On data processing related to medical treatment
Tiba-Med Egészségügyi Szolgáltató Betéti Társaság (Based: 9028, Győr Röppentyű u. 14/b; Trade register No.: 08-06-013420; Tax No.: 22380362-1-08), as operator of domain name https://www.utazasioltopont.hu/ and its subsites (altogether „website”) as data controller hereby publishes its policy regarding its data processing activity in connection with medical treatment and the related services. Natural persons (‘data subjects’) can access this Privacy Policy on the website of the data controller, and on the service locations.

1. Notion definition
1.1. For the purposes of this Privacy Policy, medical treatment shall be any activity related to the direct examination, treatment and medical rehabilitation of the data subject, and for that purpose, the processing of the examination materials of the data subject, including the provision of medicines, medical tools, medical care, rescue and patient transportation and obstetric care, performed for the preservation of health and for the prevention, detection, early diagnosis and curing of illnesses, improving or maintaining the condition resulting from the illness.
1.2. For the purposes of this Privacy Policy, medical data is any data related to the bodily, mental and psychological condition, pathological passions and the circumstances of the illness or death of the natural person as the data subject, the cause of death, as reported by him or her or by any other person about him or her or any data resulting from tests, measurements, imaging or any derived data recorded by the health care network; and any data affecting the abovementioned details (e.g. behaviour, environment, occupation).
1.3. The terms “personal data”, “data controller”, “data processing”, “personal data breach”, “supervisory authority” and “third party” are used in their meaning defined in Article 4 of the General Data Protection Regulation referred to in section 1.4, and shall be interpreted accordingly.
1.4. “General Data Protection Regulation”: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Regulation (EC) No 95/46 (General Data Protection Regulation, hereinafter referred to as “GDPR”).

2. The legal basis for the processing of personal data
The legal basis of the processing of personal data depends on purpose.
2.1. With regard to the personal and medical (special category) data of the data subject, the legal basis for data processing is Article 6 (1) (b) of the General Data Protection Regulation, i.e. data processing is necessary for the performance of a contract in which the data subject is a party, or necessary to take steps at the request of the data subject prior to the conclusion of the contract.
2.2. Regarding contact details of the data subject (e-mail address and phone number), the legal basis for data processing is the consent of the data subject to the
processing of his or her personal data for one or more concrete purposes, in line with Article 6 (1) (a) of the General Data Protection Regulation.

3. The subjects of data processing
The subjects of data processing are the natural persons in contract related to medical treatment with the data controller.

4. Purpose and duration of data management, scope of data processed
4.1.1.Period of data processing at least 30 years from the date of the recording as part of the health documentation:
Identification data (name, place and date of birth, mother’s birth name)- Purpose of data processing: Identification of the natural person concerned, Patient security Social Security Number- Purpose of data processing: Identification of the natural person concerned, Patient security
Adress – Purpose of data processing: Communication with the data subject, the mandatory data content of the accounting document
Medical data supplied by the data subject and collected by a data controller- Purpose of data processing: Promoting effective treatment; health monitoring; taking measures necessary in the interests of public health and epidemiology
4.1.2. Period of data processing until the consent of the data subject is withdrawn or the purpose of data processing is terminated (optional):
Phone number, email address – Purpose of data processing: Communication with the data subject

5. Additional provisions for the period of data processing
The medical records shall be stored for at least 30 years from the date of the data collection, and the final report shall be stored for at least 50 years. If justified for medical or scientific research purposes, the data may be stored after the expiry of the mandatory retention period; if further storage is not justified, the records should be destroyed.

6. Storage and security of personal data
6.1. If the records are stored in printed form, the data controller shall store the medical records of the data subjects in lockable cabinets located at the outpatient clinic that the 31. Nagysándor József street Győr 9027.
6.2.The electronically recorded medical records are stored on limited access computer owned by the data controller. For the transfer of medical data on the open public network of the Internet, data protection is ensured by SSL (Secure Socket Layer) protocol-based encryption.
6.4. The data controller uses the Viktória patient management system to record personal and health data in such a way as to facilitate the administration of treatment by physicians and natural persons involved in treatment.

7. Use of data processors
7.1. In case of laboratory testing:
Synlab Hungary Kft. (seat: Floor 1, 53 Bajcsy-Zsilinszky út, Budapest, Hungary, H- 1065; tax number: 14872925-2-42; e-mail: hungary@synlab.com);
7.2. The data controller reserves the right to involve in the future a further data processor in the data processing, which will be communicated to the data subjects by amending this Privacy Policy.

8. The persons authorized to know the data and the conditions of transfer
8.1. Only the data controller and natural persons in the employment of or other legal form of working relationship with the data controller, and involved in medical treatment are entitled to access the data.
8.2. Data transfer is possible only if it is required by the law; the data controller can transfer the personal data in his possession to governmental agencies only in exceptional cases. These include the case when the data subject is suffering from a serious infectious disease for which epidemiological rules require the notification of appropriate health care facilities (e.g. the National Public Health Centre).

9. Rights of data subjects in relation to data processing
9.1.Information on the data processing by the data controller can be requested from the data controller’s data protection officer.
Name: Dr. Asztalos Tímea
Postal address: H-9028 Győr, Röppentyű utca 14/b.
Telephone: +36 70 583 9999
E-mail: kapcsolat@utazasioltopont.hu
9.2. The data subject may request information in writing from the data controller on the contact details defined in section 9.1 on the personal and medical health data managed by the data controller, and may request the indication, purpose and source of the legal basis, and the period of the data processing; and may also request information on when, to whom, and by what authorization the data controller provided access to or transferred his or her personal or medical data.
9.3. The data subject has the right to object to the processing of his/her personal data contained in the health documentation, to have access to his/her medical records and to have the right to be informed of his/her health data provided that the health records shall be controlled by the data controller as a health care provider and the data contained therein shall be controlled by the patient as the data subject.
9.4. Furthermore, the data subject has the right to
-access the medical documentation, and to make an extract or a copy of it;
-receive an outpatient care sheet upon completion of the outpatient care;
-obtain a summary or an extract of the medical opinion on his or her medical data. 9.5. The data is not automatically processed, so the right to data transfer is not applicable for the data processing.
9.6. No automated decision-making occurs.

10. Limitations and special cases of the right to access
10.1. Where the medical records of the data subject also contain data relating to the rights of another person to private data, the data subject may exercise his/her right of access only in respect of the part concerning himself or herself.
10.2. Only a person defined in Act CLIV of 1997 on Health Care may have the right

to access the documentation of an incapacitated patient.
10.3. On the basis of a written request from the spouse, immediate relative, brother, and partner of the data subject, the data controller shall grant access right to the health records if the conditions specified in the law are met, and if the medical data is required for the purpose of diagnosing a cause affecting the life or health of the applicants, or their medical care; and it is not possible to directly or indirectly acquire the medical data in any other way.
10.4. Upon the death of the data subject, his/her legal representative, close relative and heir shall be entitled, on the basis of his/her written request, to obtain medical information related to the cause of the death, to the medical treatment prior to the occurrence of death, to access the health documentation and to make extracts and copies thereof at his or her own expense.

11. Medical Confidentiality
11.1. The persons participating in the medical treatment may disclose the medial secrets – which are a set of medical and personal data – only to those having access rights to them, and to treat them as confidential.
11.2. The data subject has the right to declare which natural persons may be informed of his or her illness and its expected outcome, and which natural persons are excluded from gaining partial or complete information of his or her medical data. 11.3. The data controller provides enhanced protection for the medical secrets he has become aware of; he is entitled to release the medical secrets to a third party only if the data subject, in full knowledge of the scope of confidential data to be disclosed, grants his or her consent to the disclosure of the data or if the data controller is authorized or obliged to disclose the data by the law.
11.4. The medical data of the data subject shall be disclosed in the absence of his or her consent, if it is required by law; it is necessary for the protection of the lives and health of others; a person caring for the data subject may be provided with the medical data which, if they remain unknown, may lead to a deterioration of the data subject’s health.

12. Remedy options available for the data subject
12.1.Complaints can be made on the activities of the data controller and a procedure of the data protection authority can be initiated under section 52 of Act CXII of 2011 at the Supervisory Authority.
Name: Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Seat: 22/c Szilágyi Erzsébet fasor, Budapest, Hungary, H-1125 Postal address: Pf. 834, Budapest, Hungary, H-1534 (PO Box) Phone: +36 (1) 391-1400
Telefax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
12.2. In case of violation of his/her rights, the data subject apply to a court against the data controller. A civil lawsuit shall be initiated at the Regional Court of Budapest. The lawsuit may – at the discretion of the data subject – be initiated also before the regional court with jurisdiction at permanent or temporary residence of the data subject (the contact details and list of regional courts can be found on the following link: http://birosag.hu/torvenyszekek).
In matters not covered by this privacy policy, Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, Act XLVII of 1997 on Processing and Protection of Medical and Other Related Personal Data, Act CLIV on Health, Government Decree 89 of 1995 (VII. 1.4) on the Occupational Health Service and the Classification of Employees by Categories, Act XCIII of 1993 on Work Safety, and Act CXII of 2011 the Right of Informational Self-Determination and Freedom of Information shall govern.
In addition, the data controller undertakes to act in accordance with the relevant contract executed with the data subject, the applicable rules and the legal practice in the course of its data processing activities and in exercising its confidentiality obligations, and to comply with the provisions of applicable law.
Date: Győr, 08 February 2022.