Effective from 10.01.2025 until revocation
1. Content of the Privacy Policy
The Ministry of Interior, as Data Controller, informs Users as Data Subjects about data processing in connection with the EgészségAblak mobile application. The EgészségAblak application (hereinafter: Application) has the following functions, depending on the technical possibilities and the published version:
- EESZT services available in the Application:
- Digital COVID certificates
- Health documents
- Prescriptions (Medicine and Medical Device prescriptions)
- Electronic referrals
- Access to the data of the represented person recorded in the EESZT
- Appointment booking by the User, modification and cancellation of booked appointments
- Viewing booked appointments, adding them to the calendar of the User's device, and deleting booked appointments
- Accessing pregnancy care book data
- Token generation
- Family doctor details
- Notifications
- Favorites
- TB-lamp
- Pharmacies
- Patient Satisfaction Survey
As stated in the General Terms of Use, the use of functions is subject to the User's login to the Application.
The General Terms of Use are available: https://e-egeszsegugy.gov.hu/adatvedelem/EgészségAblak
The Data Controller, as the operator of the EESZT and the data controller of the data stored in the EESZT, only displays the data contained in the EESZT and records in the EESZT the data provided during the use of the function.
Therefore, this Privacy Policy does not contain a detailed description of data processing in the EESZT, which is detailed in the EESZT's Privacy Policy. The EESZT's Privacy Policy is available at: https://e-egeszsegugy.gov.hu/adatvedelem. Data and documents taken over from the EESZT are available in the mobile application until the application is deleted.
The Data Controller, based on the authorisation received under Article 35/A (2a) of Act XLVII of 1997 on the processing and protection of personal data concerning health and related matters (hereinafter: Eüak.), processes personal data (the identification data of the data subject in the EESZT, the identification of the device of the Data Subject, the time of death of the data subject) for the purpose of providing the services available in the Application, to the extent necessary for the provision of the services and unless otherwise provided by law, in accordance with Section 35/F (1) of the Eüak., for as long as it is necessary for the provision of the services. This Privacy Policy only covers data processing cases related to the functions available in the Application in addition to the EESZT services.
2. Concepts
Personal data:
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data subject/User:
The natural person using the Application.
EESZT:
The National eHealth Infrastructure (in Hungarian: Elektronikus Egészségügyi Szolgáltatási Tér) (https://www.eeszt.gov.hu/).
Application:
The EgészségAblak mobile application.
Data processing:
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller:
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor:
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Consent of the data subject:
Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Health data:
Personal data concerning the physical or mental health of a natural person, including data relating to the provision of health care services to a natural person which reveal information about that natural person's state of health.
The terms used in this Privacy Policy are in harmony with:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as GDPR),
- Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: Privacy Act),
- Act XLVII of 1997 on the processing and protection of health and related personal data (hereinafter: Eüak),
- Act V of 2013 on the Civil Code (hereinafter: Civil Code),
- the concepts of the recommendations of the National Authority for Data Protection and Freedom of Information on the data protection requirements of prior information
3. NAME, CONTACT DETAILS AND PLACE OF DATA PROCESSING OF THE DATA CONTROLLER
Data Controller:
Ministry of Interior
Address: 1051 Budapest, József Attila utca 2-4.
E-mail: ugyfelszolgalat@bm.gov.hu
Phone number: (+36 1) 441-1000
Website: https://www.kormany.hu/belugyminiszterium/
Data Protection Officer:
Name: Dr. Erika Dominica Tarczi-Abraham
E-mail: dominika.abraham@bm.gov.hu
Place of data processing: Hungary.
With regard to data processing related to the use of the Application, the available functions and login, the data controller is the Ministry of Interior.
4. USE OF DATA PROCESSORS
In order to operate the Application, the Ministry of Interior, as Data Controller, uses the following data processors.
ESZFK Egészséginformatikai Szolgáltató és Fejlesztési Központ Nonprofit Kft. (hereinafter: ESZFK)
Address: 1097 Budapest, Könyves Kálmán körút 11. B. ép. 1. floor
Fax number: +3687580053
Phone number: +3687580054
E-mail address: iroda@eszfk.hu
Website: https://www.eszfk.hu
The IT implementation and operating framework of the Application is provided by the ESZFK.
The ESZFK performs the application operation, development and customer service tasks of the EESZT and the EgészségAblak framework and mobile application in accordance with Government Decree 29/2022 (I. 31.) on central health information technology services. It shall act in relation to the personal data concerned in accordance with the applicable Hungarian and European Union data protection rules.
NISZ National Infocommunication Services Ltd. (NISZ Zrt.)
Address: 1149-HU Budapest, Róna utca 52-80.
Postal address: 1389-HU Budapest, P.O. Box 133.
Phone number: (+36 1) 459-4200
E-mail address: info@nisz.hu
Website: http://www.nisz.hu
The operation of the EESZT and the EgészségAblak takes place in the Government Data Center, pursuant to Section 13/A (1) of Government Decree 467/2017 (XII.28.) on the operation of the Government Data Center. The primary task of the data processor is to provide an information technology infrastructure. In accordance with Article 3 (1) and (3) and Article 9 (1) of Government Decree 341/2024 (XI. 14.), NISZ Zrt. ensures the operation of the EESZT and the EgészségAblak application infrastructure.
5. CIRCUMSTANCES OF DATA PROCESSING, LEGAL BASIS, PURPOSE OF DATA PROCESSING, SCOPE OF PROCESSED DATA AND RETENTION PERIOD
With regard to data processing related to the use of the Application, the available functions and login, the data controller is the Ministry of Interior.
The purpose and peculiarity of the Application is that after logging in with the appropriate personal identification, certain personal data related to the given person stored in the EESZT become available, and the data provided during the use of the functions of the Application are also synchronized with the EESZT system.
Data and documents taken over from the EESZT are available in the Application until the Application is deleted.
5.1 Login
In order to install the Application, the User does not need to record any of his/her personal data, but the use of the Application is subject to login.
The information available in the Application is based on personal data stored in the EESZT, and is queried by social security number (TAJ).
In order to log in, after accepting the Privacy Policy and the General Conditions of Use, the User must, after 15.01.2025, first identify himself or herself with the login data of Client Gate+ or the Digital Citizenship Mobile App (DÁP) in order to access full functionality. During the use of the functions, the relevant personal data is retrieved from the EESZT by social security number.
Type of personal data processed | Purpose of data processing | Duration of data storage, date of deletion | Legal basis for data processing |
Social Security number | Making certain services of the EESZT available, querying certain personal data concerning the Data Subject from the EESZT. | Until the registration is cancelled, which the User can do through the EESZT Residential Portal under the "Mobile applications" menu item; logging out of the Application also deletes the registration data. | Performance of a task carried out in the public interest (Article 6 (1) (e) GDPR) pursuant to the Section 35/A. (2a) of Eüak |
Registration is part of logging in to the Application. In order to log in, the User must first identify himself or herself with his/her Client Gate+ or the Digital Citizenship Mobile App (DÁP) login data. In connection with the functions available in the Application, the retrieval of personal data from the EESZT will be done with a Social Security number.
The device ID is a unique identifier for the device-app pair generated by the app installed on the mobile device.
The System will assign the Application to the Social Security number provided when you first log in for the following purpose and under the following conditions.
Type of personal data processed | Purpose of data processing | Duration of data storage, date of deletion | Legal basis for data processing |
Social Security number; Device ID | Making certain services of the EESZT available, querying certain personal data concerning the Data Subject from the EESZT. | Until the cancellation of the registration, which can be done by the User through the EESZT Residential Portal under the "Mobile applications" menu item, if he or she has logged in with Client Gate+ or the Digital Citizenship Mobile App (DÁP); logging out of the mobile application also deletes the registration data. | Performance of a task carried out in the public interest (Article 6 (1) (e) GDPR) pursuant to the Section 35/A. (2a) of Eüak |
5.2 Access EESZT services
The purpose of the Application is to ensure that the User can access certain services of the EESZT more easily through the Application. Within this framework, depending on, among other things, the technical possibilities of the Application and the current software version:
- the User's digital COVID certificates are available in digital form,
- the User may access the medical records generated during previous treatments,
- the User may access the valid, issued and expired prescriptions prescribed during his/her previous benefits and the barcodes required for the redemption of valid prescriptions; furthermore, after selecting several valid prescriptions, a QR code for multiple redemption can be generated,
- the User may access active and previous electronic referrals issued,
- in the case of representation rights recorded in the EESZT, the data relating to the represented person can be viewed,
- the User can also book an appointment through the Application in the digital booking system, as well as modify and cancel the booking,
- the User can view the appointments booked by himself/herself and by the doctor, add a booked appointment to the calendar of his/her mobile phone, or cancel it,
- the User can easily access the data of her pregnancy care book.
In addition to the services specified above, additional EESZT services are available.
Data processing related to the available EESZT services shall be governed by the provisions of the EESZT's Privacy Policy, which is available at: https://e-egeszsegugy.gov.hu/adatvedelem, with the following derogations for certain services. The data taken over from the EESZT are available in the Application until the Application is deleted.
5.3 Digital COVID certificates
After identifying the Data Subject, the Application certifies on the basis of the personal data retrieved from the EESZT:
- Vaccination Certificate,
- Test Certificate, and
- Recovery Certificate
(hereinafter collectively referred to as Digital COVID Certificates).
The Data Controller's data processing in connection with the Application is carried out as follows.
The Digital COVID Certificate system comprises three different types of COVID-19 certificates: vaccination certificates, test certificates and recovery certificates. Data processing related to Digital COVID certificates has been established in accordance with the provisions of Section 74/C, Section 74/D (1) and Section 74/G of Act CLIV of 1997 on Health Care and Government Decree 604/2023 (XII.22) on the detailed rules necessary to maintain the issuance of the Digital COVID Certificate.
Pursuant to Government Decree 604/2023 (XII.22.) on the detailed rules necessary for maintaining the issuance of the digital COVID certificate, the data subject with a social security number may request the Digital COVID Certificate in the Application and in a downloadable format on the EESZT portal after identification with the electronic identification service provided by the Government on a mandatory basis.
I. Data processed to display the Vaccination Certificate
In the "Vaccination Certificate" menu item of the application, the User can find information on how to prove his/her vaccination status.
The User can turn simplified login on and off at any time. If simplified login is activated, the Application stores the data related to the previously downloaded vaccination certificate and the User can view the information contained here even without an internet connection. Without enabling simplified login, the Application only processes the social security number for the purpose of querying and returning the ID card from the system.
In these cases, data processing is as follows:
Type of personal data processed | Purpose of data processing | Duration of data storage, date of deletion | Legal basis for data processing |
Social Security number | Show vaccination certificate. | The Application stores the Social Security Number until the User logs out of the Application or deletes the Application. | Performance of a task carried out in the public interest (Article 6 (1) (e) GDPR) pursuant to the Section 35/A. (2a) of Eüak. |
name; date of birth; unique certificate identifier; targeted disease or pathogen; vaccine or prophylaxis; name of vaccine product; marketing authorisation holder for a vaccine or manufacturer of a vaccine; dose number; date of vaccination; Member State of vaccination; Certificate issuer | Show vaccination certificate offline. | The App stores the data until you turn off offline mode or delete the App. | Performance of a task carried out in the public interest (Article 6 (1) (e) GDPR) pursuant to Article 3(1) of Government Decree 604/2023 (XII. 22.) on the detailed rules for the maintenance of the digital covid certificate |
II. Data processing related to the display of the Test Certificate
In the "Test certificate" menu item of the Application, the User can find information about which COVID-19 test(s) have been recorded.
The User can turn simplified login on and off at any time. If simplified login is enabled, the Application stores the data related to the previously downloaded "Test Certificate" and the User can view the information contained here even without an internet connection. Without enabling simplified login, the Application only processes the social security number for the purpose of querying and returning the ID card from the system.
In these cases, data processing is as follows:
Type of personal data processed | Purpose of data processing | Duration of data storage, date of deletion | Legal basis for data processing |
Social Security number | Display your test certificate. | The Application stores the Social Security Number until the User logs out of the Application or deletes the Application. | Performance of a task carried out in the public interest (Article 6 (1) (e) GDPR) pursuant to the Section 35/A. (2a) of Eüak |
name; date of birth; unique certificate identifier; targeted disease or pathogen; type of test; test name; test manufacturer; date and time of sampling; test result; test centre or testing institution; Member State or third country in which the test was carried out; Certificate issuer | Display the test certificate offline | The App stores the data until you turn off offline mode or delete the App. | Performance of a task carried out in the public interest (Article 6 (1) (e) GDPR) pursuant to Article 3(1) of Government Decree 604/2023 (XII. 22.) on the detailed rules for the maintenance of the digital covid certificate |
III. Recovery Certificate
In the "Recovery Certificate" menu item of the Application, the User can find information on whether the fact of recovery from COVID-19 infection has been recorded.
The User can turn simplified login on and off at any time. If simplified login is turned on, the Application stores the data related to the previously downloaded Certificate of Recovery, and the User can view the information contained here even without an internet connection. Without enabling simplified login, the Application only processes the social security number for the purpose of querying and returning the ID card from the system.
In these cases, data processing is as follows:
Type of personal data processed | Purpose of data processing | Duration of data storage, date of deletion | Legal basis for data processing |
Social Security number | Display the certificate of recovery. | The Application stores the Social Security Number until the User logs out of the Application or deletes the Application. | Performance of a task carried out in the public interest (Article 6 (1) (e) GDPR) pursuant to the Section 35/A. (2a) of Eüak. |
name; date of birth; unique certificate identifier; disease or agent from which the holder has recovered; date of the holder's first positive NAAT test result; date and time of sampling; Member State or third country in which the test was carried out; certificate issuer; Date of commencement of validity of the certificate; Last day of validity of the certificate | Display the certificate of recovery offline. | The App stores the data until you turn off offline mode or delete the App. | Performance of a task carried out in the public interest (Article 6 (1) (e) GDPR) pursuant to Article 3(1) of Government Decree 604/2023 (XII. 22.) on the detailed rules for the maintenance of the digital covid certificate |
5.4 Show, add or delete booked appointments
Appointments can be booked with a publicly funded healthcare provider providing outpatient care, for an offered order, which can currently be initiated through the digital appointment booking system for oneself or, if there is a right of representation, for the represented person after switching User accounts, or at the healthcare institution or general practitioner.
At the same time as issuing the referral, the referring doctor can book an appointment with the healthcare provider providing outpatient care on the dedicated internet interface of the EESZT. You can view the appointment booked for you by your doctor and the details of your reservation in the App.
In the case of care available without a referral, the patient's general practitioner or attending physician may undertake to book an appointment with the healthcare provider providing outpatient specialist care in the digital appointment booking system at the patient's request, if it is medically necessary. However, the patient's general practitioner or attending physician is not obliged to accept and comply with the patient's request for booking an appointment.
In the App you have the option to cancel the appointment booked for you by your doctor. The cancellation of the appointment will also be transferred to the EESZT system.
The User has the opportunity to book an appointment with an eReferral or, in the case of health services not subject to referral, by selecting the desired examination, both in the Application and on the EESZT Residential Portal and the unified telephone appointment booking center. You can also change or cancel booked appointments. Booking, modification and cancellation made through the Application will also be transferred to the EESZT system.
You can also add appointment bookings to your device's calendar to manage all booked appointments in one place. Through the shareable link, they can also be added to external calendar applications (e.g. Apple calendar, Google Calendar). Thus, the test appointments stored in the EESZT can be tracked not only in the Calendar menu item of the application, but also in other calendar applications used by the User and in an online calendar. During this operation, the Application requires access to the calendar of your device, from which the Application does not collect any personal data.
Type of personal data processed | Purpose of data processing | Duration of data storage, date of deletion | Legal basis for data processing |
The Data Controller keeps records of the dates. The records shall show the dates booked and shall contain (a) the identity of the referral, its content and information on the usability of the referral, (b) details of transmission, amendment and withdrawal of the referral, and (c) data on the use of the referral. [Act LXXXIII of 1997 on compulsory health insurance benefits (Ebtv.) Section 18/A (3).] | The Data Controller, as the operator of the EESZT, ensures that the person entitled to referral and the insured person submit their request for the use of the referred healthcare service at a specific healthcare provider and at a specific time through the EESZT, and the healthcare provider informs the person entitled to referral or the insured person through the EESZT (via the Population Portal and the Application). [Ebtv. Section 18/A (2)] [Government Decree 217/1997 (XII. 1.) Sections 5/E - 5/H.] | The Data Controller, as the operator of the EESZT, deletes the appointment records data after 5 years from the date of bookings. [Ebtv. Section 18/A (4).] The data taken over from the EESZT are available in the mobile application until the application is deleted. | Performance of a task carried out in the public interest (Article 6 (1) (e) GDPR) pursuant to the Section 35/A. (2a) of Eüak., Section 18/A (2)-(3) of the Ebtv. and Sections 5/E - 5/H of Government Decree 217/1997 (XII. 1.) on the implementation of Act LXXXIII of 1997 on the benefits of compulsory health insurance |
5.5 Prescriptions
Within the framework of the Application, the User may access valid, expired and redeemed electronic prescriptions (both pharmaceutical and medical device prescriptions) prescribed during previous benefits.
Prescriptions can be redeemed one by one by presenting the barcodes displayed in the Application in the pharmacy.
The Application provides the User with the opportunity, after selecting several prescriptions, to redeem the selected prescriptions simultaneously by presenting the QR code generated by the Application in a pharmacy. The QR code is visible until you navigate to the QR code generation prescription redemption page in the Application.
The Data Controller, as the operator of the EESZT and the data controller of the data stored in the EESZT, only displays the data contained in the EESZT and synchronizes them with the EESZT system. The legal background for this function is laid down in the Section 35/A. (2a) of Eüak. and Decree No 44/2004 of 28 December 2004 on the prescription and dispensing of medicinal products for human use. SRB Regulation 11/B(3).
You can find detailed information about the electronic prescription register (ePrescription) in the EESZT's Privacy Policy, which is available at https://e-egeszsegugy.gov.hu/adatvedelem. The data taken over from the EESZT are available in the mobile application until the application is deleted.
5.6 Notifications
EESZT may send notifications to the User's device regarding the services provided by the functions available in the Application. Notifications, regardless of when they are opened, are stored for one month.
The so-called "push notifications" arriving on the mobile device can be enabled or disabled by the User on the device, nevertheless, the already received messages remain viewable under the Notifications menu item.
Information on the data entering the EESZT and the notifications requested about related events can be found in the EESZT's Privacy Policy, which is available at: https://e-egeszsegugy.gov.hu/adatvedelem.
If the User opens the Application simultaneously on several devices, the Application will always send a separate notification about this.
5.7 Token generation
Using the token (unique number sequence) generated through the Application and valid for 1 minute, the User may log in to the appointment booking interface of the EESZT Residential Portal.
5.8 Favorites
In the Favorites function (hereinafter: Favorites), the User may collect the Digital COVID Certificates, documents and prescriptions already viewed by the User. If you delete the original, already viewed documents from your device, they will no longer be available through the Favorites function.
The Data Controller, as the operator of the EESZT and the data controller of the data stored in the EESZT, only displays the data contained in the EESZT and synchronizes them with the EESZT system pursuant to the Section 35/A. (2a) of Eüak.
The EESZT's Privacy Policy is available at: https://e-egeszsegugy.gov.hu/adatvedelem
5.9 General practitioner details
In accordance with Annex 2, point 8 of EMMI Decree No. 39/2016 of 21 December 2016 on the detailed rules related to the Electronic Health Service Space, the Data Controller, as the operator of the EESZT, makes the data of the general practitioner service available to the User in the Application within the framework of master data publication. Thus, the name, medical seal number, telephone number and office hours of the User's registered general practitioner are displayed in the Application. The legal basis for data processing is the performance of a task carried out in the public interest (Article 6 (1) (e) of the GDPR) pursuant to the Section 35/A. (2a) of Eüak.
The data are provided and kept up-to-date by the National Health Insurance Fund Management and the National Public Health and Pharmacy Centre; the Application displays the data provided.
The EESZT's Privacy Policy is available at: https://e-egeszsegugy.gov.hu/adatvedelem. The data taken over from the EESZT are available in the mobile application until the application is deleted.
5.10 TB-lamp
The User may check the validity of his/her social security number (TAJ) and his/her social security (TB) status. The data is for informational purposes only and does not replace the Social Security Card.
The relevant data is provided and kept up-to-date by the National Health Insurance Fund Management (NEAK). After querying the data in question from NEAK, the Data Controller displays the data provided in the Application. The Application does not store any personal data while displaying them. Data on the social security status and the validity of the social security number are not displayed in the EESZT.
5.11 Pharmacies
Using the Pharmacies menu item, you can view the list of pharmacies with normal, on-call and standby hours.
When you use this feature for the first time, your device's operating system will display a pop-up asking you to choose whether to enable location access. If you enable location tracking, you can turn it off at any time in your device's menu.
The Application does not collect or store data related to your location; it only uses them to list the pharmacies closest to you while you are using the function. The legal basis for data processing is the User's consent (Article 6 (1) (a) of the GDPR). The Application processes the data for as long as the function is in use.
If you do not allow location access, you can manually set a location to find pharmacies close to you or to the location you specify. In this case, too, the Application does not collect or store the information provided; it only uses it to list the pharmacies closest to you or to the location specified by you. The legal basis for data processing is the User's consent (Article 6 (1) (a) of the GDPR). The Application processes the data for as long as the function is in use.
The distances indicated in the Application are for reference only.
It is possible to navigate to the selected pharmacy. Within this framework, the Application transmits the coordinates of the pharmacy of your choice to the navigation application that you select, in the pop-up window, from the navigation services available on your smart device. Data relating to your location will not be transmitted. Route planning and navigation to the pharmacy takes place entirely within the framework of the navigation application chosen by you, over which the Data Controller has no influence.
Data on pharmacies are provided and kept up-to-date by the National Centre for Public Health and Pharmacy.
5.12 Pregnancy Care Book
In the Pregnancy Care Book menu, you can find information, events, examinations and results related to pregnancy and care of the expectant mother. The data are recorded by the professionals involved in pregnancy care general practitioners in the relevant specialist system – National Information System for Health Visitors (VOIR) – which data are entered into the EESZT as health documents.
The Data Controller, as the operator of the EESZT and the data controller of the data stored in the EESZT only performs a structured presentation of the information contained in the EESZT pursuant to the Section 35/A. (2a) of Eüak.
Type of personal data processed | Purpose of data processing | Duration of data storage, date of deletion | Legal basis for data processing |
Data of the documentation of pregnancy care from VOIR [EMMI Decree No 26/2014 (IV.8.) on maternity care] | To display the Pregnancy Care Book and to ensure its simple and transparent accessibility. | The Data Controller, as the operator of the EESZT, keeps pregnancy care books in accordance with the rules applicable to health documents. The data taken over from the EESZT are available in the mobile application until the application is deleted. | Performance of a task carried out in the public interest (Article 6 (1) (e) GDPR) pursuant to the Section 35/A. (2a) of Eüak. and EMMI Decree No 26/2014 (IV.8.) on maternity care |
You can find detailed information about the registration of health records in the data management information of the EESZT, which is available at: https://e-egeszsegugy.gov.hu/adatvedelem. Data and documents taken over from the EESZT are available in the Application until the Application is deleted.
5.13 Patient Satisfaction Survey
Patients can provide anonymous feedback regarding certain outpatient services they have used and their experiences at the facility. Completing the survey is voluntary, and the feedback is stored anonymously; only information related to the facility and the care provided is processed. Feedback can only be given once for each healthcare service. Only Users over the age of 18 are entitled to submit evaluations.
Type of personal data processed | Purpose of data processing | Duration of data storage, date of deletion | Legal basis for data processing |
device ID; Event Catalog ID of the healthcare service to be evaluated; evaluation | Development of health care and patient satisfaction. | The evaluation submitted by the registered Data Subject is immediately anonymized at the moment of submission. After that, only the date of care, the organizational unit of the institution concerned, the doctor's seal number and the given evaluation are stored - anonymously. | Consent of the Data Subject (Article 6 (1) (a) GDPR) |
6. RIGHTS OF THE DATA SUBJECT
The rights of Users as Data Subjects are provided by the Data Controller as follows.
The User may exercise his/her rights in accordance with the rules applicable to the EESZT system in person at any Government window or electronically by submitting the appropriate, dedicated iForm electronic form.
6.1 Favourites
- information about the processing of your personal data (prior to the commencement of data processing and during data processing),
- access to your personal data (provision of your personal data by the Data Controller),
- rectification or completion of your personal data,
- erasure or restriction of your personal data,
- object to the processing of your personal data,
- exercise your right to withdraw consent.
The Data Controller shall comply with the Data Subject's lawful request within a maximum of one month (taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months in justified cases) and shall notify the Data Subject thereof at the contact details provided by him.
The Data Controller provides the requested data in writing (electronically, by e-mail or by post), so providing one of these contact details is mandatory. The Data Controller does not provide oral information in connection with the processed data. The identity of the Data Subject shall be verified by the Data Controller.
6.2 Right to request information (pursuant to Articles 13-14 of the General Data Protection Regulation)
The Data Subject may request information from the Data Controller in writing, in any Government window, by submitting the appropriate request form or via the iForm service (https://magyarorszag.hu/szuf_ugyleiras?id=97cca781-3bca-4421-8c88-0cabff569336), on the following:
- what personal data,
- on what legal basis,
- for what purpose of data processing,
- from what source,
- for how long the Data Controller processes them,
- whether it employs a data processor and, if so, the name, address and activities related to data processing of the potential processor,
- to whom, when, on what legal basis and to which personal data the Data Controller granted access, or to whom it transferred the Data Subject's personal data,
- the circumstances, effects and measures taken to remedy a possible personal data breach.
The Data Subject or his/her authorized representative or his/her duly authorised legal representative may also act in connection with requests for information on processed data. In the case of non-face-to-face proceedings, proof of powers of representation shall be provided during the procedure.
6.3 Right of access (pursuant to Art. 15 GDPR)
The Data Subject shall have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed and, where such processing is in progress, access to the personal data processed. The Data Subject may request this in writing from the Data Controller, in any Government window by submitting the appropriate request form or via the iForm service:
https://magyarorszag.hu/szuf_ugyleiras?id=97cca781-3bca-4421-8c88-0cabff569336
The Data Controller shall provide the Data Subject with a copy of the personal data undergoing processing. If the Data Subject makes the request electronically, the information shall be provided in a commonly used electronic format, unless otherwise requested by the Data Subject.
6.4 Right to rectification and completion (pursuant to Article 16 of the General Data Protection Regulation)
The Data Subject may request in writing that the Data Controller modify any of his or her personal data. Taking into account the purpose of data processing, the Data Subject shall have the right to have incomplete personal data processed by the Data Controller completed accordingly. If correction of the data is requested, the Data Subject must prove that the data requested to be amended are genuine and that the person requesting the modification is indeed authorized to do so.
Requests for correction or completion can be made in any Government window by submitting the appropriate request form or by means of the iForm service (https://magyarorszag.hu/szuf_ugyleiras?id=689987ef-0f31-4073-8feb-9421d9cf24d6&_n=elektronikus_egeszsegugyi_szolgaltatasi_terrel_kapcsolatos_adatmodositas_iranti_kerelem).
The Data Subject or his/her authorized representative or his/her duly documented legal representative may also proceed with the correction or completion of processed data. In the case of non-face-to-face proceedings, proof of authority to represent must be provided during the procedure.
After the request is submitted, the fact of the request is recorded, and the Data Controller restricts the availability of the data in question in the EESZT upon request. If the request is submitted in respect of data recorded by a connected data controller, the Government window or the Data Controller shall provide information to the Data Subject about the institution or person recording the data, from whom the Data Subject may request the correction or completion of the data in his or her request.
6.5 Right to erasure (pursuant to Article 17 GDPR)
In accordance with the relevant legislation, the Data Controller processes personal data for the duration of data processing specified in this Privacy Policy.
The Data Subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay and the Data Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the Data Subject withdraws consent on which the processing is based pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) GDPR and there is no other legal basis for the processing;
- the Data Subject objects to the processing pursuant to Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the Data Subject objects to the processing pursuant to Article 21 (2) GDPR;
- the personal data have been unlawfully processed;
- the personal data must be erased for compliance with a legal obligation to which the controller is subject and provided for in a binding act of the European Union or by law.
Data cannot be deleted if data processing is necessary:
- for exercising the right to freedom of expression and information;
- for the performance of a task to which the controller is subject and which is provided for in a binding act of the European Union or by law, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- in accordance with Article 9(2)(h) and (i) GDPR and Article 9(3) GDPR for reasons of public interest in the area of public health;
- in accordance with Article 89 (1) GDPR, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of this processing; or
- for the establishment, exercise or defence of legal claims.
6.6 Right to restriction of processing (pursuant to Article 18 of the General Data Protection Regulation)
The Data Subject may request in writing, in any Government window by submitting the appropriate request form or via the iForm service, that the Data Controller restrict the processing of his or her personal data if one of the following applies:
- the accuracy of the personal data is contested by the Data Subject, in which case the restriction applies for a period enabling the Data Controller to verify the accuracy of the personal data;
- the processing is unlawful and the Data Subject opposes the erasure of the data and requests the restriction of their use instead;
- the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims; or
- the Data Subject has objected to the processing pursuant to Article 21 (1) GDPR; in this case, the restriction applies for the period until it is established whether the legitimate reasons of the Data Controller override those of the Data Subject.
Where processing has been restricted on the basis of the above, such personal data shall, with the exception of storage, only be processed with the Data Subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
The Data Controller shall inform the Data Subject – at whose request processing has been restricted – in advance of the lifting of the restriction of processing.
6.7 Right to object (pursuant to Art. 21 GDPR)
The Data Subject may object to processing of his or her personal data pursuant to Article 6(1)(e) and (f) GDPR, including profiling based on those provisions. In this case, the Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or which relate to the establishment, exercise or defence of legal claims.
The Data Subject may also object to access to data by pharmacists via EESZT, which objection does not affect the right to access the products exchanged in the given pharmacy and to query products not through the EESZT.
The Data Subject may object to the processing of his or her personal data in the Government Window or via the iForm service (https://magyarorszag.hu/szuf_ugyleiras?id=ae493161-9de4-4e2c-8755-5306effe8eff&_n=tiltakozas_tovabbitasa_az_elektronikus_egeszsegugyi_szolgaltatasi_terben_tarolt_szemelyes_adatok_kezelese_ellen) and with the help of the functions of the EESZT assigned for this purpose.
The objection may also be dealt with by the Data Subject or his/her authorized agent or his/her authorized legal representative certified by a written authorisation. In the case of non-face-to-face proceedings, proof of powers of representation shall be provided during the procedure.
The right to object should not be confused with the prohibition on uploading data to the EESZT, since while the right to object declared in the GDPR can be applied in the case of existing data processing, the issue of the declaration on the commencement of data processing is a completely different case.
6.8 Right to withdraw consent (pursuant to Article 7 GDPR)
The Data Subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
7. ENFORCEMENT OPTIONS
Initiation of legal proceedings
The Data Subject may turn to court against the Data Controller or, in connection with data processing operations falling within the scope of activity of the data processor, against the data processor if, in his or her opinion, the Data Controller or the data processor entrusted by it or acting on its behalf processes his or her personal data in violation of the provisions on the processing of personal data laid down by law or by a binding act of the European Union.
The trial falls within the jurisdiction of the tribunal. The lawsuit may also be initiated – at the choice of the Data Subject – before the competent court of the place of residence or residence of the Data Subject.
The Data Controller shall compensate for any damage caused by the unlawful processing of the Data Subject's data or by the breach of the requirements of data security, but shall be exempted from liability if the damage was caused by an unavoidable cause outside the scope of data processing. The Data Controller shall not compensate the damage to the extent that it resulted from the intentional or grossly negligent conduct of the injured party. In case of violation of the personality rights of the Data Subject, the Data Subject may claim grievance fees.
Initiation of administrative proceedings
The Data Subject may initiate an investigation or an official procedure at the National Authority for Data Protection and Freedom of Information (1055 Budapest, Falk Miksa utca 9-11, website: http://naih.hu; postal address: 1363 Budapest, Pf.: 9.; phone: +36-1-391-1400; fax: +36-1-391-1410; e-mail: ugyfelszolgalat@naih.hu) in order to enforce his or her rights, on the grounds that a violation of rights has occurred in connection with the processing of his or her personal data, or that there is a direct threat thereof, in particular:
- if, in his or her opinion, the Data Controller restricts the enforcement of the rights of the Data Subject or rejects his or her request to enforce these rights (initiation of an investigation), and
- if you consider that, during the processing of your personal data, the Data Controller or the data processor entrusted by it or acting on its behalf violates the provisions on the processing of personal data laid down by law or by a binding act of the European Union (request for an official procedure).
8. DATA SECURITY
The Data Controller undertakes to ensure the security of the data, and to take the technical measures to ensure that the recorded, stored or processed data are protected, and to do everything possible to prevent their destruction, unauthorized use and unauthorized alteration. It also undertakes to call upon all third parties to whom the data may be transmitted or transferred to fulfil their obligations in this regard.
9. OTHER PROVISIONS
The Data Controller reserves the right to unilaterally modify this Privacy Policy. After the entry into force of the amendment, the Data Controller shall ensure that the amended Privacy Policy is made available and accessible to the Data Subjects.