DEB HAIR CLINIC Ltd.
Data processing information
Privacy and data management information.
DEB HAIR CLINIC Limited Liability Company, as data controller, respects the privacy of all persons who provide it with personal data and is committed to protecting that data; we therefore ask you to read the following information carefully.
I. Introduction of the data controller:
DEB HAIR CLINIC Limited Liability Company (hereinafter referred to as: Company, Data Controller, Healthcare Service Provider) has created the following data protection information in order to ensure the legality of its internal data management processes and to ensure the rights of the data subjects:
The data controller: DEB HAIR CLINIC Limited Liability Company
Abbreviated company name: DEB HAIR CLINIC Ltd.
Company registration number: 09 09 035753
Tax number: 32459166-2-09
Bank account number: 11600006-00000001-99354160 (Erste Bank Ltd.)
Registered office: 4002 Debrecen, Mészáros Gergely kert 55.
Place of business: 4033 Debrecen, Tűztövis Street 2.
Electronic contact: mistvan@debhair.hu
Representative: István Monus, managing director
Our domain and hosting provider:
DotRoll Ltd.
1148 Budapest, Fogarasi Street 3-5.
+36 1 432 3232
+36 1 432 3231
support@dotroll.com
Bank account number: 11713005-20406563 (OTP Bank)
Company registration number: 01-09-882068
Tax number: 13962982-2-42
The Data Controller processes personal data in accordance with all applicable laws, but primarily the following:
- Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as the Info. Act)
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as the Regulation or GDPR),
- Act CLIV of 1997 on Health Care (hereinafter referred to as the Health Care Act or Eütv.)
- Act XLVII of 1997 on the processing and protection of health and related personal data (hereinafter referred to as the Eüak. tv.)
- Act CVIII of 2001 on certain issues of electronic commerce services and information society services
- Act V of 2013 on the Civil Code (hereinafter referred to as the Civil Code)
II. Data security:
The Data Controller treats personal data confidentially and, in order to protect the data, takes all technical and organizational measures relating to data storage and processing that are necessary for secure IT and other data handling, in particular the following:
- locked storage of paper-based files and health documentation,
- access control,
- proper training of our employees,
- technical measures (encrypted access to our systems, anti-virus software, password protection).
We consider it important to point out that, as part of the (online) process by which you provide your personal data to us, certain data may be exposed during transmission to or from the website, despite all the measures we take.
We cannot accept responsibility for this, so you must accept that any transmission made in this way is at your own risk.
III. Cookie management:
The website uses cookies to adapt to user preferences and to optimize the website. In order to provide and personalize the website and its services, the website's servers may place cookies on your computer. These cookies make browsing and using the website easier.
Cookies are not suitable for personal identification.
We inform you that the following cookies are used on our website: cookies essential for the operation of the website, configuration (preference) cookies, statistical cookies and marketing cookies.
Cookie management information
Purpose of data processing
The use of some cookies is essential to ensure the proper functioning of the site; other cookies help us develop our website, help you navigate, and collect information about how our website is used.
Legal basis for data processing
In the case of cookies essential for the functioning of the site:
The legal basis for data processing is Article 6(1)(f) of the GDPR: the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party.
In the case of other cookies:
The consent of the data subject, Article 6(1)(a) of the GDPR: the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Justification of the legal basis:
The presence and acceptance of cookies is necessary for the website to function, and the use of cookies is also necessary to protect the website from possible attacks.
Source of personal data – data subjects:
Natural persons visiting the website
The personal data processed:
Cookies themselves are not suitable for identifying a person by name; however, the following data processed in connection with browsing qualify as personal data:
The online identifier (IP address) of users visiting the website, which is considered personal data, as well as other data generated in connection with browsing (time of browsing, browser type, and some characteristics of the operating system of the device used for browsing, such as operating system type and language setting).
Automated decision-making and profiling:
It is expected to be implemented by the data controller.
IV. Data management:
4.1. When designing our data management, we always ensure that the data management complies with the basic principles set out in the legislation.
The following terms used in this information are defined/interpreted as follows:
"data controller": the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law;
"personal data": any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
"data processing": any operation or set of operations which is performed on personal data or data files, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
"profiling": any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal characteristics relating to a natural person, in particular to analyse or predict characteristics relating to performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
"data processor": the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
"recipient": the natural or legal person, public authority, agency or any other body to which personal data are disclosed, whether or not a third party. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of such data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
"third party": the natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct control of the controller or processor, are authorised to process personal data;
"the data subject's consent": a freely given, specific, informed and unambiguous indication of the data subject's wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data concerning him or her;
"health data": personal data relating to the physical or mental health of a natural person, including data relating to healthcare services provided to the natural person which contain information about the health status of the natural person;
"health service": the totality of healthcare activities that can be performed in possession of an operating license issued by the healthcare state administrative body or – in cases specified by law – based on registration by the healthcare state administrative body
"healthcare provider": any individual healthcare entrepreneur, legal entity or organization without legal personality, regardless of the form of ownership and maintainer, authorized to provide healthcare services and based on an operating license issued by the healthcare state administrative body;
"health documentation": a record, register or any other recorded data, regardless of its medium or form, containing health and personal identification data related to the treatment of a patient, which comes to the attention of a healthcare worker during the provision of healthcare services;
"Patient": The person or persons who use the services of the healthcare provider
4.2. As a data controller, we carry out the following data processing activities:
- Data processing for online marketing (e-mail), newsletter (contacting those interested in the service)
- Processing of data necessary for concluding a contract (preparation, request for information, inquiry).
- Management of data related to healthcare services.
- Billing and other accounting data management.
- Complaint handling.
4.3. Provision of personal data – obligations of Patients
Our Company processes the data that the data subject (data owner) provides voluntarily.
The provision by the data subject of the health and personal identification data required for the provision of health care is, with some statutory exceptions, voluntary (Section 12 of the Eüak. tv.).
We would like to draw the attention of data subjects (patients) to the fact that, since the Data Controller provides healthcare services, certain obligations set out in the Health Care Act also apply to Patients. Patients are obliged to cooperate, according to their abilities and knowledge, with the healthcare workers involved in their care (in our case, in the provision of healthcare services), and in particular to inform the healthcare provider of:
- everything necessary to establish the diagnosis, prepare the appropriate treatment plan and carry out the interventions, in particular any previous relevant illnesses, medical treatments, medicines or medicinal products taken, and health risk factors (allergies),
- in connection with their own illness, anything that may endanger the life or physical integrity of others, in particular infectious diseases and diseases or conditions that prevent the performance of their occupation,
- furthermore, they are obliged to provide credible proof of their personal data as required by law.
V. Data processing activities (purposes)
5.1. Data processing for online marketing (e-mail), electronic communication and newsletters (contacting those interested in the service)
The Purpose of e-mail marketing data processing: identifying and distinguishing Patients/data subjects from each other, answering questions from potential Patients, providing a quote in preparation for a later contract, contacting them, sending a newsletter.
Legal basis for data processing:
Article 6(1)(b) of the GDPR: the processing is "necessary in order to take steps at the request of the data subject prior to entering into a contract". For the newsletter, the legal basis is the voluntary consent of the data subject (Article 6(1)(a) of the GDPR), together with Section 13/A of Act CVIII of 2001 on certain issues of electronic commerce services and information society services and Section 6(5) of Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activity.
In addition, Article 6(1)(f) of the GDPR (legitimate interest) also provides the Data Controller with a legal basis: the Data Controller has a legitimate interest in processing the personal data necessary to respond to a request for information.
Source of personal data – data subjects:
Those requesting information, those interested in services, those requesting quotes.
The scope of the data processed:
name, e-mail address, telephone number, company name, newsletter subscription consent, date and time of registration, and any other information that the data subject considers relevant in the matter initiated by the data subject.
Duration of processing of personal data:
If a contract (obligation) of any kind is concluded between the Data Controller and the data subject, we will process the personal data learned during the communication in connection with that contract, at most until the expiry of the limitation period.
If, following the pre-contractual processing, no contract or agreement is concluded between the Data Controller and the data subject, and the communication cannot have any legal effect in the future, your message(s) will be deleted once the communication is closed.
The purpose of newsletter data processing is: sending e-mail newsletters containing commercial advertising to interested parties, providing information about current information, products, services and treatments.
Legal basis for data processing: the voluntary consent of the data subject (Article 6(1)(a) of the GDPR) and Section 6(5) of Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activity.
Scope of processed data: name, e-mail address, date and time of subscription.
Data will be deleted: when the consent declaration is withdrawn.
You can request that no further newsletters be sent, and the deletion or modification of your personal data, by clicking on the link in the newsletter or by sending a letter to the Data Controller, by post to its registered office or electronically, at the contact details given above.
The Data Controller will not transfer the provided data to any third party.
5.2. Processing of data necessary for the performance of the contract
Purpose of data processing:
Conclusion of a contract (required data, differentiation of patients) and fulfillment of obligations assumed in the contract, exercise of contractual rights.
Legal basis for data processing:
Performance of a contract, Article 6(1)(b) of the GDPR: "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract".
The source of personal data – the data subject.
The personal data is provided to us by the data subject. Since the data subject is the source of the personal data, our Company will provide information directly about any changes to the scope of the processed data upon their collection.
Categories of data subjects:
Natural person contracting parties
The scope of processed (personal) data: name, address, place and date of birth, mother's name, telephone number, e-mail address, other data specified in the contract
Transfer of personal data:
The data provided for this purpose will not be transferred to a third country or international organization. The recipients of the data may be the following:
Accountant, post office, courier service, e-mail service provider, SMS service provider, hosting service provider, and other contributors involved in performance, with prior notification.
Duration of processing of personal data:
Until the contract is fulfilled, or until the contract is terminated in the event of termination of the contract for any reason.
Automated decision-making and profiling:
None of this happens during data processing.
5.3. Data processing related to healthcare services
The purpose of data processing:
Fulfillment of the obligation assumed in the contract for healthcare services (hair transplantation, hair tattooing, hair therapy), exercise of contractual rights, provision of healthcare services, fulfillment of the Data Controller's legal obligations, enforcement of its legitimate interests, prevention, investigation and detection of abuse.
Legal basis for data processing:
In the course of providing healthcare services, special categories of personal data (health data) are processed in addition to ordinary personal data.
- The legal basis for the processing of personal data is Article 6(1)(b) of the GDPR: "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract" (the processing is necessary for the performance of the contract concluded between our Company and the data subject for the provision of healthcare services).
- The exception that establishes the processing of special categories of personal data (health data) is contained in Article 9(2)(h) of the GDPR, i.e. the processing is necessary for preventive health purposes, for making a medical diagnosis, and for providing health treatment.
The guarantee condition under Article 9(3) of the GDPR is ensured because our Company always provides healthcare services through a doctor and medical activities are subject to professional confidentiality obligations under Hungarian national law.
The Data Controller's employees whose job involves the processing of personal data are entitled to access the personal data of the data subject.
The source of personal data – the data subject.
Consent of the data subject, Article 6(1)(a) of the GDPR: the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- The publication of images taken of the data subject during treatments is lawful with their written consent until the consent is withdrawn in writing.
Given that the data subject is the source of the personal data, we will provide information directly about the final scope of the processed data upon collection.
Categories of data subjects:
Natural person contracting parties
The personal data processed:
Name, address, place and date of birth, mother's name,
telephone number, e-mail address, other data specified in the contract
In the case of medical treatment: social security number (TAJ number)
Please note that the treating physician decides which health data, in addition to the mandatory data, is necessary to achieve the goal, in accordance with professional rules.
The doctor may process personal data necessary for the provision of healthcare services in compliance with professional rules.
Other data provided before and during treatment, or otherwise made available to the Data Controller, including during follow-up care, including data falling within the special categories of personal data (health data).
During our treatments, photographs may be taken before, during and at the end of the treatment.
Transfer of personal data:
We will not transfer the data provided for this purpose to a third country or to an international organization.
The recipients of the data may be:
Accountant, post office, courier service, e-mail service provider, SMS service provider, hosting service provider, and other contributors involved in performance, with prior notification.
Duration of processing of personal data:
If no contract for the use of healthcare services is concluded between our Company and the data subject, we will delete the personal data once the data subject informs our Company that they do not wish to use our services.
If the data subject uses healthcare services from our Company, the personal data will be part of the healthcare documentation and will be stored as follows:
In the case of hair transplantation (medical aesthetic and cosmetic treatments): until the end of the treatment.
If the hair transplant consists of more than one treatment or session: until the course of treatment is completed.
In the case of medical treatments (treatments that qualify as medical treatment), pursuant to Section 30 of the Eüak. tv.:
(1) The health documentation must be kept for at least 30 years from the date of data collection, and the final report for at least 50 years. After the mandatory retention period, the data may continue to be kept for the purposes of medical treatment or scientific research if justified. If further retention is not justified, the records must be destroyed, subject to paragraph (3).
(2) A recording made using an imaging diagnostic procedure must be kept for 10 years from the date of its creation, and the report prepared from the recording for 30 years from the date of the recording.
(3) If the health documentation is of scientific significance, it must be handed over to the competent archive after the mandatory retention period.
Automated decision-making and profiling
None of this happens during data processing.
5.4. Billing and other accounting data processing
Purpose of data processing:
To fulfill the obligation set out in the Accounting Act, we must retain billing data.
Legal basis for data processing:
Article 6(1)(c) of the GDPR
The Data Controller processes billing and other accounting data lawfully under the GDPR because it has a legal obligation to do so under Section 169(1)–(6) of Act C of 2000 on Accounting.
Source of personal data: the data subject.
Since the data subject is the source of the personal data, the scope of the processed data may be limited accordingly.
The Data Controller will inform you directly about any changes to your data when they are recorded.
Categories of data subjects:
Patients – Customers, other participants in accounting processes (e.g. actual payer)
The personal data processed:
Name, address, other data required by law or provided at the request of the client. (Section 169 of Act CXXVII of 2007 (hereinafter referred to as: VAT Act))
Transfer of personal data:
We will not transfer the data provided for this purpose to a third country or to an international organization.
Recipients of the data:
Within the Data Controller, personal data is processed only by those employees whose responsibilities include invoicing-related administration.
Accountant, authorities (e.g. NAV, the National Tax and Customs Administration)
Duration of processing of personal data:
The annual report, the business report, and the supporting inventory, valuation, general ledger extract, journal ledger and other records meeting the requirements of the law must be kept in readable form for at least 8 years.
Automated decision-making and profiling
None of this happens during data processing.
Provision of personal data:
All data processing is based on law and is mandatory.
5.5. Complaint (data processing)
In the event of a verbal complaint, if the user of the service does not agree with the immediate handling of the complaint, or if an immediate investigation of the complaint is not possible, the Data Controller shall immediately record the complaint and its position on it in a protocol, in accordance with Section 17/A(3) of Act CLV of 1997 on Consumer Protection (hereinafter referred to as the Fgytv.).
Purpose of data processing:
Fulfilling legal obligations arising from warranty and guarantee claims and handling other complaints
Legal basis for data processing:
GDPR Article 6(1)(c)
The Data Controller processes this data lawfully under the GDPR because it has a legal obligation to do so, pursuant to Section 17/A(7) of the Fgytv.
Source of personal data: the data subject.
Where the complainant voluntarily provides further data, the legal basis for those data is the consent of the data subject, Article 6(1)(a) of the GDPR: the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Categories of data subjects:
Those with complaints, those claiming defective performance, those with warranty and guarantee claims
The personal data processed:
Name, address and other data required by law, as well as data provided by the complainant, about which the complainant cannot be informed in advance but which will be recorded in the complaint-handling protocol.
Transfer of personal data:
We will not transfer the data provided for this purpose to a third country or to an international organization.
Recipients of the data may include: post office, courier service, court, authorities, email service provider
Duration of processing of personal data:
Pursuant to Section 17/A(7) of the Fgytv., the Data Controller is obliged to keep it for 5 years.
Provision of personal data:
Providing personal data is essential for complaint handling.
Automated decision-making and profiling
None of this happens during data processing.
VI. Rights of the data subject in relation to data processing
Confidentiality
According to the Eütv., the Data Controller and the data processor are obliged to maintain medical confidentiality.
Right to information
The data subject has the right to appropriate (plain language) information regarding data processing, which the Data Controller fulfills by providing this information.
You can read more about the right to information in Articles 13-14 of the GDPR.
Consent-based data processing
In the case of data processing based on the consent of the data subject, the data subject has the right to withdraw his/her consent at any time. It should be emphasized that the withdrawal of consent applies only to data for which there is no other legal basis for processing. If there is no such other legal basis, the personal data will be permanently and irretrievably deleted after the withdrawal of consent. The lawfulness of processing carried out on the basis of consent before its withdrawal is not affected. (Article 7(3) of the GDPR)
Right of access
The data subject has the right to receive feedback from the Data Controller as to whether his or her personal data is being processed and, if such processing is taking place, he or she has the right to access the personal data and the following information:
a) the purposes of data processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;
d) where applicable, the planned period for which the personal data will be stored or, where this is not possible, the criteria used to determine that period;
e) the right of the data subject to request rectification, erasure or restriction of processing of personal data concerning him or her and to object to the processing of such personal data;
f) the right to lodge a complaint with a supervisory authority;
g) if we did not collect the data from the data subject, all available information about the source of the data;
h) where automated decision-making, including profiling, is carried out, meaningful information about the logic involved and the significance and foreseeable consequences of such processing for the data subject.
You can read about the right of access in Article 15 of the GDPR.
Right to rectification:
The data subject has the right to obtain from us, at his/her request, the rectification of inaccurate personal data concerning him/her without undue delay. The data subject has the right to request the completion of incomplete personal data. You can read more about the right to rectification in Articles 16 and 19 of the GDPR.
Right to erasure:
In particular, the data subject has the right to have his or her personal data erased and no longer processed if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, if the data subject has withdrawn consent to the processing, or if the processing of the personal data otherwise does not comply with the GDPR.
In order to enforce the right to erasure, the Data Controller shall immediately erase the personal data of the data subject if:
a) the data processing is unlawful, in particular if the data processing
aa) is contrary to the principles set out in the Info. Act,
ab) its purpose has ceased to exist or further processing of the data is no longer necessary to achieve the purpose of data processing,
ac) the period specified in a law, international treaty or binding legal act of the European Union has expired, or
ad) the legal basis has ceased to exist and there is no other legal basis for the processing of the data,
b) the data subject withdraws his/her consent to data processing or requests the deletion of his/her personal data,
c) the deletion of the data is ordered by law, a legal act of the European Union, the Authority or a court.
You can read about the right to erasure in Articles 17 and 19 of the GDPR.
Right to restrict data processing
The data subject has the right to request that the data controller restrict data processing if one of the following applies:
a) the data subject disputes the accuracy, correctness or completeness of personal data processed by the data controller or by a data processor acting on its behalf or on its instructions,
b) the data processing is unlawful and the data subject opposes the deletion of the data, instead requesting the restriction of their use,
c) the data controller no longer needs the personal data for the purpose of data processing, but the data subject requires them for the establishment, exercise or defence of legal claims,
d) the data subject has objected to the data processing, in which case the restriction applies for the period until it is determined whether the legitimate grounds of the data controller override those of the data subject.
You can read more about the right to restriction in Articles 18 and 19 of the GDPR.
Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her based on point (e) or (f) of Article 6(1), including profiling based on those provisions. In such a case, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
If personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such purposes, including profiling where it is related to direct marketing. You can read more about the right to object and automated decision-making in Articles 21-22 of the GDPR.
Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, where:
(a) the processing is based on the data subject's consent or on a contract pursuant to point (b) of Article 6(1); and
b) the data processing is carried out by automated means.
You can read more about the right to data portability in Article 20 of the GDPR.
VII. Procedure for enforcing the rights of the data subject
Please contact our Company with your problems, requests and the rights detailed in this notice, preferably by electronic letter sent to mistvan@debhair.hu, or by postal letter delivered to the registered office of our Company (4002 Debrecen, Mészáros Gergely kert 55.). Our Company will begin the investigation and fulfillment of the data subject's request without undue delay after its receipt.
Our Company will inform the data subject of the measures taken based on the request within 30 days of its receipt. If our Company is unable to fulfill the request, it will inform the data subject within 30 days of the reasons for the refusal and their right to legal remedy.
Legal remedies related to data processing
In order to enforce his/her right to a judicial remedy, the data subject may bring an action against our Company before the court. The court shall proceed with the case out of turn. The adjudication of the lawsuit falls within the competence of the regional court. The lawsuit may be initiated, at the choice of the data subject, before the court competent for the place of residence or stay of the data subject or before the court competent for the registered office of our Company.
At the National Authority for Data Protection and Freedom of Information (NAIH), anyone may initiate an investigation against the Company by reporting that a violation of rights has occurred in connection with the processing of personal data, or that there is an immediate threat of such a violation, or that the Company is restricting the enforcement of their rights related to data processing or rejecting a request to enforce these rights. The report can be made at the following contact details:
National Authority for Data Protection and Freedom of Information (NAIH)
Postal address: 1530 Budapest, P.O. Box: 5.
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
URL: http://naih.hu
Date: 2023
DEB HAIR CLINIC Limited Liability Company