REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: the Regulation) requires that the Data Controller take appropriate measures to provide the data subject with all information relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and that the Data Controller facilitate the exercise of the data subject’s rights.
The obligation to provide prior information to the data subject is also prescribed by Act CXII of 2011 on Informational Self-Determination and Freedom of Information.
By means of the information set out below, we fulfil this statutory obligation.
The healthcare Data Controller
Name: Foxximed Kft.
Registered office: 1024 Budapest, Széll Kálmán tér 3. 1. em. 9. ajtó
Company registration number: 01-09-387467
OTH (National Public Health Service) number: 522448
Place of business: 1024 Budapest, Széll Kálmán tér 3. 1. em. 9. ajtó
Range of patients (NEAK [National Health Insurance Fund] / Private / both): Private
Responsible for the implementation of the data processing
Responsible manager: Dr. Pulay Zoltán Tamás, Dr. Magyar Dominika
Telephone number: 06 30 270 9420
E-mail address: info@foxxi.hu
Websites: https://foxximed.hu/, https://foxxi.hu/
Description of the participants in the data processing operations and of the data subjects:
Personnel: at the time of the creation of this data processing policy, the team is expanding and currently comprises 2 dental specialists and 1 dental hygienist, a headcount that may be supplemented in the future by additional employees and personal contributors.
Since the personal contributor dentist has a work-performance contract with the Data Controller, for the purposes of data processing and data security they are regarded as part of the personnel. In the event of an increase in headcount, the possible job positions are: dentist, dental specialist, dental assistant, receptionist, dental technician, management.
Size of the practice: At the time of the preparation of the introductory version of the policy, the size of the Data Controller’s practice is dynamically growing and can be estimated at 2,000–3,000 persons. Within 5 years this is expected to rise to 6,000–7,000 persons.
The data processors involved in the personal data processing activities of the Clinic, and their details, are contained in the Register of Data Processors maintained by the clinic, which may be inspected at the clinic; further information may also be requested in person or in electronic form.
In addition to all this, however, we draw your attention to the fact that certain website functions or services may not work properly without cookies.
You can find more detailed information about the cookies used by the Data Controller’s individual websites on https://foxxi.hu/ and https://foxximed.hu/ by clicking on the “Cookie Notice” on the websites.
The Clinic is committed to ensuring the exercise of the data subject’s rights in all of its data processing operations.
On the basis of the Act on the Processing and Protection of Health Data:
The patient (or their legal representative) is entitled to receive information about the data identifying their person and about their health data, and may inspect the data subject’s health documentation.
In dental care, the patient becomes aware of and accepts the completion of the given course of care. The dentist is responsible for the process of definitive care. The fact and reasons for the interruption or modification of the care process are recorded by the treating dentist in the patient documentation.
The interpretation of the right to information not related to data processing, in relation to the data subject as a patient:
Before the commencement of patient care, the possibility of immediately accessible information must be ensured for the patient in such a way that the Data Controller makes its relevant data processing notice available at all times in electronic and paper-based form at the Data Controller’s place of business. The patient confirms the provision of the information with their signature in a declaration handed over to them at the same time as the anamnesis questionnaire. The signed notice must be attached to the patient’s health documentation. Any restrictive declaration of the patient, if there is one, must also be attached to the patient’s documentation.
Information related to the patient’s treatment is provided to the patient by the dentist or healthcare specialist performing the patient’s treatment. The healthcare specialist providing care may also give information about the nursing aspects of the patient’s medical treatment. A healthcare specialist or other employee may not provide information about the patient’s medical treatment, unless the dentist performing the patient’s treatment has authorised them to do so in the case of the given patient, or where they independently perform care falling within their own field of competence (e.g. clinical dental hygiene).
By telephone, pursuant to Section 11(1) of the Eüak., no substantive information may be given about the patient’s medical treatment. By telephone, information may be given about the dates and durations of planned interventions and examinations, and about the planned interventions, provided that the patient can be clearly identified over the telephone (their voice is familiar to the Data Controller’s employee/personal contributor). By telephone, no information may be given to another person about the medical treatment of a given patient or patients.
1.1. The data controller must provide the data subject with all information relating to the processing of personal data and each piece of information in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular in the case of any information addressed specifically to children. The information must be provided in writing or by other means, including, where appropriate, by electronic means. At the data subject’s request, information may also be provided orally, provided that the identity of the data subject is proven by other means.
1.2. The data controller must facilitate the exercise of the data subject’s rights.
1.3. The data controller informs the data subject of the measures taken in response to their request relating to the exercise of their rights without undue delay and in any event within one month of receipt of the request. This time limit may be extended by a further two months under the conditions set out in the Regulation, of which the data subject must be informed.
1.4. If the data controller does not take measures in response to the data subject’s request, it informs the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking measures and of the possibility of the data subject lodging a complaint with a supervisory authority and exercising their right to a judicial remedy.
1.5. The data controller provides the information, as well as the information and measures relating to the data subject’s rights, free of charge; however, in the cases set out in the Regulation, a fee may be charged.
The detailed rules can be found under Article 12 of the Regulation.
2.1. The data subject is entitled to be informed of the facts and information related to the processing before the commencement of the processing. In this framework, the data subject must be informed of:
a) the identity and contact details of the data controller and its representative,
b) the contact details of the data protection officer (if there is one),
c) the purpose of the intended processing of the personal data and the legal basis for the processing,
d) in the case of processing based on the enforcement of a legitimate interest, the legitimate interests of the data controller or a third party,
e) the recipients of the personal data – to whom the personal data is disclosed – or the categories of recipients, if any;
f) where applicable, the fact that the data controller intends to transfer the personal data to a third country or international organisation.
2.2. In order to ensure fair and transparent processing, the data controller must inform the data subject of the following additional information:
a) the duration of storage of the personal data, or if that is not possible, the criteria used to determine that duration;
b) the data subject’s right to request from the data controller access to the personal data relating to them, the rectification, erasure or restriction of processing thereof, and to object to the processing of such personal data, as well as the data subject’s right to data portability;
c) in the case of processing based on the data subject’s consent, the right to withdraw consent at any time, which does not affect the lawfulness of the processing carried out on the basis of the consent before its withdrawal;
d) the right to lodge a complaint addressed to a supervisory authority;
e) whether the provision of personal data is based on a statutory or contractual obligation or is a precondition for concluding a contract, and whether the data subject is obliged to provide the personal data, as well as the possible consequences of failure to provide such data;
f) the fact of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved and about the significance and the envisaged consequences of such processing for the data subject.
2.3. If the data controller intends to carry out further processing of the personal data for a purpose other than that for which they were collected, it must inform the data subject, prior to that further processing, of that other purpose and of any relevant additional information.
The detailed rules on the right to prior information are contained in Article 13 of the Regulation.
3.1. Where the data controller has not obtained the personal data from the data subject, the data controller must inform the data subject – at the latest within one month of obtaining the personal data; if the personal data is used for the purpose of communicating with the data subject, at the latest at the time of the first communication with the data subject; or if disclosure to another recipient is envisaged, at the latest when the personal data is first disclosed – of the facts and information set out in point 2 above, as well as of the categories of personal data concerned, the source of the personal data and, where applicable, whether the data originates from publicly accessible sources.
3.2. For the further rules, the provisions set out in point 2 above (Right to prior information) shall apply.
The detailed rules on this information are contained in Article 14 of the Regulation.
4.1. The data subject is entitled to obtain from the data controller confirmation as to whether or not their personal data is being processed, and, where such processing is taking place, is entitled to obtain access to the personal data and to the related information set out in points 2–3 above (Article 15 of the Regulation).
4.2. Where personal data is transferred to a third country or international organisation, the data subject is entitled to be informed of the appropriate safeguards relating to the transfer pursuant to Article 46 of the Regulation.
4.3. The data controller must provide the data subject with a copy of the personal data undergoing processing. For any further copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs.
The detailed rules on the data subject’s right of access are contained in Article 15 of the Regulation.
5.1. The data subject is entitled to obtain from the Data Controller, at their request, the rectification without undue delay of inaccurate personal data concerning them.
5.2. Taking into account the purpose of the processing, the data subject is entitled to request the completion of incomplete personal data, including by means of a supplementary statement.
These rules are contained in Article 16 of the Regulation.
6.1. The data subject is entitled to obtain from the data controller, at their request, the erasure without undue delay of the personal data concerning them, and the data controller is obliged to erase the personal data concerning the data subject without undue delay where
a) the personal data is no longer necessary for the purpose for which it was collected or otherwise processed;
b) the data subject withdraws the consent on which the processing is based, and there is no other legal basis for the processing;
c) the data subject objects to the processing of their data and there is no overriding legitimate ground for the processing;
d) the personal data has been unlawfully processed;
e) the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the data controller is subject;
f) the personal data has been collected in relation to the offering of information society services offered directly to a child.
6.2. The right to erasure cannot be exercised where the processing is necessary
a) for the purpose of exercising the right of freedom of expression and information;
b) for compliance with an obligation under Union or Member State law to which the data controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
c) on grounds of public interest in the area of public health;
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the right to erasure is likely to render impossible or seriously impair the achievement of that processing; or
e) for the establishment, exercise or defence of legal claims.
The detailed rules on the right to erasure are contained in Article 17 of the Regulation.
7.1. Where processing has been restricted, such personal data may, with the exception of storage, only be processed with the data subject’s consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
7.2. The data subject is entitled to obtain from the Data Controller, at their request, the restriction of processing where one of the following applies:
a) the data subject contests the accuracy of the personal data, in which case the restriction relates to a period enabling the Data Controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the data and requests the restriction of its use instead;
c) the Data Controller no longer needs the personal data for the purposes of the processing, but the data subject requires it for the establishment, exercise or defence of legal claims; or
d) the data subject has objected to the processing; in which case the restriction relates to the period until it is established whether the legitimate grounds of the data controller override those of the data subject.
7.3. The data subject must be informed in advance of the lifting of the restriction of processing.
The relevant rules are contained in Article 18 of the Regulation.
The data controller communicates any rectification, erasure or restriction of processing to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. The data controller informs the data subject about those recipients if the data subject so requests.
These rules can be found under Article 19 of the Regulation.
9.1. Under the conditions set out in the Regulation, the data subject is entitled to receive the personal data concerning them which they have provided to a data controller in a structured, commonly used and machine-readable format, and is entitled to transmit this data to another data controller without hindrance from the data controller to which the personal data was provided, where
a) the processing is based on consent or on a contract, and
b) the processing is carried out by automated means.
9.2. The data subject may also request that the personal data be transmitted directly between data controllers.
9.3. The exercise of the right to data portability shall not prejudice Article 17 of the Regulation (The right to erasure (“the right to be forgotten”)). The right to data portability shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. This right shall not adversely affect the rights and freedoms of others.
The detailed rules are contained in Article 20 of the Regulation.
10.1. The data subject is entitled to object, on grounds relating to their particular situation, at any time to the processing of their personal data based on the public interest, the performance of a public-interest task (Article 6(1)(e)), or legitimate interest (Article 6(1)(f)), including profiling based on those provisions. In that case, the data controller may no longer process the personal data, unless the data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or which relate to the establishment, exercise or defence of legal claims.
10.2. Where personal data is processed for the purposes of direct marketing, the data subject is entitled to object at any time to the processing of personal data concerning them for such purposes, including profiling to the extent that it is related to such direct marketing. Where the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for such purposes.
10.3. At the latest at the time of the first communication with the data subject, these rights must be explicitly brought to the data subject’s attention, and the related information must be presented clearly and separately from any other information.
10.4. The data subject may also exercise the right to object by automated means using technical specifications.
10.5. Where personal data is processed for scientific or historical research purposes or statistical purposes, the data subject is entitled, on grounds relating to their particular situation, to object to the processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
The relevant rules are contained in the relevant Article of the Regulation.
11.1. The data subject is entitled not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning them or similarly significantly affects them.
11.2. This right shall not apply where the decision:
a) is necessary for entering into, or the performance of, a contract between the data subject and the data controller;
b) is authorised by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
c) is based on the data subject’s explicit consent.
11.3. In the cases referred to in points a) and c) above, the data controller is obliged to implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the data controller, to express their point of view and to contest the decision.
The further rules are contained in Article 22 of the Regulation.
Union or Member State law applicable to the data controller or data processor may, by way of a legislative measure, restrict the scope of the rights and obligations (Articles 12–22, Article 34 and Article 5 of the Regulation), where such a restriction respects the essence of the fundamental rights and freedoms.
The conditions for this restriction are contained in Article 23 of the Regulation.
13.1. Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller must communicate the personal data breach to the data subject without undue delay. This communication must describe in clear and plain language the nature of the personal data breach and contain at least the following:
a) the name and contact details of the data protection officer or other contact point providing further information;
c) a description of the likely consequences of the personal data breach;
d) a description of the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
13.2. The data subject need not be informed if any of the following conditions is met:
a) the data controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the data affected by the personal data breach, in particular those measures – such as the use of encryption – that render the data unintelligible to any person not authorised to access the personal data;
b) the data controller has taken subsequent measures following the personal data breach which ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
c) the communication would involve disproportionate effort. In such cases, the data subjects must be informed by means of publicly disclosed information or a similar measure must be taken whereby the data subjects are informed in an equally effective manner.
The further rules are contained in Article 34 of the Regulation.
The data subject is entitled to lodge a complaint with a supervisory authority – in particular in the Member State of their habitual residence, place of work or place of the alleged infringement – if the data subject considers that the processing of personal data relating to them infringes the Regulation. The supervisory authority with which the complaint has been lodged is obliged to inform the complainant of the procedural developments and the outcome of the complaint, including that the complainant is entitled to a judicial remedy.
These rules are contained in Article 77 of the Regulation.
You may seek a remedy by making a notification or complaint to the supervisory authority:
Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) (Hungarian National Authority for Data Protection and Freedom of Information)
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
www: https://www.naih.hu
e-mail: ugyfelszolgalat@naih.hu
15.1. Without prejudice to any other administrative or non-judicial remedy, every natural and legal person is entitled to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
15.2. Without prejudice to any other administrative or non-judicial remedy, every data subject is entitled to an effective judicial remedy where the competent supervisory authority does not handle a complaint or does not inform the data subject within three months of the procedural developments or outcome of the complaint lodged.
15.3. Proceedings against a supervisory authority must be brought before the court of the Member State where the supervisory authority is established.
15.4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority is obliged to forward that opinion or decision to the court.
These rules are contained in Article 78 of the Regulation.
16.1. Without prejudice to any available administrative or non-judicial remedy – including the right to lodge a complaint with a supervisory authority – every data subject is entitled to an effective judicial remedy where they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.
16.2. Proceedings against a data controller or data processor must be brought before the court of the Member State where the data controller or data processor has an establishment. Such proceedings may also be brought before the court of the Member State of the data subject’s habitual residence, unless the data controller or data processor is a public authority of a Member State acting in the exercise of its public powers.
These rules are contained in Article 79 of the Regulation.