Information according to § 5 TMG
(1) The purpose of this data protection declaration (hereinafter: “declaration”) is to
legal order of the use of the directories/databases maintained by Dr Wicker Tímea and DDr Feher Akos (hereinafter:
“Responsible Parties”), to ensure the effectiveness of the constitutional principles
principles of constitutional law, the right to informational self-determination and the
data security requirements, as well as to ensure that, within the scope of the legal
and that everyone has access to their personal data and is aware of the circumstances of the
circumstances of the processing and that unauthorised access, alteration and disclosure of the data are prevented.
unauthorised disclosure are prevented. Furthermore, this declaration is intended to provide the
data subjects about the data processing practices of the controller.
(2) The scope of the declaration covers the processing of personal and sensitive data carried out by the controller on all services.
2. Relevant legislation
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of individuals with regard to the processing of personal data
data, on the free movement of such data and repealing Directive 95/46/EC
(General Data Protection Regulation; hereinafter: “GDPR”)
Act No. CXII of 2011 on the Right to Informational Self-Determination and
Freedom of Information (hereinafter: “InfoG”)
Act No. V of 2013 on the Hungarian Civil Code (hereinafter:
Act No. CXXX of 2016 on the Hungarian Code of Civil Procedure (hereinafter:
Act No. XLVII of 1997 on the Protection and Processing of
Health Data and the Personal Data Related thereto
Regulation No. 62/1997 (XII. 21.) of the Minister of National Welfare on Certain
Matters concerning the processing of health data and related
personal data (hereinafter: “VGD”)
Act No. XLVIII of 2008 on the Basic Conditions and Individual
Restrictions on Commercial Advertising Activities (hereinafter: “Advertising Act”)
Act No. I of 2012 on the Hungarian Labour Code (“ungAGB”)
3. Details of the person responsible
The current details of the person in charge are as follows:
Name: Dr. Wicker Tímea and DDr. Feher Akos
Registered office: Börseplatz 6/1/8, 1010 Vienna
Telephone number: +36 99 339 349
E-mail address: firstname.lastname@example.org
4. Scope of personal data processed, purpose, duration and legal title of processing
(1) Data providers are obliged to provide all personal data on the basis of
best efforts to provide factually accurate information.
(2) Insofar as the data supplier does not provide his own personal data, he shall be
obliged to obtain the consent of the data subject.
(3) If the data controller transfers the data to processors or third parties, the data controller shall keep a register.
the controller shall keep a register thereof. The register of transfers should indicate the
recipient, the manner and time of the transfer and the scope of the personal data
the personal data transferred.
(4) Data processing in the context of certain activities of the controller:
a. Patient data
Legal basis of the data processing: consent of the data subject or
Scope of personal data processed: Name, date of birth, profession,
Health insurance company, place of residence (country, settlement, postcode, street, house number),
telephone, e-mail address, source of information about the services of the
responsible person; questions on general state of health and previous
treatments; data on dental medical history, smoking and daily oral care; oral cavity
daily oral care; oral cavity photographs before, during and after treatment;
X-rays of part or all of the oral cavity, if required; and
whole of the oral cavity;
Purpose of the data processing: to promote the maintenance, improvement
maintenance of health: promotion of successful medical
treatments, including professional supervision activities; monitoring of the
health status of the data subject; implementation of patients’ rights.
Deletion period of personal data: According to § 30 paragraph 1 GSchVDG
the time limit is 30 years from the date of data collection, in the case of epicrises 50 years, in the case of
10 years in the case of diagnostic imaging; the billing data, which is deleted after 6
years, are an exception to this, as are the e-mail address and telephone number, which are
and telephone number, which are deleted by the responsible person after 5 years,
as well as data on the source of information on the services provided by the responsible person,
which will be deleted after 30 days.
The possible consequences of withholding the data: In relation to health and
basic billing data and identification data, the impossibility of providing medical
provision of medical services; after the service has been provided, the health data cannot be
health data cannot be deleted due to legal obligation;
with regard to the e-mail address and telephone number, the impediment of the
contact that may be necessary; with regard to the data concerning the source
of information about the services of the responsible person, the less effective
realisation of the advertising activity
The data controller shall process the health data of which he/she has become aware, taking into account
b. Registration of the implants
Legal basis for data processing: legal obligation (§ 22/B
Scope of the personal data processed: from the data specified in the Act on the
protection and processing of health data and the related
related personal data, the following personal data are processed
first name and surname, the name at birth, the date of birth, the name at birth of the
mother, place of residence or domicile, other contact details of the person concerned by the
treatment, the date of implantation, removal or replacement, in respect of the
the date of implantation, removal or replacement, the designation, type and
lot code of the implant – if available – the serial number, the name of the
the name of the manufacturer, the name and location of the distributor from which the healthcare
the health care provider acquired the implant, the name of the
implanting physician, its stamp number, the name of the implanting healthcare
health care provider and its operating licence number.
Purpose of data processing: central registration of implants.
Deletion period of personal data: 50 years from the date of registration in the
central implant register
Possible consequences of withholding the data: required by law, there is no possibility to withhold the data.
therefore no possibility exists to withhold the information
c. Contacting the website of the data controller
Legal basis of the data processing: consent of the data subject through
Group of data processed: Name; e-mail address; telephone number; text of the
Purpose of the data processing: contacting the data controller
Deadline for deletion of personal data: If, in the opinion of the
the controller considers that the content of the message imposes an obligation on the
the data controller, or if the data controller considers that the data
necessary for the exercise or protection of his rights or the rights of a third party, the data
the rights of third parties, the data shall be deleted after 5 years, otherwise within
within 30 days of receipt of the communication
The possible consequences of withholding the data: the establishment of a
connection in the event of incomplete provision of the data fails or becomes
Legal basis of data processing: Fulfilment of legal obligation
Group of data processed: Name; Residence
Purpose of the data processing: fulfilment of the legal obligation
Processor: the invoices issued are processed by the booking agency
Orbán & Partners Audit Kft. and stored for 1 year, after which they are transferred to the
then they are stored in the branch office of the data controller at the address H-9400
Sopron, Hátsókapu 8. I. em. 7.
Legal title of the data transfer: fulfilment of legal obligations
Time limit for deletion of personal data: 9 years after invoicing.
Possible consequences of withholding data: due to legal obligation, there is no possibility to withhold data.
There is no possibility to withhold data due to legal obligation
Legal basis of data processing: Consent of the data subject.
Group of data processed: Name; e-mail address
Purpose of the data processing: to provide information about the
activities and actions of the data controller
Time limit for erasure of the personal data: until revoked
Possible consequences of withholding the data: Impossibility of subscribing
of the newsletter and notification of the latest information and
benefits in connection with the data controller
f. Security camera
A camera surveillance and recording system operates in the responsible person’s building.
recording system. The cameras are directed at the corridors and premises open for customer
and premises open to customer traffic, with the exception of the toilets and smoking areas.
The details of the operation of the cameras are set out in the separate document.
“Data protection information on video surveillance”.
5. rights of the persons concerned, legal remedies
(1. Data subjects shall have the right to obtain from the controller, at any time and in writing
information on the manner in which their personal data are processed, and may request their
request erasure or modification, as well as to revoke any consent previously
consent given at the contact details indicated in point 3.
(2) The data subject may not exercise his or her right to erasure in relation to the data processing operations
processing prescribed by the law.
(3) Content of the right to information: At the request of the data subject, the
controller to provide the data subject with all the information listed in Articles
13 and 14 of the GDPR and all notifications pursuant to Articles 15 to 22 and Article 34 that are
relating to the processing of personal data in a precise, intelligible and easily accessible
and easily accessible form.
(4) Content of the right of access: The data subject shall have the right to obtain from the controller
information as to whether personal data relating to him or her are being processed by the controller.
processed by the controller. Where personal data are processed by the
controller, the data subject shall have the right of access to the following information
the following information:
a. Personal data concerning you;
b. The purpose(s) of the data processing;
c. the categories of personal data being processed;
d. the persons to whom the data of the data subject have been or will be communicated;
e. the duration for which the personal data will be stored;
f. the right to rectification, erasure as well as restriction of processing;
g. the right to apply to the court or a supervisory authority;
h. the source of the personal data processed;
i. Profiling and/or automated decision making or the details and practical implications of these;
j. the transfer of the processed data to a third country or to an international
(5) In the case of the above-mentioned data request, the data controller shall provide the data subject
data subject a copy of the data processed by him or her, as requested. The
electronic delivery may be requested by the controller in a separate request.
(6) The responsible person shall charge an administrative fee for all further copies in the amount of 500
HUF per page.
(7) The transmission period of the requested data is 30 days from the receipt of the request.
(8) Right to rectification: The data subject may request the controller to rectify any inaccurate personal
of any inaccurate personal data concerning him or her.
(9) Right to erasure: Where one of the following grounds applies, the data subject may request the erasure of his or her
erasure of his or her personal data from the controller without undue delay and in any event within
and in any case within 5 working days:
a. The personal data have been processed unlawfully (without normative authorisation or personal consent); or
b. the processing of personal data is not necessary for the original purposes; or
c. the data subject revokes his/her consent and the controller lacks an otherwise
other legal basis for the processing;
d. the personal data were collected in relation to information society services offered; or
information society services;
e. the personal data must be erased in order to comply with the legal obligations of the
be deleted in order to comply with the legal obligations of the controller.
(10) The controller is not in a position to delete the personal data if the
data processing is still necessary for the purposes of the following:
a. The continued processing is necessary for compliance with the relevant legal provisions of the
b. for the exercise of the right to freedom of expression and information;
c. for reasons of public interest;
d. for archival, scientific research or statistical purposes;
e. for the exercise or defence of legal claims.
(11) Right to restriction of processing: Processing shall be restricted by the controller
at the request of the data subject where one of the following conditions is met
a. The accuracy of the personal data is contested by the data subject, in which case the
in which case the restriction shall be valid for a period of time which permits the controller
to verify the accuracy of the personal data sufficiently;
b. the processing is unlawful and the data subject objects to the erasure of the
data and instead requests the restriction of the processing of the personal data; or
the personal data instead;
c. the personal data are no longer necessary for the purposes of the processing,
the data subject needs them for the exercise or defence of legal claims; c. the personal data are no longer needed for the purposes of the processing and the data subject needs them for the exercise or defence of legal claims.
(12) Should the controller impose a restriction on any data processed, the data
the data concerned shall be processed during the restriction only if and to the extent that,
a. The data subject gives consent;
b. the processing is necessary for the exercise or defence of legal claims;
c. processing is necessary for the exercise or defence of the rights of third parties;
d. processing is necessary to protect the public interest.
(13)Right of withdrawal: The data subject shall have the right to withdraw at any time – in writing – his or her
consent given to the controller – in writing – at any time. If this is the case, the controller shall immediately and permanently delete
immediately and permanently erases all data which he has processed in relation to the data subject
and whose further retention is not required by law or necessary for the exercise of
or the protection of rights in respect of legitimate interests. By
revocation of consent shall not affect the lawfulness of the processing carried out until the
processing carried out until the withdrawal.
(14) Right to data portability: the data subject has the right to obtain from the controller
the transfer of personal data concerning him or her to another controller in a
data controller in a commonly used and machine-readable format. The
controller shall comply with the request without undue delay and in any event within 30 days.
comply with the request.
(15) Automated decision-making and profiling: The data subject has the right not to be subject to
(15) Automated decision-making and profiling: The data subject shall have the right not to be subject
decision which produces legal effects concerning him or her or similarly significantly affects him or her.
or similarly significantly affects him or her. This right does not apply if:
a. the processing is necessary for the conclusion or performance of a contract between the data subject and the controller.
the data subject and the controller;
b. the data subject expressly consents to the application of such a procedure;
c. the application is authorised by a legal provision;
d. the processing is necessary for the exercise or defence of legal claims.
6. how and how to ensure storage
(1) The controller shall keep the personal data processed by it – both on paper and
on paper and electronically – at his registered office. The electronic data of the
data is processed by the DentAdmin3 software, the service provider of which is Medadmin Kft.
Medadmin Kft. (trade register number: 06-09-009409; tax number: 13336695-2-06; registered office:
H-6721 Szeged, Juhász Gyula utca 36. 1. em. 1.) is.
(2) The website http://www.feherdentalteam.com of the responsible person is physically stored at a server provider.
server provider. The server provider is MediaCenter Hungary Kft (address: H6000 Kecskemét, Sosztakovics u. 3. II/6. telephone: +36 21 201 0505; e-mail:
(3) The data stored by the data processors of the controller are an exception to point 1.
exception to point 1, as they are stored at the registered office of the processors.
(4) The controller shall use an IT system for its activities which ensures that:
a. the integrity of the data is verifiable (data integrity);
b. the authenticity of the data is ensured (authenticity of data processing);
c. the data are available to authorised persons (availability);
d. or the data are protected against unauthorised access (data confidentiality).
(5) Data protection extends in particular to:
a. the unauthorised access;;
b. the alteration;
c. the transmission;
d. the deletion; e;
e. the disclosure; and
f. the inadvertent infringement
g. the accidental destruction
h. or unavailability as a result of a change in the technology used.
(6) The controller shall use a solution to protect the electronically processed data,
which provides adequate security in accordance with the state of the art. In the course of the
adequacy assessment, particular emphasis shall be placed on the level of risk arising during the data
data processing carried out by the data controller. The information technology
protection ensures that the stored data cannot be directly attributed to or linked with the data subjects
data subjects (unless this is permitted by law).
permitted by a legal provision).
(7) The controller shall ensure in the course of data processing that:
a. authorised persons have access to the data when they need it;
b. only the person who is authorised has access to information;
c. the accuracy and completeness of the information and the processing method are
(8. The controller and its processors, where used, shall provide
respective protection against fraud, espionage, viruses, intrusion, damage and
natural disasters directed against the information systems. The responsible person (or
processor) uses security procedures at server level and at application level.
(9) The messages forwarded to the responsible person via the Internet – in all forms – are
are increasingly exposed to network threats that lead to the alteration of the
information, unauthorised access or other illegal activities. To
the responsible party shall make every possible effort to eliminate such threats.
reasonable efforts that can be made according to the state of the art and that are
and are reasonable for the responsible party. To this end, the systems used are
systems are under supervision so that the security deviations are recorded, evidence relating to the security incident is
evidence relating to the security incident and to verify the effectiveness of the precautions taken.
can be examined.
7. procedural requirements
(1. The controller shall provide the data subject with information on the measures taken upon request pursuant to
Articles 15 to 22 of the GDPR without undue delay, and in any event within
in writing within 30 days of receipt of the request.
(2. That period may be extended by 60 days where, taking into account the
complexity of the request or other objective circumstances. The
Page | 9
controller shall inform the data subject in writing of any extension of time,
together with the reasons for the delay.
(3) The information shall be provided by the controller free of charge, unless
a. the data subject requests the information/measures in respect of essentially unchanged
content that is essentially unchanged;
b. the request is manifestly unfounded;
c. the request is excessive.
(4) In the cases listed in item 3, the responsible person is entitled to:
a. reject the application;
b. make the execution of the request subject to the payment of a reasonable fee.
(5) Should the applicant request the transmission of the data in paper form or on an
electronic data carrier (CD or DVD), the data controller shall provide a copy of the data
of the data concerned in the manner requested free of charge (unless the platform chosen would be technically
chosen platform would represent a technically disproportionate effort). For all
copies requested, he shall charge an administrative fee of HUF 500 per page/CD-DVD.
(6. The controller shall communicate any rectification, erasure or restriction to all recipients to whom personal data have been disclosed.
disclosed, of any rectification, erasure or restriction unless this proves impossible or involves a disproportionate effort.
impossible or involves a disproportionate effort.
(7. At the request of the data subject, the controller shall provide information about the group of
persons to whom his or her data have been disclosed.
(8. The controller shall provide its response to the request in electronic form unless:
a. the data subject expressly requests the response in another form that does not
does not involve disproportionate additional costs for the controller;
b. the controller does not know the electronic contact details of the data subject.
(1. Any data subject who, by reason of a breach of the General Data Protection Regulation, has suffered
data protection regulation has suffered material or non-material damage, shall be entitled to compensation
against the controller and/or the processor. The controller and
processor(s) shall be jointly and severally liable for the damage suffered if they are both involved in the breach.
involved in the breach.
Page | 10
(2) A processor shall be liable for the damage caused only if it has complied with the legal provisions specifically imposed on the
processors or if the damage was caused by a failure to comply with the instructions of the controller.
the instructions of the controller.
(3) The controller or processor shall only be liable if they cannot prove that they have
prove that they are not responsible in any respect for the event giving rise to the damage.
for the circumstance giving rise to the damage.
9. legal remedy
(1) If you have any objections, problems with the data processing of the data controller,
please contact the data protection officer of the data controller in confidence,
Dr. POZSGAY Péter (contact details: email@example.com; +36205574860).
(2) The data subject shall have the right to bring an action before the competent court under the Hungarian Code of Civil Procedure (ungZPO).
court with subject-matter jurisdiction under the Hungarian Code of Civil Procedure if he or she considers that his or her rights have been infringed by the
rights have been violated. The court shall proceed in the case out of turn.
(3) If the data subject wishes to lodge a complaint in relation to the data processing, he or she may
data processing, he or she may lodge the complaint with the Nemzeti Adatvédelmi és
Információszabadság Hatóság (National Authority for Data Protection and
Freedom of Information) at the following contact details: registered office: H-1055 Budapest, Falk
Miksa utca 9-11; postal address: H-1363 Budapest, Pf. 9. telephone: +36 1 391 1400; fax: +36
1 391 1410; e-mail address: firstname.lastname@example.org; website: www.naih.hu.
10. cooperation with the authorities
(1) At the official request of the competent authority, the controller must compulsorily provide the
the specified personal data.
(2) In the cases listed in point 1, the data controller shall only transmit data that is
data that are strictly necessary to achieve the stated purposes of the requesting authority.