Data Protection Declaration

PRIVACY AND DATA MANAGEMENT INFORMATION

The HP-Medical limited liability company, as data manager, respects the privacy of all person from whom private information is given, and is committed to their protection, and hereby asks for your attention for the reading of the following informative document.

 

I. PRESENTATION OF THE DATA MANAGER

The HP-Medical limited liability company (in the following referred to as the Company, Data Manager, Healthcare Provider) creates the following privacy notice in order to ensure the rights of its data subjects and for the lawfulness of its internal data management processes:

 

The HP-Medical limited liability company data manager

Name: HP-Medical limited liability company

Company register number: 01-09-284640

Seat of the company: Kárpát utca 37., Budapest, 1133

Electronic address: gabor.molnar@hairpalace.fr

Company representative: Gábor Molnár managing director

 

The Data Manager handles personal data in compliance with all applicable, but primarily the following legal regulations:

  • the Law CXII. of 2011 on the Right to Information Self-Determination and Freedom of Information (in the following Info. Law)
  • Regulation 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing of the Regulation 95/46/EC (general data protection regulation – in the following Regulation or GDPR),
  • The Health Act CLIV. of 1997. (in the following Health Act)
  • the Act XLVII. Of 1997. on the Processing and Protection of Health and Related Personal Data (in the following Health and Data Act)
  • the Act CVIII. Of 2001. on Certain Issues of Information Society Services
  • the Civil Code Act V. of 2013. (in the following Civil Code)

 

II. DATA SAFETY

The Data Manager treats personal data confidentially, and in order to preserve data – while maintaining data management principles – will take all technical and organizational measures related to IT and other secure data management related to data storage and data management, in particular, the following:

  • sealing of paper-based files and medical records
  • access control
  • proper education of our employees
  • technical measures (encryption related to access to our systems, anti-virus software, password protection)

We consider it important to emphasize that as part of the (online) process in which you provide your personal information to us – despite taking all necessary measures – some data may be leaked due to the transmission of data on the website. We cannot take responsibility for these, so you must accept that such transmission is at your own risk.

 

III. COOKIE TREATMENT

The website uses cookies to adapt to users’ preferences and to optimize the website. In order for you to connect to the website and to personalize the site and services, the servers of the website may install cookies on your computer. These cookies facilitate the use of websites and surfing. Cookies are not suitable for personal identification. We would like to inform you that we use the following cookies on our website: Cookies that are essential for the operation of the site, setting cookies, cookies for statistical purposes, marketing cookies.

 

Cookie management information

The purpose of data management: It is essential to use (some) cookies to ensure the proper functioning of the site; other cookies help to improve our website; to navigate you on the Internet; collection of information about the use of our website.

Legal basis for data management

For cookies that are indispensable for the functioning of the site:

The legal basis for data processing is the article 6, paragraph (1) point f) of the GDPR, data processing is necessary to enforce the legitimate interests of the Data Manager or a third party.

In case of other cookies:

Consent of the data subject – the data subject has consented to the processing of his or her personal data for one or more specific purposes based on the paragraph (1) of article 6. of the GDPR;

Legal basis

The existence and acceptance of cookies is necessary for the operation of the website, and the use of cookies is necessary to protect the website from possible attacks.

Source of personal data – data subjects:

Natural persons visiting the website

Treated personal data:

Cookies are not suitable for personal identification.

The online ID (IP address) of users visiting the website, as well as other personal data generated in connection with browsing (time of browsing, type of browser, some features of the operating system of the device used for browsing, thus operating system type and set language)

Automated decision making and profiling:

It is expected to be implemented by the Data Manager.

 

IV. DATA HANDLING

4.1.When designing our data management, we always make sure that the data management complies with the principles set out in the legislation.

Meaning/interpretation of the following terms used in this informative document:

 

“data manager”: a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the data controller/manager or the specific criteria for the designation of the data controller/manager may also be determined by Union or Member State law;

“personal data”: any information relating to an identified or identifiable natural person (“data subject”); identifiable is a natural person who, directly or indirectly, can be identified based on one or more factors, such as name, number, location data, online identification, or physical, physiological, genetic, mental, economic, cultural or social identity of a natural person;

“data management”: any operation or set of operations on personal data or files, whether automated or non-automated, thus collecting, recording, organizing, sorting, storing, transforming or altering, retrieving, viewing, using, communicating, transmitting or otherwise making available, coordinating or linking, restricting, deleting or destroying;

“profiling”: any form of automated processing of personal data in which personal data are evaluated for the purpose of assessing or predicting certain personal characteristics of a natural person, in particular his/her performance, economic situation, state of health, personal preferences, interests, reliability, behaviour, location or movement;

“data processor”: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

addressee”: the natural or legal person, public authority, agency or any other body to whom or with which the personal data are disclosed, whether a third party or not. Public authorities that may have access to personal data in the context of an individual investigation in accordance with Union or Member State law shall not be considered as recipients; the processing of such data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;

third party”: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or persons who have been authorized to process personal data under the direct control of the data manager or processor;

“the consent of the data subject”: a voluntary, specific and duly informed and clear statement of the will of the data subject, by which he or she indicates his or her consent to the processing of personal data concerning him or her by means of a statement or an act which unequivocally expresses the confirmation;

“health data”: personal data relating to the physical or mental health of a natural person, including data on health services provided to a natural person that provide information on the natural person’s state of health; 

“health service”: all health activities that can be performed in possession of an operating license issued by the state health administration body or – in a case specified by law – on the basis of registration by the state health administration body;

“healthcare provider”: all individual health care contractors, legal persons or organizations without legal personality, regardless of the form of ownership and maintainer, entitled to provide health services and on the basis of an operating license issued by a public health administration body;

“health documentation”: a record, register or other data, in whatever form, containing health and personal data relating to the treatment of the patient which come to the attention of the healthcare professional in the course of the healthcare service;

patient”: the person or group of persons who use the service of the health care provider

 

4.2. As a data manager, we perform the following data management activities:

  • Data management for online marketing (e-mail), newsletter (contacting those interested in the service)
  • Management of data necessary for concluding a contract (preparation, request for information, interest)
  • Management of data related to healthcare services
  • Billing and other accounting data management
  • Handling of complaints

 4.3. Provision of personal data – Obligations for patients

In all cases, our Company handles the data provided voluntarily by the person concerned (data owner).

The provision of health and personal data by the data subject is voluntary, with a few exceptions, which is mandatory for access to health care. (Health and Data Act, paragraph 12.)

We would like to draw the attention of the esteemed stakeholders (patients) to the fact that, given that the Data Controller provides health care services, Patients are also subject to certain obligations –as it is said in the Health and Data Act, according to which Patients are obliged to cooperate with the assisting healthcare professionals in their care and, in our case, during the provision of the healthcare service, according to their best abilities and knowledge, most importantly about the following:

  • all that is necessary to make a diagnosis, prepare an appropriate treatment plan and carry out the interventions, in particular all previous relevant illnesses, treatments, taking of medicines or medicinal products, risk factors to health, (allergies)
  • in connection with his/her own illness, anything that could endanger the lives or physical integrity of others, in particular venereal diseases or conditions which makes impossible the pursuit of an occupation,
  • in addition, he/she is obliged to provide credible proof of his/her personal data required by law

 

V. DATA MANAGEMENT ACTIVITIES (OBJECTIVES)

5.1. DATA MANAGEMENT FOR ONLINE MARKETING (E-MAIL), ELECTRONIC COMMUNICATION, NEWSLETTER (CONTACT WITH PARTIES INTERESTED IN THE SERVICE)

The objective of e-mail marketing: identification and differentiation of Patients / affected, answering questions from potential Patients, giving a price offer in preparation for a later contract, contacting, sending newsletters.

 

Legal basis for data management:

Point b), paragraph (1), article 6 of the GDPR

à „necessary to take steps at the request of the data subject before concluding the contract”, that is, the voluntary contribution of the data subject, and the paragraph 13/A. of the CVIII law of 2001 on certain issues of information society services and the paragraph (5) article 6 of the XLVIII law of 2008. on the basic conditions and certain restrictions of economic advertising.

In addition, the point f), paragraph (1) article 6 of the Regulation (legitimate interest) also gives legal basis to the Data Manager for data management.  It is in the Data Controller’s legitimate interest to process the personal data necessary to respond to a matter if they are contacted about it.

Source of personal data – data subjects:

Information requesters, those interested in the service, price requesters

Scope of data managed: name, e-mail address, phone number, fax number, newsletter subscription consent, date and time of registration, as well as any other information that the data subject considers relevant in the case initiated by him/her.

Duration of processing of personal data:

If a contract (obligation) of any kind is concluded between the Data Controller and the data subject, we will process the personal data obtained during the communication in connection with the concluded contract, at the latest until the expiry of the limitation period.

If no contract or agreement is concluded between the Data Manager and the data subject after the pre-contractual data management and the communication cannot have any future legal effect, the message(s) will be deleted after the communication is closed.

The objective of the data management: sending e-mail newsletters containing commercial advertising to those who are interested, message on current information and products.

Legal basis of data management: the voluntary contribution of the person concerned and the paragraph (5) of article 6 of the XLVIII law of 2008 on the basic conditions and certain restrictions of commercial advertising

The scope of data managed: name, e-mail address, date and time.

Deadline for deleting data: until the withdrawal of the statement of consent.

 

It is possible to request the prohibition of the transmission of newsletters and the deletion or modification of personal data by clicking on the link in the newsletters or by sending a request to the address of the Data Manager’s registered office.

The Data Manager will not pass on the provided data to other third parties.

 

5.2 MANAGEMENT OF DATA REQUIRED FOR THE COMPLETION OF THE CONTRACT

The objective of data management:

Concluding a contract (necessary data, differentiating patients) and fulfilling the obligations undertaken in the contract, exercising contractual rights.

Legal basis of data management:

Completion of contracts – Paragraph (2) of article 6 of the GDPR “the data processing is necessary for the performance of the contract in which the data subject is one of the parties or in order to take steps at his/her request prior to the conclusion of the contract”

Source of personal data – the data subject.

Personal data is provided by the data subject. As person concerned is the source of the personal data, our Company will provide direct information on any changes in the scope of the processed data upon their collection.

Categories of concerned people:

Natural people, contracting parties.

The scope of (personal) data managed: name, address, date and place of birth, mother’s name, phone number, e-mail address, other information specified in the contract.

Transfer of personal data:

Data transferred for this purpose will not be transferred to a third country or international organization. The recipients of the data can be:

Accountant, post office, courier service, E-mail service provider, sms service provider, other performance assistants involved in the performance with prior information given,

Duration of processing of personal data:

Until the performance of the contract, in case of termination of the contract for any reason, until the termination of the contract.

Automated decision making and profiling:

None of this happens during data management.

 

5.3. DATA PROCESSING FOR HEALTHCARE

The purpose of data management: Fulfilment of the obligation undertaken in the contract for the health service (hair implantation), exercise of contractual rights, performance of the health services, fulfilment of the legal obligations of the Data Manager, enforcement of legitimate interests, prevention, investigation and detection of abuses.

Legal bases of data management:

Personal and special data will also be processed during the provision of healthcare services.

  • The legal basis for processing personal data is the paragraph (2) of article 6 of the GDPR “the data processing is necessary for the performance of a contract in which the data subject is one of the parties or in order to take steps at the request of the data subject prior to the conclusion of the contract” (Data processing is necessary for the fulfilment of the contract concluded between our Company and the person affected regarding the provision of healthcare services)
  • An exception justifying the processing of a special category of personal data (health data) is contained in point h) paragraph (2) article 9 of the GDPR, that is, data processing is necessary for preventive health purposes and to establish a medical diagnosis to provide health care. The guarantee condition provided by paragraph (3) article 9 of the GDPR is ensured, because our company always provides the medical service by a doctor and the medical activity is subject to professional secrecy under Hungarian national law.

The personal data of the affected are entitled to be disclosed to the employees of the Data Manager whose job involves the processing of personal data.

 

Source of personal data – the data subject.

Consent of the data subject – DGPR Article 6. the data subject has consented to the processing of his or her personal data for one or more specific objectives;

  • Disclosure of images taken of the data subject during the treatments is lawful until the written consent is withdrawn.

Given that the data subject is the source of the personal data, we will provide information directly on the final scope of the data processed when they are collected.

 

Categories of concerned people:

Natural people, contracting parties.

 

The scope of personal data managed:

Name, address, date and place of birth, mother’s name, phone number, e-mail address, other information specified in the contract.

In case of medical treatment: social security number

 

Please note that the treating physician will decide which health data – in addition to the mandatory data – should be included in accordance with professional rules to achieve the desired goal.

The physician can handle the personal data necessary to provide health care in accordance with the rules of the profession.

Other data provided for the performance of the treatment in advance and during the treatment, or otherwise known to the Data Manager, as well as during the post-operative treatment, including data classified into special categories of personal data.

During our treatments, photos can be taken before, during and at the end of the treatment.

 

Transfer of personal data:

Data transferred for this purpose will not be transferred to a third country or international organization.

The recipients of the data can be:

Accountant, post office, courier service, E-mail service provider, sms service provider, other performance assistants involved in the performance with prior information given,

 

Duration of processing of personal data:

If no contract is concluded between our Company and the affected for the use of our healthcare service, we will delete the personal data after the data subject informs our Company that he or she does not wish to use our services.

If the data subject uses health care services from our Company, the data is part of the health care documentation and is stored as follows:

In case of hair transplantation (medical aesthetic and cosmetic treatments) until the end of the treatment.

If the hair implant is happening on multiple occasions/ curative, then until the end of the treatment / cure.

 

In the case of medical treatments (treatments qualifying as medical treatments) according to paragraph 30 of the Health and data Act:

Medical documentation must be kept for at least 30 years from the date of data collection and the final report for at least 50 years. After the mandatory registration period, the data can still be recorded for medical treatment or scientific research (if justified). If further registration is not justified, the registration shall be destroyed (except in case of paragraph 3)

(2) An image made with an imaging diagnostic procedure shall be kept for 10 years from the time it was taken, and a diagnostic based in the image shall be kept for 30 years from the time the image was taken.

(3)  If the medical record is of scientific significance, it must be handed over to the competent archives after the mandatory keeping period.

 

Automated decision making and profiling:

None of this happens during data management.

 

5.4. INVOICING AND OTHER ACCOUNTING DATA MANAGEMENTS

The objective of data management:

To fulfil the obligation written in the Accounting Law, to keep invoicing data

 

Legal basis of data management:

Paragraph (1) article 6 of the GDPR

The Data Manager legally handles invoicing and other accounting data under the GDPR because it has a legal obligation to do so based on paragraphs (1) – (6) of article 169 of the C. Law on Accounting from 2000.

 

Source of personal data – the data subject.

The data subject/affected. Given that the data subject is the source of the personal data, we will provide information directly on the final scope of the data processed when they are collected.

 

Data subject categories:

Patients – Customers, participants in other accounting processes (e.g.: actual payer)

 

Personal data treated:

Name, data required by other legislation or shown at the request of a customer. (paragraph 169 of the CXXVII. Law of 2007 – in the following V.A.T. law).

 

Transfer of personal data:

Data transferred for this purpose will not be transferred to a third country or international organization.

 

The recipients of the data can be:

Personal data is processed only by the employees of the Data Manager who are responsible for the administration of invoicing.

Accountant, authorities (e.g.: NAV – Hungarian National Tax and Customs Office)

Duration of processing of personal data:

The enterprise is obliged to keep the report on the business year, the business report and the supporting inventory, valuation, general ledger extract, as well as the logbook or other records in accordance with the requirements of the law in a legible form for at least 8 years.

 

Automated decision making and profiling:

None of this happens during data management.

 

Provision of personal data

The processing of all data is based on the law and is mandatory

 

5.5. COMPLAINT (DATA MANAGEMENT)

In the event of an oral complaint, if the user does not agree with the immediate handling of the complaint or it is not possible to investigate the complaint immediately, the Data Manager shall immediately take records of the complaint and its position on it – as per the paragraph (3) article 17/A of the Consumer Protection Act.

Objective of data management:

Fulfilment of legal obligations arising from warranty and guarantee claims, and handling of any other complaints

 

Legal basis of data management:

Point c) paragraph (1) article 6 of the GDPR

The controller lawfully handles it in accordance with the GDPR because it has a legal obligation to do so based on paragraph (7) of article 17/A of the C. Law on Accounting from 2000.

 

Source of personal data – the data subject

Consent of the data subject – Paragraph (1) article 6 of the GDPR – the data subject has consented to the processing of his or her personal data for one or more specific purposes.

 

Data subject categories:

People with a complaint, alleging defective performance, people with a warranty and guarantee claim

 

Personal data treated:

Name, address, the processing of data required by other legislation and provided by the complainant may also take place, of which the complainant may not be informed in advance, however, the information shall be provided in the complaint handling report.

 

Transfer of personal data:

Data transferred for this purpose will not be transferred to a third country or international organization.

The recipients of the data can be: post office, courier service, court, authorities, email provider

 

Duration of processing of personal data:

It is required by paragraph (7) article 17/A of the Consumer Protection Act to be kept for 5 years.

 

Provision of personal data

The provision of personal data for the purpose of handling complaints cannot be missed.

 

Automated decision making and profiling:

None of this happens during data management.

 

VI. RIGHTS OF THE AFFECTED/DATA SUBJECT WITH REGARD TO DATA PROCESSING

Secrecy

Based in the Health Act, the Data Manager and the data processor shall be bound by medical secrecy.

 

Right to information

The data subject has the right to appropriate information (in plain language) related to data management, which the Data Manager provides by making this information available in this notice.

You can read more about the right to information in Articles 13-14 of the GDPR.

 

Consent – based data management

In the case of data processing based on the data subject’s consent, he or she has the right to withdraw his or her consent to data processing at any time. It should be emphasized that the withdrawal of consent applies only to data for which there is no other legal basis for processing. In the absence of other legal basis for data processing, personal data will be permanently and irrevocably deleted after the withdrawal of consent. It does not affect the lawfulness of the data processing that happened on the basis of the consent prior to the withdrawal (article 14 of the GDPR).

 

Access right

The affected has the right to receive feedback from the Data Manager as to whether the processing of his / her personal data is in progress and, if any data processing is in progress, he / she has the right to access the personal data and the following information:

  1. objective of data processing
  2. categories of personal data affected
  3. the recipients or categories of recipients to whom or with whom the personal data have been or will be communicated, in particular recipients in third countries or international organizations;
  4. when possible, the intended period for which the personal data will be stored or, if that is not possible, the criteria for determining that period;
  5. the data subject’s right to request the rectification, deletion or restriction of the processing of personal data concerning him or her and to object to the processing of such personal data;
  6. the right to send a complaint to a supervisory authority;
  7. if the data was not collected from the affected, all information about the source of the data;
  8. when automated decision-making, including profiling, takes place, and at least in such cases, comprehensible information on the logic used and the significance of such data processing and the expected consequences for the data subject.

You can read more about access right in article 15 of the GDPR.

 

Right to rectification:

The affected has the right to have inaccurate personal data concerning him or her rectified at his or her request without any non-justifiable delay. The affected has the right to request the completion of incomplete personal data. You can read more about the right to rectification in articles 16 and 19 of the GDPR.

Right to deletion:

The affected has particular right to have his or her personal data deleted and not further processed if the collection or processing of personal data is no longer necessary for the original purposes of the processing, or if the affected has withdrawn his or her consent or otherwise does not comply with this regulation.

In order to exercise the right of deletion, the Data Manager has to immediately delete the personal data of the affected if

a) data processing is illegal, especially if the data processing

aa) is contrary to the principles set out in the Info. Law

ab) the purpose of the data has ceased to exist or the further processing of the data is no longer necessary for the purpose of the data processing,

ac) a period of time specified by law, international treaty or binding act of the European Union has elapsed, or

ad) its legal basis has ceased to exist and there is no other legal basis for the processing of the data,

b) the affected withdraws his or her consent to the processing or requests the deletion of his or her personal data

c) the erasure of the data has been ordered by law, an act of the European Union, an Authority or a court

You can read more about the right to deletion in articles 17 and 19 of the GDPR.

 

Right to restrict data processing

The data subject has the right to restrict the data processing of the Data Manager on his or her demand if one of the following is met:

  1. if the affected disputes the accuracy, correctness or completeness of the personal data processed by the data controller or by a data processor acting on his or her behalf
  2. the data processing is illegal and opposes the deletion of the data, instead requesting a restriction on the use of the data
  3. the Data Manager no longer needs the personal data for the purpose of data processing, but the affected requires them in order to submit and protect his / her legal claims,
  4. the affected has objected to the processing, in which case the restriction applies for as long as it is established whether the legitimate reasons of the Data Manager take precedence over the legitimate reasons of the data subject

You can read more about the right to restrict data processing in articles 18 and 19 of the GDPR.

 

Right to protest

The affected has the right to object at any time to the processing of his or her personal data based on points e) or f) of paragraph (1) of article 6, including profiling based on those policies, for reasons related to his or her situation. In that case, the Data Manager can’t process the personal data unless the Manager demonstrates that the processing is justified by compelling legitimate reasons which take precedence over the interests, rights and freedoms of the affected or which are necessary to bring, assert or defend legal claims.

Where personal data are processed for the purpose of direct business acquisition, the affected has the right to object at any time to the processing of personal data concerning him or her for that purpose, including profiling, if it relates to direct business acquisition. You can read more about the right to protest and on automatic decision making in articles 21-22 of the GDPR.

 

Right to data transfer

The affected has the right to receive personal data concerning him or her made available to a data manager in a structured, widely used, machine-readable format and to transfer such data to another data manager without being blocked by the manager who provided personal data if:

  1. the processing is based on the data subject’s consent or a contract based on point b) paragraph (1) article 6, and
  2. data management is automated.

You can read more about the right to data transfer in article 20 of the GDPR.

 

VII. PROCEDURE FOR ENFORCING THE RIGHTS OF THE AFFECTED/PERSON CONCERNED

If you have any problems or request, please feel free to contact our Company (if you may, firstly) in the form of an e-mail sent to gabor.molnar@hairpalace.fr or by post to the registered office of our Company. Our Company will start investigating and fulfilling the request of the person concerned without any unjustifiable delay upon receiving it.

Our Company will inform the person concerned of the measures taken on the basis of the request within 30 days after receiving it. If our Company is unable to fulfil the request, it will inform the data subject of the reasons for the refusal and the right of appeal within 30 days.

 

 

Legal remedies in relation to data management

In order to enforce the right to a judicial remedy, the person concerned can go to court against our Company. The court acts out of turn in the case. The trial falls within the jurisdiction of the tribunal. The lawsuit may be brought before court at the domicile or residence of the affected or at the registered office of the Company (Metropolitan Court of Budapest).

 

By filing a complaint with the Hungarian National Data Protection and Freedom of Information Authority (NAIH – Nemzeti Adatvédelmi és Információszabadság Hatóság), anyone can initiate an investigation against the Company on the grounds that a personal data breach has occurred, or there is an imminent threat thereof, or that the Company restricts the exercise of its rights related to data processing or rejects an application for the enforcement of these rights. The complaint can be made at one of the following contacts:

 

Hungarian National Data Protection and Freedom of Information Authority (NAIH – Nemzeti Adatvédelmi és Információszabadság Hatóság)

Postal address: Pf.: 5. Budapest, 1530 (P.O.B.)

Address: Szilágyi Erzsébet fasor 22/c, Budapest, 1125

Phone number: +36 (1) 391-1400

Fax number: +36 (1) 391-1410

E-mail address: ugyfelszolgalat@naih.hu

Website: http://naih.hu