Data Controller: Bujdosó-Dent Limited Liability Company
Registered Office: 4027 Debrecen, Csigekert Street 57–61
Company Registration Number: 09-09-033594
Tax Number: 27560741-1-09
Representative: Dr. Sándor Bujdosó
E-mail: info@primusdental.hu
Phone: +36 30 508 0017
Website: www.primusdental.hu
The data controller undertakes to ensure that all data processing related to its activities complies with the provisions of this notice and the applicable data protection laws.
The data controller is committed to protecting the personal data of its patients and partners, respects their right to informational self-determination, handles their data confidentially, and takes all necessary technical, organizational, and security measures to ensure data protection.
The purpose of this privacy policy is to ensure that the data controller fully complies with the applicable data protection legislation when processing the personal data of natural persons it comes into contact with.
This policy applies to all natural persons whose personal data is processed by the data controller in any manner.
The material scope of this policy covers all processing of personal data of natural persons carried out by any organizational unit of the data controller, regardless of whether the processing is performed electronically and/or on paper.
3.1 Data processing: any operation or set of operations performed on personal data, regardless of the method applied, including in particular the collection, recording, organization, structuring, storage, adaptation or alteration, use, retrieval, consultation, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data, as well as the prevention of further use of the data, and the making of photo, audio or video recordings, and the digital 3D recording of physical characteristics suitable for identifying the person (e.g. height, weight, facial or dental structure).
3.2 Data controller: the natural or legal person, or organization without legal personality, who alone or jointly with others determines the purposes and means of the processing of personal data (including the tools used), makes and implements decisions regarding data processing, or has them implemented by a data processor. The operator of the website shall be considered a data controller, who primarily provides media content services and, in connection with this main activity, ensures the availability of the Services accessible through the Website.
3.3 Personal Data or Data: any data or information that allows a natural person (User) to be identified directly or indirectly.
3.4 Data processing (technical): performing technical tasks related to data processing operations, regardless of the method and tools applied and the location of the application, provided that the technical task is performed on the data;
3.5 Data Transfer: making the data available to a specified third party;
3.6 Data Deletion: rendering data unrecognizable in such a way that it cannot be restored;
3.7 Data Processor: a natural or legal person, or organization, that processes data on behalf of the data controller under contract;
3.8 Website: the website operated by the Data Controller: https://primusdental.hu
3.9 Services: services provided at the premises operated by the Data Controller, promoted via the website
3.10 User: the natural person who registers in person or online in connection with the Services…
3.11 Notice: this privacy notice issued by the Data Controller.
3.12 Third Party: a natural or legal person, or organization, other than the data subject, the data controller, or the data processor.
3.13 Health Data: personal data concerning the physical or mental health condition of a natural person, including data related to healthcare services provided to that person, which reveals information about their health status.
3.14 External Service Provider: a third-party partner engaged by the Data Controller—either directly or indirectly—for the purpose of providing the Services available on the website, and to whom personal data may be transferred or disclosed.
3.15 Data Protection Incident: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data that has been transmitted, stored, or otherwise processed.
4.1 The Data Controller only collects and processes personal data that the visitor voluntarily provides. These data (especially the following: name, address, phone number, e-mail address, place of birth, date of birth) are necessary for the provision (and development) of our services to customers, as well as to achieve the purposes defined in this Privacy Policy.
4.2 Data processing is based on a declaration by the Users that is voluntary and based on adequate information, which includes the Users’ explicit consent for the processing of the personal data they provide or that is generated about them during use of the site. In the case of consent-based data processing, the User has the right to withdraw their consent at any time, which does not affect the lawfulness of data processing prior to the withdrawal.
4.3 Any User, when providing their e-mail address or the data provided during registration (e.g. username, identifier, password, etc.), also accepts responsibility for the fact that services will be used exclusively by them with the provided e-mail address and data. Due to this assumption of responsibility, all liability related to access made with a given e-mail address and/or data rests solely with the User who registered the e-mail address and provided the data.
4.4 Upon the User’s visit to the website, the Data Controller records the User’s IP address without separate consent, based on its legitimate interest and for the lawful provision of the Service (e.g. in order to detect unlawful use or filter unlawful content).
4.5 In the case of specific examinations or treatments, data processing is based on voluntary consent; however, in the case of medical records or discharge reports, the legal basis for processing is Act XLVII of 1997 on the processing and protection of health and related personal data.
4.6 The Data Controller will not use the personal data provided for purposes other than those specified in this Privacy Policy. Personal data may only be disclosed to third parties or authorities with the prior and explicit consent of the Data Subject – unless otherwise required by law.
Scope of processed data:
name
birth name
address
place and date of birth
mother’s maiden name
social security number
phone number
email address
data relating to the subject and fee of the service
name of health insurance fund
membership ID number of health insurance fund
health data, documentation
(The treating physician decides which health data must be recorded and stored in accordance with professional guidelines)
The purpose of data processing is to identify the User and provide appropriate services (selection of the method of dental treatment), as well as to maintain contact with the User and fulfill legal obligations.
5.1 In order to provide personalized service, the Data Controller places a small data package (“cookie”) on the User’s computer. The purpose of the cookie is to ensure the highest possible level of functionality of the given site, to provide personalized services, and to improve the user experience. The User can delete the cookie from their own computer or set their browser to disable the use of cookies. By disabling the use of cookies, the User acknowledges that the operation of the given site will not be fully functional.
5.2 During the provision of personalized services, the Data Controller uses cookies to process the following Personal Data: demographic data and information on interests, habits, and preferences (based on browsing history).
5.3 The Data Controller does not send unsolicited messages to visitors. With your explicit consent, you may agree that your data will be included in the Data Controller’s DM database and used for research and direct business acquisition purposes without further permission, pursuant to Act CXIX of 1995 on the processing of name and address data for research and direct marketing purposes. By giving your consent, you explicitly agree that the Data Controller may send advertisements for business purposes by post or electronic means (E-mail, SMS, MMS), and use your data for opinion and market research for the improvement of its own services. The provision of data is voluntary and based on appropriate legal information. You have the right to request information at any time about your data processed by us, and to withdraw your consent at any time, without restriction or charge, by sending a notice to Bujdosó-Dent Ltd. by post, in person, or to the email address info@primusdental.hu.
5.4 Data – in the absence of a specific, purpose-based consent (in particular: sending DM letters) – will be used exclusively for the provision and development of our services, including the fulfillment of orders (notifications about prices), confirmation of the order, verification and control of its fulfillment and compliance, handling of potential complaints, as well as invoicing and proof of the concluded contracts.
5.5 If a User uploads an image to the website, they must avoid including EXIF data containing GPS location data. Visitors to the website can download such images and extract location information from them.
The Data Controller’s data processing is based on voluntary consent, contract, or legal obligation. This policy includes the principles of handling Personal Data provided by Users in connection with the Services available at the headquarters of Primus Dental and on its website. The use of the website, making contact, and the provision of data during patient registration at the Data Controller’s clinic are considered voluntary consent. In addition to the above, data processing is also based on legal regulations governing the doctor-patient relationship.
6.1 The Data Controller processes Personal Data in accordance with the principles of good faith, fairness, and transparency, and in accordance with applicable laws and this Policy.
6.2 Personal Data that is indispensable for using the Services is processed by the Data Controller based on the explicit consent of the concerned User, and is used exclusively for specific purposes.
6.3 The Data Controller processes Personal Data only for purposes defined in this Policy or applicable laws. The scope of processed Personal Data is proportional to the purpose of the Data Processing and does not exceed it. If the Data Controller wishes to use the Personal Data for a purpose other than the original purpose of data collection, the User will be informed and their prior, explicit consent will be obtained, or the User will be given the opportunity to prohibit such use.
6.4 The Data Controller does not verify the provided Personal Data. The adequacy of the provided Personal Data is the sole responsibility of the person providing it.
6.5 The Personal Data of a person under the age of 16 may only be processed with the consent of a parent or legal guardian. The Data Controller is not in a position to verify the authority or the content of the declaration of the consenting person; thus, the User or the parent/legal guardian guarantees that the consent complies with the law. In the absence of such consent, the Data Controller does not collect Personal Data related to minors under 16 – except for the IP address used while accessing the Service, which is automatically recorded due to the nature of internet services.
6.6 The Personal Data processed by the Data Controller may be accessed by Data Processors named in this Policy, as well as – in specific cases described herein – by certain persons who are not third parties but are considered agents of the Data Controller. The aggregated use of such data, which in no way includes any information that could identify the User, does not qualify as Data Processing or data transfer.
In certain cases – such as official court or police inquiries, legal proceedings due to copyright, property, or other legal infringements or the reasonable suspicion thereof, harm to the interests of the Data Controllers, or endangerment of the provision of Services – the Data Controllers may make the accessible Personal Data of the affected User available to third parties.
6.7 The Data Controller’s system may collect data on Users’ activity, which cannot be linked to the other data provided by the Users during registration or to data generated while using other websites or services.
6.8 The Data Controller informs the affected User of any rectification, restriction, or deletion of Personal Data, as well as those to whom the Personal Data had previously been disclosed for processing purposes. Notification may be omitted if it does not infringe the legitimate interest of the affected User in light of the purpose of the processing.
6.9 The Data Controller ensures the security of Personal Data by implementing the necessary technical and organizational measures and by establishing procedural rules that guarantee the protection of the recorded, stored, or processed data, and that prevent accidental loss, unlawful destruction, unauthorized access, unauthorized use, unauthorized alteration, or unauthorized dissemination of the data. The Data Controllers also require any third party to whom they transfer Personal Data to fulfill the same obligations.
6.10 In accordance with the applicable GDPR provisions, the Data Controller is not obliged to appoint a data protection officer.
6.2 Lawfulness of the Data Controller’s Processing
The data processing by the Data Controller is lawful if
a/ the data subject has given prior and voluntary consent to the processing of their personal data for one or more specific purposes;
b/ processing is necessary for compliance with a legal obligation to which the Data Controller is subject;
c/ processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
d/ processing is necessary to protect the vital interests of the data subject or another natural person;
e/ processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
f/ processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, especially where the data subject is a child.
6.3 Legal Basis of the Data Controller’s Processing
The legal basis for the processing is the data subject’s voluntary, explicit, and unambiguous consent provided after being informed by the Data Controller.
Consent is considered to be given voluntarily by the data subject if
a/ they provide written consent for processing
b/ they voluntarily provide personal data in person
c/ they use the Data Controller’s website or social media page and make technical settings
d/ they enter and remain in an area monitored by the Data Controller’s camera system
e/ they perform any other act or make a declaration that clearly indicates consent to the intended processing of their personal data.
A written data processing consent statement must be obtained from Users.
The consent covers all data processing activities carried out for the same purpose(s).
If the data subject is unable to give consent due to legal incapacity or other unavoidable reasons, then their personal data may be processed to the extent necessary to protect their own or another person’s vital interests, or to prevent or eliminate a direct threat to life, physical integrity, or property, for the duration of the obstacle to consent.
7.1 By providing your data, you expressly consent to their use for the purposes mentioned above. The Data Controller stores your personal data only as long as it is necessary for the achievement of the defined purposes or until you withdraw your consent to the processing of your data, in accordance with the applicable legal regulations.
7.2 The processing of personal, non-mandatory data lasts from the time of voluntary submission until deletion. Our company deletes the provided data within 25 days after the withdrawal of the corresponding consent declaration.
7.3 According to the applicable legislation on the registration of health and identification data, the data controller is obliged to retain medical documentation and health-related data for at least 30 years, discharge summaries for at least 50 years, and imaging diagnostic records for 10 years from their creation. Reports based on such records must be retained for 30 years from the date of the examination, even after the withdrawal of consent, as required by law.
7.4 In the event of the unlawful or misleading use of personal data, or if the User commits a criminal offense or attacks the system, the Data Controller is entitled to delete the User’s personal data immediately. However, if there is suspicion of a criminal act or civil liability, the Data Controller is also entitled to retain the data for the duration of the legal proceedings.
7.5 Automatically and technically recorded data during system operation are stored for the period necessary to ensure proper system functionality. The Data Controller guarantees that such technical data cannot be linked with any other Personal Data – except in cases required by law. If the User withdraws consent or unsubscribes from a service (e.g. DM newsletter), the technical data will no longer be traceable to the individual – except for investigative authorities or appointed experts.
7.6 If a court or authority legally orders the deletion of personal data, the Data Controller will comply. Instead of deletion, the Data Controller – while informing the User – may restrict the use of the Personal Data if requested by the User or if deletion would harm the User’s legitimate interests. The Personal Data will not be deleted as long as the purpose of processing still exists that justifies retaining the data.
7.7 In the case of purchases, billing data must be retained for 8 years, in accordance with mandatory legal requirements.
A data security breach is any incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data that is being processed.
Our company ensures data security measures that are appropriate to the level of risk associated with data processing. In the event of a breach, without undue delay and no later than 72 hours after becoming aware of it, our Data Protection Officer—or, in their absence, the data controller/processor or their representative—shall notify the supervisory authority and inform the affected individual as well.
Upon becoming aware of a data protection incident, our company shall immediately take the necessary security measures to eliminate and remedy the underlying issue.
The affected individual shall be informed of the measures taken and their outcomes.
9.1 In connection with the provision of Services, the Data Controller often engages External Service Providers with whom they cooperate. With respect to Personal Data processed by External Service Providers, the privacy policies of such providers shall apply. The Data Controllers take all reasonable steps to ensure that Personal Data transferred to External Service Providers is handled in compliance with applicable laws, and used exclusively for the purposes defined by the User or stated in this Privacy Notice. As of 25 May 2018, External Service Providers are required to record, process, and manage such data in accordance with GDPR, and they must confirm such compliance in writing to the Data Controllers. Data Controllers inform Users about data transfers to External Service Providers through this Privacy Notice.
9.2 External Service Providers Facilitating Registration
The Data Controller collaborates with External Service Providers that offer applications to facilitate registration and login for Users. In the course of this cooperation, certain Personal Data (e.g. IP address, email, registration name) may be transferred to such External Service Providers for processing on behalf of the Data Controllers and/or Data Processors. These providers (e.g. Mailchimp newsletter management system) collect, process, and transmit the data in accordance with their own privacy policies.
External Service Providers supporting registration or login: Facebook Inc.; Mailchimp newsletter management system.
9.3 Web Analytics and Advertising External Service Providers
The Data Controllers collaborate with External Service Providers offering web analytics and advertising services in connection with their Services. These providers may access the User’s IP address and, in many cases, use cookies, web beacons (web markers placed on websites, sometimes in emails or applications that record visited sites), clicktags (markers tracking ad clicks), or other click tracking technologies to personalize services or prepare analytical statistics. Cookies placed by such External Providers can be deleted at any time from the User’s device, and their use can generally be disabled through browser settings. Cookies placed by External Providers can be identified based on the domain associated with the cookie. Web beacons, clicktags, and other click tracking tools cannot be refused.
These External Service Providers process the transferred Personal Data in accordance with their own privacy policies. External service providers cooperating with the Data Controllers in terms of web analytics and advertising: Facebook Inc., Google LLC.
9.4 Other External Service Providers
There are External Service Providers with whom none of the Data Controllers maintains a contractual relationship or intentionally cooperates regarding data processing. Regardless of this, they may still access the Website/Services, either with the User’s involvement (e.g., linking a personal account to the Service) or independently, and may collect data on Users or User activity on the Website. These data, when combined with other data collected by the External Provider, may be suitable for identifying the User. Such External Service Providers may include, but are not limited to: Facebook Ireland Inc., Google LLC, Instagram LLC., Pinterest Ltd., Infogram Software Inc, PayPal Holdings Inc., Playboyz Ltd., Twitter International Company, Viber Media LLC, Vimeo Ltd., Yahoo! EMEA Ltd., YouTube LLC.
These External Service Providers process any transferred Personal Data in accordance with their respective privacy policies.
10.1 The Data Controller is entitled and obliged to forward any lawfully stored Personal Data in its possession to the competent authorities if such data transfer is required by law or a binding legal obligation. The Data Controller cannot be held liable for such data transfers or any consequences arising therefrom.
10.2 If the Data Controller partially or entirely transfers the operation or utilization of the content and hosting services available on the website to a third party, the Personal Data it manages may be transferred in whole or in part to the new service provider without the explicit consent of the User, provided that Users are adequately informed in advance. Such data transfer must not place the User in a more disadvantageous position compared to the data protection rules set forth in the currently effective version of this Notice. In the event of such a data transfer, the Data Controller shall provide the Users with the opportunity to object to the transfer prior to its execution. If an objection is raised, the data transfer in question may not be carried out with respect to the concerned User.
11.1 The User may request that the Data Controller inform them whether their Personal Data is being processed, and if so, grant them access to such Personal Data. The Data Controller considers a written request for information authentic if the User can be clearly identified based on the submitted request. Email requests are considered authentic only if sent from the User’s registered email address, though the Data Controller may still require additional identification before providing the requested information. The request for information may cover the User’s data processed by the Data Controller, its source, the purpose, legal basis and duration of processing, the identity and address of any Data Processors, and in the event of data transfer, who received or may receive the User’s Personal Data and for what purpose.
11.2 The User may request the correction or modification of their Personal Data managed by the Data Controller. Considering the purpose of the Data Processing, the User may also request the completion of incomplete data. Once such requests are fulfilled, previously deleted data cannot be restored.
11.3 The User may request the deletion of their Personal Data managed by the Data Controller. The request for deletion may be denied if (i) it is necessary for exercising the right to freedom of expression and information; (ii) the processing is required by law; or (iii) the data is needed for asserting or defending legal claims. The Data Controller shall always inform the User if a deletion request is denied, stating the reasons. Once a deletion request is fulfilled, the deleted data cannot be restored.
11.4 The User may request the restriction of data processing if they contest the accuracy of their Personal Data. In such cases, processing is limited to the time necessary for verifying the accuracy of the data. The Data Controller will mark such data accordingly if its correctness cannot be clearly established. The User may also request restriction if the data processing is unlawful, but the User objects to deletion and instead requests limited use. Furthermore, restriction can be requested if the purpose of processing has been fulfilled but the User requires further retention for legal claims or defense.
11.5 The User may object to the processing of their Personal Data
(i) if the processing of Personal Data is solely necessary for compliance with a legal obligation of the Data Controller or for the purposes of the legitimate interests pursued by the Data Controller or a third party;
(ii) if the purpose of the Data Processing is direct marketing, public opinion polling, or scientific research; or
(iii) if the Data Processing is carried out in the public interest.
The Data Controller shall assess the legality of the User’s objection, and if the objection is found to be justified, the Data Processing shall be terminated, and the processed Personal Data shall be restricted. Furthermore, the Data Controller shall notify all parties to whom the affected Personal Data had previously been transferred about the objection and the measures taken in response.
12.1 To carry out its activities, the Data Controller uses Data Processors listed above in this Privacy Policy. The processed data is only accessible to those employees of the Company who need to know it to fulfill their specific duties (such as staff responsible for service delivery, customer service for complaints, marketing staff for campaign initiation, and finance staff for invoicing).
12.2 Data Processors do not make independent decisions and may act only based on the contract with the Data Controller and the instructions received. From 25 May 2018, all Personal Data transferred to or processed by Data Processors is handled in accordance with the GDPR.
12.3 The Data Controller monitors the work of the Data Processors.
12.4 Data Processors may engage additional processors only with the prior consent of the Data Controller.
13.1 The Data Controller reserves the right to unilaterally modify this Privacy Policy at any time.
13.2 By logging in again, the User accepts the current version of the Privacy Policy without the need for additional individual consent.
14.1 Any questions or comments regarding data processing may be directed to the Data Controller’s staff at info@primusdental.hu or by mail to 4027 Debrecen, Csigekert Street 57–61.
14.2 The User may also lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; phone: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu).
14.3 In the event of a violation of the User’s rights, the User may bring a case before a court. The case falls under the jurisdiction of the regional court, and, at the User’s discretion, it may be initiated before the regional court with jurisdiction over the User’s place of residence or stay. Upon request, the Data Controller will inform the User of the available legal remedies and procedures.
