Privacy Policy

Geomedical Medical Ltd.
Regulations on Personal Data Processing and Protection

PREAMBLE

The head of the medical service provider providing specialist medical care determines the procedure for data processing related to medical data carried out by the organizational units of the medical service provider as follows.

1. GENERAL PROVISIONS

1.1. General Provisions

The purpose of these Regulations is to determine the legal order of managing records kept at the medical service provider providing specialist medical care, to ensure the implementation of constitutional principles of data protection and data security requirements, and to prevent unauthorized access, modification of data and unauthorized disclosure.

1.2. Purpose of Medical Data Processing

Medical and personal identification data may be processed for the following purposes:

– promoting the preservation, improvement, and maintenance of health,
– facilitating effective treatment activities of the healthcare provider, including supervisory activities,
– monitoring the patient’s health condition,
– taking measures necessary for public health and epidemiological interests,
– enforcement of patient rights.

Medical and personal identification data may be processed for purposes other than those specified above if the data subject or their legal or authorized representative (hereinafter together: legal representative), having been appropriately informed, gives consent that is voluntary, clearly expressed, and made in a way that credibly proves that a proper declaration was made.

Only as much medical and personal identification data may be processed as is indispensably necessary to achieve the data processing purpose.

2. RIGHTS OF DATA SUBJECTS AND THEIR ENFORCEMENT

The data subject has the right to:
– request information about the processing of their personal data,
– request correction and – except for legally mandated data processing – deletion of their data,
– object to the processing of their personal data,
– seek legal remedy in case of violation of their rights.

2.1. Right to Information

Upon request of the data subject, the data controller shall provide information about the data it processes, the purpose, legal basis, and duration of data processing, and who receives the data and for what purpose. Additionally, the data subject may request a copy of their processed data.

The data controller shall provide the information in writing, in an easily understandable form, within the shortest possible time but no later than 30 days from the submission of the request.

2.2. Rectification

The data controller must correct any data that does not correspond to reality. The data subject may request restriction of processing if they dispute the accuracy of the processed personal data; in this case, the restriction applies to the period that allows the data controller to verify the accuracy of the personal data.

2.3. Data Deletion

The data subject may request the deletion or restriction of use of their processed personal data if no treatment has previously occurred, or if in their opinion the personal data is no longer necessary for the purpose for which it was collected or otherwise processed, or if in their opinion the personal data is being processed unlawfully.

At the same time, the data subject acknowledges that if the service provider has a legal obligation to retain data, it must continue to store and process the data in the manner and for the period specified in the legislation.

2.4. Right to Object

The data subject may object to the processing of data at any time for reasons related to their own situation if the legal basis for processing is the legitimate interest of the data controller or others. In case of objection, the data controller may no longer process personal data for marketing purposes at all, and for other purposes only if it proves that the processing is justified by compelling legitimate reasons that take precedence over the interests, rights, and freedoms of the data subject, or that are related to the submission, enforcement, or defense of legal claims. Along with the objection, restriction of processing may also be requested.

2.5. Legal Enforcement

In case of violation of their rights, the data subject may take legal action against the data controller. The court shall handle the case as a matter of priority. The Metropolitan Court having jurisdiction over the data controller’s registered office, or – at the data subject’s choice – the court having jurisdiction over the data subject’s place of residence or workplace shall proceed. Legal representation is mandatory in the proceedings. The data controller must prove that the data processing complies with legal requirements.

2.6. Compensation

Any person who has suffered material or non-material damage as a result of a breach of data protection requirements is entitled to compensation for material damage from the data controller and to compensation for non-material damage. All data controllers involved in the data processing are liable for any damage caused by unlawful data processing.

The data controller is also liable to the data subject for damage caused by the data processor it uses. The data controller or data processor shall be exempt from this liability if it proves that it is in no way responsible for the event causing the damage.

3. DATA PROCESSING BY THE HEALTHCARE NETWORK

Within the healthcare network, unless otherwise provided by law, the following are authorized to process medical and personal identification data:
– the healthcare provider,
– the head of the service provider, and
– the person authorized by the head of the service provider.

During the processing of medical and personal identification data, data security must be ensured against accidental or intentional destruction, loss, alteration, damage, disclosure, and unauthorized access.

3.1. Data Collection

During data collection, the time of data collection and the identity of the person collecting the data must be recorded in the medical documentation.

Every note and entry in the patient’s documentation must be authenticated with a signature or initials, and if necessary, a date. In case of electronic data processing, clear identification of the person making the entry must also be ensured.

3.2. Data Modification

If data needs to be modified due to error or other reasons, this can only be done in a way that allows the original data to be determined. Modifications must also be initialed; in case of electronic data processing, the system must ensure clear identification of the person making the entry and logging of the entry.

3.3. Data Deletion

Data may only be deleted based on these Regulations. During deletion, data protection regulations must be observed, particularly regarding unauthorized access. During deletion, manually processed data must be physically destroyed, and electronically stored data must be irreversibly altered. Deletion can only be performed with the permission of the clinic manager.

4. DATA PROCESSING FOR SPECIALIST MEDICAL CARE

The collection of medical data is part of specialist medical care. The provision of medical and personal identification data by the treated person (legal representative) – including the provision of personal identification data required for accessing medical care – is voluntary. In cases where the treated person voluntarily turns to the service provider, their consent for processing medical and personal identification data related to the treatment shall be considered given in the absence of a contrary statement, and the data subject (legal representative) must be informed of this.

The data subject (legal representative) is obliged to provide their medical and personal identification data upon request of the healthcare provider:
– if it is probable or confirmed that they are infected by a disease pathogen, or suffering from infection-based poisoning or infectious disease,
– if necessary for screening and fitness examinations,
– in case of acute poisoning,
– if it is probable that the data subject suffers from an occupational disease,
– if data provision is necessary for the treatment, preservation, or protection of the health status of a minor child,
– if ordered by the competent authority for law enforcement, crime prevention purposes, or during prosecution, court proceedings, or administrative proceedings,
– if necessary for checks under the law on national security services.

In cases of emergency and lack of capacity for insight of the treated person, voluntariness shall be presumed.

During treatment, data must be recorded in the medical documentation according to professional rules. The treating specialist decides which medical data needs to be collected – beyond the mandatory data – in accordance with professional rules.

Recording of data not directly related to the patient’s treatment should be avoided.

During treatment, the management of medical documentation must be organized so that only those involved in the treated person’s treatment have access to the documentation and the patient’s personal data.

4.1. Protection of Medical Confidentiality

The healthcare provider and other persons employed by the service provider are bound by confidentiality obligations without time limit regarding data related to the patient’s health condition and other information learned during work. The confidentiality obligation is independent of how the data was learned.

The healthcare provider is bound by confidentiality obligation even towards another healthcare provider who did not participate in the patient’s treatment, except if the data is necessary for the treated person’s further treatment.

Release from the confidentiality obligation can be given in writing by the patient, or based on a legal obligation to provide data.

For the protection of medical confidentiality, it is necessary that all employees of the service provider commit to maintaining medical confidentiality. This obligation must be included in or attached to the employee’s job description.

4.2. Persons Present During Treatment

During treatment, the treating physician and other persons participating in patient care may be present, as well as those whose presence the patient has consented to.

While respecting the patient’s human rights and dignity, the following may be present during treatment without the data subject’s consent:
– another person if the treatment routine requires simultaneous care of multiple patients,
– a professional member of the police force if treatment is being provided to a detained person,
– a member of the penitentiary organization in service relationship if treatment is being provided to a person serving a custodial sentence in a penitentiary institution, and this is necessary for the security of the treating healthcare provider or to prevent escape,
– if required for law enforcement interests regarding the patient’s personal security, and the patient is in a state incapable of making a statement.

In addition to the above, the following may be present:
– someone who has previously treated the patient for the given illness,
– someone who has been given permission by the service provider’s head for professional reasons. The treated person’s explicit objection must be respected in this case.

For the purpose of medical professional training, the following may be present: physician, medical student, healthcare professional, healthcare college or vocational school student, provided that the specified person’s training is designated to the healthcare provider. In this case, the treated person’s consent is not required, but patients must be informed in the patient information about the provider’s teaching nature and professional training.

The treated person may give their consent verbally to the treating physician.

4.3. Right and Obligation to Information, Patient’s Right to Information

Before beginning treatment, the patient must be informed about the service provider’s data protection policy. Informing the patient about data protection is the duty of the treating specialist. The patient confirms receipt of information with their signature. The signed information document must be attached to the patient’s medical documentation. Any restrictive statement by the patient must also be attached to the patient’s documentation.

Information about the treated person’s treatment is provided by the specialist treating the patient. The healthcare professional providing care may also give information about nursing aspects of the patient’s treatment. Healthcare professionals or other staff may not provide information about the patient’s treatment unless authorized by the treating physician for the specific patient. Information is provided in person.

No substantive information about the patient’s treatment may be given by telephone.

The patient’s rights regarding their personal data are governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), the law on the processing and protection of medical and related personal data, and the law on healthcare. In the case of psychiatric patients, the patient’s right to access medical documentation may be exceptionally restricted if there is reasonable cause to believe that accessing the medical documentation would greatly endanger the patient’s recovery or violate another person’s personality rights. Only the physician is authorized to order such restriction. The patient rights representative and the patient’s legal or authorized representative must be immediately notified of the restriction order.

4.4. Information to Relatives and Other Persons

The patient may specify, at the time of registration with the service provider or later, which persons may receive partial or complete information about their illness, its expected outcome, changes in their health condition, and who should be excluded from such information.

4.5. Right to Access Medical Documentation

The patient (legal representative) is entitled to receive information about their personal identification and medical data and may inspect the medical documentation.

During their medical care for a specific illness, the patient is entitled to authorize in writing a specified person to inspect their medical documentation and make copies of it. After the completion of the patient’s medical care, only a person authorized by the patient in a private document with full probative value is entitled to inspect the medical documentation and make copies of it. During the patient’s life and after their death, their spouse, direct relative, sibling, and domestic partner – based on written request – are also entitled to access medical data if the medical data is needed to discover causes affecting the life or health of these persons and their descendants, or for their medical care purposes; and the medical data cannot be accessed or inferred in any other way.

In specialist medical care, the patient acknowledges and accepts the completion of the given care process. The specialist is responsible for the definitive care process. The treating physician records in the patient documentation the fact and reasons for any interruption or modification of the care process.

5. DATA PROCESSING FOR PUBLIC HEALTH AND EPIDEMIOLOGICAL PURPOSES

The healthcare provider immediately forwards medical and personal identification data to the health administration authority if they detect or suspect an infectious disease.

The epidemiological authority may request the data subject’s identification data citing public health or epidemiological public interest.

6. REGISTRATION OF MEDICAL AND PERSONAL IDENTIFICATION DATA

Medical and personal identification data collected about the data subject necessary for treatment, as well as their transfer, must be registered. Records of data transfer must include the recipient, method, time of transfer, and the scope of transferred data.

The registration tool can be any data storage device that ensures protection of data against intentional destruction, loss, alteration, damage, disclosure, and ensures that unauthorized persons cannot access it.

The healthcare provider’s own notes form part of the registration.

6.1. Storage and Archiving Rules for Medical Documentation

Data related to the patient’s examination and treatment is contained in the medical documentation. Medical documentation must be maintained in a way that accurately reflects the care process.

The medical documentation must include:
– the patient’s personal identification data,
– for capable patients, the contact person to be notified; for minors or patients under guardianship, the name, address, and contact details of the legal representative,
– medical history,
– results of the first examination,
– diagnosis and examination results supporting the care plan, dates of examinations,
– name of the illness justifying care, underlying illness, accompanying illnesses and complications,
– name of other illnesses not directly justifying care, and risk factors,
– times and results of performed interventions,
– data regarding the patient’s drug hypersensitivities,
– name of the healthcare worker making the entry and time of entry,
– recording of information provided to the patient or other person entitled to information,
– fact of consent or refusal and their times,
– any other data and fact that could influence the patient’s recovery.

As part of medical documentation, the following must be preserved:
– test results,
– documents created during treatment and consultation,
– imaging diagnostic procedure recordings.

For medical documentation, special attention must be paid to ensuring it is detailed, professional, legible, and retrievable.

According to Section 30(1) of Act XLVII of 1997 on the Processing and Protection of Medical and Related Personal Data, medical documentation must be preserved for at least 30 years from data collection (50 years for final reports, 10 years for diagnostic imaging recordings, 30 years for reports made about recordings).

6.2. General Guidelines for Documentation Storage and Organization

The medical service provider providing specialist care establishes its own documentation storage rules, taking into account the possibilities available to it.

Documents must be protected against unauthorized access, theft, falsification, and physical destruction. When removing documents from the storage system, a simple but trackable system must be used.

7. DATA PROTECTION

7.1. Regulation of Data Protection Training

The leader is responsible for ensuring annual data processing and protection training for the service provider’s employees. The training must be documented.

The leader conducts and documents data protection preparation for new employees.

7.2. Data Security and Protection

The data controller, and the data processor within its scope of activities, must ensure data security and must take technical and organizational measures and establish procedural rules necessary for enforcing the Data Protection Act and other data and confidentiality protection rules.

Data must be particularly protected against unauthorized access, modification, transfer, disclosure, deletion or destruction, and accidental loss and damage. To ensure technical protection of personal data, special protective measures must be taken by the data controller, data processor, or telecommunications or IT equipment operator if personal data is transferred via network or other IT equipment.

Every person involved in data processing must proceed with the greatest possible care during their work to ensure data authenticity, preservation, and prevention of unauthorized access.

General accident and fire safety regulations must be considered during data storage and transfer.

7.3. Manually Processed Data

Data must be recorded on appropriate quality data carriers (traditional paper, forms) at creation. The person collecting the data is responsible for data legibility.

7.4. Electronically Stored Data

For electronically stored data, only registered data processors on the access list may process data. The data processor must log into the system with an individual, secret password. They must log out of the system after completing data processing. The data processor is responsible for password-protected data processing in the system. To prevent potential misuse, it is the data processor’s duty to ensure the secrecy of their individual password.

7.5. Procedure in Case of Data Damage

In case of damage to or destruction of medical and personal data, attempts must be made to restore the damaged data to the extent possible from other available data sources.

7.6. Planned Measures for Data Processing System Damage or Failure

The specialist medical service provider performs automatic backup of the computer system at specified intervals, thus ensuring continuous data backup.

7.7. Data Protection Officer

A data protection officer operates at the data controller.

7.8. Data Processors

Data processors related to diagnostic examinations:

SYNLAB Hungary Limited Liability Company
Headquarters: 1211 Budapest, Weiss Manfréd út 5-7.
Activity: 8622 Specialist outpatient care

AlpinMedix Healthcare Provider Limited Partnership
Headquarters: 2000 Szentendre, Rózsakert lakótelep 6. 1st floor 6.
Activity: 8622 Specialist outpatient care

MEDSERV Healthcare, Service and Commercial Limited Liability Company
Headquarters: 1047 Budapest, Fóti út 56. Building A
Activity: 8622 Specialist outpatient care

Semmelweis University Laboratory Medicine Institute Immunology Laboratory
Headquarters: 1083 Budapest Üllői út 78/a. 1st floor
Activity: 8622 Specialist outpatient care

Medicover Health Center Private Limited Company
Headquarters: 1134 Budapest, Váci út 29-31.
Activity: 8622 Specialist outpatient care

Wáberer Medical Center Limited Liability Company
Headquarters: 1055 Budapest, Kossuth Lajos tér 18. A. building 6th floor 1/A.
Activity: 8622 Specialist outpatient care

Positron-Diagnostics Healthcare Provider Ltd.
Headquarters: 1117 Budapest, Hunyadi János út 9-11.
Activity: 8622 Specialist outpatient care

Affidea Hungary Healthcare Provider Limited Liability Company
Headquarters: 1083 Budapest, Bókay János utca 44-46. 8th floor
Activity: 8622 Specialist outpatient care

Data processors related to health insurance care organization:

Foglaljorvost Online Ltd.
Headquarters: 2013 Pomáz, Mikszáth Kálmán u. 36/4.
Activity: 6312 Web portal services

Teladoc Hungary Consulting and Service Provider Limited Liability Company
Headquarters: 1083 Budapest, Szigony utca 26-32. 3rd floor
Activity: 8299 Other business support service activities n.e.c.

Global Assistance Ltd.
Headquarters: 1082 Budapest, Baross u 1.
Activity: 8299 Other business support service activities n.e.c.

Europ-Assistance Hungary Ltd.
Headquarters: 1132 Budapest, Váci út 36-38.
Activity: 6629 Other activities auxiliary to insurance and pension funding

Premium Fund Service Provider Limited Liability Company
Headquarters: 1138 Budapest, Dunavirág utca 2-6. Tower 3. building 5th floor
Activity: 8211 Combined office administrative service activities

Generali Insurance Plc.
Headquarters: 1066 Budapest, Teréz krt. 42-44.
Activity: 8211 Combined office administrative service activities

MP Health Ltd.
Headquarters: 1117 Budapest, Irinyi József utca 4-20. B2. building ground floor
Activity: 8622 Specialist outpatient care

HUNMED Partners Limited Liability Company
Headquarters: 1077 Budapest, Rózsa utca 38. Building A
Activity: 6209 Other information technology service activities

8. DATA CONTROLLER INFORMATION AND CONTACT DETAILS

Name: Geomedical Medical Ltd.
Data Controller Representative: Dr. Horváth Zsófia, Managing Director
Headquarters: 1066 Budapest Jókai utca 6.
Site: Geomedical Health Center 1066 Budapest Jókai utca 6.
Company Registration Number: 01-09-194235
Tax Number: 25005442-2-42
Phone: +3619999500
Email: info@geomedical.hu

Data Protection Officer: Antal Krisztina
Contact Details
Phone: +36308490517
Email: antal.krisztina@geomedical.hu

9. LEGAL REMEDIES

Legal remedies and complaints can be filed with the National Authority for Data Protection and Freedom of Information:

Name: National Authority for Data Protection and Freedom of Information
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Website: http://www.naih.hu
Email: ugyfelszolgalat@naih.hu

This Data Protection Policy is effective from December 1, 2024.

Approved by:
Dr. Horváth Zsófia
Managing Director