effective as of 25 February 2022
Content of the Privacy Policy
Government Decree 60/2021. (12 February) on the certifying immunity to coronavirus (hereinafter: Decree) Section 4 regulates the application for certifying vaccination against coronavirus. Pursuant to the Decree, the National Directorate General for Hospitals (hereinafter: NDGH, or OKFŐ in Hungarian), as the operator of EESZT, provides the EESZT Application (hereinafter: Application) to the data subjects.
Following the identification of the data subject, the Application verifies the relevant data of the data subject based on the data queried from the EESZT in connection with the:
•Hungarian Vaccination Certificate
•EU Vaccination Certificate
•EU Test Certificate and
•EU Recovery Certificate (hereinafter collectively: Digital Covid Certificates)
The purpose of the Application is to provide information about Digital Covid Certificates. The information available in the Application is based on the data stored in the EESZT, which are queried using the Social Security Number.
The Application has the following features:
•sign-in,
•displaying the Hungarian Vaccination Certificate,
•additional functions,
•displaying the EU Vaccination Certificate,
•displaying the EU Test Certificate,
•displaying the EU Recovery Certificate
OKFŐ hereby informs the Users as Data subjects about the data processing implemented in connection with the Application.
Definitions
Application: The EESZT application provided by NDGH as the operator of the EESZT certifies the Hungarian Covid19 vaccination and EU Covid19 protection.
Personal data: Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data subject /User: Natural person using the Application.
EESZT: Electronic Health Service System (https://www.eeszt.gov.hu/).
Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller: Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law.
Processor: Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Consent of the data subject: Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Data concerning health: Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
The terms used in this Policy are consistent with:
- Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: Privacy Act),
- Act XLVII of 1997 on the Processing and Protection of Health and Related Personal Data (hereinafter: Health Data Act),
- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: GDPR),
- Act V of 2013 on the Civil Code (hereinafter: Civil Code),
- with the concepts of the Hungarian National Authority for Data Protection and Freedom of Information’s prior information recommendations on data protection requirements.
CONTACT DETAILS OF THE CONTROLLER
With regard to the data processing related to the use of the Application and the sign-in, the Controller is the National Directorate General for Hospitals (NDGH) (hereinafter: NDGH or Controller).
Address: 3 Diós árok, 1125 Budapest, Hungary
E-mail: helpdesk.eeszt@okfo.gov.hu
Telephone: (+36 1) 356-1522
Web: https://e-egeszsegugy.gov.hu/
Contact details of the data protection officer
Name: Dr. Sebestyén Kálmán
e-mail: sebestyen.kalman@okfo.gov.hu
The place of the processing is Hungary.
CONDITION, LEGAL BASIS, PURPOSE, TYPE AND PERIOD OF DATA PROCESSING
In order to install the Application, the User does not need to record any of her/his personal data, but the use of the Application is subject to sign-in.
To log in, User must first identify herself/himself with her/his Digital Gateway credentials and then enter her/his social security number. The Digital Covid certificates will be queried from the EESZT using this social security number. Sign-in without a social security number is not permitted.
Pursuant to Section 4 (3) of the Decree the Application displays:
a) the name of the data subject,
b) the social security number (‘TAJ’) of the data subject,
c) time of vaccination,
d) the fact or lack of protection against infection.
The Application also displays the EU Digital Covid Certificates detailed in Section 2.
The data processing activity specified below is based on the following legal bases.
- Data processed in order to display the Hungarian Vaccination Certificate
Under Hungarian Vaccination Certificate section in the menu of the Application, User can find information on how to verify her/his vaccination.
The User can turn simplified sign-in on and off at any time. When using the simplified sign-in, the Application stores the previously downloaded Hungarian Vaccination Certificate’s data in the memory of the User’s phone which enables to view them even without internet connection. Without turning on simplified sign-in, the Application only stores the TAJ. The data processing in these cases is as follows:
Types of processed personal data | Purpose of the processing | Duration of the processing | Legal basis of processing |
TAJ | To display the Hungarian Vaccination Certificate. | The Application stores the TAJ until the User logs out of the Application or deletes the Application. | The processing is based on GDPR Article 6 (1) e): processing is necessary for the performance of a task carried out in the public interest. |
name; target; vaccination(s) date; vaccination(s) type | To display the Hungarian Vaccination Certificate in offline mode. | The Application stores additional data - except TAJ - until the withdrawal of consent, whereby the User turns off the simplified sign-in. | The processing is based on GDPR Article 6 (1) a) and GDPR Article 9 (2) a): consent of the Data subject. |
- The EU Digital Covid19 Certificate system
The EU Digital Covid19 Certificate system covers three different types of Covid19 certificates: a vaccination certificate (point 2.1.), a test certificate (point 2.2.), and a certificate of recovery (point 2.3.). The processing related to EU Digital Covid19 Certificates has been designed in accordance with the provisions of the Regulation (EU) 2021/953 of the European parliament and of the Council of 14 June 2021 on a framework for the issuance, verification and acceptance of interoperable COVID19 vaccination, test and recovery certificates (EU Digital COVID Certificate) to facilitate free movement during the COVID19 pandemic.
2.1 Data processed in order to display the EU Vaccination Certificate
Under EU Vaccination Certificate section in the menu of the Application, User can find information on how to verify her/his vaccination in the EU.
The User can turn simplified sign-in on and off at any time. When using the simplified sign-in, the Application stores the previously downloaded EU Vaccination Certificate’s data in the memory of the User’s phone which enables to view them even without internet connection. Without turning on simplified sign-in, the Application only stores the TAJ. The data processing in these cases is as follows:
Types of processed personal data | Purpose of the processing | Duration of the processing | Legal basis of processing |
TAJ | To display the EU Vaccination Certificate. | The Application stores the TAJ until the User logs out of the Application or deletes the Application. | The processing is based on GDPR Article 6 (1) e): processing is necessary for the performance of a task carried out in the public interest. |
name; date of birth; unique certificate identifier; disease or agent targeted: COVID19 (SARS-CoV-2 or one of its variants); COVID19 vaccine or prophylaxis; COVID19 vaccine product name; COVID19 vaccine marketing authorisation holder or manufacturer; number in a series of doses as well as the overall number of doses in the series; date of vaccination, indicating the date of the latest dose received; Member State or third country in which the vaccine was administered; certificate issuer | To display the EU Vaccination Certificate in offline mode. | The Application stores additional data - except TAJ - until the withdrawal of consent, whereby the User turns off the simplified sign-in. | The processing is based on GDPR Article 6 (1) a) and GDPR Article 9 (2) a): consent of the Data subject. |
2.2. Data processed in order to display the EU Test Certificate
Under EU Test Certificate section in the menu of the Application, User can find information on which Covid19 test (s) have been recorded.
The User can turn simplified sign-in on and off at any time. When using the simplified sign-in, the Application stores the previously downloaded EU Test Certificate’s data in the memory of the User’s phone which enables to view them even without internet connection. Without turning on simplified sign-in, the Application only stores the TAJ. The data processing in these cases is as follows:
Types of processed personal data | Purpose of the processing | Duration of the processing | Legal basis of processing |
TAJ | To display the EU Test Certificate. | The Application stores the TAJ until the User logs out of the Application or deletes the Application. | The processing is based on GDPR Article 6 (1) e): processing is necessary for the performance of a task carried out in the public interest. |
name; date of birth; unique certificate identifier; disease or agent targeted: COVID19 (SARS-CoV-2 or one of its variants); the type of test; test name (optional for NAAT test); test manufacturer (optional for NAAT test); date and time of the test sample collection; result of the test; testing centre or facility (optional for rapid antigen test); Member State or third country in which the test was carried out; certificate issuer | To display the EU Test Certificate in offline mode. | The Application stores additional data - except TAJ - until the withdrawal of consent, whereby the User turns off the simplified sign-in. | The processing is based on GDPR Article 6 (1) a) and GDPR Article 9 (2) a): consent of the Data subject. |
2.3. Data processed in order to display the EU Recovery Certificate
Under EU Recovery Certificate section in the menu of the Application, User can find information on on whether the fact of recovery from Covid19 infection has been recorded.
The User can turn simplified sign-in on and off at any time. When using the simplified sign-in, the Application stores the previously downloaded EU Recovery Certificate’s data in the memory of the User’s phone which enables to view them even without internet connection. Without turning on simplified sign-in, the Application only stores the TAJ. The data processing in these cases is as follows:
Types of processed personal data | Purpose of the processing | Duration of the processing | Legal basis of processing |
TAJ | To display the EU Recovery Certificate. | The Application stores the TAJ until the User logs out of the Application or deletes the Application. | The processing is based on GDPR Article 6 (1) e): processing is necessary for the performance of a task carried out in the public interest. |
name; date of birth; unique certificate identifier; disease or agent from which the holder has recovered: COVID19 (SARS-CoV-2 or one of its variants); date of the holder’s first positive NAAT test result; Member State or third country in which test was carried out; certificate issuer; certificate valid from; certificate valid until (not more than 180 days after the date of first positive NAAT test result) | To display the EU Recovery Certificate in offline mode. | The Application stores additional data - except TAJ - until the withdrawal of consent, whereby the User turns off the simplified sign-in. | The processing is based on GDPR Article 6 (1) a) and GDPR Article 9 (2) a): consent of the Data subject. |
3. Data processed for the registration.
The registration is a part of login to the application. To log in, User must identify herself/himself with her/his Digital Gateway credentials as the first step, and then enter her/his social security number. The Digital Covid certificates will be queried from the EESZT using this social security number (TAJ).
The Device number is a unique identification number generated by the operating system of the device, and it is used for identifying the assigned device and application.
The system assigns the Application to the social security number that was entered at the first login, bound by the following terms and purposes.
Types of processed personal data | Purpose of the processing | Duration of the processing | Legal basis of processing |
TAJ Device number | The individual identification of the applications, to prevent unauthorized access and to manage reported errors if necessary. | The Application stores the data until the User deletes the registration, which can be done at the EESZT Citizen Portal, under the „Mobile applications” tab | The processing is based on GDPR Article 6 (1) e): processing is necessary for the performance of a task carried out in the public interest. |
DATA PROCESSOR
In order to operate the Application, NDGH as the Controller uses the following data processors.
Nemzeti Infokommunikációs Szolgáltató Zrt. (NISZ Zrt.)
Address: 3 Csokonai str, 1081 Budapest, Hungary
Postal address: 133 Pf. 1389 Budapest, Hungary
Telephone: +36 1 459 4200,
e-mail: info@nisz.hu
Web: http://www.nisz.hu
NISZ Zrt. performs its tasks as a processor as the operator of EESZT based on the 7/2013. (26 February) NFM Decree.
Egészséginformatikai Szolgáltató és Fejlesztési Központ Nonprofit Korlátolt Felelősségű Társaság (ESZFK Nonprofit Kft.)
Address: 11/B. 1st floor, Könyves Kálmán boulevard, 1097 Budapest, Hungary
Fax No.: +3687580053
Telephone: +3687580054
e-mail: iroda@eszfk.hu
Web: www.eszfk.hu
ESZFK Nonprofit Kft. performs its tasks as a processor as the developer, operator, and customer service provider of the EESZT, based on the 29/2022. (31 January) Government Decree. It adheres to the applicable national and EU data protection laws.
DATA TRANSFER
The court, the prosecutor, the investigating authority, the police, the administrative authority, the National Authority for Data Protection and Freedom of Information or other bodies authorised by law may request the Controller to provide information, to disclose or transfer data, or to provide documents. The Controller shall disclose to public authorities - provided that the public authority has indicated the precise purpose and scope of the data - personal data only to the extent strictly necessary for the purpose of the request.
RIGHTS OF THE DATA SUBJECT
The rights of Users as data subjects are provided by the Controller as follows.
The User may exercise her/his rights in accordance with the rules applicable to the EESZT system, either in person at any Government Window or electronically by submitting the corresponding dedicated e-Paper form.
- Information and access to personal data
The data subject has the right to access his or her personal data held by the Controller and information about their processing, and to ask for the data to be provided to him or her at any time, and to check the data that the Controller holds about him or her, and to have access to the personal data.
- Right to rectification and completion of personal data processed
At the request of the data subject, the Controller shall, without undue delay, rectify inaccurate personal data corrected by the data subject in writing or complete the incomplete data with the content indicated by the data subject.
- Right to erasure
At the request of the data subject, the Controller shall delete personal data concerning the data subject without undue delay where one of the grounds specified applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed by the Controller;
- the data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed by the Controller;
- personal data are collected in relation with the provision of information society services directly to children.
- Right to restriction of processing
The data subject shall have the right to obtain, upon written request, restriction of processing by the Controller if:
- the data subject contests the accuracy of the personal data, in which case the restriction applies for the period of time necessary to allow the Controller to verify the accuracy of the personal data,
- the data processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,
- The Controller no longer needs the personal data for the purposes of processing but they are required by the data subject for the establishment, exercise or defence of legal claims,
- the data subject has objected to the processing.
- Right to data portability
The data subject shall have the right to obtain the personal data concerning him or her which he or she has provided to a Controller in a structured, commonly used, machine-readable format and have the right to transmit such data to another Controller without hindrance from the Controller to which he or she has provided the personal data, where:
the processing is based on consent by the data subject or the data subject has given his or her explicit consent to the processing, or is based on a contract; and
the processing is carried out by automated means.
- The right to protest
Data subjects have the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data based on legitimate interest or in the public interest, including profiling. In such a case, the Controller shall no longer process the personal data, unless the Controller demonstrates compelling legitimate grounds for the processing which override the rights of the data subject or are necessary for the establishment, exercise or defence of legal claims.
- Deadline for fulfilling the request
The Controller shall inform the data subject of the action taken without undue delay, but within one month of receipt of the request. Taking into account the complexity of the request and the number of requests, this period may be extended by a further two months where necessary, but in that case the Controller shall inform the data subject within one month of receipt of the request, together with the reasons for the delay. Where the data subject has made the request by electronic means, the information shall be provided by the Controller by electronic means, unless the data subject requests otherwise.
The data subject cannot enforce his or her rights if the Controller proves that he or she is not in a position to identify the data subject. If the data subject's request is manifestly unfounded or excessive (in particular in view of its repetitive character), the Controller may charge a reasonable fee for complying with the request or refuse to act. The burden of proof shall lie with the Controller. If the Controller has doubts as to the identity of the natural person making the request, it may request further information necessary to confirm the identity of the data subject.
ENFORCING RIGHTS
Any questions, comments or complaints about data management can be addressed to the Controller's staff via the Contact Centre of the EESZT. The data subject may exercise her/his rights by sending a request via e-mail or post. No rights can be exercised via telephone.
The data subject shall enforce her/his rights under the GDPR, the Privacy Act and the Civil Code as well as he/she:
- can contact the National Authority for Data Protection and Freedom of Information (9-11 Falk Miksa str, 1055 Budapest, Hungary; 1363 Budapest, Pf. 9.; ugyfelszolgalat@naih.hu; www.naih.hu) or
- enforce her/his rights in court.
DATA SECURITY
The Controller undertakes to ensure the security of the data, to take technical measures to ensure that the data recorded, stored or processed are protected and to take all necessary measures to prevent their destruction, unauthorized use or unauthorized alteration. It also undertakes to require any third party to whom it may transfer or disclose the data to comply with its obligations in this respect.
OTHER PROVISIONS
The Controller reserves the right to unilaterally amend this Privacy Policy. After the amendment has entered into force, the Controller shall ensure that the amended Privacy Notice is made available and accessible to the data subjects.