Privacy Policy

PREAMBLE

The head of the healthcare provider offering specialist medical care determines the procedure for data processing of health data by the healthcare provider’s organizational units as follows.

1. GENERAL PROVISIONS

1.1 General Provisions

The purpose of this Policy is to determine the legal order for managing records kept at healthcare providers offering specialist medical care, to ensure the constitutional principles of data protection, compliance with data security requirements, and to prevent unauthorized access, modification of data and unauthorized disclosure.

1.2 Purpose of Health Data Processing

Health and personal identification data may be processed for the following purposes:
– Promoting health preservation, improvement, and maintenance
– Facilitating effective treatment activities by the healthcare provider, including supervisory activities
– Monitoring the health status of the person concerned
– Taking measures necessary for public health and epidemiological purposes
– Enforcement of patient rights

Health and personal identification data may be processed for purposes other than those specified above only if, after being appropriately informed, the person concerned or their legal or authorized representative (hereinafter together: legal representative) gives consent that expresses a voluntary, clear and informed will and credibly evidences that a proper declaration was made.

Only as much health and personal identification data may be processed for data processing purposes as is strictly necessary to achieve the data processing purpose.

2. RIGHTS OF DATA SUBJECTS AND ENFORCEMENT OF RIGHTS

The data subject has the right to:
– Request information about the processing of their personal data
– Request correction of their data and – except for legally mandated data processing – deletion
– Object to the processing of their personal data
– Turn to court in case of violation of their rights

2.1 Right to Information

Upon request by the data subject, the data controller shall provide information about the data it processes, the purpose, legal basis, and duration of data processing, and who receives the data and for what purpose. Additionally, the data subject may request a copy of their processed data.
The data controller shall provide the information in writing, in an understandable form, within the shortest possible time but no later than 30 days from the submission of the request.

2.2 Correction

The data controller must correct any data that does not correspond to reality. The data subject may request restriction of processing if they dispute the accuracy of the processed personal data; in this case, the restriction applies to the period that allows the data controller to verify the accuracy of the personal data.

2.3 Data Deletion

The data subject may request the deletion or restriction of use of processed personal data if, in their opinion, the personal data is no longer needed for the purpose for which it was collected or otherwise processed, or if, in their opinion, the personal data is being processed unlawfully.

2.4 Right to Object

The data subject may object to the processing of data at any time for reasons related to their own situation if the legal basis is the legitimate interest of the data controller or others. In case of objection, the data controller may not process personal data for marketing purposes at all, and for other purposes only if it proves that the processing is justified by compelling legitimate reasons that take precedence over the interests, rights, and freedoms of the data subject, or that are related to the submission, enforcement, or defense of legal claims. Restriction of processing may also be requested simultaneously with the objection.

2.5 Judicial Enforcement

In case of violation of their rights, the data subject may turn to court against the data controller. The court shall hear the case in an expedited procedure. The Metropolitan Court having jurisdiction over the data controller’s registered office, or – at the data subject’s choice – the regional court having jurisdiction over the data subject’s residence or place of work shall proceed. Legal representation is mandatory in the proceedings. The data controller must prove that the processing complies with legal requirements.

2.6 Compensation

Any person who has suffered material or non-material damage as a result of a breach of data protection requirements is entitled to compensation for material damage suffered and compensation for non-material damage from the data controller. All data controllers involved in the data processing shall be liable for any damage caused by unlawful data processing.

The data controller is also liable to the data subject for damage caused by the data processor it uses. The data controller or data processor shall be exempt from this liability if it proves that it is in no way responsible for the event causing the damage.

3. DATA PROCESSING BY HEALTHCARE NETWORK ORGANIZATIONS

Within the healthcare network, unless otherwise provided by law, the following are entitled to process health and personal identification data:
– The healthcare provider
– The head of the service provider, and
– The person authorized by the head of the service provider

During the processing of health and personal identification data, data security must be ensured against accidental or intentional destruction or loss, alteration, damage, disclosure, and to prevent unauthorized access.

3.1 Data Collection

During data collection, the time of data collection and the identity of the data collector must be recorded in the medical documentation.
Every note and entry in the patient’s documentation must be authenticated with a signature or initials, and if necessary, with a date. In case of electronic data processing, clear identification of the person making the entry must also be ensured.

3.2 Data Modification

If entered data needs to be modified due to error or other reasons, this can only be done in a way that allows the original data to be determined. Modifications must also be initialed; in case of electronic data processing, the system must ensure clear identification of the person making the entry and logging of the entry.

3.3 Data Deletion

Data may only be deleted based on this Policy. During deletion, data protection regulations must be observed, particularly regarding unauthorized access. During deletion, manually processed data must be physically destroyed; in case of electronically stored data, they must be irreversibly altered. Deletion can only be performed with the permission of the clinic head.

4. DATA PROCESSING FOR SPECIALIST MEDICAL CARE

Collection of health data is part of specialist medical care. The provision of health and personal identification data by the treated person (legal representative) is voluntary – except for personal identification data mandatorily required for accessing healthcare. In cases where the treated person voluntarily turns to the service provider, their consent for processing health and personal identification data related to the treatment shall be considered given in the absence of a contrary declaration, and the data subject (legal representative) must be informed of this.

The data subject (legal representative) is obliged to provide their health and personal identification data at the request of the healthcare provider:
– If it is probable or confirmed that they are infected by a disease pathogen or suffering from an infectious disease or infection-originated poisoning
– If needed for screening and fitness examinations
– In case of acute poisoning
– If it is probable that the data subject suffers from an occupational disease
– If data provision is necessary for the treatment, health preservation, or protection of a minor child
– If ordered by the competent authority for law enforcement, crime prevention purposes, or during prosecutor’s office, court proceedings, or administrative proceedings
– If data provision is necessary for screening purposes under the law on national security services

In cases of emergency and when the treated person lacks decision-making capacity, voluntary consent shall be presumed.
During treatment, data must be recorded in the medical documentation according to professional standards. The treating specialist physician decides which health data – beyond the mandatory data – needs to be collected according to professional standards.

Recording of data not directly related to the patient’s treatment should be avoided.
During treatment, the management of medical documentation must be organized so that only those involved in the treated person’s care have access to the documentation and the patient’s personal data.

4.1 Protection of Medical Confidentiality

The healthcare provider and other persons employed by the service provider are bound by confidentiality obligations indefinitely regarding data about the patient’s health condition and other information learned during work. The confidentiality obligation applies regardless of how the information was obtained.
The healthcare provider is bound by confidentiality even towards other healthcare providers who did not participate in the patient’s treatment, except when the data is necessary for the treated person’s further treatment.
The confidentiality obligation may be waived in writing by the patient or based on legal data provision obligations.
To protect medical confidentiality, all employees of the service provider must commit to maintaining medical confidentiality. This obligation must be included in or attached to the employee’s job description.

4.2 Persons Present During Treatment

During treatment, the treating physician and other persons participating in patient care may be present, as well as those whose presence the patient has consented to.
While respecting the patient’s human rights and dignity, the following persons may be present during treatment without the data subject’s consent:
– Other persons if the treatment order requires simultaneous care of multiple patients
– A professional member of the police force if treatment is provided to a detained person
– A member of the prison service in service relationship if treatment is provided to a person serving a custodial sentence in a penitentiary institution, and this is necessary for the security of the treating healthcare provider or to prevent escape
– If for law enforcement purposes the patient’s personal security warrants it and the patient is in a state incapable of making declarations

Beyond those specified above, the following may be present:
– Someone who has previously treated the patient for the given illness
– Someone who has been given permission by the service provider’s head for professional reasons. In this case, the treated person’s explicit objection must be respected.

For healthcare professional training purposes, the following may be present: physician, medical student, healthcare professional, healthcare college or vocational school student, provided that the healthcare provider is designated for training the specified person. In this case, the treated person’s consent is not needed, but patients must be informed in the patient information about the provider’s teaching nature and professional training.
The treated person may give consent verbally to the treating physician.

4.3 Right to Information and Obligation to Inform, Patient’s Right to Information

Before beginning treatment, the patient must be informed about the service provider’s data protection policy. Informing the patient about data protection is the duty of the treating specialist physician. The patient confirms receiving the information with their signature. The signed information sheet must be attached to the patient’s medical documentation. Any restrictive declaration by the patient must also be attached to the patient’s documentation.
Information about the treated person’s treatment is provided by the specialist physician treating the patient. Healthcare professionals may also provide information about nursing aspects of the patient’s treatment. Healthcare professionals and other employees may not provide information about the patient’s treatment unless authorized by the treating physician for that specific patient. Information is provided in person.
No substantive information about the patient’s treatment may be given by telephone.
Regarding the patient’s rights concerning their personal data, the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), the law on the processing and protection of health and related personal data, and the healthcare law apply. In the case of psychiatric patients, the patient’s right to access medical documentation may exceptionally be restricted if there is reasonable grounds to believe that accessing the medical documentation would greatly endanger the patient’s recovery or violate other persons’ personality rights. Only the physician is authorized to order such restriction. The patient rights representative and the patient’s legal or authorized representative must be notified immediately of the restriction order.

4.4 Information for Relatives and Other Persons

When registering with the service provider or later, the patient may specify which persons may receive partial or full information about their illness, its expected outcome, changes in their health condition, and who should be excluded from such information.

4.5 Right to Access Medical Documentation

The patient (legal representative) is entitled to receive information about their personal identification and health data and may access the medical documentation.

During their healthcare treatment for a given illness, the patient has the right to authorize in writing a specified person to access their medical documentation and make copies of it. After the completion of the patient’s healthcare treatment, only a person authorized by the patient in a private document with full probative value is entitled to access the medical documentation and make copies of it. During the patient’s life or after their death, their spouse, direct-line relative, sibling, and domestic partner – based on written request – are also entitled to access health data if the health data is needed to discover causes affecting the life or health of these persons and their descendants or for their healthcare purposes; and accessing or inferring the health data in another way is not possible.

In specialist care, the patient acknowledges and accepts the completion of a given treatment process. The specialist physician is responsible for the definitive treatment process. The treating physician records in the patient documentation the fact and reasons for interrupting or modifying the treatment process.

5. DATA PROCESSING FOR PUBLIC HEALTH AND EPIDEMIOLOGICAL PURPOSES

The healthcare provider immediately forwards health and personal identification data to the health administration authority if they detect or suspect an infectious disease.

The epidemiological authority may request the data subject’s personal identification data citing public health or epidemiological public interest.

6. REGISTRATION OF HEALTH AND PERSONAL IDENTIFICATION DATA

Health and personal identification data collected about the data subject necessary for treatment, as well as their transfer, must be registered. Records of data transfer must include the recipient, method, time of transfer, and the scope of transferred data.
The registration tool can be any data storage device that ensures protection of data against intentional destruction, loss, modification, damage, disclosure, and prevents unauthorized access.
The healthcare provider’s own notes form part of the registration.

6.1 Storage and Archiving of Medical Documentation

Data related to the patient’s examination and treatment is contained in the medical documentation. Medical documentation must be maintained in a way that accurately reflects the treatment process.
Medical documentation must include:
– The patient’s personal identification data
– For capable patients, the name, address, and contact details of the person to be notified; for minors or patients under guardianship, the legal representative’s details
– Medical history
– Results of the first examination
– Diagnosis and examination results supporting the treatment plan, dates of examinations
– Name of the illness justifying treatment, underlying illness, accompanying illnesses and complications
– Name of other illnesses not directly justifying treatment and risk factors
– Time and results of performed interventions
– Data about the patient’s drug allergies
– Name of the healthcare worker making the entry and time of entry
– Record of information provided to the patient or other authorized person
– Fact of consent or refusal and their timing
– Any other data or fact that may influence the patient’s recovery

The following must be preserved as part of medical documentation:
– Test results
– Documents created during treatment and consultation
– Medical imaging diagnostic procedure images

Special attention must be paid to ensuring that medical documentation is detailed, professional, legible, and retrievable.
According to Section 30(1) of Act XLVII of 1997 on the Processing and Protection of Health and Related Personal Data, medical documentation must be retained for at least 30 years from data collection (50 years for discharge summaries, 10 years for diagnostic imaging records, 30 years for reports of images).

6.2 General Principles of Documentation Storage and Organization

The healthcare provider offering specialist medical care establishes its own documentation storage rules considering its possibilities.
Documents must be protected against unauthorized access, theft, falsification, and physical destruction. A simple but traceable system must be used when removing documents from the storage system.

7. DATA PROTECTION

7.1 Regulation of Data Protection Training

The head is responsible for ensuring annual data processing and protection training for service provider employees. Training must be documented.
The head conducts and documents data protection training for new employees.

7.2 Data Security, Protection of Data

The data controller and data processor within their scope of activity must ensure data security and take technical and organizational measures and establish procedural rules necessary to enforce the Data Protection Act and other data and confidentiality protection rules.
Data must be protected particularly against unauthorized access, modification, transfer, disclosure, deletion or destruction, and accidental destruction and damage. The data controller, data processor, or telecommunications or IT equipment operator must take special protection measures to ensure technical protection of personal data if personal data is transferred via network or other IT equipment.

Everyone involved in data processing must act with the greatest expected care during their work to ensure data authenticity, preservation, and prevention of unauthorized access.
General accident and fire safety regulations must be considered during data storage and transfer.

7.3 Manually Processed Data

Data must be recorded on appropriate quality data carriers (traditional paper, forms) at creation. The person collecting the data is responsible for data legibility.

7.4 Electronically Stored Data

For electronically stored data, only registered data processors on the access list may process data. The data processor must log into the system with an individual, secret password. They must log out of the system after completing data processing. The data processor is responsible for password-protected data processing in the system. To prevent potential misuse, it is the data processor’s duty to ensure the secrecy of their individual password.

7.5 Procedure in Case of Data Damage

In case of damage to or destruction of health and personal data, attempts must be made to restore damaged data to the extent possible from other available data sources.

7.6 Planned Measures for Data Processing System Damage or Failure

The healthcare provider performs automatic security backup at specified intervals in the computer system, thus making data backup continuous.

7.7 Data Protection Officer

A data protection officer operates at the data controller.

8. DATA CONTROLLER INFORMATION, CONTACT

Healthcare Provider: Geomedical Medical Ltd.
Headquarters: 1066 Budapest Jókai u.6.
Site: Geomedical Health Center
1066 Budapest Jókai u.6.
Company Registration Number: 01-09-194235
Tax Number: 25005442-2-42
Phone: +36/19999500
Email: info@geomedical.hu

Data Protection Officer contact: toth.attila@geomedical.hu

9. LEGAL REMEDIES

For legal remedies and complaints, you may contact the National Authority for Data Protection and Freedom of Information:

Name: National Authority for Data Protection and Freedom of Information
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Website: http://www.naih.hu
Email: ugyfelszolgalat@naih.hu

Date: Budapest, June 05, 2020

Approved by:
Miklós Zórándy