Privacy Policy

Purpose of Privacy Statement

Our information aims to provide you with all the important details regarding the handling and protection of your healthcare and personal data provided during treatment.

When handling personal data, we comply with legal requirements, ensure the confidential treatment of data, and provide information about the methods and legality of data management at any time. We comply with the provisions of the current Data Management Act and relevant regulations, and therefore reserve the right to amend this policy in line with any legislative changes without prior notice.

Data Controller:

Name: Dr. Goodwin Limited Liability Company
Registered Office: 1064 Budapest, Bajza utca 54. I/1.
Central email: info@drgoodwin.hu
Website: www.drgoodwin.hu
Contact phone number: +36 1 6005040
Data Protection Officer: Anita Éva Hazai, CEO
Developer and responsible manager of the data protection policy: Krisztina Takács, Data Protection Officer (dpo@drgoodwin.hu).
Date of entry into force of the policy: December 18, 2019.

The data protection policy may only be used in relation to this institution, and any use elsewhere, in whole or in part, without the owner's permission, is prohibited.

Laws applied in data management: The following laws are applied concerning the use of healthcare services:

  • Regulation (EU) 2016/679 of the European Parliament (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data,
  • Act CLIV of 1997 on health (hereinafter: Health Act),
  • Act XLVII of 1997 on the management and protection of health-related personal data, and
  • Act CXII of 2011 on informational self-determination and freedom of information.

Guidelines applied in data management:

  • Principle of purpose limitation
  • Principle of proportionality, necessity, and data minimization
  • Principle of lawfulness, fairness, and transparency
  • Principle of accuracy and timeliness
  • Principle of integrity and confidentiality
  • Principle of accountability

Organizational units of the data controller, locations of data usage: Due to our activities, we have several organizational units, each having separate data usage regulations. This policy applies to all our units. Our organizational units:

  • Outpatient care
  • Reception
  • Inpatient care at external locations
  • Economic and managerial department
  • Human resources and labor department
  • Finance and accounting
  • Marketing

Key areas of data management: Data management related to the provision of healthcare services

As a healthcare service provider, the Data Controller has an obligation to manage data. Due to the nature of our institution, individuals voluntarily come to us, so the provision of personal data is also voluntary, and thus constitutes consent to regulated use. The data provided and managed by us include the following:

  • surname and given name
  • birth name
  • maiden name
  • place and date of birth
  • mother's name
  • residence
  • possible place of residence
  • social security identification number (TAJ)
  • phone number
  • email address

In addition to the above, the data may be supplemented in the following areas as described below.

Regarding medical care:

  • data necessary for the medical history as determined by the treating physician (medical history, family background, possible sensitivities, allergies, etc.)
  • Contact details of the persons to be notified

Regarding non-medical care:

  • documents required to establish an employment relationship, copies of certificates
  • contracts and other documents related to other economic entities

Regarding marketing activities:

  • email addresses for use with newsletter databases

Regarding billing activities:

  • partner's tax number
  • partner's bank account number
  • patient's health fund identifier

Beyond the above, we disclose data only upon official request, and even then we ensure compliance with regulations (a certified request, the involvement of authorized persons only, and compliance with the rules of data transmission). Individuals providing data may request information about the processing of their personal data at any time and are entitled to update, modify, or request the deletion of their personal data, except where other laws or provisions impose an obligation to retain data, such as labor-related data.

Duration of data management: Healthcare documentation must be retained as follows:

  • healthcare documentation (except for images and reports from imaging diagnostic procedures): 30 years;
  • final reports: 50 years;
  • images from imaging diagnostic procedures: 10 years;
  • reports made from such images: 30 years;
  • prescriptions: 5 years.

Duration of retention of non-healthcare documentation:

  • Accounting and billing documentation generally for 10 years according to the Accounting and Taxation rules in force at any given time,
  • Retention of labor and HR documents is mandatory until the end of the company's operation. The destruction of individual documents is carried out in accordance with the laws in force at the time of destruction and within the prescribed deadlines, within the institution, in a closed system, with full guarantee of destruction, using a document shredder.

Data of external data processors used during data management: The consent of the data subject is not required for their use, but informing them is mandatory. Given that contractual partners may change, we do not mention them by name in the regulation, but we will provide information about them upon request. These providers may include:

  • laboratories
  • external diagnostic service providers
  • external healthcare providers
  • IT service providers
  • marketing service providers

When engaging any external service provider, we regulate and adhere to the following points during the activity. These include in particular:

  • We always request the provider's own regulations
  • When transferring data, if done electronically, we ensure the security of data carriers
  • If data transfer is done on paper, we ensure that it does not fall into unauthorized hands
  • We only provide the data necessary for the given activity
  • The fact of transmission is always traceable; if this would involve a large amount of data, a separate record is made.

Regulation regarding newsletter services

A natural person subscribing to the newsletter, hereinafter referred to as the Data Subject, may, in accordance with § 6 of Act XLVIII of 2008 on the basic conditions and certain restrictions of economic advertising activity, give prior and express consent for the Data Controller to contact them at the email address or phone number provided during registration with advertising offers and other mailings. Other mailings may only be for marketing and promotional purposes and may not include any medical advice that might lead the patient to self-medicate and possibly harm their own health or that of those around them. Nor may they advertise or recommend any products that qualify as drugs. The Data Subject can voluntarily give consent to receive newsletters in either of two ways and can withdraw it at any time.

  1. By marking a designated option, they can give their consent to the processing of their personal data made available voluntarily.
  2. When registering for specific treatment, they also mark the consent request line or indication.

The Data Subject may unsubscribe from the newsletter at any time, without limitation or explanation, free of charge, either directly from the newsletter or by written request to the Data Controller.

Purpose of data management and scope of data processed: Information about current services, possibly other services, tools related to our activities, and advice related to them.
Personal data used for this purpose: surname, given name, email address.
Scope of individuals: Natural persons subscribing to the newsletter.
Duration of data management: The Data Controller processes the provided personal data until the declaration of consent is withdrawn, i.e., until unsubscribing from

Data Processors
We process some of our data with the assistance of external data processors. The data of these data processors are as follows:

Flexi Medical Hungary Ltd.
Invoicing, Management of Medical and Patient Data
Registered Office: 1027 Budapest, Tölgyfa u. 28.
Company Registration Number: 01-09-991891
Tax Identification Number: 24131140-2-41
Actual data processing address:
1027 Budapest, Tölgyfa u. 28.
Internet availability (and the websites of the relevant actual data processing):
https://www.flexi-dent.hu/
https://www.facebook.com/flexident/
Phone number: 061-792-1234
Email: sales@felxi-dent.hu
Represented by: Tamás Friss, CEO
Data protection information: https://www.flexi-dent.hu/uploads/files/flexi-medical-hungary-kft-adatvedelmi-es-adatbiztonsagi-szabalyzata.pdf

Google
Google Email, Drive, Spreadsheets, Documents for storing various company documents.

Google LLC
Headquarters: 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States
Phone: 650-253-0000
Website: www.google.com, www.google.com/gmail, www.google.com/drive, www.google.com/spreadsheets/about, www.google.com/docs/about

SalesAutopilot Ltd.
Newsletter sending, CRM service, processing of sales and application forms

Headquarters: 1016 Budapest, Zsolt utca 6/C, IV. em. 4.
Tax number: 25743500-2-41
VAT number: HU25743500
Company registration number: Cg. 01 09 286773
CEOs: Balázs Csepregi and György Khauth (authorized for independent company registration)
Website: https://www.salesautopilot.hu/

SMS sending service
Bip Communications Service and Consulting Ltd.

Headquarters: 1134 Budapest, Bulcsú utca 23. bldg. III. floor 8.
Company registration number: 01 09 947432
Phone number: +36-30/493-7166
Website: https://sms.bipkampany.hu/

Facebook
Ads and company page

Facebook Inc
Headquarters: 1601 Willow Rd, Menlo Park, CA 94025-1452
Phone number: +1 650 618 7714
Website: www.facebook.com

Accountant
Invoices, delivery confirmations, and similar documents

Eszter Hagymási
Headquarters: 2162 Őrbottyán, Bartók Béla utca 43.
Tax number: 66475677-1-33

Simple
Payment service for card payments

OTP Mobil Ltd.
Headquarters: 1143 Budapest, Hungária körút 17-19.
Company registration number: 01 09 868837
Phone number: +36 1 776-6901
Website: https://www.simple.hu/fooldal/

Számlázz.hu
KBOSS.hu Ltd.

Headquarters: 1031 Budapest, Záhony utca 7.
Company registration number: 01-09-303201
Phone number: +3630 35 44 789
Website: https://www.szamlazz.hu/szamla/main

Data protection authority procedure
Complaints can be lodged with the National Authority for Data Protection and Freedom of Information:
Name: National Authority for Data Protection and Freedom of Information
Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, Pf.: 5.
Phone: 061-391-1400
Fax: 061-391-1410
Email: ugyfelszolgalat@naih.hu
Website: https://www.naih.hu

Handling of Data Protection Incidents

A data protection incident is any breach that may result in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored, or otherwise processed.

Preventing and managing data protection incidents, and complying with relevant legal requirements, is the responsibility of the Company's management. Accesses and access attempts must be logged in the information systems.

If employees authorized for inspections detect a data protection incident in the course of their duties, they must immediately notify the Company's management. Employees of the Company are required to report any data protection incident or event suggestive of such to the Company's management or the employer exercising management rights.

Data protection incidents can be reported to the Company's central email address or phone number. Upon reporting a data protection incident, the data protection officer shall examine the report. In this process, the incident must be identified, and a decision must be made as to whether it is a real incident or a false alarm. The following must be examined and determined:

a. the time and location of the incident,
b. description of the incident, circumstances, and consequences,
c. the scope and quantity of data affected during the incident,
d. the individuals affected by the incident,
e. description of measures taken to address the incident,
f. description of measures taken to prevent, mitigate, or reduce the damage.

In the event of a data protection incident, the affected systems, individuals, and data must be isolated and separated, and evidence supporting the occurrence of the incident must be collected and preserved. Following this, efforts can be made to restore any damages and resume lawful operations. Records of data protection incidents must be maintained, including the scope of the affected personal data, the number of individuals affected by the data protection incident, the time of the data protection incident, the circumstances and consequences of the data protection incident, the measures taken to remedy the data protection incident, and any other data specified in the legislation prescribing data processing.

Profiling

The Data Controller does not engage in profiling based on the behavior, interests, or any other data provided by visitors/registrants, and does not employ automated decision-making or classification.

Identifying our website visitors is not our goal, and we do not take any steps in this regard.

Of course, you can unsubscribe from our list at any time; in this case, we physically delete the data stored about you from all our systems.
You can also use any of our services without subscribing to our promotional emails.

Our Principles

Our company follows the following principles in data processing:

  • We handle personal data lawfully, fairly, and transparently for the data subjects.
  • Personal data is collected only for specified, explicit, and legitimate purposes, and it is not further processed in a manner that is incompatible with those purposes.
  • The personal data we collect and process is adequate, relevant, and limited to what is necessary for the purposes of processing.
  • We take all reasonable steps to ensure that the personal data we hold is accurate and, where necessary, up to date. Inaccurate personal data is promptly deleted or corrected.
  • Personal data is stored in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
  • We apply appropriate technical and organizational measures to ensure the security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

We do everything in our power to handle your data securely and lawfully.