Data Protection Notice

1. Purpose of this Data Protection Notice

The purpose of this data protection notice is to record the data protection and data management policy applied by

Zenon Medical Korlátolt Felelősségű Társaság

Seat: 1052 Budapest, Deák Ferenc tér 3. 2nd floor

Company registration number: 01 09 401964

Tax number: 32000212-1-41

Website: www.zenonclinic.hu 

Email: info@zenonclinic.hu 

Represented by: Sárospataki Kitti, Executive Director

Data Protection Officer: Sziklai & Andrejszki Ügyvédi Iroda

Contact information of the data protection officer: dpo@drsziklai.hu

(hereinafter referred to as Zenon Medical)


and 

Zenon Beauty Korlátolt Felelősségű Társaság

Seat: 1052 Budapest, Deák Ferenc tér 3. 2nd floor

Company registration number: 01 09 401961

Tax number: 32000157-2-41

Website: www.zenonclinic.hu 

Email: info@zenonclinic.hu 

Represented by: Sárospataki Kitti, Executive Director

Data Protection Officer: Sziklai & Andrejszki Ügyvédi Iroda

Contact information of the data protection officer: dpo@drsziklai.hu

(hereinafter referred to as Zenon Beauty)


and

Zenon Product Korlátolt Felelősségű Társaság

Seat: 1052 Budapest, Deák Ferenc tér 3. 2nd floor

Company registration number: 01 09 401963

Tax number: 32000188-2-41

Website: www.zenonclinic.hu 

Email: info@zenonclinic.hu 

Represented by: Sárospataki Kitti, Executive Director

Data Protection Officer: Sziklai & Andrejszki Ügyvédi Iroda

Contact information of the data protection officer: dpo@drsziklai.hu

(hereinafter referred to as Zenon Product)


(Zenon Medical, Zenon Beauty and Zenon Product hereinafter collectively referred to as Data Controllers) to ensure that the individuals affected by the data processing are properly informed about the processing of their personal data provided for the purpose of using the services performed by the Data Controllers and purchasing from the webshop. The Data Controllers are committed to fully complying with the below-described requirements of the legislation on the processing of personal data in the course of their activities. Having regard to the fact that the processing of health data is essential in the course of health care, these data are given enhanced protection by Zenon Medical due to their fiduciary nature.

The Data Controllers inform the Data Subjects that this Data Protection Notice contains the provisions on data processing carried out by the three controllers in a consolidated form. Data processing activities for which no data controller is named separately are carried out by the Data Controllers within the framework of joint data processing.

This data protection notice can be found on the www.zenonclinic.hu website as well as at the registered office of the Data Controllers.

When drawing up the present rules the Data Controllers in particular took into account the following legislation:

  • The Fundamental Law of Hungary;
  • Act CXII of 2011 on Informational Self-Determination and Freedom of Information of Hungary (hereinafter referred to as the Law on information);
  • Act CLIV of 1997 on Health Care (hereinafter referred to as Health Care Act);
  • Act XLVII of 1997 on the Processing and Protection of Health and Related Personal Data (hereinafter referred to as Health Data Act);
  • Act No CVIII of 2001 on certain aspects of electronic commerce and information society services (hereinafter referred to as Act on E-Commerce);
  • Act VI of 1998 on the proclamation of the international convention issued on 28 January 1981 in Strasbourg on protection of the individual during mechanical processing of personal data;
  • Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).

2. Terms used in the Data Protection Notice

Data processing: performance of technical tasks related to data processing operations.

Processing: regardless of the procedure used, any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, as well as preventing further use of the data, taking photographs, audio or video recordings.

Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; makes and implements decisions on data management (including the means used) or has them executed by a data processor commissioned by the controller.

Data transmission: making the data available to a specific third party.

Erasure of data: making data unrecognizable in such a way that it is not possible to recover it.

Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Health care provider: the treating doctor, the health-care worker, any other person carrying out any activity connected with the treatment of the person concerned, the pharmacist.

eDM (electronic Direct Mail): one of the tools of direct marketing, letter advertising, marketing message. After the prior consent of the Data Subject, the Data Controllers send advertisements and marketing messages by e-mail to the E-mail inbox of the Data Subject.

Data concerning health: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

Health records: any record, register or other record of health and identity data that has come to the attention of the patient care provider during treatment, regardless of its carrier or form.

Data Subject: the natural person whose personal data are affected by the processing.

Genetic data: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

Medical treatment: any activity aimed at preserving health and preventing, detecting, diagnosing, treating, maintaining or improving the level of deterioration in health resulting from disease, and concerns the direct examination, treatment, care, medical rehabilitation of the Data Subject or the processing of his/her medical records for the purpose of such examination, including the provision of medicines, medical aids, medical care, rescue and patient transport, and obstetric care.

Third party: means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Consent: any freely given, specific, informed and unambiguous indication of the Data Subject's wishes, which is based on proper information and by which the data subject gives his or her unequivocal consent to the processing of his or her personal data – comprehensive or covering certain operations.

Close member: spouses, direct ascendants, adopted children, children and stepchildren, adoptive parents, stepparents, foster parents, as well as brothers, sisters and partners.

Joint controllership: Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.

Medical confidentiality: Health and identity data obtained by the data controller during the course of the treatment, as well as data related to the necessary or ongoing or completed medical treatment, as well as other data obtained in connection with the treatment.

Urgent need: A sudden change in the state of health which, in the absence of immediate medical care, would put the Data Subject in imminent danger to his or her life or cause serious or permanent damage to his or her health.

Personal data: Data which may be associated with a specific natural person, in particular his or her name, identification number and one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity, as well as any inferences which may be drawn from the data concerning the Data Subject and which do not constitute public information or information of public interest. Personal data includes (but is not limited to) name, address and e-mail address.

Objection: Statement by the Data Subject objecting to the processing of his or her personal data and requesting the termination of the data processing or the deletion of the processed data.

Webshop: a webshop operated by Zenon Product, from which Data Subjects have the opportunity to order products distributed by Zenon Product.

3. Principles relating to processing of personal data

The data processing carried out by the Data Controllers complies with the data processing principles of the GDPR, which are as follows:

Principle of lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Principle of purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Principle of data minimisation: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Principle of accuracy: Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

Principle of storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Principle of integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Principle of accountability: The controller shall be responsible for, and be able to demonstrate compliance with the principles.

In addition to the principles of data processing, the requirement of proper information can be identified as a common requirement, since the Data Controllers must inform the Data Subjects about the data processing in case of any legal basis for data processing.

4. Definition of the activities associated with individual data management, the processed data, the legal basis and purpose of the data processing, and the duration of the data processing

4.1. Contact

The Data Controllers provide the opportunity to the Data Subject to contact the Data Controllers by e-mail or telephone inquiry at the contact details on their website. 

Scope of data processed: name, phone number, and e-mail address of the Data Subject, personal data voluntarily provided by the Data Subject

Purpose of data processing: contacting the Data Subject and the Data Controllers

The legal basis of data processing: The Data Subject has given consent to the processing of his or her personal data for one or more specific purposes - Article 6 (1) a) of the GDPR

Duration of data processing: until the Data Subject's request for cancellation or the general 5-year limitation period according to the provisions of the Hungarian Civil Code

Data controller: Zenon Medical, Zenon Beauty and Zenon Product

4.2. Book an appointment

Data Subjects can book an appointment for each service at www.zenonclinic.hu or by phone.

Scope of data processed: name, phone number, and e-mail address of the Data Subject

Purpose of data processing: booking an appointment for services performed by the Data Controllers

The legal basis of data processing: The Data Subject has given consent to the processing of his or her personal data for one or more specific purposes - Article 6 (1) a) of the GDPR

Duration of data processing: until the performance of the service performed by the Data Controllers

Data controller: Zenon Medical and Zenon Beauty

4.3. Registration

The Data Controllers shall register the Data Subjects prior to the commencement of the services they provide.

Scope of data processed: Data Subject’s name, phone number, e-mail address, place and date of birth, mother’s name, nationality, gender, address, TAJ number (social security number), ID number, medical records

Purpose of data processing: registration, identification in relation to services provided by Data Controllers

The legal basis of data processing: The Data Subject has given consent to the processing of his or her personal data for one or more specific purposes - Article 6 (1) a) of the GDPR

Duration of data processing: Until the Data Subject's request for cancellation or for 5 years after the last service was used

Data controller: Zenon Medical and Zenon Beauty

4.4. Data processing related to health services

Within the framework of the health service it provides, Zenon Medical processes personal data and health data for several different purposes.

Scope of data processed: name, date of birth, social security number, health data and medical complaints of the Data Subject

Purpose of data processing: In connection with the healthcare service, the Data Controller performs the following activities involving data processing:

  • carrying out medical examinations, 
  • fulfilment of record-keeping and reporting obligations, 
  • identification and differentiation of Data Subjects, 
  • registration, monitoring and performance of contracts for health services

The legal basis of data processing:

  • carrying out medical examinations: The Data Subject has given consent to the processing of his or her personal data for one or more specific purposes - Article 6 (1) a) of the GDPR, as well as
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract - Article 6 (1) b) of the GDPR
  • fulfilment of record-keeping and reporting obligations: processing is necessary for compliance with a legal obligation to which the controller is subject - Article 6 (1) c) of the GDPR
  • identification and differentiation of Data Subjects: processing is necessary in order to protect the vital interests of the data subject or of another natural person - Article 6 (1) d) of the GDPR
  • registration, monitoring and performance of contracts for health services: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract - Article 6 (1) b) of the GDPR

Duration of data processing: Zenon Medical shall keep the following information on the Data Subject:

  • medical records of the Data Subject for 30 years, 
  • the final medical report for 50 years, 
  • an image made with diagnostic imaging for 10 years, 
  • the diagnostic report based on the image for 30 years from the date of its production
  • shall be kept by the Zenon Medical for eight (8) years from the date of performance of the contract between the Data Controller and the Data Subject

Data controller: Zenon Medical

4.5. Newsletter, telephone marketing and eDM subscription

Data Subjects can subscribe to the Data Controllers’ newsletter, telephone marketing and eDM service by ticking a separate checkbox, with which they can be informed about up-to-date information, current promotions and other offers relevant to them in the form of letter advertisements, phone calls and marketing messages (e-mails).

Scope of data processed: name, e-mail address and phone number of the Data Subject

Purpose of data processing: contacting the Data Subject and the Data Controllers, sending newsletter and eDM, providing continuous and up-to-date information to the subscriber

The legal basis of data processing: The Data Subject has given consent to the processing of his or her personal data for one or more specific purposes - Article 6 (1) a) of the GDPR

Duration of data processing: The Data Controllers shall send the newsletters and eDM materials to the Data Subjects until revocation or until the Data Subjects unsubscribe from the eDM service, or until they request the deletion of their data and the cessation of data processing. If the Data Subject does not wish to receive any more newsletters, he or she may unsubscribe from it at any time or request the deletion of his or her personal data. In case of unsubscribing and deletion request, the data processing will be terminated.

Data controller: Zenon Medical, Zenon Beauty and Zenon Product

4.6. Cookies

A cookie is a small text file that is stored on the hard drive of the Data Subject's computer or mobile device for the expiry date set in the cookie and is reactivated on subsequent visits. Its purpose is to record information about the visit and personal settings, but these are data that cannot be associated with the visitor. It helps to create a user-friendly website and mobile application, as well as to enhance the online experience of the Data Subject. If the Data Subject does not consent to the use of cookies by the Data Controllers when browsing the website or using the mobile application, the website and the mobile application may not function fully.

Scope of data processed: The Data Controllers store all analytical information without name or other personal data

Purpose of data processing: Storage of the personal settings of the Data Subject

The legal basis of data processing: The Data Subject has given consent to the processing of his or her personal data for one or more specific purposes - Article 6 (1) a) of the GDPR

Duration of data processing: The Data Subject can delete the cookies stored on his or her computer or mobile phone at any time through the settings of his or her browser 

Data controller: Zenon Medical, Zenon Beauty and Zenon Product

4.7. Recording telephone calls

The Data Controllers record phone calls for quality assurance reasons. The caller, as the Data Subject, can give his or her consent to the data processing at the beginning of the call.

Scope of data processed: name and voice of the Data Subject and other personal data provided during the telephone conversation

Purpose of data processing: data processing is carried out for quality assurance reasons

The legal basis of data processing: The Data Subject has given consent to the processing of his or her personal data for one or more specific purposes - Article 6 (1) a) of the GDPR

Duration of data processing: the Data Controllers store the recording for 2 years from the date of the phone call

Data controller: Zenon Medical, Zenon Beauty and Zenon Product

4.8. Social media activities

The Data Controllers operate the following social media sites:

  • the Zenon Clinic page on Facebook;
  • the zenonclinic page on Instagram;
  • the zenonclinic page on TikTok;
  • the Zenon Clinic page on LinkedIn;
  • the Zenon Clinic channel on YouTube;
  • the zenonclinic profile on BeReal

Scope of data processed: name and personal portrayal of the Data Subject

Purpose of data processing: notification about current information, news relating to the Data Controllers

The legal basis of data processing: The Data Subject has given consent to the processing of his or her personal data for one or more specific purposes - Article 6 (1) a) of the GDPR

Duration of data processing: The Data Subject may voluntarily unsubscribe from following the pages or delete unwanted news on the message board with the use of the message board settings.

Data controller: Zenon Medical, Zenon Beauty and Zenon Product

4.9. Presentation of doctors, assistants, beauticians and other employees

On the www.zenonclinic.hu website, users of the services can get to know the doctors, assistants, beauticians and other employees under contract with Zenon Medical and Zenon Beauty. In this case, these doctors, assistants, beauticians and other employees are the Data Subjects of the data processing.

Scope of data processed: name and personal portrayal of the Data Subject, his or her field of expertise and other data voluntarily provided by him or her during the presentation.

Purpose of data processing: The purpose of data processing is to enable the users of the Data Controllers’ service to get to know the doctors involved in the services. 

The legal basis of data processing: The Data Subject has given consent to the processing of his or her personal data for one or more specific purposes - Article 6 (1) a) of the GDPR

Duration of data processing: After the termination of the cooperation between the Data Controllers and the employees or contributors, the data processing ceases.

Data controller: Zenon Medical, Zenon Beauty and Zenon Product

4.10. Data processing during invoicing

Data processing is carried out in order to issue an invoice in accordance with the law and to fulfill the obligation to retain accounting documents. In the course of data processing activities related to invoicing, no joint data processing takes place, each data controller processes only its own billing data.

Scope of data processed: name, address and/or place of residence of the Data Subject, telephone number, e-mail address

Purpose of data processing: in order to issue an invoice and to fulfill the obligation to retain accounting documents

The legal basis of data processing: fulfilment of record-keeping and reporting obligations: processing is necessary for compliance with a legal obligation to which the controller is subject - Article 6 (1) c) of the GDPR

Duration of data processing: according to the Act C of 2000 on Accounting, 8 years

Data controller: Zenon Clinic, Zenon Medical, Zenon Beauty and Zenon Product

4.11. Data processing during the conclusion and performance of contracts

If a contract is concluded between the Data Controllers and the Data Controllers’ partners, the parties indicate (may mark) the contact persons and their contact details in the contract.

Scope of data processed: name, phone number, e-mail address and position of the Data Subject

Purpose of data processing: Contact between businesses, fulfilment of the contractual obligations 

The legal basis of data processing: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract - Article 6 (1) b) of the GDPR

Duration of data processing: Based on the contractual relationship between the Data Controllers and the Data Subject, the duration of data processing lasts for eight (8) years from the termination of Data Controllers’ legal obligation.

Data controller: Zenon Medical, Zenon Beauty and Zenon Product

4.12. Operation of security camera systems

Zenon Medical and Zenon Beauty may operate a camera system for the purpose of protecting human life and physical integrity, as well as property protection. Because the healthcare provider and the beauty salon operate a common reception, joint data processing takes place. The location of each camera is presented in the table below.

Camera number / Field of vision:

1. Reception

2. Reception

3. Waiting room 1.

4. Corridor 1. (Medical department)

5. Corridor 2. (Beauty department) 

6. Corridor 3. (Beauty department) 

7. Utility corridor

8. Front door staircase

Scope of data processed: personal portrayal of the Data Subject

Purpose of data processing: to protect human life, physical integrity, personal freedom, as well as property protection

The legal basis of data processing: The legitimate interest of the Data Controllers in ensuring the protection of persons and property at their registered office - Article 6 (1) f) of the GDPR

Duration of data processing: The Data Controller shall destroy the recorded video and audio recording no later than 3 weeks after the recording, unless further storage is justified by an accidental event.

Data controller: Zenon Medical, Zenon Beauty and Zenon Product 

4.13. Data processing for marketing purposes

Data Subjects have the opportunity to give their express consent for Zenon Medical and Zenon Beauty to publish anonymized photos of the Data Subjects containing some of Zenon Medical’s and Zenon Beauty’s services on the www.zenonclinic.hu website.

Scope of data processed: An anonymized photo taken of the Data Subject (or the Data Subject’s body surface) before or after the medical aesthetic, physical well-being, other human health care, or other service.

Purpose of data processing: Marketing activities related to the healthcare services performed by the Data Controllers.

The legal basis of data processing: The Data Subject has given consent to the processing of his or her personal data for one or more specific purposes - Article 6 (1) a) of the GDPR

Duration of data processing: Until the Data Subject's request for deletion

Data controller: Zenon Medical and Zenon Beauty 

4.14. Job advertisements

The Data Controllers do not post anonymous job advertisements, and immediately delete applications received without a request if their further processing is not justified. If the applicant is hired, the Data Controllers will ask the applicant for consent for further data processing. In the event of an unsuccessful application, with the separate consent of the job applicants, the Data Controllers may keep the individual applications in order to be able to contact the previous applicants with a job offer later. There is no joint processing of data in connection with job advertisements; each controller only processes data relating to its own applicants.

Scope of data processed: name, phone number, e-mail address, address, spoken languages, education, former employment of the Data Subject, as well as the Data Subject’s voluntarily given personal data included in a CV

Purpose of data processing: Establishing contact between the Data Subject and the Data Controllers, establishing the employment relationship.

The legal basis of data processing: The Data Subject has given consent to the processing of his or her personal data for one or more specific purposes - Article 6 (1) a) of the GDPR

Duration of data processing: If the further processing of the received CVs is not justified: immediately, but for a maximum of 6 months; in the event of an unsuccessful application, the duration of data processing will last, with the consent of the applicant, until the general 5-year limitation period in accordance with the provisions of the Civil Code or until the data subject's request for deletion.

Data controller: Zenon Medical and Zenon Beauty 

4.15. Purchases made through web shop

Zenon Product operates a webshop, which processes data for four different purposes: registration, login, ordering and invoicing.

Scope of data processed:

  • registration – the name and email address of the Data Subject; and the telephone number, address, delivery address of the Data Subject and other information voluntarily provided in connection with the delivery, which may be recorded in advance of the order
  • login – e-mail address, password
  • ordering – the Data Subject's name, email address, telephone number, address, delivery address and other information voluntarily provided by the Data Subject in connection with the delivery
  • invoicing – the name, address and tax number of the Data Subject

Purpose of data processing:

  • registration – creating a user account for using the webshop
  • login – access to the webshop
  • ordering – placing orders with Zenon Product
  • invoicing – ensuring compliance with applicable law

The legal basis of data processing:

  • registration – voluntary consent of the Data Subject (Article 6 (1) a) of the GDPR)
  • login – voluntary consent of the Data Subject (Article 6 (1) a) of the GDPR)
  • ordering – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6 (1) b) of the GDPR)
  • invoicing – processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6 (1) c) of the GDPR)

Duration of data processing:

  • registration – until the Data Subject's request for erasure
  • login – until the Data Subject's request for erasure
  • ordering – Zenon Product will store the data specified in the Accounting Act for 8 years, as defined by law, and the additional data until the contract is fulfilled
  • invoicing – according to the Act C of 2000 on Accounting, 8 years

Data controller: Zenon Product 

5. Regulations of data processing for the purpose of medical treatment

5.1. As a healthcare provider, Zenon Medical also processes health data. Zenon Medical and the Data Processor used by Zenon Medical are bound by medical confidentiality. Zenon Medical shall be exempted from the obligation of confidentiality if the transfer of medical and personal data has been agreed in writing by the Data Subject or the Data Subject's legal representative, and also if the transfer of the medical and personal data is legally required.

5.2. The Data Subject has the right to be informed about the processing of data in relation to medical treatment, to be informed of the medical and personal data concerning him or her, and also to inspect and obtain copies of medical records.

5.3. On the basis of a written request, during the patient's lifetime or after his/her death, the spouse, direct relative, brother or sister and life partner of the Data Subject shall be entitled to access the Data Subject's health data. The designated persons are also entitled to exercise the right of access to the medical records if the health data is necessary for the purpose of discovering a cause affecting the life or health of the spouse, relative, brother or sister, or life partner, or their descendants, or for the purpose of providing healthcare to those persons, and it is not possible to obtain or infer the health data by any other means. In such cases, only health data which are directly related to the identified cause may be disclosed.

5.4. In the event of the death of the Data Subject, his/her legal representatives, close relatives and heirs are entitled to access the health data on the basis of a written request. The designated persons may access, inspect and obtain a copy of medical data relating to the cause of death or which may be related to the cause of death, and also to the treatment provided prior to his/her death.

5.5. With the exception of the Data Subject's chosen general practitioner and the forensic expert, Zenon Medical is also bound by confidentiality towards other healthcare providers who did not take part in the medical examination, the diagnosis, the treatment or the surgery, unless the disclosure of the data is necessary for the diagnosis or the further treatment of the Data Subject.

5.6. In the case of processing and managing for the purposes listed in detail below, health and personal data may be transferred or combined within the healthcare network:

  • promoting the preservation, improvement and maintenance of health,
  • to promote effective patient care, including specialist supervision,
  • monitoring the health status of the Data Subject,
  • taking measures necessary in the interests of public health and epidemiology,
  • enforcing patients' rights,
  • facilitating the work of bodies carrying out official or legal controls, professional or legal supervision of bodies or persons handling health data, where the purpose of the controls cannot be achieved by other means, as well as the tasks of bodies financing health care,
  • the award of social security or social benefits, where it is based on health status,
  • crime prevention under the powers conferred by Act XXXIV. of 1994 on the Police, and carrying out the tasks specified in Act CXXV. of 1995 on the National Security Services, within the scope of the authorisation granted therein, as well as during administrative authority proceedings, infringement proceedings, prosecution proceedings, and court proceedings,
  • the determination of fitness for employment, whether such activity is performed within the framework of an employment, civil service, government service, public service, professional service or other legal status, 
  • unemployment benefits, employment promotion and related control, 
  • the continuous and safe supply of prescribed medicines, medical aids and medical care to persons entitled to health care,
  • investigating and recording occupational accidents and illnesses, including cases of increased exposure, and taking the necessary occupational health and safety measures, and conducting ethics procedures for health care workers, 
  • establishing the effectiveness of medicines and medical devices receiving performance-based funding, the funding of such medicines and the procedures for financing the treatment of such diseases,
  • patient pathway management,
  • evaluation and improvement of the quality of health services, and regular review and development of evaluation criteria for health services,
  • monitoring, measuring and evaluating the performance of the health system,
  • facilitating the effective and safe administration of medicines and the development of cost-effective drug therapy for those entitled to health care,
  • enforcing rights to cross-border healthcare within the European Union.

5.7. Health and personal identification data from different sources may be linked only to the extent and at the time strictly necessary for the purposes of prevention, treatment, public health, and epidemiological measures. In the case of data processing and treatment in accordance with point 5.6., any health data relating to the illness of the Data Subject may be transmitted if the treating doctor or general practitioner decides that it is important for the purposes of treatment. Exceptions to this are made if the Data Subject prohibits this in writing or in a statement registered in the self-consent registry.

5.8. The Data Subject or his/her legal representatives shall provide health and personal identification data upon request of the healthcare provider if it is probable or confirmed that he or she is infected by a pathogen of a disease listed in Annex 1 of the Health Data Act, or is suffering from poisoning or infectious diseases.

5.9. In case of urgent need, all health and identity data known to the treating doctor that may be related to the treatment may be transmitted.

5.10. The provision of health and identity data by the Data Subject is voluntary. Exceptions to the voluntary rule are the personally identifiable data required for receiving health care and the cases provided for in Paragraph 13 of the Health Data Act.

5.11. Consent to data processing shall be deemed to be given if the Data Subject voluntarily turns to the healthcare network. In the event of an urgent need and a lack of discretionary ability on the part of the Data Subject, voluntary consent to the processing of data should be presumed.

5.12. The transfer of de-identified medical data without a time or area limit is permitted.

5.13. Apart from the doctor providing the treatment and other caregivers, the only persons who may be present during the treatment are those to whose presence the Data Subject has consented. In addition to the persons specified in Paragraph 17 (2) of the Health Data Act, persons who have previously treated the Data Subject for the disease in question, and who have been authorised to do so by the head of the institution or the person responsible for data protection for professional-scientific purposes, may be present without the Data Subject's consent, unless the Data Subject has expressly objected to this.

5.14. The medical and personal identification data collected from the Data Subject that are necessary for the purposes of treatment and their transmission shall be kept on file. The record of the transfer must include the recipient of the transfer, the method and time of the transfer and also the scope of the data transferred. The treating doctor shall keep a record of the medical data recorded by him/her or by the other healthcare providers and of his/her own activities and actions in relation thereto.

5.15. Health records must be kept for a minimum of 30 years from the date of recording and the final report for a minimum of 50 years. An image made with diagnostic imaging shall be kept for 10 years from the date of its production, a diagnostic report based on the image for 30 years from the date of its production, and prescriptions for 5 years.

6. Data Processors

6.1. The Data Controllers use the following data processors when processing personal data:

Data Processor’s name | Contact | Tasks
KNOX Kft. | 6044 Kecskemét, Kavics utca 6. | Accounting
VOOV Kft. | 9400 Sopron, Bem utca 3. | System administrator and development
Billingo Technologies Zrt. | 1133 Budapest, Árbóc utca 6. | Online invoicing
Meta Platforms Ireland Limited | Ireland, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2. | Facebook, Instagram
Google Ireland Limited | Ireland, Gordon House, Barrow Street, Dublin 4. | Google Analytics, YouTube
TikTok Technology Ltd | 10 Earlsfort Terrace, Dublin, D02 T380, Ireland | TikTok
LinkedIn Corp. | www.linkedin.com | LinkedIn
BeReal | www.bere.al | BeReal
Mailerlite | www.mailerlite.com | Newsletter provider
Contracted doctors as Data Processors | The contact details of the doctors are included in Annex No. 1 of the data protection notice | Provision of medical services

6.2. The activities of the Data Processors related to data processing are the provision of technical background. The Data Processors shall not take any substantive decision concerning data processing; they may process the personal data they have become aware of only in accordance with the provisions of the Data Controllers, they may not carry out data processing for their own purposes, and they are obliged to store and retain the personal data in accordance with the provisions of the Data Controllers.

6.3. During the services provided by Zenon Medical, the doctors contracted with the Data Controller act as data processors. Doctors are not allowed to make decisions affecting data processing, they only provide advice and consultation to the Data Subjects as patients. 

The contact details of the doctors as Data Processors are included in Annex No. 1 of the data protection notice.

6.4. Collection of data protection notices of Data Processors:

Facebook's data processing policy can be found at the link below:

https://www.facebook.com/privacy/explanation 

Instagram’s data processing policy can be found at the link below:

https://help.instagram.com/519522125107875 

TikTok’s data processing policy can be found at the link below:

https://www.tiktok.com/legal/privacy-policy-eea?lang=hu

LinkedIn’s data processing policy can be found at the link below:

https://www.linkedin.com/legal/privacy-policy 

BeReal’s data processing policy can be found at the link below:

https://bere.al/en/privacy 

YouTube’s data processing policy can be found at the link below:

https://www.youtube.com/intl/ALL_hu/howyoutubeworks/our-commitments/protecting-user-data/ 

Mailerlite’s data processing policy can be found at the link below:

https://www.mailerlite.com/gdpr-compliance 

7. Transmission 

As a general rule, the Data Controllers shall not pass on the personal data obtained by the Data Controllers to third parties in any way without the prior consent of the Data Subject. In the case of data controlling and processing for the purposes detailed in Chapter 5, health and personal data may be transferred or combined within the healthcare network.

8. Data security

The Data Controllers store the above-mentioned personal data at their seat, in their own IT system, and on the servers of the Data Processors responsible for hosting services.

The Data Controllers undertake to ensure the security of the data in accordance with the GDPR and the Law on Information, while taking into account the rights of the Data Subjects.

The Data Controllers shall keep a record of possible personal data breaches and, if necessary, inform the Data Subject and, if necessary, the National Authority for Data Protection and Freedom of Information (NAIH) about the incidents that arise.

Access to personal data is granted to persons acting in the interest of the Data Controllers, in particular agents and employees, who need it for the performance of their activities and who are aware of and are familiar with the obligations relating to the processing of the data.

The Data Controllers shall take all necessary measures to ensure the secure and non-damaging processing of data and the establishment and operation of the necessary data management systems. The Data Controllers shall ensure that the processed data cannot be accessed, disclosed, transmitted, modified or deleted by unauthorised persons.

The Data Controllers undertake to ensure the security of the data using the most advanced and appropriate equipment and security rules, in particular to ensure that the data cannot be unlawfully disclosed, deleted, destroyed or accessed by unauthorised persons. The Data Controllers shall take all reasonable steps to ensure that the data are not accidentally damaged or destroyed. This commitment shall also be imposed on the employees of the Data Controllers who are involved in the processing activities.

Zenon Beauty and Zenon Product do not collect any special data, and Zenon Medical only collects special data within the scope of this notice, i.e. data concerning racial or ethnic origin, membership of national or ethnic minorities, political opinions or party affiliations, religious or philosophical beliefs, membership of representative associations, health, pathological addiction, sex life or criminal records.

9. Data Protection Officer

Zenon Medical is required to appoint a Data Protection Officer under Article 37. (1) c) of the GDPR, given the large number of special categories of personal data processed.

In the course of providing health services within the scope of its main activities, Zenon Medical acquires health and related personal data, and during the course of diagnostic tests, additional sensitive data is generated. Zenon Medical has therefore appointed a permanent Data Protection Officer to ensure effective protection of personal data and also effective accountability; this Data Protection Officer provides its services to all Data Controllers.

The Data Protection Officer shall provide the Data Controllers with professional advice on data protection, monitor data management activities and assist the Data Controllers in their operations by liaising with the competent authority and Data Subjects.

Name: Sziklai & Andrejszki Ügyvédi Iroda

Contact: dpo@drsziklai.hu 

Data Subjects can contact the Data Protection Officer for all matters relating to the processing of their personal data and the exercise of their rights. The DPO is bound by confidentiality or data protection obligations in the performance of his/her duties.

10. The rights of the Data Subject

During the period of data processing, the Data Subject is entitled to the following rights:

Rights of information:

The Data Controllers must provide information on the relevant aspects of the processing in an appropriate manner, in simple and accessible language that is easy to find (online or offline). At the time of obtaining the personal data, or if the Data Subject subsequently requests information, the Data Subject must be provided with the Privacy Policy and be asked to sign a declaration of acknowledgement, understanding and acceptance of the information contained therein.

The Data Subject has the right to request information at any time about the personal data concerning him/her processed by the Data Controllers. The information can also be requested by e-mail (dpo@drsziklai.hu), by post (1052 Budapest, Petőfi Sándor utca 11. IV/20. - Sziklai & Andrejszki Ügyvédi Iroda) or by contacting the Data Controllers at the e-mail address of the Data Protection Officer indicated in the Notice. Data Controllers are obliged to provide the requested information within 30 days of the request.

Right to erasure:

The Data Subject shall have the right to obtain from the Data Controllers the erasure of personal data concerning him or her without undue delay, and the Data Controllers shall have the obligation to erase personal data without undue delay. If the Data Controllers have allowed third parties access to the data requested to be erased, they must inform all those to whom they have disclosed the data concerned so that all references or personal data stored with them will be erased. The purpose of this is to ensure that, unless there is a legal or reasonable impediment to it, the data concerned 'disappears' from the databases that can be found.

The erasure does not have to be carried out if the processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for the establishment, exercise or defence of legal claims;
  • for the fulfilment of a legal obligation;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and the erasure would make it impossible or seriously jeopardize the fulfilment of the purpose of the data processing.

The Data Controllers shall also erase the personal data contained in their documentation relating to the Data Subject if the purpose related to the processing of the personal data has ceased to exist. Paper documents shall be destroyed under a recorded protocol, so that the destruction can subsequently be proved to the competent authority.

Right to rectification:

The Data Subject may indicate that the processed data are inaccurate and may specify what data should be indicated instead. The Data Controllers are responsible for the accuracy of the data, so it is necessary to check their accuracy from time to time.

Right to restriction of processing:

The Data Subject may request the Data Controllers to restrict the processing of his or her personal data, for example in the event of an unresolved legal dispute. If the processing is subject to restriction, such personal data may be processed only - with the exception of storage purposes - with the consent of the Data Subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the European Union or of a Member State.

Right to data portability:

The Data Subject may request to receive the data processed concerning him or her in a structured, commonly used, machine-readable format (e.g. .doc, .pdf, etc.) and has the right to transfer these data to another Data Controller without hindrance from the original Data Controllers. It makes it easier for the Data Subject to transfer his/her personal data from one data controller to another.

Right to object:

If the Data Subject has not given his/her consent to the processing of his/her personal data, the Data Subject has the right to object at any time to the processing of his/her personal data for a specified reason.

If the Data Subject wishes to exercise his/her rights, this involves his/her identification, and the Data Controllers will need to communicate with him/her. The Data Subject will therefore be required to provide personal data for identification purposes, and the Data Subject's complaint about the processing will be available in the email account within the time period indicated in this Policy in relation to complaints. The Data Controllers shall respond to complaints about the data processing without delay and at the latest within 30 days.

11. Legal redress

The Data Subject is entitled to lodge a complaint with the NAIH (1055 Budapest, Falk Miksa u. 9-11.; www.naih.hu, Phone: +36 (1) 391-1400, Fax: +36 (1) 391-1410, E-mail: ugyfelszolgalat@naih.hu) or to enforce his/her rights regarding the processing of personal data before the court of competent jurisdiction pursuant to Act CXXX. of 2016 on the Code of Civil Procedure.

12. Final provisions

12.1. If the Data Controllers intend to carry out further processing of personal data for a purpose other than the purpose of this Data Protection Notice, the Data Controllers shall inform the Data Subject of the new purpose of the processing prior to the further processing. Where the legal basis for the processing is consent, the processing for the new purpose may only be started after the Data Subject, in addition to being informed, has consented to the processing.

12.2. The data protection notice is valid until revoked; its personal scope extends to the entire organizational unit of the Data Controllers, data processors, employees, officers and any person who is in a contractual relationship with the Data Controllers.

12.3. The data protection notice must be reviewed annually or in the event of changes in community or domestic legislation. Only the Data Controllers are entitled to amend the data protection notice.

This Privacy Policy is valid from 1 January 2023.

Annexes:

1. Doctors as Data Processors 

Annex No. 1.

Doctors as Data Processors


Data Processor’s name | Contact | Tasks
Szilágyi és Róka Kft., Dr. Szilágyi Vivien | 3200 Gyöngyös, Pesti út 31. 3. em. 2. | medical service
Dr. Csizinszky Klára | 1125 Budapest, Monda utca 4. fsz4. | medical service
HÁLÓ-MED Kft., Dr. Illéssy Rudolf | 4431 Nyíregyháza, Árnyas utca 2. | medical service
Vestamed Kft., Dr. Káli Gábor | 1143 Budapest, Utász utca 9. 2. em. 2. | medical service
DR. DEÁK Bt., Dr. Deák Sándor | 5540 Szarvas, Béke ltp 3.B. fsz. 2. | medical service
Dermaker Kft., Dr. Sas Andrea | 1125 Budapest, Fészek utca 12. | medical service
Dubecz és Társa Kft., Dr. Dubecz Dániel | 2600, Vác, Derecske dűlő 424/2 | medical service
Cseh Dental Kft., Cseh Gabriella Csilla | 2890 Tata, Nagykert utca 38. | medical service
Dr. Baumli-Bencsik Nóra Mária E.V., Dr. Bencsik Nóra Mária | | medical service
