessary to identify the destroyed data, /e.g.: camera number and numbers, the date of the recorded recordings (from to) /,
  • the reason for the destruction (within 3 working days or other)
  • method of destruction,
  • the name of the person performing the destruction.

17.9. Incident record

The register must include:

  • the range of personal data involved in the incident,
  • the scope and number of those affected by the data protection incident,
  • the date of the data protection incident,
  • the circumstances of the incident,
  • the effects of the incident,
  • the measures taken to prevent the incident,
  • other data defined by law.

     

18. Duties and powers

Exercises data management tasks and powers:

  • the head or representative of the Institution.

18.1. The data management duties and powers of the person (manager) performing the task of inspection

The manager’s data management task is to:

  •  develops these regulations,
  • review these regulations at least once a year,
  • appoint the persons responsible for the performance of the tasks, ask for continuous information about the completion of the task.

18.2. Data management tasks and powers of the area supervisor

The data management tasks of the Head of the Institution or his representative:

  • compliance with the rules laid down in the defining internal regulations,
  • performing registration tasks.


19. Introducing the content of the regulations

The persons concerned are obliged to acknowledge the fact that they have read the content of the regulations by signing.

The contents of the regulations must be made known:

  • at least annually, respectively
  • if there has been a change in the regulation or its annexes.


20. Final provisions

The regulations are annexed to:

  • employee information on the operation of the camera system
  • register of persons with access and save rights
  • protocol for locking camera recording
  • protocol on inspection of camera footage
  • the camera registry

     

Dr. Kiarash Bahrehmand
managing director