The protection of your data
Privacy Policy
ARTDENTIST Limited Liability Company (registered office: 1165 Budapest, Nógrácverőce út 31.; hereinafter referred to as the Company) adopted the following privacy policy based on “REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (27 April 2016)” (hereinafter: the REGULATION), by resolution no. 2/2018. (05.24.) of its supreme body, which entered into force on 25 May 2018. This privacy policy is based on the data protection regulation adopted by resolution no. 1/2018. (05.24.) of the Company’s supreme body.
DATA CONTROLLER
- Company name: ARTDENTIST Limited Liability Company
- Tax number: 25460559-2-42
- Company registration number: 01-09-276465
- Registered office: 1165 Budapest, Nógrácverőce út 31.
- Phone number: +36-30-519-7820
- Email address: artdent@artdent.hu
- Website: artdent.hu
DATA PROCESSORS
Dental laboratory
- Company name: Dent Guide Fogászati Kft.
- Tax number: 25488892-1-13
- Registered office: 2000 Szentendre, Erdész köz 14.
Hosting provider
- Company name: Netdoor Kft.
- Address: 1055 Budapest, Nyugati tér 8. 1st floor, door 5
- Tax number: 22635813-2-41
- Company registration number: 01-09-936833
- Email address: info@serverkraft.hu
Marketing software
- Company name: MailerLite Limited
- Registered office: Ground Floor, 71 Lower Baggot Street, Dublin
- Website: https://www.mailerlite.com/legal/privacy-policy
This privacy policy is published on our Company’s website, www.artdent.hu, as well as displayed at our customer service clinic located at 1027 Budapest, Margit körút 1.
The REGULATION sets out rules on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. It protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data.
The Regulation applies to the processing of personal data wholly or partly by automated means, as well as to the non-automated processing of personal data which form part of a filing system or are intended to form part of a filing system.
The Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not.
The Regulation also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services to such data subjects in the Union, regardless of whether a payment from the data subject is required; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
The Regulation also applies to the processing of personal data by a controller not established in the Union, but in a place where the law of a Member State applies by virtue of public international law. The Company declares that it does not transfer data covered by this Regulation to third countries.
I. DEFINITIONS:
“personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“restriction of processing”: the marking of stored personal data with the aim of limiting their processing in the future;
“profiling”: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
“pseudonymisation”: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
“filing system”: any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
“controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
“processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
“recipient”: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
“third party”: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
“data subject’s consent”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
“personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
“genetic data”: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
“biometric data”: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
“data concerning health”: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
“main establishment”:
- for a controller with establishments in more than one Member State, the place of its central administration in the Union, unless decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment that took such decisions shall be considered to be the main establishment;
- for a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place, insofar as the processor is subject to specific obligations under this Regulation;
“Representative”: a natural or legal person established in the Union who is explicitly designated by the controller or processor pursuant to Article 27 in writing to represent the controller or processor with regard to their respective obligations under this Regulation.
“Enterprise”: a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in economic activity.
“Group of undertakings”: a controlling undertaking and its controlled undertakings.
“Binding corporate rules”: personal data protection policies adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within the same group of undertakings or group of enterprises engaged in a joint economic activity.
“Supervisory authority”: an independent public authority which is established by a Member State pursuant to Article 51.
“Concerned supervisory authority”: a supervisory authority which is concerned by the processing of personal data because:
- the controller or processor is established on the territory of the Member State of that supervisory authority;
- data subjects residing in the Member State of that supervisory authority are or are likely to be substantially affected by the processing; or
- a complaint has been lodged with that supervisory authority;
“Cross-border processing of personal data”:
- processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union, where the controller or processor is established in more than one Member State; or
- processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
“Relevant and reasoned objection”: an objection to a draft decision which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects or the free flow of personal data within the Union.
“Information society service”: a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council.
“International organisation”: an organisation and its subordinate bodies governed by public international law, or any other body which is set up by or on the basis of an agreement between two or more countries.
II. PRINCIPLES
Personal data shall be:
- processed lawfully, fairly, and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (“purpose limitation”);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).
The controller shall be responsible for, and be able to demonstrate compliance with, the above principles (“accountability”).
III. RIGHTS OF THE DATA SUBJECT
The controller shall take appropriate measures to provide any information relating to the processing of personal data to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. Where requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
- information at the time of data collection: the name and contact details of the controller and its representative (if any), the contact details of the data protection officer (if any), the purposes and legal basis of the processing, the consequences of failure to provide the data, the legitimate interest (in case of legitimate interest as the legal basis), categories and source of personal data (if not collected from the data subject), information on automated decision-making and profiling, recipients or categories of recipients, information on data transfers to third countries and safeguards, duration or criteria of data storage, rights of the data subject, right to lodge a complaint with a supervisory authority;
- right of access: the data subject has the right to obtain access to personal data and the following information: a copy of the personal data, the purposes of the processing, categories of personal data, data relating to automated decision-making and profiling, the source of the data (in case of data transfer), recipients to whom the data have been or will be disclosed, information on data transfers to third countries and safeguards, storage period and criteria, rights of the data subject, right to lodge a complaint with a supervisory authority;
- right to rectification: the data subject has the right to obtain without undue delay the rectification of inaccurate personal data and to have incomplete personal data completed, free of charge;
- right to erasure (“right to be forgotten”): the data subject has the right to obtain the erasure of personal data, and the controller is obliged to erase such data when the processing is no longer necessary, when the data subject withdraws consent and no other legal ground exists, in case of objection (unless overriding legitimate grounds exist), in case of unlawful processing, or for compliance with a legal obligation. If the controller has made the data public and is obliged to erase them, it shall take reasonable steps to inform other controllers of the data subject’s request for erasure of links, copies, or replications;
- right to restriction of processing: the controller shall restrict processing at the request of the data subject if the accuracy of the personal data is contested by the data subject, the processing is unlawful and the data subject opposes the erasure, the controller no longer needs the data but the data subject requires them for legal claims, or the data subject has objected to processing and verification is pending;
- right to data portability: the data subject has the right to receive the personal data provided to the controller in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller, or request direct transmission if technically feasible;
- rights related to automated decision-making and profiling: the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects him or her, unless it is necessary for the performance of a contract, authorized by law, or based on explicit consent;
- right to object: the data subject shall have the right to object to processing based on public interest, official authority, or legitimate interest, as well as direct marketing or profiling for direct marketing purposes. Processing shall cease unless compelling legitimate grounds or legal claims override the objection.
IV. DATA PROCESSING ACTIVITIES
1/ Data processing related to the website
If you wish to contact us via our website, the following personal data must be provided, which, under the REGULATION, qualify as personal data and are necessary for establishing and maintaining contact. Please note that your personal data will only be stored until the purpose of contact initiated by you is fulfilled. After this, your data will be destroyed. If further processing is needed, the data will be retained according to the relevant contractual terms.
Please note that this data processing is based on your consent. Without providing the above data, contacting us via the website will not be possible, and we will not be able to provide information.
personal data: name, email address, phone number, IP address
purpose of processing: necessary for contact and communication; in the case of IP address, necessary for technical operations
duration of processing: until the purpose of the contact is fulfilled
legal basis: data subject’s consent
Please note that our website uses security cookies, which do not process personal data, and therefore do not require consent. Their sole purpose is the transmission of communication over an electronic communications network. You may delete cookies at any time via your browser’s Tools/Settings – Privacy menu.
Please note that the website is operated by the data controller. The website uses a hosting service provider, which qualifies as a data processor under the REGULATION:
- Company name: Netdoor Kft.
- Address: 1055 Budapest, Nyugati tér 8. 1st floor, door 5
- Tax number: 22635813-2-41
- Company registration number: 01-09-936833
- Email address: info@serverkraft.hu
The hosting provider is authorized to process all personal data provided by the data subject, for the purpose of ensuring proper operation and accessibility of the website. Processing lasts until the agreement with the provider terminates or the data subject requests deletion. The legal basis is the data subject’s consent, as well as relevant provisions of the Info Act and the Act on Electronic Commerce Services.
personal data: all personal data provided on the website
purpose of processing: essential for website operation
duration of processing: until the hosting agreement ends
legal basis: data subject’s consent
Rights related to data processing are described in Sections V and VI of this policy.
2/ Camera usage
The purpose of data processing is to protect the property of the equipment, furniture, and dental technology devices located in the clinic operated at the Company’s premises, as well as to ensure the quality assurance of medical treatments. The data controller informs the data subjects that the camera system does not record image or sound. ARTDENTIST Kft. only records footage in such manner and extent in the clinic that is compliant with the recommendations of the NAIH and the relevant legislation. Only Dr. Artúr Varajti has access to the recordings, which are not disclosed or made accessible to third parties. The processing of data is based on the explicit consent of the data subject.
During the camera surveillance, ARTDENTIST Kft. processes the facial image and voice of the data subjects. The installed cameras are capable of producing recordings that allow the individual identification of the persons involved. The legal basis for processing is the authorization under Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information. The circumstances and conditions of the processing are defined by the provisions of this Act.
ARTDENTIST Kft. declares that appropriate security measures have been implemented to protect personal data appearing on the recordings from unauthorized access, alteration, transmission, recording, disclosure, deletion or destruction, as well as from accidental destruction, damage, and inaccessibility due to changes in technology.
ARTDENTIST Kft. has ensured that employees with access to the data have been appropriately informed of the data protection requirements.
personal data: the data subject’s facial image and voice
purpose of processing: property protection and quality assurance
duration of processing: no recording is made
legal basis: data subject’s consent
Data controller:
- Company name: ARTDENTIST Limited Liability Company
- Tax number: 25460559-2-42
- Company registration number: 01-09-276465
- Registered address: 1165 Budapest, Nógrácverőce út 31.
- Phone number: +36-30-519-7820
- Email: artdent@artdent.hu
- Website: artdent.hu
Rights related to data processing are described in Sections V and VI of this policy.
3/ Processing of personal and special categories of data
Please note that under the REGULATION, the data controller processes personal and special categories of data in connection with the provision of dental services, including your health data. This includes all your personal data and medical history related to dental treatment.
The legal basis for processing is Act XLVII of 1997 on the Processing and Protection of Health and Related Personal Data, the authorization of the Info Act, and the data subject’s consent. Following data collection, the data shall be processed for a minimum of 30 years under the health data regulations.
In order for you to receive healthcare services in our clinic, and for the protection of your life and physical integrity, it is essential that the data controller processes and records your health data. The form to be filled out prior to treatment is used by the treating physician to be informed of all relevant health data – in addition to special data, this also includes personal data necessary for patient identification – required for treatment, as well as to reduce or eliminate treatment-related risks (e.g. allergic reactions).
The data controller declares that the data are processed on paper and in a separate electronic system, accessible only to designated processors employed by the Company. The data controller informs the data subject that special category data will only be transferred to third parties if a dental technician is required for the treatment.
personal and special categories of data: all personal data of the data subject and health data strictly necessary for the treatments
purpose of processing: property protection-based surveillance not affecting treatments
duration of processing: 1 year
legal basis: data subject’s consent
Data processor:
- Company name: ARTDENTIST Limited Liability Company
- Tax number: 25460559-2-42
- Company registration number: 01-09-276465
- Registered address: 1165 Budapest, Nógrácverőce út 31.
- Phone number: +36-30-519-7820
- Email: artdent@artdent.hu
- Website: artdent.hu
The data controller informs the data subject that in the event of detecting a communicable disease, it is legally authorized and obligated to forward the subject’s health and identification data to the relevant public authorities.
Rights related to data processing are described in Sections V and VI of this policy.
4/ Accounting obligations arising from contractual economic transactions
Please note that our Company is required by law to maintain double-entry bookkeeping. Accordingly, we are obliged to engage a licensed accountant or accounting company to perform bookkeeping. In order for our Company to fulfill its invoicing obligations under the Accounting Act, the VAT Act, and the Act on the Rules of Taxation, personal data must be transferred to the accounting company, which in this case qualifies as a data processor.
personal data: all personal data of the data subject that are required by law to be included on invoices subject to strict accounting rules (name, address)
purpose of processing: compliance with legal obligations
duration of processing: 8 years
legal basis: data subject’s consent, legal authorization
5/ Newsletter-related data
The controller sends advertisements or promotional messages (newsletters) – including postal mail – to the electronic addresses provided during registration only with the user’s explicit consent, and in accordance with the relevant legal requirements. Users may unsubscribe from the newsletter at any time by:
- using the link provided at the bottom of the newsletter, or
- sending an email to artdent@artdent.hu, or
- sending a letter to 1165 Budapest, Nógrácverőce út 31.
V. INFORMATION ABOUT DATA PROCESSING AND COMPLAINT HANDLING
The data controller shall take appropriate measures to provide the data subject with all information and notifications regarding the processing of personal data in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, especially in the case of any information addressed to children. Information shall be provided in writing or by other means, including, where appropriate, electronically. At the request of the data subject, the information may be provided orally, provided that the identity of the data subject has been otherwise verified.
The data controller shall facilitate the exercise of the data subject’s rights. The data controller shall not refuse to act on the request of the data subject to exercise their rights, unless the controller demonstrates that it is not in a position to identify the data subject.
The data controller shall provide information on action taken on a request to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The data controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
If the data controller does not take action on the request of the data subject, it shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
The information and actions shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the data controller may:
- charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
- refuse to act on the request.
The burden of demonstrating the manifestly unfounded or excessive character of the request shall lie with the data controller.
Where the data controller has reasonable doubts concerning the identity of the natural person making the request, it may request the provision of additional information necessary to confirm the identity of the data subject.
The information provided to the data subject may be supplemented by standardised icons to give, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended data processing. Where presented electronically, the icons shall be machine-readable.
In its founding resolution No. 3/2018 (05.24.), the Company designated Dr. Artúr Varajti (telephone number: +36 20 218 5343) as the data controller responsible for contact with data subjects.
For the purpose of complaint handling, the following data must be provided by the data subject, which are used exclusively for identification and contact:
- name, address, phone number, email address, description of the complaint
Our Company informs you that in the event of unlawful data processing by our Company, you may file a complaint with the competent Authority at the following contact:
- Hungarian National Authority for Data Protection and Freedom of Information
- 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
- 1530 Budapest, P.O. Box: 5.
- +36-1-391-1400
Our Company also informs you that in the event of unlawful data processing, you have the right to take legal action.
VI. DATA PROTECTION INCIDENT
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The data controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall communicate the personal data breach to the data subject without undue delay. The communication to the data subject shall not be required if any of the following conditions are met:
- the data controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach – in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- the data controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to above is no longer likely to materialise;
- it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
If the data controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the breach resulting in a high risk, may require it to do so.
Our Company informs you that in the event of unlawful data processing by our Company, you may file a complaint with the competent Authority at the following contact:
- Hungarian National Authority for Data Protection and Freedom of Information
- 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
- 1530 Budapest, P.O. Box: 5.
- +36-1-391-1400
In its founding resolution No. 3/2018 (05.24.), Dr. Artúr Varajti (telephone number: +36 20 218 5343) was appointed by the Company as the data controller responsible for contact with data subjects.
Our Company also informs you that in the event of unlawful data processing, you have the right to take legal action.
VII. FINAL PROVISIONS
The data controller undertakes to ensure the security of personal data under its control, and shall take all technical measures to ensure that the data collected, stored or processed are protected, and shall make every effort to prevent their destruction, unauthorised use or alteration.
The data controller reserves the right to unilaterally amend this statement, while notifying the users. The data controller will publish information on any changes to this privacy statement on the Website. By using the service after the changes take effect, the user acknowledges the provisions of the amended statement through implied conduct.
VIII. CONTACT
We welcome your questions, comments and requests regarding our Privacy Statement at the following address:
- ARTDENTIST KFT. (registered office: 1165 Budapest, Nógrácverőce út 31.)
- Email: artdent@artdent.hu
- Phone: +36 30 519 7820