EESZT Information portal 
Thank you for visiting our website. Here you will find information regarding data protection concerning the website and the modules within the National eHealth Infrastructure, as advertised on the portal.
Click here to read our Data Management and Cookie Management Policy:
The EESZT Data Management Policy for Sectorial Users (HU)
The EESZT Data Management Policy for Public (HU)
COVID vaccination appointment booking - Privacy Policy (HU)
EESZT Data Protection and Data Security Policy (HU)
effective as of 25 February 2022
Content of the Privacy Policy
Government Decree 60/2021. (12 February) on the certifying immunity to coronavirus (hereinafter: Decree) Section 4 regulates the application for certifying vaccination against coronavirus. Pursuant to the Decree, the National Directorate General for Hospitals (hereinafter: NDGH, or OKFŐ in Hungarian), as the operator of EESZT, provides the EESZT Application (hereinafter: Application) to the data subjects.
Following the identification of the data subject, the Application verifies the relevant data of the data subject based on the data queried from the EESZT in connection with the:
•Hungarian Vaccination Certificate
•EU Vaccination Certificate
•EU Test Certificate and
•EU Recovery Certificate (hereinafter collectively: Digital Covid Certificates)
The purpose of the Application is to provide information about Digital Covid Certificates. The information available in the Application is based on the data stored in the EESZT, which are queried using the Social Security Number.
The Application has the following features:
•sign-in,
•displaying the Hungarian Vaccination Certificate,
•additional functions,
•displaying the EU Vaccination Certificate,
•displaying the EU Test Certificate,
•displaying the EU Recovery Certificate
OKFŐ hereby informs the Users as Data subjects about the data processing implemented in connection with the Application.
Definitions
Application: The EESZT application provided by NDGH as the operator of the EESZT certifies the Hungarian Covid19 vaccination and EU Covid19 protection.
Personal data: Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data subject /User: Natural person using the Application.
EESZT: Electronic Health Service System (https://www.eeszt.gov.hu/).
Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller: Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law.
Processor: Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Consent of the data subject: Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Data concerning health: Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
The terms used in this Policy are consistent with:
CONTACT DETAILS OF THE CONTROLLER
With regard to the data processing related to the use of the Application and the sign-in, the Controller is the National Directorate General for Hospitals (NDGH) (hereinafter: NDGH or Controller).
Address: 3 Diós árok, 1125 Budapest, Hungary
E-mail: helpdesk.eeszt@okfo.gov.hu
Telephone: (+36 1) 356-1522
Web: https://e-egeszsegugy.gov.hu/
Contact details of the data protection officer
Name: Dr. Sebestyén Kálmán
e-mail: sebestyen.kalman@okfo.gov.hu
The place of the processing is Hungary.
CONDITION, LEGAL BASIS, PURPOSE, TYPE AND PERIOD OF DATA PROCESSING
In order to install the Application, the User does not need to record any of her/his personal data, but the use of the Application is subject to sign-in.
To log in, User must first identify herself/himself with her/his Digital Gateway credentials and then enter her/his social security number. The Digital Covid certificates will be queried from the EESZT using this social security number. Sign-in without a social security number is not permitted.
Pursuant to Section 4 (3) of the Decree the Application displays:
a) the name of the data subject,
b) the social security number (‘TAJ’) of the data subject,
c) time of vaccination,
d) the fact or lack of protection against infection.
The Application also displays the EU Digital Covid Certificates detailed in Section 2.
The data processing activity specified below is based on the following legal bases.
Under Hungarian Vaccination Certificate section in the menu of the Application, User can find information on how to verify her/his vaccination.
The User can turn simplified sign-in on and off at any time. When using the simplified sign-in, the Application stores the previously downloaded Hungarian Vaccination Certificate’s data in the memory of the User’s phone which enables to view them even without internet connection. Without turning on simplified sign-in, the Application only stores the TAJ. The data processing in these cases is as follows:
| Types of processed personal data | Purpose of the processing | Duration of the processing | Legal basis of processing |
| TAJ | To display the Hungarian Vaccination Certificate. | The Application stores the TAJ until the User logs out of the Application or deletes the Application. | The processing is based on GDPR Article 6 (1) e): processing is necessary for the performance of a task carried out in the public interest. |
| name; target; vaccination(s) date; vaccination(s) type | To display the Hungarian Vaccination Certificate in offline mode. | The Application stores additional data - except TAJ - until the withdrawal of consent, whereby the User turns off the simplified sign-in. | The processing is based on GDPR Article 6 (1) a) and GDPR Article 9 (2) a): consent of the Data subject. |
The EU Digital Covid19 Certificate system covers three different types of Covid19 certificates: a vaccination certificate (point 2.1.), a test certificate (point 2.2.), and a certificate of recovery (point 2.3.). The processing related to EU Digital Covid19 Certificates has been designed in accordance with the provisions of the Regulation (EU) 2021/953 of the European parliament and of the Council of 14 June 2021 on a framework for the issuance, verification and acceptance of interoperable COVID19 vaccination, test and recovery certificates (EU Digital COVID Certificate) to facilitate free movement during the COVID19 pandemic.
2.1 Data processed in order to display the EU Vaccination Certificate
Under EU Vaccination Certificate section in the menu of the Application, User can find information on how to verify her/his vaccination in the EU.
The User can turn simplified sign-in on and off at any time. When using the simplified sign-in, the Application stores the previously downloaded EU Vaccination Certificate’s data in the memory of the User’s phone which enables to view them even without internet connection. Without turning on simplified sign-in, the Application only stores the TAJ. The data processing in these cases is as follows:
| Types of processed personal data | Purpose of the processing | Duration of the processing | Legal basis of processing |
| TAJ
| To display the EU Vaccination Certificate. | The Application stores the TAJ until the User logs out of the Application or deletes the Application. | The processing is based on GDPR Article 6 (1) e): processing is necessary for the performance of a task carried out in the public interest. |
| name; date of birth; unique certificate identifier; disease or agent targeted: COVID19 (SARS-CoV-2 or one of its variants); COVID19 vaccine or prophylaxis; COVID19 vaccine product name; COVID19 vaccine marketing authorisation holder or manufacturer; number in a series of doses as well as the overall number of doses in the series; date of vaccination, indicating the date of the latest dose received; Member State or third country in which the vaccine was administered; certificate issuer | To display the EU Vaccination Certificate in offline mode. | The Application stores additional data - except TAJ - until the withdrawal of consent, whereby the User turns off the simplified sign-in. | The processing is based on GDPR Article 6 (1) a) and GDPR Article 9 (2) a): consent of the Data subject. |
2.2. Data processed in order to display the EU Test Certificate
Under EU Test Certificate section in the menu of the Application, User can find information on which Covid19 test (s) have been recorded.
The User can turn simplified sign-in on and off at any time. When using the simplified sign-in, the Application stores the previously downloaded EU Test Certificate’s data in the memory of the User’s phone which enables to view them even without internet connection. Without turning on simplified sign-in, the Application only stores the TAJ. The data processing in these cases is as follows:
| Types of processed personal data | Purpose of the processing | Duration of the processing | Legal basis of processing |
| TAJ | To display the EU Test Certificate. | The Application stores the TAJ until the User logs out of the Application or deletes the Application. | The processing is based on GDPR Article 6 (1) e): processing is necessary for the performance of a task carried out in the public interest. |
| name; date of birth; unique certificate identifier; disease or agent targeted: COVID19 (SARS-CoV-2 or one of its variants); the type of test; test name (optional for NAAT test); test manufacturer (optional for NAAT test); date and time of the test sample collection; result of the test; testing centre or facility (optional for rapid antigen test); Member State or third country in which the test was carried out; certificate issuer | To display the EU Test Certificate in offline mode. | The Application stores additional data - except TAJ - until the withdrawal of consent, whereby the User turns off the simplified sign-in. | The processing is based on GDPR Article 6 (1) a) and GDPR Article 9 (2) a): consent of the Data subject. |
2.3. Data processed in order to display the EU Recovery Certificate
Under EU Recovery Certificate section in the menu of the Application, User can find information on on whether the fact of recovery from Covid19 infection has been recorded.
The User can turn simplified sign-in on and off at any time. When using the simplified sign-in, the Application stores the previously downloaded EU Recovery Certificate’s data in the memory of the User’s phone which enables to view them even without internet connection. Without turning on simplified sign-in, the Application only stores the TAJ. The data processing in these cases is as follows:
| Types of processed personal data | Purpose of the processing | Duration of the processing | Legal basis of processing |
| TAJ | To display the EU Recovery Certificate. | The Application stores the TAJ until the User logs out of the Application or deletes the Application. | The processing is based on GDPR Article 6 (1) e): processing is necessary for the performance of a task carried out in the public interest. |
| name; date of birth; unique certificate identifier; disease or agent from which the holder has recovered: COVID19 (SARS-CoV-2 or one of its variants); date of the holder’s first positive NAAT test result; Member State or third country in which test was carried out; certificate issuer; certificate valid from; certificate valid until (not more than 180 days after the date of first positive NAAT test result) | To display the EU Recovery Certificate in offline mode. | The Application stores additional data - except TAJ - until the withdrawal of consent, whereby the User turns off the simplified sign-in. | The processing is based on GDPR Article 6 (1) a) and GDPR Article 9 (2) a): consent of the Data subject. |
3. Data processed for the registration.
The registration is a part of login to the application. To log in, User must identify herself/himself with her/his Digital Gateway credentials as the first step, and then enter her/his social security number. The Digital Covid certificates will be queried from the EESZT using this social security number (TAJ).
The Device number is a unique identification number generated by the operating system of the device, and it is used for identifying the assigned device and application.
The system assigns the Application to the social security number that was entered at the first login, bound by the following terms and purposes.
|
|
|
|
|
|
TAJ Device number |
|
|
|
DATA PROCESSOR
In order to operate the Application, NDGH as the Controller uses the following data processors.
Nemzeti Infokommunikációs Szolgáltató Zrt. (NISZ Zrt.)
Address: 3 Csokonai str, 1081 Budapest, Hungary
Postal address: 133 Pf. 1389 Budapest, Hungary
Telephone: +36 1 459 4200,
e-mail: info@nisz.hu
Web: http://www.nisz.hu
NISZ Zrt. performs its tasks as a processor as the operator of EESZT based on the 7/2013. (26 February) NFM Decree.
Egészséginformatikai Szolgáltató és Fejlesztési Központ Nonprofit Korlátolt Felelősségű Társaság (ESZFK Nonprofit Kft.)
Address: 11/B. 1st floor, Könyves Kálmán boulevard, 1097 Budapest, Hungary
Fax No.: +3687580053
Telephone: +3687580054
e-mail: iroda@eszfk.hu
Web: www.eszfk.hu
ESZFK Nonprofit Kft. performs its tasks as a processor as the developer, operator, and customer service provider of the EESZT, based on the 29/2022. (31 January) Government Decree. It adheres to the applicable national and EU data protection laws.
DATA TRANSFER
The court, the prosecutor, the investigating authority, the police, the administrative authority, the National Authority for Data Protection and Freedom of Information or other bodies authorised by law may request the Controller to provide information, to disclose or transfer data, or to provide documents. The Controller shall disclose to public authorities - provided that the public authority has indicated the precise purpose and scope of the data - personal data only to the extent strictly necessary for the purpose of the request.
RIGHTS OF THE DATA SUBJECT
The rights of Users as data subjects are provided by the Controller as follows.
The User may exercise her/his rights in accordance with the rules applicable to the EESZT system, either in person at any Government Window or electronically by submitting the corresponding dedicated e-Paper form.
The data subject has the right to access his or her personal data held by the Controller and information about their processing, and to ask for the data to be provided to him or her at any time, and to check the data that the Controller holds about him or her, and to have access to the personal data.
At the request of the data subject, the Controller shall, without undue delay, rectify inaccurate personal data corrected by the data subject in writing or complete the incomplete data with the content indicated by the data subject.
At the request of the data subject, the Controller shall delete personal data concerning the data subject without undue delay where one of the grounds specified applies:
The data subject shall have the right to obtain, upon written request, restriction of processing by the Controller if:
The data subject shall have the right to obtain the personal data concerning him or her which he or she has provided to a Controller in a structured, commonly used, machine-readable format and have the right to transmit such data to another Controller without hindrance from the Controller to which he or she has provided the personal data, where:
the processing is based on consent by the data subject or the data subject has given his or her explicit consent to the processing, or is based on a contract; and
the processing is carried out by automated means.
Data subjects have the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data based on legitimate interest or in the public interest, including profiling. In such a case, the Controller shall no longer process the personal data, unless the Controller demonstrates compelling legitimate grounds for the processing which override the rights of the data subject or are necessary for the establishment, exercise or defence of legal claims.
The Controller shall inform the data subject of the action taken without undue delay, but within one month of receipt of the request. Taking into account the complexity of the request and the number of requests, this period may be extended by a further two months where necessary, but in that case the Controller shall inform the data subject within one month of receipt of the request, together with the reasons for the delay. Where the data subject has made the request by electronic means, the information shall be provided by the Controller by electronic means, unless the data subject requests otherwise.
The data subject cannot enforce his or her rights if the Controller proves that he or she is not in a position to identify the data subject. If the data subject's request is manifestly unfounded or excessive (in particular in view of its repetitive character), the Controller may charge a reasonable fee for complying with the request or refuse to act. The burden of proof shall lie with the Controller. If the Controller has doubts as to the identity of the natural person making the request, it may request further information necessary to confirm the identity of the data subject.
ENFORCING RIGHTS
Any questions, comments or complaints about data management can be addressed to the Controller's staff via the Contact Centre of the EESZT. The data subject may exercise her/his rights by sending a request via e-mail or post. No rights can be exercised via telephone.
The data subject shall enforce her/his rights under the GDPR, the Privacy Act and the Civil Code as well as he/she:
DATA SECURITY
The Controller undertakes to ensure the security of the data, to take technical measures to ensure that the data recorded, stored or processed are protected and to take all necessary measures to prevent their destruction, unauthorized use or unauthorized alteration. It also undertakes to require any third party to whom it may transfer or disclose the data to comply with its obligations in this respect.
OTHER PROVISIONS
The Controller reserves the right to unilaterally amend this Privacy Policy. After the amendment has entered into force, the Controller shall ensure that the amended Privacy Notice is made available and accessible to the data subjects.
Effective as of 28 June 2021.
Introduction
Under Governmental regulation 60/2021. of 12 February 2021 about the certification of immunity against Covid19, the official certificate (hereinafter: Immunity Certificate) and application (hereinafter: EESZT application) in accordance with the regulation are dedicated to officially verify immunity against Covid19.
On the Immunity Certificate, data specified in the legal regulations are displayed in the form of a readable QR code, moreover the EESZT application presents the certification of vaccination (Hungarian vaccination certificate) with a digital QR code.
The framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, test and recovery certificates (EU Digital COVID Certificate) to facilitate free movement during the COVID-19 pandemic is set in REGULATION (EU) 2021/953 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 June 2021. To ensure the interoperability of and equal access to the certificates making up the EU Digital COVID Certificate for all citizens, in Hungary such certificates are issued in both digital and paper-based format, both with QR codes incuded. In digital format EU Covid19 Vaccination Certificate, EU Covid19 Test Certificate and EU Covid19 Recovery Certificate data are presented in the EESZT application.
The National Directorate General for Hospitals (hereinafter: Service Provider) provides a mobile application (hereinafter: Application or EESZT Covid Control application) to read the above mentioned QR codes, so the content of the Covid19 certificates can be authentically verified.
About the Application
Internet connection is needed to download the Application. To install the Application, the user of the Application (hereinafter: the User or You) does not need to add any personal data, the Application is not subject to registration.
By scanning the QR code on the above mentioned certificates, the Application displays data specified in Hungarian and EU regulations in order to authentically verify the content of the certification.
Query process
To check the content of the Covid19 immunity certification (hereinafter: query), User needs to scan the QR code by clicking the Scan button.
To scan the QR codes, You will need to allow access to the camera on your mobile device. When using the camera, no photo is taken, the camera image is not stored or transmitted, it only allows you to scan the QR code.
Therefore in the case of allowing access to the camera, there is no data processing by the Service Provider.
QR codes do not contain personal data by themselves, they function as verification keys. After scanning the QR code it is checked and in the case of a valid QR code, the Application presents data in a built-in browser.
Checking the content of the Covid19 immunity certificate does only require internet access if the verification keys were updated more than 24 hours ago. Without an update the Application cannot guarantee that the validity of the EU standard QR codes will be displayed correctly. To update the Application automatically, You should connect your device to the Internet, or if automatic update is unsuccessful, please click on the Refresh button.
Data storing, data processing
The application does not store or transmit data about queries or their results, therefore there is no data processing.
In the case of allowing access to the camera, due to the above mentioned there is no data processing.