Privacy notice

Introduction

We have prepared this data processing information sheet to ensure the transparency of our data processing procedures. We update it regularly to provide healthcare service users with up-to-date and accurate information about what happens to the personal data they provide to us and why.

This information sheet explains who exactly processes your data in connection with Móra-Vitál Outpatient Care and Balneotherapy Centre, why they process it, and on what legal basis they may process this personal data. We provide information about who has access to your data and why. You can find out what your rights are and how you can exercise them.

When using our services, data subjects provide us with personal data. This personal data is necessary for the provision of our services, so in most cases, the use of healthcare services makes our data processing lawful.

The Data Controller shall always process personal data that comes to its attention in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), Act CXII of 2011 on the right to self-determination and freedom of information (Info tv.), Act V of 2013 on the Civil Code (Ptk.), Act CVIII of 2001 on certain issues related to information society services, and the provisions of this Notice, and only to the extent necessary to achieve the purpose of data processing.

The Móra-Vitál Outpatient Care and Balneotherapy Centre reserves the right to change this information. Up-to-date information is available at all times at /data-processing-information/. If the data subject continues to use the Data Controller's services after receiving this information, this shall be deemed to constitute acceptance of the amended provisions of the Information Notice.

This Notice does not cover the processing of data on websites linked to from the Website, nor the processing of data of persons to whom the Data Controller transfers personal data.

The Data Controller shall process personal data collected directly from data subjects and received from other data controllers in accordance with this Notice. If we process data in order to enforce our legitimate interests, we shall always carry out a balancing test prior to processing.

In order to successfully provide our healthcare services, we may in certain cases transfer data to third parties (e.g. to our IT system partners or government databases). Similarly, it is unavoidable to use data to fulfil our legal obligations (e.g. legislation requires us to issue invoices to our customers, and our accountant also has access to these invoices, and we record the data in the IT systems of state organisations).

In providing our services, we undertake to ensure that all data processing carried out by us is performed in accordance with this information document and in compliance with the applicable laws.

The Móra-Vitál Outpatient Care and Balneotherapy Centre sets out its data processing principles below, presenting the expectations it has set for itself as a data controller and which it complies with. Its data processing principles are in line with the applicable data protection laws, in particular the following:

  • Act CXII of 2011 on the right to informational self-determination and freedom of information (Infotv.);
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR);
  • Act V of 2013 – on the Civil Code (Ptk.);
  • Act C of 2000 – on accounting (Accounting Act);
  • Act XLVII of 1997 on the protection of health and related personal data (EAVT);
  • Act CLIV of 1997 on healthcare (hereinafter referred to as Eü.tv.);
  • Decree No. 62/1997 (XII.21.) NM on certain issues concerning the processing of health and related personal data (hereinafter: R.);
  • Act C of 2000 on Accounting (hereinafter: Szt.)
  • Act XXV of 2023 on complaints, reports in the public interest, and rules relating to the reporting of abuses

Identification of the data controller

When using our services and visiting our buildings and events, you provide us with personal data. In legal terms, we process your personal data as a data controller, and we determine the purposes and means of data processing as an obligation imposed on us by law.

Data controller: Móra-Vitál Outpatient Care and Balneotherapy Centre

Registered office and postal address: 6782 Mórahalom, Szent László park 3.

Telephone: 06 62 280-123

Tax number: 15849540-2-06

Email: moravital@morahalom.hu

Web: https://moravital.morahalom.hu

Leader: Dr Balázs Pécsy, Head of Institution

Data Protection Officer

The Móra-Vitál Outpatient Care and Balneotherapy Centre, in compliance with Article 37 of the GDPR, has appointed the following organisation as its data protection officer: Maxentrop Kft, address: 7174 Kéty, Petőfi u.2/A, e-mail: dpo@maxentropia.hu

Rules for the processing of personal data

Based on the principle of lawful, fair and transparent data processing, as Data Controller, we process personal data lawfully, fairly and in a manner that is transparent and traceable to you.

As a data controller, we comply with the principle of purpose limitation by collecting personal data only for predefined, clear and lawful purposes, and we do not process them in a manner incompatible with those purposes. 

We would like to draw your attention to the fact that, in accordance with Article 89(1) of the Regulation, further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes. 

The principle of data minimisation is applied by ensuring that, as Data Controller, we only process relevant personal data to the extent necessary for our activities and in an appropriate manner.

In accordance with the principle of accuracy, the Regulation stipulates that personal data must be accurate and, where necessary, kept up to date; to this end, as Data Controller, we shall take all reasonable measures to ensure that personal data that are inaccurate in relation to the purposes of the processing are erased or rectified without delay.

In accordance with the principle of limited storage, as Data Controller, we store personal data in a form that allows your identification only for as long as is necessary to achieve the purposes of processing personal data. Personal data may only be stored for longer than this if the processing of personal data is necessary for archiving purposes in the public interest, for scientific and historical research purposes or for statistical purposes, subject to the implementation of appropriate technical and organisational measures provided for in the Regulation in order to safeguard your rights and freedoms.

In order to enforce the principles of integrity and confidentiality, as Data Controller, we process personal data in such a way that appropriate technical or organisational measures are applied to ensure the adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage. 

In order to implement the principle of accountability, as Data Controller, we take responsibility for the practices described in section 4 in relation to the processing of personal data, and we are able to demonstrate compliance with the principles set out in the Regulation.

Lawfulness of data processing, "legal grounds"

The processing of personal data is lawful only if at least one of the following conditions is met: 

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes; 
  • data processing is necessary for the performance of a contract to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into a contract; 
  • data processing is necessary for compliance with a legal obligation to which the Data Controller is subject; 
  • data processing is necessary to protect the vital interests of the Data Subject or another natural person; 
  • data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller; 
  • data processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data, in particular where the Data Subject is a child.

We process personal data only in a lawful, fair and transparent manner for our customers.

We only collect data for specific purposes, which we communicate to the individuals concerned in advance.

We never collect more data than is necessary to achieve the purpose.

We do everything we can to ensure that the data we process is accurate and up to date, and we correct or delete incorrect data as quickly as possible. We only store data for a limited period of time; once it is no longer necessary to store it, we delete it or anonymise it as required.

When taking photographs at public events, we provide brief verbal or written information, before the start of the event and on an advertising platform related to the event, about the following:

  • the recipient,
  • the purpose of data processing,
  • the location of the recordings,
  • how the data subject may request that the recording not be made public,
  • how the recording can be deleted, and
  • where detailed and comprehensive information on data processing can be found.

Therefore, as a general rule, we must obtain the voluntary consent of the parents concerned before publishing the photos.

We would like to draw the attention of those providing data to the Móra-Vitál Outpatient Care and Balneotherapy Centre to the fact that, if they are not providing their own personal and health data, it is the data provider's responsibility to obtain the consent of the data subject.

Our data processing activities are summarised in the following table:

Data processing related to healthcare activities

  • Processed data: data processing arising from health visitor service obligations
  • Legal basis: Act CXXIII of 2015 on basic healthcare; Act XLVII of 1997, Section 4
  • Storage period: Act XLVII of 1997 on the processing and protection of health and related personal data, Section 30

Data processing related to specialist healthcare

  • Processed data: data processing arising from obligations to organise specialist services
  • Legal basis: Act CXXIII of 2015 on basic healthcare; Act XLVII of 1997, Section 4
  • Storage period: Act XLVII of 1997 on the processing and protection of health and related personal data, Section 30

Data processing related to health spa care

  • Processed data: data processing arising from obligations to organise spa care
  • Legal basis: Act CXXIII of 2015 on basic healthcare; Act XLVII of 1997, Section 4
  • Storage period: Act XLVII of 1997 on the processing and protection of health and related personal data, Section 30

Data processing related to wellness services

  • Processed data: data processing arising from contractual obligations
  • Legal basis: necessary for compliance with legal obligations
  • Storage period: 8 years

Data processing arising from job applications

  • Processed data: processing of data relating to prospective employment, CVs, copies of certificates
  • Legal basis: the legitimate interest of the data controller
  • Storage period: for the mandatory retention period specified in the Archives Act

Data processing arising from employment

  • Processed data: processing of data arising from employment
  • Legal basis: Act LXVI of 1995
  • Storage period: as specified in the Act

Complaint handling, service support, service guarantee, billing

  • Processed data: surname, first name, postcode (title, town, country, address, email address, telephone number optional)
  • Legal basis: legal obligation under Act XXV of 2023
  • Storage period: for the mandatory retention period specified in the Archives Act

Invoicing, issuing invoices in accordance with accounting regulations

  • Processed data: billing name, postcode, town, street, house number, floor, door
  • Legal basis: necessary for compliance with legal obligations
  • Storage period: 8 years

Using cameras in public spaces: Protection of human life, physical integrity, personal freedom, property; and related violations (prevention and detection of fraud, abuse, and other criminal offences). Location and field of view of cameras

  • Processed data: images of persons entering the camera's field of view, certified conduct, and possibly identity documents
  • Legal basis: the legitimate interest of the data controller
  • Storage period: 7 days

Cookies used by the website to improve the user experience

  • Processed data: pages opened by the user, sessions, 4 required, 1 functional, 3 advertisements, 2 others
  • Legal basis: consent (you may withdraw your consent at any time)
  • Storage period: 365 days

The "Can't find what you're looking for? Send us a message!" feature on the website improves the user experience, access to services, and provision of information.

  • Processed data: name, address
  • Legal basis: consent (you may withdraw your consent at any time)
  • Storage period: retention period according to consumer protection law, until revoked

Personal data arising from social media presence, access to services, provision of information

  • Processed data: registration details
  • Legal basis: consent (you may withdraw your consent at any time)
  • Storage period: until revoked

Principles governing data processing at the Móra-Vitál Outpatient Care and Balneotherapy Centre

Details of health data processing

Purpose of processing health and personal identification data (Section 4 of Act XLVII of 1997):

  • promoting the preservation, improvement and maintenance of health,
  • promoting effective medical treatment for patients, including professional supervision,
  • monitoring the health status of the person concerned,
  • taking measures necessary for public health [Section 16], public health and epidemiological reasons,
  • enforcing patients' rights.

Act XLVII of 1997, Section 4(3): Health and personal identification data may also be processed for purposes other than those specified in paragraphs (1) and (2) with the written consent of the data subject or his or her legal or authorised representative (hereinafter collectively referred to as "legal representative") based on adequate information.

Scope of data processed:

  • the patient's personal identification data (first and last name, maiden name, gender, place and date of birth, mother's maiden name and first name, place of residence, place of stay, social security identification number (TAJ number), nationality, native language, mailing address, telephone number, e-mail address, tax identification number, student status, name and address of higher education institution, data specified in the service contract);
  • in the case of care financed by an insurer, the details of the insurer/insurance policy;
  • in the case of care financed by a health insurance fund, the details of the health insurance fund;
  • in the case of a patient capable of acting, the name, address and contact details of the person to be notified;
  • in the case of minors or patients under guardianship with partially or completely restricted legal capacity, the name, address and contact details of their legal representative;
  • medical history, medical records;
  • the test result;
  • the test results on which the diagnosis and treatment plan are based, the date on which the tests were performed;
  • the name of the illness justifying the care, the underlying illness, accompanying illnesses and complications;
  • other illnesses not directly justifying the treatment, and the risk factors; 
  • the time of the procedures performed and their results;
  • medication and other therapies, their results;
  • data concerning the patient's hypersensitivity to medication;
  • the content of the information provided to the patient or other persons entitled to receive information;
  • the patient's statement of consent to healthcare, which is required on the basis of the patient's right to self-determination;
  • the fact and date of any refusal of healthcare by the patient under the conditions set out in Eü.tv.;
  • any other information and facts that may influence the patient's recovery.

Duration of data processing: Section 30 of Act XLVII of 1997 on the processing and protection of health and related personal data

Data transfer

In the case of services provided on the basis of social security, the Data Controller is obliged to forward the data specified in the relevant legislation (name, address, TAJ number, place and date of birth, type of treatment provided) to the OEP, which processes the data and performs the data processing activities required by law for the OEP. The record of the data transfer must include the recipient, method and date of the data transfer, as well as the scope of the data transferred. 

The legal basis for the mandatory transfer of data to the competent authority as required by the Health Insurance Act and the Health Care Act (including the mandatory transfer of data to the National Health Insurance Fund if the patient uses health care services covered by social security) is compliance with a legal obligation under Article 6(1)(c) of the GDPR. In other cases, the legal basis is, pursuant to Article 6(1)(b) of the GDPR, the performance of a contract concluded with the Data Controller as a healthcare provider.

Data protection

By registering for our services, you consent to the processing and handling of your personal data as described in this privacy policy for the purpose of providing the services you have requested. We undertake to treat the personal data of persons using our services as confidential and to take responsibility for ensuring full compliance with the data protection legislation in force at any given time. We comply in all respects with data protection legislation, including Act CXII of 2011 on the right to self-determination and freedom of information ("Info Act") and other relevant legislation. We apply the concepts related to personal data in accordance with the provisions of the Info Act. Otherwise, we reserve the right to modify the information provided in this privacy policy without prior notice in the event of changes in the relevant legal provisions or legal practice.

We process personal and health data exclusively on the basis of the consent of the data subject or in order to fulfil our legal obligations. Móra-Vitál Outpatient Care and Balneotherapy Centre uses your personal and health data exclusively in accordance with the data processing consent you have given, within the framework thereof and in accordance with the provisions of the relevant legislation. Data processing complies with this purpose at all stages. All personal and health data that you voluntarily provide to us or that we process in accordance with the provisions of the relevant legislation will be recorded, processed and handled for the purpose of providing the services you have requested. We only ask you to provide the data that is necessary for the performance of these services. In this regard, we undertake to comply fully with the following data protection guidelines:

  • We collect and process personal data fairly and lawfully.
  • We collect personal and health data only for specific, lawful purposes and do not use it for any other purpose.
  • The method of data processing and storage is such that the data subject can only be identified for as long as is necessary for the purpose of data processing.
  • We only process data that is essential for the purpose of data processing.
  • The data we process is accurate, complete and, where necessary, up to date.
  • Data is not stored for longer than is necessary to achieve the purpose of its use.
  • When processing data, we fully guarantee the rights of data subjects as set out in the Info Act and other relevant legislation.
  • We take the technical and organisational measures and establish the procedural rules necessary to prevent the unauthorised or unlawful use of personal data, as well as the loss, damage or destruction of data.

By giving your consent to data processing, you consent to the processing, storage and handling of your personal data as described above.

We only allow third parties to access the stored data in the manner described in this information notice. We will only transfer your personal and health data to third parties in order to comply with our legal obligations or with your express consent, in accordance with legal requirements, and only if such third parties have undertaken to comply with the applicable data protection provisions in relation to us.

Please note that you are responsible for the accuracy of your personal and health data. We accept no liability for damages resulting from false data.

Dear Guests and Patients,

We hereby inform you that the Móra-Vitál Outpatient Care and Balneotherapy Centre, located at 6782 Mórahalom, Szent László park 3, operates an electronic surveillance system. The institution's electronic surveillance systems are managed by an IT specialist who performs system administration tasks.

The Móra-Vitál Outpatient Care and Balneotherapy Centre operates an indoor surveillance system. The rules of use for this system are set out in the Fundamental Law of Hungary, Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: Info tv.), Act I of 2012 on the Labour Code (hereinafter: Mt.), Act CXXXIII of 2005 on the rules of personal and property protection and private investigation activities (hereinafter referred to as Szv tv.), and Act XXXIV of 2019 on the legislative amendments necessary for the implementation of the European Union's data protection reform.

Please note that data processing is considered to be in the legitimate interest of the Móra-Vitál Outpatient Care and Balneotherapy Centre if you enter a room monitored by CCTV after reading this information notice.

Scope of data processed:

  • the facial images and other personal data of patients, guests, doctors and employees visible on camera recordings.

The electronic surveillance system operates 24 hours a day, seven days a week.

The recordings stored by the camera surveillance and recording system operated by the Móra-Vitál Outpatient Care and Balneotherapy Centre may only be viewed by authorised persons for the purpose of proving offences committed against human life, physical integrity and property, identifying the perpetrator, or investigating other incidents and accidents affecting life or physical integrity.

  • We act lawfully in the course of data processing, as we comply with the fundamental provisions of Section 4(1) and (2) of the Info Act, which is the principle of purpose-bound and fair data processing.
  • As a general rule, we store recorded footage for 30 working days.
  • Recorded material may only be reviewed in cases of suspected offences or criminal acts, or in the event of an accident at work.
  • The Móra-Vitál Outpatient Care and Balneotherapy Centre can certify that the internal monitoring system it uses is compatible with the principle of purpose limitation set out in Section 4(1) and (2) of the Info Act and with the balancing of interests test. Personal data may only be processed for specific purposes, for the exercise of legal rights and for the fulfilment of obligations.
  • The cameras' viewing angles can only be directed at the target area, so we only monitor our own property or areas in our own use.
  • If, at the initiative of the director of the Móra-Vitál Outpatient Care and Balneotherapy Centre, the competent body or authority has initiated proceedings and has informed the director of the Móra-Vitál Outpatient Care and Balneotherapy Centre thereof within the prescribed time limit, the director of the Móra-Vitál Outpatient Care and Balneotherapy Centre may process the recorded footage until it is forwarded to the body or authority entitled to initiate proceedings, provided that the duration of data processing does not exceed 30 days.

The Móra-Vitál Outpatient Care and Balneotherapy Centre also observes the principles of the Info tv. when reviewing recorded footage. The institution's IT specialist, who performs system administration tasks, has the necessary authorisation. Access to recordings, the name of the person performing the access, the reason for accessing the data and the time of access are recorded in a log. In order to ensure the secure handling of personal data, the data stored on the servers detailed below is protected by a personalised username and password, which can be used to determine who is authorised to access the data and when they accessed it.

Data may only be transferred to the authorities or courts conducting proceedings in cases of unlawful conduct or breach of obligations. The data transferred may include recordings made by the camera system containing relevant information, as well as the names of any persons appearing in the recordings.

Location of installed cameras and monitored area:

  • CAM01 – Lift to the second floor
  • CAM02 – Boiler room, second floor and waiting area
  • CAM03 – Server room, second floor and waiting area
  • CAM04 – Lift to first floor and stairwell
  • CAM05 – Administration, first floor and waiting area
  • CAM06 – Ramp, first floor and corridor
  • CAM07 – Lift ground floor and stairwell
  • CAM08 – Reception area in front of the ground floor
  • CAM09 – Emergency entrance Ground floor between two doors
  • CAM10 – Emergency entrance outside
  • CAM11 – Statue outside
  • CAM12 – Main entrance ground floor and gate
  • CAM13 – Passageway Ground floor, former reception area
  • CAM14 – Reception area behind the counter on the ground floor
  • CAM15 – Reception area behind the counter on the ground floor
  • CAM16 – Reception area behind the counter on the ground floor
  • CAM17 – Office 1 – office safe and institutional key
  • CAM18 – Office lobby
  • CAM19 – Office 2 – office safe

The cameras' viewing angles can only be directed at the target area, so we only monitor our own property or areas in our own use.

Safety measures

We do everything we can to keep your data safe in the course of our data processing activities.

To this end, our primary goals are:

  • to ensure that only our employees and partners who have been specifically authorised to do so have access to your data,
  • to prevent unauthorised access, unauthorised alteration, unauthorised disclosure or unauthorised deletion of your personal data,
  • to store your data accurately, avoiding data loss, and to be able to restore the data in the event of a problem,
  • to ensure that in the event of a data protection incident, the authorities and data subjects are notified as soon as possible.

Móra-Vitál Outpatient Care and Balneotherapy Centre implements appropriate technical and organisational measures to ensure data security, taking into account the state of science and technology, in order to protect the data processed, including:

  • Our responsible agents and employees use operating systems and software with the latest security updates when performing their duties.
  • We encrypt our backups.
  • We delete personal data that is no longer required or anonymise it for statistical purposes.
  • Our hosting provider's servers operate in a secure data centre.

We regularly review our security measures, record the necessary actions in our internal Security Regulations, and our employees always perform their duties in accordance with the current regulations. Móra-Vitál Outpatient Care and Balneotherapy Centre stores personal data on IT equipment located at its headquarters and branches, as well as on servers located in the secure data centre of its hosting provider.

The Móra-Vitál Outpatient Care and Balneotherapy Centre selects and operates the IT tools used for the processing of personal data in the course of providing its services in such a way that the data processed:

  • is accessible to those authorised to do so (availability);
  • has its authenticity and verification ensured (authenticity of data processing);
  • has integrity that can be verified (data integrity);
  • is protected against unauthorised access (data confidentiality).

The Móra-Vitál Outpatient Care and Balneotherapy Centre protects data with appropriate measures, in particular against unauthorised access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction, damage, and inaccessibility resulting from changes in the technology used. In order to protect the data files managed electronically in its various registers, the Móra-Vitál Outpatient Care and Balneotherapy Centre uses appropriate technical solutions to ensure that the stored data cannot be directly linked to or assigned to the data subject, unless permitted by law. The Móra-Vitál Outpatient Care and Balneotherapy Centre takes technical, organisational and structural measures to ensure the security of data processing in line with the current state of technology, providing a level of protection appropriate to the risks associated with data processing.

During data processing, the Móra-Vitál Outpatient Care and Balneotherapy Centre shall preserve:

  • confidentiality: protects information so that only those who are authorised to access it can do so;
  • integrity: protects the accuracy and completeness of information and processing methods;
  • availability: ensures that when an authorised user needs it, they can actually access the desired information and that the necessary tools are available.

The IT system and network of Móra-Vitál Outpatient Care and Balneotherapy Centre and its partners are protected against computer-assisted fraud, espionage, sabotage, vandalism, fire and flood, as well as computer viruses, computer intrusions and denial-of-service attacks. The operator ensures security through server-level and application-level protection procedures.

We inform users that electronic messages transmitted over the Internet, regardless of protocol (e-mail, web, ftp, etc.), are vulnerable to network threats that may lead to dishonest activity, contract disputes, or the disclosure or modification of information. The data controller shall take all reasonable precautions to protect against such threats. The systems are monitored in order to record any security breaches and provide evidence in the event of any security incidents. System monitoring also allows the effectiveness of the precautions taken to be verified.

Data protection incidents

A data protection incident involves a breach of confidentiality, accessibility or integrity. The most common data protection incidents are: loss of portable data storage devices (e.g. USB sticks), theft of mobile devices (e.g. laptops), misdirected transmission of personal data, and attacks on IT systems. The Data Controller is responsible for preventing data protection incidents, handling them when they occur, and complying with and enforcing the relevant legal requirements. 

The head of the Data Controller is obliged to report any data protection incidents that come to their attention to the competent supervisory authority. The report must be made without undue delay, no later than 72 hours after becoming aware of the data breach.

In the event of an incident, we will clearly and comprehensively explain the nature of the data protection incident to the data subject, communicate the content of the mandatory report to the supervisory authority, and provide information on all steps that the data subject can take to protect themselves from the consequences of the incident. The information provided to the data subject will always be sent in the form of a separate message (by e-mail, or failing that, by post, or failing that, by SMS). 

We will not inform the data subject about the data breach if:

  • we have implemented appropriate technical and organisational protection measures and applied these measures to the data affected by the data breach;
  • following the data breach, we have taken further measures to ensure that the high risk to the rights and freedoms of the data subject is unlikely to materialise in the future; 
  • the provision of information would require a disproportionate effort. In such cases, we will inform the data subjects by means of publicly available information (by publishing a notice on our website or issuing a press release) or take similar measures to ensure that the data subjects are informed in a similarly effective manner.

Data transfer and data processors

In order to provide specialist healthcare services and for the technical operation of IT systems, we use external service providers. Upon request, we will inform you about who we transfer data to, with whom we may jointly process data, and which data processors we use. 

Transfer of data to third countries

The Móra-Vitál Outpatient Care and Balneotherapy Centre does not transfer the personal data it collects to third countries outside the EU. If it does, it will inform the data subject and require its third-country partner to comply with Regulation (EU) 2016/679 in its data processing activities.

Rights of data subjects

We hereby inform you that, as a data subject under the EU General Data Protection Regulation (EU GDPR), you have the following rights in relation to the processing of your personal data.

Right to information

The Móra-Vitál Outpatient Care and Balneotherapy Centre shall take appropriate measures to provide data subjects with all information relating to the processing of personal data referred to in Articles 13 and 14 of the GDPR and all information referred to in Articles 15 to 22 and 34, in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Access to personal data

You may request in writing a copy of your personal data stored by us, either in full or in relation to a specific transaction, provided that we process your personal data. If you request access to your personal data processed by us, we will also provide you with the following information:

  • the purpose and legal basis of data processing
  • the categories of personal data concerned
  • the recipients or categories of recipients to whom we have disclosed or will disclose personal data
  • where applicable, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
  • a description of your further rights (correction, deletion or restriction, and objection)
  • the possibility and method of submitting a complaint to the supervisory authority

With this information, you can find out how and why we use your data and ensure that we process your data lawfully.

Correction of personal data

If any data in our database is incorrect or your details have changed, we will update the data upon request.

Deletion of personal data

You may request that we delete your personal data stored by us. Upon your request, we will delete or anonymise your data, but only if we no longer need it for the purpose for which we originally collected it, or if we do not need it to comply with our legal obligations.

Restriction of processing of personal data

Restriction means that your personal data may only be processed with your consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of public interest of the Union or of a Member State. You may request that we restrict the processing of your data in the following cases:

  • if you dispute the accuracy of the data, you may restrict the processing of the data for the period during which we verify the accuracy of the data
  • if the data processing is unlawful, but you only wish to have the processing restricted instead of having the data erased
  • if we no longer need the data, but you require it for the establishment, exercise or defence of legal claims
  • if you have objected to data processing, the restriction applies for the period until it is determined whether our legitimate grounds take precedence over your legitimate grounds

Objection to the processing of personal data

In certain cases, you have the right to object to the processing of your personal data, for example, if the legal basis for our processing is legitimate interest. In this case, we may no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

Data portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format, and you have the right to transmit this data to another data controller, provided that the legal basis for data processing is consent or the performance of a contract and the data processing is carried out by automated means.

Automated decision-making in individual cases, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

Right of withdrawal

You have the right to withdraw your consent to the processing of data processed on the basis of voluntary consent at any time. Withdrawal does not affect the lawfulness of data processing prior to withdrawal.

How to file a complaint to enforce your rights

If you have any questions or comments regarding the processing of personal data, please contact the Data Controller or the Data Protection Officer (DPO). 

If the Data Controller does not take action on your request without delay, and at the latest within one month of receiving it, the Data Protection Officer will inform you of the reasons for not taking action and that you may lodge a complaint with the supervisory authority and exercise your right to judicial remedy. The Data Controller shall inform you of the legal remedies available at your request.

If you believe that the Data Controller has violated your rights regarding the processing of personal data, you may take legal action. The court has jurisdiction over the case. At your discretion, the lawsuit may also be brought before the court of the Data Subject's place of residence or place of stay. The Data Subject may also submit their complaint regarding data processing directly to the authority: 

National Authority for Data Protection and Freedom of Information, 1055 Budapest, Falk Miksa utca 9-11. Postal address: 1363 Budapest, Pf. 9. Telephone: +36-1-3911400, Fax: +36-1-3911410, Website: https://naih.hu, E-mail: ugyfelszolgalat@naih.hu, Online case initiation: https://naih.hu/online-uegyinditas.html

Appendix: terms

  1. „personal data” means any information relating to an identified or identifiable natural person („data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  2. „data processing”: any operation or set of operations performed on personal data or data files, whether automated or not, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  3. „restriction of processing”: marking stored personal data with a view to limiting their future processing;
  4. „profiling”: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
  5. „pseudonymisation”: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
  6. „filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed according to functional or geographical criteria;
  7. „data controller” means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  8. „processor”: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
  9. „recipient”: a natural or legal person, public authority, agency or any other body to whom personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
  10. „third party” means a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  11. „consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  12. „personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  13. „genetic data” means all personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or health of that natural person, resulting primarily from the analysis of a biological sample taken from that natural person;
  14. „biometric data” means any personal data relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
  15. „health data” means personal data relating to the physical or mental health of a natural person, including data relating to health care provided to a natural person which reveal information about the health status of that natural person;
  16. „centre of operations”: (a) in the case of a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union, and that other establishment has the power to implement decisions regarding the purposes and means of the processing, that establishment shall be considered the centre of operations; (b) in the case of a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the place of business within the Union where the main processing activities in relation to the activities carried out at the place of business of the processor take place, insofar as the processor is subject to the obligations laid down in this Regulation;
  17. „representative” means a natural or legal person established in the Union by the controller or processor, designated in writing by the controller or processor pursuant to Article 27, who represents the controller or processor with regard to their obligations under this Regulation;
  18. „undertaking”: any natural or legal person engaged in economic activity, regardless of its legal form, including partnerships and associations engaged in regular economic activity;
  19. „group of undertakings” means the controlling undertaking and the undertakings controlled by it;
  20. „binding corporate rules”: rules for the protection of personal data which are complied with by a controller or processor established in the territory of a Member State of the Union with regard to transfers or a set of transfers of personal data to a controller or processor in one or more third countries within the same group of undertakings or the same group of undertakings engaged in a joint economic activity;
  21. „supervisory authority” means an independent public authority established by a Member State in accordance with Article 51;
  22. „supervisory authority concerned” means the supervisory authority which is concerned by the processing of personal data on any of the following grounds: (a) the controller or processor has an establishment on the territory of the Member State of that supervisory authority; (b) the processing significantly affects or is likely to significantly affect data subjects residing in the Member State of that supervisory authority; or (c) a complaint has been lodged with that supervisory authority;
  23. „cross-border processing of personal data” means: (a) the processing of personal data in the Union in the context of the activities of establishments in more than one Member State of a controller or processor; or (b) the processing of personal data in the Union in the context of the activities of a single establishment of a controller or a processor and which substantially affects or is likely to substantially affect data subjects in more than one Member State;
  24. „relevant and well-founded objection”: an objection raised against a draft decision, alleging that this Regulation has been infringed or that the proposed measure against the controller or processor is not in accordance with this Regulation; the objection must clearly demonstrate the significance of the risks to the fundamental rights and freedoms of data subjects and, where applicable, to the free flow of personal data within the Union posed by the draft decision;
  25. „information society service” means a service within the meaning of Article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council;
  26. „international organisation” means an organisation governed by public international law, or its subordinate bodies, or any other body which has been set up by, or on the basis of, an agreement between two or more countries.

Last update of the data processing policy: 01.06.2024

Dr. Balázs Pécsy
head of institution
