szegi medical center, dianostic tests, aesthetic treatments, specialist clinics
Szegi Medical Center

Privacy Notice

Privacy Notice For the websites of Szegi Medical Center Limited Liability Company.
v 1.1
Effective from May 12, 2023

Szegi Medical Center Ltd. (Reg. No.: 01-09-323148; registered office: 1052 Budapest, Haris köz 5, 1st floor 1) hereby informs Users about data processing related to the use of its websites at szegimed.com in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or “GDPR”).

When designing the provisions of this Notice, the company has taken particular account of the General Data Protection Regulation of the European Parliament and the Council (GDPR), Act CXII of 2011 on the right to informational self-determination and freedom of information (“Infotv.”), Act V of 2013 on the Civil Code (“Ptk.”), Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activities (“Grtv.”), Act CVIII of 2001 on certain issues of electronic commerce services and information society services, as well as Act C of 2000 on accounting (regarding the issuance and preservation of documents), Act CXIX of 1995 on the processing of name and address data for the purpose of research and direct acquisition, and the provisions of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, adopted in Strasbourg on 28 January 1981, published in Act VI of 1998, and the recommendations of the “ONLINE PRIVACY ALLIANCE.”

This Privacy Policy may be unilaterally modified by Szegi Medical Center Ltd. The current version of this Privacy Policy will be published on the szegimed.com website. This Privacy Policy shall enter into force upon its publication.

1. Definitions

1.1 Data file: the totality of data stored in a register;

1.2 Data processing: any operation or set of operations performed on Personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.3 Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

In the case of the Services referred to in this Privacy Notice, the Data Controller is: Szegi Medical Center Ltd. (Reg. No.: 01-09-323148; registered office: 1052 Budapest, Haris köz 5, 1st floor 1) hereinafter referred to as the “Data Controller.” The Data Controller is an economic company registered in Hungary, which operates and develops its own websites, social media platforms associated with them, and a webshop.

1.4 Personal data or data: any information relating to an identified or identifiable natural person (data subject).

1.5 Data processor: a service provider who processes personal data on behalf of the data controller.

1.6 Website(s): the websites operated by the Data Controller and the social media platforms associated with the websites.

1.7 Service(s): the services provided by the Data Controller.

1.8 User: the natural person who provides their data listed in point 2 below in order to use the Services.

1.9 Employee: the natural person who is in an employment or other employment relationship with the Data Controller.

1.10 Potential employee: the natural person who applies for a position advertised by the Data Controller.

1.11 External service provider: third-party service provider partners used by the Data Controller, to whom personal data may be or are transmitted for the provision of their services, or who may transmit personal data to the Data Controller. External service providers also include those service providers who do not cooperate with the Data Controller, but collect data about Users by accessing the Websites, which, alone or in combination with other data, may be used to identify Users.

1.12 Notice: the data processing notice of the Data Controller.

1.13 Data erasure: the complete physical destruction of the data carrier containing the data.

1.14 Data transmission: making the data accessible to a specific third party; Public disclosure: making the data accessible to anyone.

1.15 Data deletion: making the data unrecognizable in such a way that their restoration is not possible.

1.16 Automated data file: a series of data processed automatically.

1.17 Machine processing: it includes the following operations, if they are carried out in whole or in part by automated means: storage of data, logical or arithmetic operations on data, modification, deletion, retrieval, and transmission of data.

1.18 System: the technical solutions operated by the Data Controller and its partners that enable access to their pages and services via the internet.

2. Scope of processed personal data

2.1 When the User visits any of the surfaces of the Websites, the Data Controller’s system automatically records the User’s IP address.

2.2 Depending on the User’s decision, the Data Controller may process the following data in connection with the use of the Services available through the Websites: name, place of residence, place of stay, telephone number, email address, profile picture, customer identification number registered with the Data Controller, and the content of telephone conversations with the Data Controller.

2.3 If the User sends a message (e.g., email, reader letter) to any of the Services, or contacts them by phone, the Data Controller records the User’s address, email address, telephone number, time of the call, and processes them to the extent and duration necessary for the provision of the service.

2.4 The Data Controller processes the following personal data of speakers and participants of events organized by them: name, professional title (Dr, prof, etc.), email address, position, telephone number, secondary telephone number, name of the company with which they are in contact, sectoral and activity interests, membership rights entitling to discounts, and biographical data of speakers.

2.5 In the case of occasional prize draws organized by the Data Controller, the following personal data may be processed: name, date of birth, address, email, telephone number, occupation, membership in a pension fund and the name of the pension fund concerned, and the personal data specified in the advertisement of the prize draw.

2.6 In connection with the operation of the website service, the Data Controller may process the following personal data: name, place of residence, place of stay, telephone number, email address, as well as personal data related to billing, such as the name and address for billing provided by the User, and personal data related to the selected products to be purchased and the selected payment method.

2.7 In connection with contracts concluded by the Data Controller, the Data Controller may process the name, telephone number, and email address of the authorized representative and the contact person of the contracting party.

2.8 Regardless of the above, it may occur that a service provider technically related to the operation of the Services carries out data processing on one of the Websites without informing the Data Controller. Such activity does not qualify as data processing by the Data Controller. The Data Controller will do everything in its power to prevent and filter out such data processing activities.

3. What personal data do we process, for how long, what do we use them for, and based on what authorization?

The legal bases for our data processing are as follows:

a) the User’s voluntary consent to data processing based on appropriate information according to Article 6(1)(a) of the GDPR (hereinafter: Consent);

b) the processing is necessary for the performance of a contract in which the data subject is a party, according to Article 6(1)(b) of the GDPR (hereinafter: Contract performance);

c) the processing is necessary for compliance with a legal obligation to which the Data Controller is subject, according to Article 6(1)(c) of the GDPR (e.g., compliance with accounting obligations – hereinafter: Compliance with legal obligation);

d) the processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, according to Article 6(1)(f) of the GDPR (hereinafter: Legitimate interest);

e) processing permitted by Act CVIII of 2001 on certain issues of electronic commerce services and information society services, specifically Section 13/A, which permits the processing of natural person identification data (name, birth name, mother’s birth name, place and date of birth) and address for the purpose of establishing, determining the content, modifying, monitoring performance, invoicing the fees resulting from, and asserting the claims arising from the contract for the provision of information society services, as well as the processing of natural person identification data, address, and data relating to the time, duration, and location of the service use without the consent of the User for the purpose of invoicing the fees resulting from the contract for the provision of information society services (hereinafter: Elkertv.) The legal basis for data processing is determined separately for each category of data and purpose of data processing, with reference to the above list.

3.1. In the case of data processing related to the general use of the websites operated by Szegi Medical Center Ltd., the legal basis for processing is the User’s voluntary consent based on appropriate information (hereinafter: Consent).

ABCDEF
Data SubjectData categoryData sourceThe purpose of data processing is the establishmentLegal basis for data processingData Retention Period
Registered UserIdentification of the processed transactionCollected from the data subjectEstablishment, determination, modification, and fulfillment of contractsAccording to points (a) and (b) of column D: Pursuant to Section 13/A of the Law. §Until the fulfillment of legal obligations or the existence of legitimate interests.
Invoicing of fees arising from contracts 
Assertion and enforcement of rights and claims, prevention and management of fraudAccording to points (a) and (b) of column D, in case of the following purposes:
 GDPR Article 6(1)(b) – Performance of a contract
  
 According to point (c) of column D, in case of the following purposes:
 GDPR Article 6(1)(f) – Legitimate interests
Amount of the processed transaction

Collected from the data subject

Establishment, determination, modification, and fulfillment of contractsAccording to points (a) and (b) of column D: Pursuant to Section 13/A of the Law. §From the date of registration for the purpose of contract fulfillment and invoicing, for a period of 8 years from the date of user deletion (reason: invoicing data).

Until the fulfillment of legal obligations or as long as there is a legitimate interest.

Invoicing of fees arising from contracts 

Assertion and enforcement of rights and claims, prevention and management of fraud

In the case of purposes indicated in column D, points a) and b):

 

GDPR Article 6(1)(b) – Performance of a contract

  
 

In the case of the purpose indicated in column D, point b):

 

GDPR Article 6(1)(c) – Compliance with a legal obligation – issuance of invoices

  
 

In the case of purposes indicated in column D, point c):

 

GDPR Article 6(1)(f) – Legitimate interests

Subject of the processed transaction (purchased product, service)Collected from the data subjectEstablishment, determination, modification, and fulfillment of contractsAccording to points (a) and (b) of column D: Pursuant to Section 13/A of the Law. §

From the date of deletion of the user’s registration, for a period of 8 years (justification: billing data), in order to fulfill the contract and for invoicing purposes.

Until the withdrawal of consent.

Invoicing of fees arising from contracts  
Assertion and enforcement of rights and claims, prevention and management of fraudIn the case of purposes indicated in column D, points a) and b): 
 GDPR Article 6(1)(b) – Performance of a contract 
   
 

In the case of the purpose indicated in column D, point b):

 
 

GDPR Article 6(1)(c) – Fulfillment of a legal obligation – issuance of invoices

 
   
 

In the case of purposes indicated in column D, point c):

 
 

GDPR Article 6(1)(f) – Legitimate interest

 
Shipping addressCollected from the data subjectEstablishment, determination, modification, and fulfillment of contractsIn the case of the purpose indicated in column D, point a): Pursuant to Section 13/A of the Law.  §Until the fulfillment of legal obligations or the existence of legitimate interests.
Assertion and enforcement of rights and claims, prevention and management of fraud 
 

In the case of the purpose indicated in column D, point a):

 

GDPR Article 6(1)(b) – Fulfillment of a contract

  
 

In the case of the purposes indicated in column D, point b):

 

GDPR Article 6(1)(f) – Legitimate interest

Billing name and addressCollected from the data subjectEstablishment, determination, modification, and fulfillment of contractsIn the case of the purpose indicated in column D, point a): Pursuant to Section 13/A of the Law.  §From the date of registration for the purpose of contract fulfillment and invoicing, for a period of 8 years from the date of user deletion (reason: invoicing data).

Until the fulfillment of legal obligations or as long as there is a legitimate interest.

Invoicing of fees arising from contracts  
Assertion and enforcement of rights and claims, prevention and management of fraudIn the case of purposes indicated in column D, points a) and b): 
 

GDPR Article 6(1)(b) – Fulfillment of a contract

 
   
 

In the case of the purposes indicated in column D, point b):

 
 

GDPR Article 6(1)(c) – Compliance with a legal obligation – issuance of invoices

 
   
 

In the case of the purposes indicated in column D, point c):

 
 

GDPR Article 6(1)(f) – Legitimate interest

 

GPS coordinates if authorized by the user

Collected from the data subject’s mobile deviceProfiling for behavior-based advertising display, and understanding customer preferencesGDPR Article 6(1) Consent

Until the withdrawal of consent.

Providing the data marked with an asterisk (*) is mandatory, without which usage is not possible. The provision of this data is a prerequisite for entering into a contract. The User may object to data processing based on legitimate interests by sending an email to the following email address: [email protected]. The data controller is Szegi Medical Center Ltd.

5. What data do we collect automatically about you, why do we profile your data, and how does it affect you? What tools do we use and what data do we collect automatically about you?

During the use of websites operated by Szegi Medical Center Ltd., we use small programs, called cookies, and similar technologies on users’ mobile devices to facilitate identification and recognition of user data.

When visiting the Website and using the services, we place cookies in the User’s browser and HTML-based emails in accordance with this Privacy Policy.

In general, a cookie is a small file consisting of letters and numbers that we send to the User’s device from our server. The main purpose of cookies is to enable the User to receive personalized offers and advertisements that customize the User experience on the Website and express the User’s personal needs.

5.2. Purposes of the cookies used by the Service Provider:

a) Security: supporting and enabling security, and assisting the Service Provider in detecting unlawful behavior.

b) Preferences, features, and services: cookies can inform the Service Provider about the User’s preferred language, the User’s communication preferences, and help the User fill out forms on the Website, making it easier for them.

c) Advertising: The Service Provider may use cookies to show relevant advertisements to the User on and off the Website. The use of cookies may also show whether Users who have seen an advertisement on the Website later visit the advertiser’s website. Similarly, the Service Provider’s business partners may use cookies to determine whether the Service Provider displayed their advertisement on the Website and how it performed, and they may provide information to the Service Provider about how the User behaves with regard to advertisements. The Service Provider may also collaborate with a partner that displays advertisements to the User on or off the Website after the User has visited the partner’s website.

d) Performance, analytics, and research: these cookies help the Service Provider understand how the Website performs in different locations. The Service Provider may also use cookies that evaluate, improve, and research the Website, products, features, and services, including when the User accesses the Website from other websites or devices, such as the User’s computer or mobile device.

5.3. Types of cookies used by the Service Provider:

a) Analytics and tracking cookies;

b) Session cookies, which only work until the session (usually the visit to the Website or a browser session) ends;

c) Persistent cookies: they help recognize the User as an existing User, making it easier to return to the Website without logging in again. Once the User logs in, the persistent cookie remains in the User’s browser, and the Website can read it when the User returns to the Website. Adobe Flash is another technology that has functionality equivalent to cookies. Adobe Flash is capable of storing data on the User’s device. However, not all browsers allow the removal of Adobe Flash cookies. The User can limit or block Adobe Flash cookies through the Adobe website. If the User limits or blocks them, some features of the Website may not be available.

5.4. Cookies used by third parties:

Trusted partners assist the Service Provider in displaying advertisements on the Website and beyond, and analytics providers such as Google Analytics, Quantcast, Nielsen, ComScore may place cookies on the User’s device. Users can disable Google cookies on the page for disabling Google ads. At http://www.networkadvertising.org/choices/, there is also an option to disable cookies from other external service providers.

5.5. Controlling and managing cookies:

Most browsers allow Users to control the application of cookies through settings. However, if the User restricts the use of cookies on the Website, it may impair the User experience, as personalization may no longer be applied. Additionally, the User can also stop saving personalized settings, such as login information. If the User does not want the Service Provider to use cookies when visiting the Website, the User can disable the application of certain cookies in the settings section. In order for the Service Provider to be aware that the User has disabled the use of certain cookies, the Service Provider places a disabling cookie on the User’s device, so the Service Provider will know not to place cookies when the User visits the Website next time. If the User does not want to receive cookies, the User can change the browser settings on their computer. If the User uses the Website without changing the browser settings, the Service Provider considers that the User agrees to any cookies being sent to the User on the Website. The Website will not function properly without cookies. For more information about cookies, including their types, management, and deletion, visit the Wikipedia.org page or the www.allaboutcookies.org or www.aboutcookies.org websites. Users can also control and enable cookies through the following links: https://www.aboutads.info/choices and https://www.youronlinechoices.eu.

6. Who processes your personal data, and who has access to them?

Data Controller

In addition to the data specified in this Privacy Policy, the data controller of your data is Szegi Medical Center Ltd., with the following contact information and company details:

Szegi Medical Center Ltd.
Company registration number: 01-09-323148
Tax number: 22717319-2-41
Registered office: 1052 Budapest, Haris köz 5, 1st floor 1.
Email address: [email protected]
Regarding your data, only employees of the company have access to the extent necessary for the performance of their work. Access rights to personal data are defined in a strict internal policy.

Data Processors

For the purpose of processing your data, Szegi Medical Center Ltd. may engage data processors in accordance with the applicable legal provisions by means of written contracts, and the data you provided may be transmitted to such data processors to the necessary extent. The contact information (name, address, email address, phone number) required for communication and the information you provide in the future regarding public opinion research and market research will be processed collectively (without separation or anonymization).

7. Who is the data protection officer of Szegi Medical Center Ltd., and what are the contact details?

The data protection officer of Szegi Medical Center Ltd. is provided by Hacker Hunter Ltd.
Contact details:
Email: [email protected]
Phone number: +36 70 612 4507

8. What are your rights regarding the processing of your personal data, and how do we ensure their exercise?

a) Right of access: You can request information about what data we process, for what purposes, for how long, to whom we disclose them, and the source of the data we process.

b) Right of rectification: If your data changes or is incorrectly recorded, you can request the correction, amendment, or clarification of your data.

c) Right of erasure: In cases defined by the law, you can request the deletion of your data processed by us.

d) Right to restrict processing: In cases defined by the law, you can request the restriction of data processing.

e) Right to data portability: You can request the transfer of your data, and by exercising this right, you can request that we provide your data of the type specified by the law to you or directly to another service provider designated by you. In the case of submitting the above requests, we will proceed in accordance with the provisions of the law and inform you within one month about the measures we have taken based on your request.

f) Right to withdraw consent: When we process your data based on your consent, you have the right to withdraw your consent at any time, which, however, does not affect the lawfulness of our processing based on your consent before its withdrawal.

g) Right to lodge a complaint: If you believe that our data processing has violated your rights, you have the right to lodge a complaint with the competent supervisory authority: National Authority for Data Protection and Freedom of Information; Website: http://naih.hu; Postal address: 1530 Budapest, Pf.: 5. Email: [email protected]; Phone number: +36 (1) 391-1400 In addition to the above, you may also file a lawsuit against Szegi Medical Center Ltd. before the Budapest Metropolitan Court in case of violation of the protection of personal data.

h) Right to object:

• If we process your data based on legitimate interests, as described above, you have the right to object to the processing based on these legitimate interests.

• You can also object to profiling.
If you object, we will no longer process your personal data for these purposes.

9. How do we ensure the security of your data?

To ensure the security of the data and information we handle, all our employees are obliged to comply with the requirements of data and information security, which they are aware of and apply. Our employees are regularly educated and trained regarding the requirements of data and information security. We store personal data on our own central server, which can only be accessed by a very limited circle of personnel and employees. We regularly and repeatedly test and control our IT systems to establish and maintain data and IT security. Office workstations are password-protected, the use of external data carriers is limited, and only allowed under secure conditions and after inspection. All our systems have comprehensive, regular, and continuous protection against malicious software. We handle security features in the design, development, testing, and operation of programs, applications, and devices in a prioritized and separate manner. Access keys (e.g., passwords) of the information system are stored and transmitted in encrypted form, and we ensure the protection of data related to the security of the system (e.g., passwords, permissions, logs).

10. What do we do in case of a data protection incident?

In accordance with the legal requirements, we report the data protection incident to the supervisory authority within 72 hours of becoming aware of it and keep a record of the data protection incidents. In the cases specified by law, we also inform the affected users.

11. When and how do we modify this Privacy Policy?

If the scope of the processed data and other circumstances of data processing change, we will modify and publish this Privacy Policy on the szegimedical.com website within 30 days in accordance with the GDPR requirements and notify you of the changes. Please carefully read the modifications to the Privacy Policy as they contain important information about the processing of your personal data.

Budapest, 12/05/2023

You can download the data protection information as a pdf: Privacy_Notice.pdf