Privacy Policy

1. The purpose and the scope of the privacy policy
 

The purpose of the present privacy policy is to define the data protection and processing principles applied by Telehealth Innovation Kft., as well as our data protection and processing policy, which we accept as binding upon ourselves.

 

Further, the purpose of this privacy policy is to provide all natural persons making available their data to our Company with such information on basis of which they can clearly determine how we control their data, and that enable them to ensure that we respect their fundamental freedoms and their rights to the processing and protection of their personal data and their privacy at all times, regardless of their nationality, or the place where they reside either permanently or temporarily.

 

The scope of the present privacy policy covers all data processing activities and operations performed by our Company, irrespective of the form thereof. 

2. Information of data controller
 

Our Company shall be considered as data controller in relation to data processing activities specified in the present privacy policy. We process personal data of data subjects mentioned in Section 6 of the present Privacy Policy jointly with the Dentist who evaluates data submitted by the User.

 

If you may have any questions or remarks in connection with processing of your personal data, you can contact us:

 

Company name: Telehealth Innovation Távmedicina Megoldásokat Szolgáltató Korlátolt Felelősségű Társaság

Seat: H-8598 Pápa, Tóradűlő utca 9075/2., Hungary

Postal address: H-8598 Pápa, Tóradűlő utca 9075/2., Hungary 

E-mail: [email protected]

3. Terms used in the present privacy policy 
 

  • Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly by reference to one or more identifier.
  • Data concerning health: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his/her health status.
  • Data processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
  • Joint controllers: two or more controllers jointly determine the purposes and means of processing. Joint controllers determine their respective responsibilities for compliance with the obligations in a separate agreement.
  • Data controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Data processor: a natural or legal person, which processes personal data on behalf of the data controller. Processor may perform technical tasks on personal data, regardless of the method and means used and the place of application.
  • Consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he/she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him/her.
  • GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council; which contains the binding rules on processing of personal data and exercise of data subjects’ rights in relation to the processing of their personal data.
  • Restriction of processing: the marking of stored personal data with the aim of limiting their processing in the future.
  • Recipient: natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
  • Pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
  • Supervisory authority: an independent public authority which is established to protect the rights and freedoms of natural persons with regard to the processing of personal data and to facilitate the free movement of personal data within the Union; in Hungary the National Authority of Data Protection and Freedom of Information.
  • Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
    • Cookie: so-called anonymous visit ID, which Controller places and reads back on the computer, browser of the data subjects using the web Application. cookie is a unique series of data that can be used to save settings applied to the website and to track which users visited the website and what actions were performed on the website.
  • Application: mobile app can be uploaded from Google Play Store and web app can be available at https://clinic.dentalive.org/. By using the Application users can upload and submit their personal data.
  • Consumer: any natural person acting for purposes outside his trade, business or profession.
  • Dentist: a natural person or business organization entitled to provide healthcare service that is in a contractual relationship with the Provider
4. The manner and principles of data processing
 

Our Company controls, stores and uses such personal data, for the purposes specified in the present privacy policy, that data subjects themselves provide for us or that they make available to us or permit access to for our Company. We do not collect personal data from public databases or other sources, and no third parties forward the personal data of data subjects to us, except such data which are provided by the Dentists.

 

We devote special attention to ensuring that only such authorised persons have access to the personal data processed by us for whom such access is indispensable for the performance of their tasks, and only to the extent and for the duration necessary. 

 

The personal data of data subjects may also be accessed and processed by our data processors identified in Section 11 of the present privacy policy, in compliance with the mandatory provisions of the relevant data processing agreements concluded with such data processors. In Sections 12 the present privacy policy, we also provide detailed information on when – other than in case of data processing – third parties may access the personal data of data subjects, including, in particular, the case where official authorities contact us and we perform our statutory obligation by way of disclosing the personal data to them.

 

We control personal data only in compliance with the relevant provisions of law, in the interest of achieving the specific purposes as defined before the commencement of data processing, and in line with such purposes. We control all personal data coming into our possession lawfully and fairly, and in such a way that our data processing activities remain transparent to the natural person data subjects during the entire duration of such activities. We only collect personal data for the lawful purposes as clearly defined in the present privacy policy. We devote particular attention to ensuring that we do not control any personal data in a way that is not reconcilable with the purposes detailed in this privacy policy. 

 

We find it important to emphasise that the data processing activity performed by us is not aimed at either the tracking of data subjects, or monitoring their activities and conduct; further, we do not use the personal data processed by us for the purpose of creating profiles of data subjects.

 

The appointed data protection officer of our Company, whose contact information can be found in Section 16 of the present privacy policy, has full access to the personal data processed by us, in course of the performance of the tasks of the data protection officer.

 

When determining the method of data processing and during the entire data processing process, we perform all technical and organisational measures with the help of which the principles of data protection can be enforced, and the rights of data subjects can be protected. The measures implemented at our Company, as a responsible controller, have been determined in line with the state of the art in science and technology, also taking into consideration the costs of implementation, as well as reckoning with and assessing the risks pertaining to personal data of natural persons.

 

We hereby inform data subjects that we only control personal data that are appropriate and relevant from the point of view of the specific purpose of the data processing, as well as necessary for achieving those purposes. We strive to ensure that the personal data stored and processed by us are always accurate and up-to-date and take all reasonable measures in the interest of ensuring that any inaccurate or incorrect data be rectified or erased as soon as possible. We ask data subjects to assist us in the performance of this obligation, and to notify us, in the manner indicated in the present privacy policy, if their data changed in the meantime, or such data need to be updated for any other reason.

 

We only store personal data until it is absolutely necessary for the attainment of the specific purpose of data processing. In course of the processing of the data, we apply all technical and organisational measures that are necessary to safeguard the security of the personal data, including in particular, but without limitation, the protection of the data against unlawful processing, accidental loss, destruction or damage.

 

In all such cases where we intend to use the data for any purpose other than the original purpose specified in the present privacy policy, we notify data subjects in advance, in writing, by providing the new purpose of data processing and any supplementary information concerning the processing of the data, and shall also ensure that in such cases also we have the legal grounds that enable us to control the personal data of data subjects.

 

It is especially important for us to integrate such technical and organisational measures into data processing processes whereby we can ensure that the processing of personal data only takes place to the extent and for the duration necessary for achieving the specific purpose of data processing, and that access to personal data is also in line with the above. In the interest of the performance of the above obligations, our Company integrated such regulatory points in its data processing processes which are suitable for ensuring that our operations continuously stay within the above frameworks.

 

We also devote particular attention to insuring that the personal data with respect to which the purpose has already been achieved, or for which the duration for the processing of the data has expired, or the erasure of which was requested by data subject, shall be erased without delay, and in case the further processing of such data is necessary, we pseudonymize such data in order to ensure that the link between the data and data subjects cannot be restored any more.

5. Processing of personal data provided in course of the use of the Mobile Application
 

Our Company, as an intermediary service provider, operates the ’DentaLive’ mobile application (hereinafter: the Mobile App), which may be downloaded by data subjects, and through which, after completing the registration, they can directly contact the Dentists using the web interface of the ’DentaLive’ Application and ask them for advice in connection with their dental health.

 

If the data subject decides to register in the Mobile App, as a first step, we ask that the following data be entered: e-mail address and password. Processing of the above data is necessary to create an account for the data subject as a user and to be able to provide access to his/her account. Further, it is also the purpose of the processing of these data to identify data subjects and to keep in contact with them.

 

Once the data subject has successfully registered and logged into his or her user account, in the framework of the creation of his or her profile (on-boarding process), it is necessary to provide the following data: full name (family and given names), date of birth, sex, and city. For the use of the Mobile App, it is also necessary that the data subject enter certain health-related data; such data are included, on the one hand, in the answers given to the questionnaires to be completed in the Mobile App and in the questions sent to the Dentist; on the other hand, the photographs, taken by the data subject, of his or her teeth, mouth and, in certain cases, parts of his or her face, using the camera of his or her own mobile device, and then uploaded to the Mobile App also constitute such data concerning health. If the data subject wishes to share with the Dentists x-rays images of his or her teeth, these can also be uploaded to the Mobile App; in such a case, we also control such data of the data subject that are included in these x-ray images.

 

The data provided in the interest of creating the data subject’s profile, as well as the data concerning health listed above are necessary for the performance of the contract entered into by way of the registration between our Company and the data subject; further, in the absence of such data, we are unable to provide the information society service, and the processing of the data of data subjects is necessary for the exercise of our rights and the performance of our obligations arising from the contract.

 

In course of the use of the Mobile App, the legal grounds for processing of the data provided by data subjects is the contract between our Company and the data subject, which was entered into upon the registration and the acceptance of the GTC. With respect to personal data that are considered as data concerning health, in addition to the above contractual relationship as legal grounds, the expressly given consent of the data subject is also needed for the processing of the data. Such consent is provided by way of ticking the check box on the registration page.

 

We hereby inform data subjects that we control their personal data until such time when they delete their user accounts. If a data subject decides not to maintain his or her user account in the future, the deletion of the user account must be requested in writing at [email protected]. The deletion request shall be processed without undue delay after receipt, and we shall take the appropriate steps for the deletion of the account and the erasure of the personal data stored, or in case erasing the data is not possible, for the anonymization of such data. We ask data subjects that, simultaneously with submitting their request, they should also delete Mobile App from all smart devices on which they installed it. We call the attention of data subjects to the fact that after the deletion of the user account, it is not possible to restore the data; therefore, if the data subject wishes to use the service again, he or she must complete the registration procedure again.

 

We inform data subjects that the data concerning health uploaded to the Mobile App shall be anonymized at the time of the deletion of the user account, which means that the data are subjected to such procedures as a result of which the data subject can no longer be identified on basis of the data. The data thus anonymized shall be stored and used, in an aggregated form, for the development and optimisation of the Mobile App, as well as for making it operate more efficiently.

 

We call the attention of data subjects that in case they do not provide the data necessary for the registration and the on-boarding process, or provide such data deficiently, then – in the absence of fundamental information necessary for the provision of the service – we are unable to accept the registration and the data subject will not be able to use the Mobile App. Further, we also call the attention of data subjects that in case they do not provide their data concerning health, or they fail to supplement such data despite the request of the Dentist, it may lead to the Dentist being unable to evaluate the data and provide a well-founded answer or any answer to the question raised. 

 

We hereby inform data subjects that we also control as personal data the e-mail address provided in course of the registration for the purpose of sending public-interest information related to the use of the App; among other things, for notifying the data subject of the successful registration, or sending the link necessary for activation. We call the attention of data subjects that such notification e-mails do not qualify as newsletters, or as contacting for marketing or advertising purposes, and therefore, we are entitled to send these to data subjects also without their separate consent.

 

With a view to the fact that we control the data of data subjects on basis of their contracts concluded with our Company, they have the right to data portability. On basis of the above, data subjects may request the forwarding of their personal data to another controller identified by them. We indicate already at this time that we shall not examine the person of the controller identified as the recipient of the data, nor the procedures followed by such controller or the lawfulness of such procedures for processing of the personal data, and therefore, we hereby exclude our liability of any damage or other legal consequences suffered by data subjects as a result of the activities of such other controller to which we forwarded the personal data pursuant to the request of the data subject.

6. Personal data processed by the Dentists 
 

The purpose of the operation of the Web Application developed by our Company (hereinafter: Web App) is to provide an online interface for establishing contacts between the users installing it on their smart devices and Dentists registering on the web interface of the Application.

 

We inform data subjects that, in course of the use of the Web App, from among the personal data detailed in Section 5, the Dentists may access and shall therefore control such data without which the Dentists could not answer the questions raised or adopt a position concerning the problems outlined by data subjects. 

We call data subjects’ attention that only those Dentists may have access to and control their personal data with whom the data subject gets into a direct contact with the use of the Mobile App. In case data subject does not chose a specific Dentist from whom a response is expected for the questions raised, as well as the evaluation of data submitted, then the Dentist automatically selected by the system will receive the request and personal data of the user. Data subject will be informed at latest at the time of receiving the result of the evaluation, which Dentist has processed his/her data. 

 

From among the personal data of the data subject, the Dentist selected by the data subject or – in the absence of a specific selection – automatically selected by the system is only entitled to receive and control the data subject’s sex and age, as well as the data concerning health, provided by the data subject in the Mobile App. The Dentists may only access and control the data of data subjects via the interface of the DentaLive Web App, after logging into their own accounts, which system and the database in it is also used for storing the data of data subjects. The Dentists may only access the names and contact information of data subjects if the latter contact them in person and make available such data to the Dentists directly.

 

We hereby inform data subjects that we control their personal data jointly with the Dentists who are entitled to have access to such data in accordance with the above. Such joint controllership means that our Company determined the purpose and means of processing of personal data in cooperation with the individual Dentists, and the rules applicable to the performance of our obligations as data controllers, as defined by the GDPR, as well as the division of our liability, is set forth in a separate agreement. We call the attention of data subjects that the fact of joint controllership shall not affect their right as data subjects, as detailed in the present privacy policy, which they may exercise vis-à-vis our Company and the given Dentist.

7.  The use of cookies in the Web Application
 

We inform data subjects that, in course of the use of the Web App, we use anonymous visit identifiers also known as cookies, the main purpose of which is to simplify the use of the App; in addition, cookies also serve system administration, statistical, and in certain cases marketing purposes. A cookie is an individual line of data with the use of which the settings used in the Web App can be saved, and it can be determined that the data subject carried out operations.

 

In case of those who registers in the Web App and expressly consents to the use of cookies with the help of buttons on the so-called cookie panel popping up, we will place cookies in their browsers, stored in their computers, and read those cookies back, in the interest of customising the service provided. The legal basis for processing of the data collected by the cookies is the freely given, specific, informed and unambiguous indication of consent by data subjects. 

 

We use the following types of cookies in the Web App:

  • transitory (session) cookies: session cookies are automatically deleted after the visit. These cookies serve the purpose of ensuring the efficient and safe operation of the website; further, some of them are essential for the proper operation of certain functions of the website or the applications running on the site;
  • permanent (persistent) cookies: we also use persistent cookies in the interest of providing an improved user experience (e.g. optimised navigation, providing access to the secure interfaces of the website, analysing the activity on the website). These cookies are stored in the cookie file of the user’s browser for a longer period. The duration of such cookies depends on the settings of the internet browser;
  • security cookies: these types of cookies are used to protect the user’s data against unauthorised access.

 

We always call the attention of data subjects to the fact that we apply cookies in course of the use of the Web App. Detailed information on the exact type of the cookies used by us, the purposes they serve, and the duration of time for which they are stored on data subjects’ computers, smart devices or in their browsers, as well as information on what third parties, in addition to our Company, may have access to the data recorded and processed by the cookies, can be found in the cookie panel by clicking on the individual types of cookies. 

 

Cookies are only saved on the computer, smart device or in the browser of data subjects if they expressly consent to the processing of data collected and stored by the cookies by clicking on the appropriate button of the cookie panel popping up when logging into the Web App. 

 

We call the attention of data subjects that they can delete the cookies from their computers or smart devices, and further that they can restrict the use of cookies in their browsers; however, it may happen in such cases that, for technical reasons, certain functions of the Web App do not operate or only in a limited way. The controls for the handling of cookies can be generally found in the Tools/Settings menu of browsers, in the Privacy sub-menu, under the menu items on cookies or tracing. 

8. Personal data processed in connection with the social media pages of the Company
 

When data subjects follow or “like” social media pages operated by our Company –  in particular but not limited to Facebook (https://www.facebook.com/dentaliveapp), Instagram (https://www.instagram.com/dentalive_app/), Twitter (https://twitter.com/livedenta), Linkedin (https://hu.linkedin.com/company/dentaliveapp?trk=public_profile_topcard_current_company), Tiktok (https://vm.tiktok.com/ZSP6VqtS/), and they engage in any activities on any of these pages that involves the disclosure of their data – including, in particular, but without limitation, “like”-ing content on the page, commenting on content, sending messages to the Company via the social media pages – then we control such personal data on basis of the legitimate interest of our Company.

 

Our data processing activities extend to such data that the data subject disclosed in his or her own profile on the given social media platform or that the data subject shares with us voluntarily, in course of his or her activities on the social media pages of our Company, including, among other things, in comments to the content or in messages sent to us. The processing of such data shall take place for the purpose of ensuring that we can operate and handle our social media sites efficiently, and we can ensure their continuous maintenance and operation.

 

In order for us to be able to control the personal data of data subjects on basis of the legitimate interest of our Company, we have conducted a balancing test, in course of which we have examined the legitimate interests on the side of our Company serving as grounds for the processing of the data, as well as the interests of the natural persons affected by the same, as well as their rights and fundamental freedoms related to the processing of data. Having contrasted and balanced these interests, we have come to the conclusion that our legitimate interest enabling us to control the data of data subjects actually exists and is stronger than the interest of data subjects invested in us not processing their data published in their profiles created on the various social media platforms or otherwise disclosed to our Company for the abovementioned purpose. 

 

The processing of personal data is indispensable for us, as we would not be able to operate and maintain our social media sites without it, as it is the organic and indispensable part of such social media platforms, following from their very structure and nature ó, that we have access to the data of persons engaged in activities on those platforms.

 

The data subjects whose data we control on basis of our legitimate interest may object to the above at any time. We call the attention of data subjects, however, that submitting their objection shall not automatically mean the end of the data processing and the erasure of their data, as this shall only happen if, upon the examination of the objection, we find that the processing of the data is not justified by such compelling legitimate grounds that override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. 

 

We inform data subjects that, in case we control their personal data for another reason and/or without the existence of legal grounds outside of legitimate interest, the acceptance and our compliance with their objection will only apply to our data processing activity described in this section. If requested from us in writing, we provide an opportunity to become familiar with the detailed balancing test for legitimate interest. 

 

We control the personal data of data subjects until such time that the data subject objects to such data processing, but in any case not later – also in line with the purpose of the data processing – than the termination of the given social media site in connection with which the data of the data subject are processed, or until the data subject decides to delete his or her own profile/account that he or she previously created on the given social media platform.

9. Personal data processed in course of handling complaints
 

Data subjects who registered in the Mobile App and were not satisfied with our services for any reason can file a complaint with us. We control the data subject’s data related to the handling of complaints for the purpose of performing our legal obligations pursuant to Sections 17/A and 17/C of Act CLV of 1997 on Consumer Protection (hereinafter: Consumer Protection Act), as the processing of data subjects’ data is necessary in order for us to examine and respond to the complaint. If the data subject submits a quality complaint related to the service, then we control his or her personal data until the performance of our obligations pursuant to Act V of 2013 on the Civil Code and Government Decree 45/2014. (II.26.), i.e. in the interest of evaluating the complaint. We ask data subjects to take into consideration that they need to provide certain data, as necessary for ascertaining their personal identities, in order for us to be able to assess the complaint and/or objection and, if found well-founded, to take the necessary measures, and to notify data subjects concerned in due time. 

 

We control the data of data subjects submitting complaints for 5 years after responding to their request, on basis of the statutory requirement in Section 17/A (6) of the Consumer Protection Act.

10. Processing of personal data of the Dentists using the Web Application
 

Our Company controls the personal data of those natural person Dentists who registered in the Web App. In course of the registration, the following personal data need to be provided: full name, e-mail address, phone number, website, physical address (country, state, city), estimated number of clients. After the registration, the data subject must also provide the name and address of his/her dental practice, his/her license number, photo, qualification/specialization.

 

In the interest of ensuring that the Dentist who registered in the Web App has the necessary professional qualifications and can provide suitable advice to the users, it is necessary to control the license number of the Dentist as personal data. 

 

All registered Dentists must upload a short introduction to the Web App in order to provide the users of Mobile App with a preliminary info of Dentists they can contact in connection with their problems. Our Company also controls the personal data that are included in the introductory text of the Dentist. 

 

In the interest, on the one hand, of ensuring the proper operation of the Web App, and on the other hand, to make it easier for users of Mobile App to contact Dentists, we display full name, photo, specialization, city of his/her place of operation, as well as personal data included in their introduction for users of the Mobile App. We call the attention of the Dentists to the fact that the Mobile App users cannot have access to their e-mail addresses and license numbers, and such information is not forwarded to third parties either and are only processed by the Company.

 

The purpose of processing the contact data is to make it possible to cooperate with the Dentists, to be able to perform our contractual obligations to notify them, and to make all legal declarations becoming necessary under the contract in an effective way. 

 

The processing of the above data of the Dentists essential for users of the Mobile App to obtain a preliminary information on the Dentists they can contact in connection with their questions and problems.

 

The legal basis of the processing of the data is the contract concluded between our Company and the Dentists. If the contract with the Company was not concluded by the natural person Dentist, the basis of the data processing is the legitimate interest of our Company. In order to be able to control the personal data on basis of our legitimate interest, we have conducted a balancing test. In course of the balancing test, we have examined the legitimate interests on the side of our Company serving as grounds for the processing of the data, according to the purposes of the same and the interests of the natural persons affected by the same, as well as their rights and fundamental freedoms related to the processing of data, and we have come to the conclusion that our legitimate interest enabling us to control the data of data subjects actually exists and is stronger than the interest of data subjects invested in us not processing their data provided during the Web App registration and thereafter. If requested from us in writing, we provide an opportunity to become familiar with the detailed balancing test for legitimate interest. 

 

The data subjects whose data we control on basis of our legitimate interest may object to the above at any time. We call the attention of data subjects, however, that submitting their objection shall not automatically mean the end of the data processing and the erasure of their data, as this shall only happen if, upon the examination of the objection, we find that the processing of the data is not justified by such compelling legitimate grounds that override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

 

We control the personal data of the Dentists until the contract with the Dentist is in effect, while in case of data processing based on legitimate interests, until such time that the data subject objects to the data processing, but in any case not later than the termination of the given contract with the Dentist. 

11. The use of data processors
 

We inform data subjects that there are certain data processing operations that are not performed by our Company itself, but – on basis of a separate contract, drawn up in writing – for which our Company uses the following processors’ contributions and assistance. In connection with the above, we ensure that the processors used by us provide the necessary safeguards ensuring the protection of the effective rules of data protection and the enforcement of the measures for the protection of the rights of data subjects. We call the attention of data subjects that processors shall not make any substantial decision affecting the control of their data, since processors may only process the personal data handed over to them pursuant to the instructions and provisions of our Company, and may not perform any controlling or processing of such data for their own purposes.

 

Our Company is in a contractual relationship with the following businesses engaged in data processing, to which businesses the following personal data are forwarded for processing pursuant to the instructions and provisions of our Company.

 

  • KBOSS.hu Kft. (registered seat: 1031 Budapest, Záhony utca 7.)
  • personal data: the invoicing name, invoicing address and e-mail address of data subjects paying the service fee of the Web App as self-employed (other than a company). 
  • activity: issuing the invoice for the fee paid and sending the same to the data subject

 

  • SZINTÉZIS-NET Kft. (registered seat: H-9024 Győr, Vasvári Pál út 1/C.)
  • personal data: all personal data of the users registered in the Mobile App, all personal data of the Dentists registered in the Web App
  • activity: the provision of services for IT support to the mobile and the Web Apps (development, troubleshooting, repair, etc.), the provision of server operation service related to the mobile and the Web Apps

 

  • DigitalOcean LLC. (registered seat: 101 Avenue of the Americas, 10th Floor, New York, NY 10013, USA)
  • personal data: all personal data of the users registered in the Mobile App, all personal data of the Dentists registered in the Web App
  • activity: the provision of cloud-based solutions for the storage of personal data.
13. Access to and transmission of personal data
 

We hereby inform data subjects that our Company is not the sole controller of data that we receive as a result of data subjects’ activities on the social media sites operated by our Company; the data shared with our Company are jointly processed in such cases with the social media operators as co-controllers. Such joint controllership occurs in case of the following controllers: 

 

Facebook Ireland Ltd. (registered seat: 4 Grand Canal Square, Grand CanalHarbour, D2 Dublin, Ireland);

Twitter International Company (registered seat: One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland);

LinkedIn Ireland Unlimited Company (registered seat Wilton Place, Dublin 2, Ireland),

TikTok Information Technologies UK Limited (registered seat: Aviation House, 125 Kingsway Holborn, London, WC2B 6NH, UK)

 

We call the attention of data subjects that both our Company and the controllers listed above shall, in course of conducting their own data processing activity, comply with the provisions of the GDPR, as well as the effective data protection laws of Hungary, ensure the safe processing of personal data, and provide suitable information to data subjects in connection with their data processing activities. 

 

Privacy policies of the above joint controllers are available at the following links:

https://www.tiktok.com/legal/static/privacy#privacy-eea

https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy

https://twitter.com/en/privacy

https://www.facebook.com/privacy/explanation/ 

 

Further, we hereby inform data subjects that they can exercise their rights related to the processing of personal data both vis-à-vis our Company and the co-controllers, in such a way that requests may be submitted to our Company in accordance with Section 14 of the present privacy policy, while in case of requests addressed to any of the co-controllers, the provisions of the own privacy policy of the given controller shall be applicable.

 

policy In case our Company receives an official request from a duly authorised court or other authority for the disclosure of the personal data processed by us or any part thereof – with the reason for the disclosure of data also identified – then, in the interest of performing our obligation, we are required to transfer such data requested by the court or other authority to these bodies.

 

We hereby inform data subjects that we do not transmit any of their data other than those mentioned in the present privacy policy either within the European Union or to third countries to any other controller, or international organisation or other recipient, except when such transmission is specifically requested by the data subject by way of exercising his or her right of data portability.

14. The rights of data subjects, their exercise of rights
 

In course of our data processing activity, we guarantee for all data subjects that they can exercise their rights related to the personal data processed for any of the reasons listed in the present privacy policy fully, without any unreasonable restriction or obstruction.

 

Further, we also ensure that the owners of the personal data can exercise their right of access to the data, the right of erasure, rectification and the restriction of processing, as well as, in case of data processing on basis of legitimate interest, the right to object, the right to revoke consent, the right to data portability, and further the right to legal remedy in connection with the data processing activities, as follows.

 

  • Right of access to the data

 

The data subjects can request information from us at any time concerning what data we control on data subjects, as well as why and how such processing of data takes place. In case of a written request to this effect, we make available to the data subject copies of the data processed on them, we inform them of the purpose of the data processing, the recipients to whom the data are transmitted, the planned duration of the data processing, as well as the rights of data subjects during the data processing and rules applicable to the exercise of such rights. processing.

 

We hereby inform data subjects that we can perform their requests concerning making available copies of their data free of charge only for the first copy of the document including such data. If the data subject, after the original request, requests further copies and/or resubmits a request with the same content within a short time, we may charge a fee for performing such request, with information on the extent of such fee being provided in our reply to the request. 

 

For the avoidance of doubt, we hereby indicate that we are only able to perform requests for the issuance of copies including data in case and to the extent it does not violate the rights and freedoms of other natural persons.

 

  • Right to the accuracy, completeness and currency of the data processed

 

All data subjects shall have the right that the data processed and stored concerning the data subject satisfy the requirements of accuracy, and currency. We ask data subjects to help us in the performance of our obligation by way of updating their data in their own accounts in case of any change in their personal data earlier provided for our Company.

 

  • Right to the rectification of personal data

 

If it comes to the attention of the data subject that his or her data processed is inaccurate, he or she may request the rectification of such data, by way of providing the accurate or missing data at the same time. What they need to do in such case is indicate their request in writing at [email protected].

 

  • Right to the erasure of personal data

 

In case of any of the following situations, the data subject may request that we erase the personal data processed by us without any undue delay:

  • the purpose of the data processing discontinued;
  • the data subject has revoked his or her consent, and no further legal grounds for the processing of data can be established;
  • in case of data processing based on legitimate interest, the data subject has objected against the data processing, and there are no overriding legitimate grounds that would justify the further data processing;
  • there was an occurrence of unlawful data processing;
  • a provision of law requires us to erase the data.

 

We call the attention of data subjects that they are entitled to the so-called “right to be forgotten”, which ensures the possibility of rendering their data inaccessible in a wider scope. In case the data subject chooses to exercise this right, we shall use all possible IT solutions to ensure that the personal data is no longer available to our Company in any form in the future. In this respect, we shall delete the electronic files including the data from the stored backup archives, and in case we also processed data in hard copy, we shall destroy the documents containing such data, and/or carry out the operations necessary for the anonymization of the personal data. On basis of the request of the data subject, we also require data processors in a contractual relationship with us to erase and/or destroy the personal data transmitted to them, and in the interest of further measures to be taken, we notify all independent and joint data controllers cooperating with us that we have received such a request.

 

We ask data subjects to take into consideration that we cannot fulfil a request for the erasure of data if the further processing of the data is necessary for the enforcement and protection of a legal interest, the exercise of the right of freedom of expression and information; for compliance with a legal obligation or for the performance of a task, for statistical or research purposes, or on the grounds of public interest in the area of public health. We call the attention of data subjects that in case the request for erasure has been performed, we can no longer restore the personal data previously processed.

 

  • Right to the restriction of data processing

 

We hereby inform data subjects that they can also request the restriction of the processing of their personal data in the following cases and for the following durations:

  • if it comes to the attention of the data subject that his or her personal data processed is inaccurate, until the checking of the accuracy of such personal data;
  • if, in the opinion of the data subject, we are engaged in unlawful data processing, for which reason the data subject specifically requests us not the erase his or her personal data;
  • if we no longer need the data subject’s personal data for the purpose defined by us, but the data subject needs such data for the establishment, exercise or defence of legal claims; 
  • if the data subject has objected to his/her personal data being processed on the grounds of legitimate interests, but we rejected this objection; in such a case, the restriction shall be for the duration of time until it is established if the legitimate interests of our Company or a third party override those of the data subject.

 

If the request of the data subject is well-founded, we shall notify the recipients to whom the personal data was lawfully transmitted previously concerning the restriction of the data processing. We call the attention of the data subject that in such cases, we shall no longer control the data subject to the restriction but continue to store such data. In such cases, however, where the data subject consented to the further processing of the data, or such processing is necessary for the establishment, exercise or defence of legal claims or for the protection of the rights, of for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State, we shall continue to control the data subject’s personal data despite the restriction. 

 

If the grounds for the restriction of the data processing is no longer in place, we shall notify data subjects, in writing, of the termination of the restriction and the date thereof, not later than 15 days before such termination of the restriction.

 

  • The right to data portability

 

On basis of the right to data portability, the data subject shall have the right to request and receive information from our Company on the personal data that we control on basis of the consent of or a contract with the data subject, in a structured, commonly used and machine-readable format, and shall also have the right to request that such data be transmitted directly to one or several other controller(s) identified by the data subject.

 

If the data subject exercises the above right, we shall transmit the data in pdf format. We hereby call the attention of data subjects that our Company does not check the person of the controllers to whom, on basis of the data subject’s request, we transmit the data, and therefore, we exclude our liability for any damage or other adverse legal consequence affecting the data subject in connection with the activities of such other controller(s). 

 

  • The right to revoke the consent to data processing

 

As indicated before, where the processing of data is based on the consent of the data subject, the latter may decide at any time to revoke such consent. We call the attention of data subjects that the revocation of consent is only valid in writing, sent to [email protected]. We hereby inform data subjects that in case they revoke their consent, this shall not affect the lawfulness of the data processing activities by our Company prior to the receipt of this revocation, in possession of the consent of the data subject.

 

After the revocation of consent, we shall no longer control the personal data (we shall erase or anonymize them), except where our Company also controls such data based on some other legal grounds (e.g. contract, legitimate interest, statutory provision), or where we control the data affected by the revocation of consent on basis of the consent of the data subject, but for another purpose also.

 

  • Objection to the processing of personal data

 

If we control the data on basis of the legitimate interests of our Company or a third party, the data subject shall have the right to object, on grounds relating to his or her particular situation, to the processing of his or her personal data at any time. We call the attention of data subjects that in such a case we no longer control their personal data (we shall erase or anonymize them), provided that there are no other legal grounds allowing our Company to control the data or the data processing is justified by such compelling legitimate grounds that override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

 

  • Decision on data subjects’ requests

 

The processing of requests related to the processing of personal data, for the exercise of the rights of data subjects, as listed in points A to H above, shall be started immediately after the receipt of the requests, and data subjects shall be informed of the decision in writing, without undue delay, but in any case within 30 days after the receipt of the request.

 

With a view to the complexity of the request or the large number of requests received by our Company from other data subjects, the above deadline for responding may be extended by a maximum of 2 additional months. If the deadline prescribed for responding to the request is extended, we shall inform the data subject of such extension within 30 days after the receipt of the request, in writing, also informing them of the reason for such delay. No extension of the deadline is possible if, on basis of the data subject’s request, there is no need for taking a data protection measure in our opinion. In such a case, we shall reply to the request without undue delay, but in any case within 30 days after receiving the same, and at the same time, we shall inform the data subject as to why no further measures were taken, and shall also inform the data subject of the possibilities for legal remedy against our decision.

 

We shall not charge a fee for responding to and complying with the requests, nor for taking any measure in the interest of the above, except where the data subject submits an unfounded request, or re-submits the request after the decision with the same content, in which case we may charge a reasonable free, in proportion to the administrative costs incurred in connection with complying with the request, the exact extent of which shall be notified to the data subject at the time of replying to the request.

 

  • Legal remedies

 

In all cases, we strive to ensure that the processing of the personal data should comply with the requirements of lawfulness, fairness and data security, and therefore, if the data subject is not satisfied, for any reason, with the way we control his or her data, we kindly ask them to notify our colleagues at [email protected] or to directly contact our data protection officer, whose contact information can be found in Section 16 of the privacy policy.

 

In all cases, we shall send a written confirmation of the commencement of the investigation of the data subject’s complaint, and we shall inform the data subject in our reasoned decision adopted and sent without undue delay, but in any case, within 30 days after the receipt of the request, concerning the results of our investigation.

 

If, in the opinion of the data subject, the processing of his or her personal data was not lawful, a complaint may also be lodged with the National Authority for Data Protection and Freedom of Information (postal address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c., e-mail address: [email protected]). The rules applicable to lodging and evaluating complaints, as well as to conducting the procedure by the Authority can be found on website www.naih.hu. Further, we inform data subjects that in case they disagree with the decision of the Authority, or the Authority fails to review their complaint within the relevant deadline, they may seek legal remedy from the competent court of jurisdiction according to the registered seat of the Authority (Metropolitan Court of Budapest, address: 1055 Budapest, Markó u. 27, mailing address: 1363 Budapest, P.O. Box 16). 

 

If, in the opinion of the data subject, we have violated his or her rights related to the processing of personal data, the data subject may seek legal remedy from the Veszprém Court of Law (address: 8200 Veszprém, Vár utca 19, mailing address: 8210 Budapest, P.O. Box 1029), or may initiate proceedings to be conducted by a Court of Law according to his or her own permanent or temporary address of residence. Further information on the competent courts of Hungary can be found at the following link: https://birosag.hu/birosag-kereso. We call the attention of data subjects to the fact that using legal representation is mandatory at Courts of Law, and therefore, they can only enforce their claims through the Courts of Law if using suitable legal counsel.

 

In case our Company or our data processors should control or process the personal data of data subjects not in compliance with the relevant provisions of data protection in effect, and the data subject suffers any damage in connection with the above, then a claim for damages, or in case of suffering non-pecuniary damages, a claim for restitution to be paid my be submitted against our Company or our data processors; provided, however, that a data processor shall be liable for damage only in case it failed to comply with the relevant provisions of law applicable to data processing or the instructions of the controller. The data subject my enforce a claim, at his or her option, at the competent court with jurisdiction according to the registered seat of our Company or our breaching data processor, or according to the data subject’s own permanent or temporary address of residence. The list of competent Hungarian courts, along with their contact information, can be found at the following link: https://birosag.hu/birosag-kereso.

 

We expressly call the attention of data subjects that, in the interest of avoiding unlawful access to data, their requests related to the exercise of rights related to the processing of personal data can only be performed if the personal identity of the data subject can be clearly established by us on basis of the request. We ask data subjects to always identify in their requests at least their name and their e-mail address provided at the time of registration, on basis of which – by way of comparison with the data available to us – we can check if the request is indeed from the data subject.

15. Data security measures
 

We make all reasonable efforts to guarantee the security of all personal data from data subjects at a suitable level. The selection of the most suitable data security measure at our Company always takes place on a case-by-case basis, with attention to and based on an evaluation of the existing and likely risks in connection with processed data. 

 

In the interest of the secure processing of personal data, we shall ensure the confidentiality of electronic records and programmes making the processing of personal data possible for the entire duration of data processing, and further ensure that the electronic records and files including the data shall have the necessary protection and be resistant against any unauthorised intervention or attack, as well as against accidental destruction or loss of the data. Our Company guarantees that the records and programmes used for the processing of data always be available to the necessary extent for the performance of the data processing operations and for the exercise and enforcement of the rights of data subjects.

 

In the interest of ensuring full compliance with the requirements of data security, our Company regularly checks the efficiency of all measures introduced for the protection of the security of data.

 

We have selected the systems and tools to be used in course of the data processing activities in such a way that in case of the occurrence of a personal data breach, they should be suitable for ensuring access to the data, or in case of the loss or destruction of the data, their restoration, within reasonable time. Prior to the commencement of, as well as during any and all data processing activity, we continuously monitor and evaluate, in terms of the personal data, the risk factors likely to be in place at the given time, with particular attention to such risks that may involve the accidental or unlawful destruction, modification or loss of the data recorded, stored or otherwise processed by our Company or access by unauthorised persons to such data. 

 

The information technology systems and networks of our Company and our processing partners are protected against computer-assisted fraud, espionage, sabotage, vandalism, fire and flooding, as well as computer viruses, computer hacking and denial of service attacks. 

 

In course of our data processing activities, we ensure the security and protection of personal data with the following measures, among other things: 

 

  • with respect to the IT system and network used in connection with the operation of the Mobile App and the Web App, protection against fraud, espionage, computer viruses and other malicious software, unauthorised entry and denial of service attacks (use of firewall, anti-virus software); 
  • regularly updating our systems, programmes used for the electronic processing of personal data;
  • saving daily backup copies of all electronic files containing personal data;
  • the systems used for the electronic processing of personal data are designed in such a way that they register, in a continuous and traceable way, the dates and times of access to the data, as well as the identity of the person performing operations with the data; 
  • access to personal data is only possible to persons duly authorised for this purpose, after identification (use of unique username and password);
  • we use suitable technical measures to ensure that the personal data of data subjects cannot be linked with other data;
  • the personal data are only stored in electronic format; if personal data are recorded in paper form for any reason, such documents are stored in lockable filing cabinets in such a way that only persons having due authorisation may have access to these documents, and only to the extent that is indispensable for the performance of their tasks.

 

The enforcement of the data protection provisions is checked at our Company by a data protection officer, who offers professional advice related to the processing of data, as well as provides information to our employees and to our contractual data processors and such other partners who control the personal data of data subjects as independent or joint controllers. Our appointed data protection officer cooperates with the National Authority for Data Protection and Freedom of Information, serves as a point of contact between our Company, data subjects and the supervisory authority, as well as continuously monitors and check compliance with the requirements of data protection, as well as the enforcement of such requirements during the entire data processing procedure.

16. Handling of personal data breaches
 

We call the attention of data subjects that, even despite the data security measures introduced by our Company and enforced during the entire process of processing the personal data, such unfortunate and undesirable events may still occur that violate or endanger the protection or security of the personal data processed by us.

 

In case of a personal data breach concerning the personal data processed by us, we shall – in accordance with the requirements of the GDPR – ensure that the personal data breach is reported to the National Authority for Data Protection and Freedom of Information without delay, but in any case within 72 hours after the discovery of the same.  

 

We kindly ask data subjects not to be surprised if they receive a notification letter concerning a personal data breach from us; in such cases, we perform our statutory obligations, on basis of which we must inform data subjects of all such personal data breaches that are likely to mean a high risk to the rights and freedoms of the owners of the data. Such high risks include, in particular, where the scope of data affected by the personal data breach involves data that could be considered as sensitive (e.g. sensitive data, information concerning the financial status of the data subject, data suitable for identity theft or for the social valuation of data subjects. In our notification letter we shall described in detail the nature and possible consequences of the personal data breach, as well as the measures already taken or proposed to be taken by us in the interest of eliminating the consequences and ending any possible adverse effects.

 

We demand from all of our staff members working with personal data that, in the interest of the earliest possible detection and elimination of personal data breaches, they should follow the action plan determined by our Company. In the interest of minimising the occurrence of personal data breaches during the processing of data and to ensure the enforcement of the above rules at highest possible level, we have incorporated regular verification operations into our internal processes. 

 

We hereby inform data subjects that, in addition to reporting personal data breaches, we also draw up a written protocol and maintain separate records of such incidents, which documents include the descriptions and qualification of the personal data breaches, their impact on data subjects, as well as the measures taken by our Company in the interest of their elimination and ending any possible adverse effects they may have. Naturally, we also ensure that all such data processors within which we cooperate in course of our data processing activities shall, similarly to us, also comply with their obligations concerning the reporting and the documentation of personal data breaches in accordance with the applicable provisions of law. In addition to the above, we also demand from all independent and joint controllers cooperating with us to ensure the prevention of personal data breaches, as well as the handling of any such incidents that may nevertheless occur.

17. Data protection officer
 

We hereby inform data subjects that our Company has a data protection officer, who can be directly contacted by data subjects with questions or requests related to processing of data, by writing to [email protected].

 

All data subjects whose personal data we control may contact our data protection officer directly, in writing, regardless of whether they wish to exercise their rights as data subjects or have any questions or comments in connection with the data processing activities of our Company. The data protection officer has the knowledge and information concerning all data processing activities performed by us and can thus provide data subjects with suitable information as well.

18. Changes to this privacy policy
 

We call the attention of data subjects that we reserve the right to change this privacy policy unilaterally, without any limitation of time. 

 

If we make any such change, we shall notify all natural person who are affected by any of our data processing activity. In addition to separately calling the attention of data subjects, we shall also publish the notifications on such changes – in which the sections affected by the change as well as the date when such changes enter into effect are also identified – on websites https://dentalive.org/ and https://clinic.dentalive.org/, where our privacy policy, drawn up in a consolidated structure with all changes, is also made available to data subjects on a continuous basis.

19. Applicable laws 
 

In the preparation of the present privacy policy, we have taken into consideration all mandatory requirements governing the performance of data processing activities, including, in particular, the following provisions of law: 

 

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (“general data protection regulation”, “GDPR”)
  • Act CXII of 2011 on the right to informational self-determination and on the freedom of information (‘Information Act”)
  • Act XLVII of 1997 on the processing and protection of health care data and associated personal data (“Health Care Data Processing Act”); 
  • Act V of 2013 on the Civil Code (”Civil Code”);
  • The Fundamental Law of Hungary (“Fundamental Law”);
  • Act CLV of 1997 on consumer protection (“Consumer Protection Act”);
  • Act LVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising Activity (“Business Advertising Act”);
  • Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (“E-commerce Act”);
  • Government Decree 45/2014 (II.26.) on the Detailed Rules of Contracts between Consumers and Businesses;
  • Act CXXX of 2016 on the Code of Civil Procedure (“Code of Civil Procedure”);
  • Act XC of 2017 on the Code of Criminal Procedure (“Code of Criminal Procedure”);
  • Act VI of 1998 on the Promulgation of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg on 28 January 1981 (“Strasbourg Convention”).