Data Management Notice
Effective from: 1 January 2024
This Privacy Notice provides information on the processing of personal data by the Data Controller – GentleDent Service Ltd. (hereinafter: Controller, “GentleDent”, or “Dental Clinic”) in respect of its operations, in compliance with the European Union’s General Data Protection Regulation (“GDPR”).
GentleDent is a dental clinic operating as a private healthcare provider. All patient examinations and treatments are carried out in private practice, and GentleDent is not a publicly funded facility. Patients voluntarily engage our services and choose which treatment(s) they wish to receive. All Patients who contact GentleDent – regardless of which service they use – are subject to the same data processing practices.
We collect identifying personal data and special categories of personal data (health data) from the Data Subject. Our staff may examine identity documentation solely for the purpose of verifying accuracy, but copies of such documents will not be made in any case.
The following personal data are processed when you receive any healthcare service at GentleDent.
GentleDent processes personal data in the following categories / for the following purposes, under the legal bases specified, for the periods set out, and allowing the rights of the Data Subject as described below.
II.1. Appointment Booking & Contact
Purpose: To handle requests for appointment scheduling and communication.
Personal Data Processed: Name; phone number; email; chosen treatment; appointment date.
Source of Personal Data
The Data Subject.
Categories of Data Subjects
Patients initiating the use of healthcare services.
Legal Basis for Processing
For the mandatory data, the legal basis is the performance of a contract and compliance with a legal obligation (Article 6(1)(b) GDPR).
Storage Period
a) until the purpose of processing has been fulfilled; and
b) where the appointment (or its modification) may give rise to legal effect, or is relevant for proving compliance with a legal obligation, or for the enforcement of legitimate interests, the Dental Clinic shall retain the data for the statutory limitation period or until the legitimate interest ceases.
Recipients
Hosting service provider.
Rights of the Data Subject
You have the right of access, rectification, erasure, and restriction of processing.
Important Notice
The Data Subject has the right, at any time and on grounds relating to his or her particular situation, to object to the above data processing by contacting us at the contact details provided.
Please note that if you provide the personal data of a relative or another third party, you are obliged to ensure that you have the consent of that third party. We are not in a position to verify this. If, as a parent or legal guardian, you book an appointment for your minor child, your consent is required for the processing of your child’s personal data.
The Dental Clinic may make the provision of certain services conditional upon the prior execution of a consent form, of which the Data Subject shall be duly informed.
Purpose of Data Processing
The purpose of processing is to identify the Data Subject, to provide appropriate healthcare services in accordance with the provisions of the consent form, and to enable communication.
Personal Data Processed
Name, residential address, social security number (TAJ), name of treating dentist, area of treatment, drug allergies, drug sensitivities, regular medications, the fact of consent, and signature.
Source of Personal Data
Patients receiving the service.
Legal Basis for Processing
The legal basis for processing is the Data Subject’s consent (Article 6(1)(a) GDPR, as well as Article 9(2)(b) GDPR).
The consent form is based on voluntary consent. Where the Data Subject discloses to the Clinic any fact that influences or excludes the provision of the service, or where the Clinic establishes such a fact in a clear and verifiable manner in connection with the Data Subject, the Clinic may refuse to provide the given service(s).
Retention Period
In accordance with Act XLVII of 1997 on the management and protection of health and related personal data, Act LXXXIII of 1997 on the benefits of compulsory health insurance, and Decree 62/1997 (XII. 21.) of the Ministry of Welfare on certain issues of the processing of health and related personal data:
Recipients
Hosting service provider.
Rights of the Data Subject
The Data Subject has the right of access, rectification, erasure, and restriction of processing.
Important Notice!
The Data Subject has the right, at any time and on grounds relating to his or her particular situation, to object to the above processing by contacting the Clinic at the contact details provided.
When you visit GentleDent Dental Clinic and receive healthcare services, your data are recorded in the medical documentation certifying and describing the care provided.
The purpose of such data processing is to promote the preservation, improvement, and maintenance of health, to support effective medical treatment (including professional supervisory activities), to monitor the health status of the Data Subject, and to ensure the enforcement of patients’ rights.
Purpose of Data Processing
Examination, treatment, and documentation of our Patients.
Personal Data Processed
Identification and healthcare-related data necessary for the provision of services: name, birth name, social security number (TAJ), residential address, place and date of birth, and all data relating to the treatment received.
Source of Personal Data
Patients receiving the service.
Legal Basis for Processing
The processing is based on a legal obligation under:
Retention Period
In accordance with Act XLVII of 1997 on the Management and Protection of Health and Related Personal Data, Act LXXXIII of 1997, and Decree 62/1997 (XII.21.) NM:
Recipients
National Health Insurance Fund (NEAK), Implant Registry, Dental Registry System, Dental Patient Record Software.
Rights of the Data Subject
The Data Subject has the right of access, rectification, erasure, and restriction of processing.
Important Notice
The Data Subject has the right, at any time and on grounds relating to his or her particular situation, to object to the above data processing by contacting the Clinic at the contact details provided.
A key element of dental treatment is the treatment plan, which is based on preliminary clinical examinations, radiographs, and model evaluations. The treatment plan is prepared on the basis of the first consultation, oral and facial examination, the evaluation of radiographs, upper and lower jaw models, and photographic documentation, while also taking into account the Patient’s preferences. The treatment plan includes the anticipated costs as well as any potential side effects. The treatment plan forms part of the medical documentation and is sent to the Patient at the e-mail address provided.
Purpose of Data Processing
To inform Patients regarding the proposed treatment.
Personal Data Processed
Name, residential address, social security number (TAJ), and details of the identified dental problems.
Source of Personal Data
Patients initiating the use of dental care.
Legal Basis for Processing
Performance of a healthcare services contract (Article 6(1)(b) GDPR).
Retention Period
Recipients
Dental Registry System.
Rights of the Data Subject
The Data Subject has the right of access, rectification, erasure, and restriction of processing.
Important Notice
The Data Subject has the right, at any time and on grounds relating to his or her particular situation, to object to the above data processing by contacting the Clinic at the contact details provided.
The Clinic shall record in the healthcare documentation:
Healthcare data includes all information relating to the physical or mental state of a natural person, as well as any data generated in connection with the healthcare services used by that individual.
Healthcare data and related documentation are stored by the Dental Clinic in an electronic medical records system specifically designated for this purpose and/or in paper-based form.
Purpose of Data Processing
The provision of healthcare services; the conclusion, amendment, and termination of the related contract; performance of obligations arising from the contract; enforcement of rights and any potential claims; defense against claims; and maintaining contact with the Patient.
Personal Data Processed
Name, date and place of birth, mother’s name, residential address, telephone number, e-mail address, social security number (TAJ), and healthcare insurance fund data.
Source of Personal Data
The Data Subject.
Legal Basis for Processing
Performance of a contract for the provision of healthcare services (Article 6(1)(b) GDPR).
Retention Period
In accordance with Act XLVII of 1997 on the Management and Protection of Health and Related Personal Data, Act LXXXIII of 1997 on the Benefits of Compulsory Health Insurance, and Decree 62/1997 (XII.21.) NM on certain issues of processing health and related personal data:
Recipients
E-mail service provider, hosting service provider.
Rights of the Data Subject
The Data Subject has the right of access, rectification, erasure, and restriction of processing.
Important Notice
The Data Subject has the right, at any time and on grounds relating to his or her particular situation, to object to the above processing by contacting the Clinic at the contact details provided.
Following the provision of dental services, the Dental Clinic issues an invoice; therefore, the Clinic processes your invoicing data. Payment is made at the Clinic’s reception desk after the examinations, where our staff issue the final invoice to you.
Purpose of Data Processing
Financial accounting and compliance with statutory invoicing requirements.
Personal Data Processed
Name and billing address of the payer; in some cases, health insurance fund membership identifier; type of treatment; final amount invoiced.
Source of Personal Data
All Data Subjects for whom an invoice has been issued.
Legal Basis for Processing
Compliance with a legal obligation (Article 6(1)(c) GDPR), pursuant to:
Retention Period
In accordance with Act C of 2000 on Accounting and Act CXXVII of 2007 on Value Added Tax, invoices and related data must be retained for 8 + 1 years.
Recipients
E-mail service provider, hosting service provider, accountant, invoicing software provider.
Rights of the Data Subject
The Data Subject has the right of access, rectification, erasure, and restriction of processing.
Important Notice
The Data Subject has the right, at any time and on grounds relating to his or her particular situation, to object to the above processing by contacting the Clinic at the contact details provided.
Photo documentation is used to accompany and record the course of treatment, allowing the Dental Clinic to use such photos for scientific presentations and on the Clinic’s website. The published “before-after” photo documentation helps visitors to the website become familiar with the treatments performed at the Clinic.
Purpose of Data Processing
Photo documentation of healthcare services.
Personal Data Processed
Name, treatment photographs (in a form not suitable for personal identification).
Source of Personal Data
Patients initiating the use of healthcare services.
Legal Basis for Processing
Consent of the Patient – Article 6(1)(a) GDPR.
Retention Period
Until the Clinic ceases operation or until consent is withdrawn.
Recipients
Hosting service provider, e-mail service provider, website editor, social media platforms.
Rights of the Data Subject
Right of access, rectification, erasure, and restriction of processing.
Important Notice
The Data Subject has the right, at any time and on grounds relating to his or her particular situation, to object to the above processing by contacting the Clinic at the contact details provided.
Photo documentation is used to accompany and record the course of treatment, allowing the Dental Clinic to present such photos in scientific lectures.
Purpose of Data Processing
Photo documentation of healthcare services.
Personal Data Processed
Name, treatment photographs (in a form not suitable for personal identification).
Source of Personal Data
The Patient.
Legal Basis for Processing
Consent of the Patient – Article 6(1)(a) GDPR.
Retention Period
Until the Clinic ceases operation or until consent is withdrawn.
Recipients
E-mail service provider, hosting service provider.
Rights of the Data Subject
Right of access, rectification, erasure, and restriction of processing.
Important Notice
The Data Subject has the right, at any time and on grounds relating to his or her particular situation, to object to the above processing by contacting the Clinic at the contact details provided.
Such data processing occurs when you consent to receiving newsletters. By sending newsletters, the Dental Clinic intends to inform you, for marketing purposes, about newly available treatments and any currently announced promotions.
Purpose of Data Processing
To inform existing and prospective Patients for marketing purposes.
Personal Data Processed
Name, e-mail address.
Source of Personal Data
Individuals subscribing to the newsletter.
Legal Basis for Processing
Consent of the Patient – Article 6(1)(a) GDPR.
Retention Period
Until the Clinic ceases operation or until consent is withdrawn.
Recipients
E-mail service provider, hosting service provider, newsletter service provider.
Rights of the Data Subject
Right of access, rectification, erasure, and restriction of processing.
Important Notice
The Data Subject has the right, at any time and on grounds relating to his or her particular situation, to object to the above processing by contacting the Clinic at the contact details provided.
For the purpose of improving customer satisfaction, the Dental Clinic periodically makes a chatbot service available via the GentleDent Facebook Messenger platform (hereinafter: “Messenger”). Automated conversations take place when the customer initiates contact with the Controller through Messenger.
Purpose of Data Processing
To enhance the user experience, provide faster service to customers, and ensure more efficient case management.
Personal Data Processed
Data strictly necessary for the operation of the chatbot and available through Messenger’s standard settings, in particular: App user ID generated for the chatbot, username, profile picture URL, as well as any other data provided by the Data Subject during the chatbot interaction (e.g. text, keystrokes, uploaded graphic or other files, images). In addition: Messenger application used, chosen language, registration time, and all data shared during the chat conversation.
Source of Personal Data
Data Subjects using the Chatbot.
Legal Basis for Processing
Voluntary consent of the Data Subject, pursuant to Article 6(1)(a) GDPR. Consent is deemed to have been given when the customer responds to the chatbot’s notification message concerning data protection information, thereby actively initiating a conversation.
Retention Period
Recipients
Meta (Facebook).
Rights of the Data Subject
Right of access, rectification, erasure, and restriction of processing.
Important Notice
The Data Subject has the right, at any time and on grounds relating to his or her particular situation, to object to the above processing by contacting the Clinic at the contact details provided.
For marketing purposes, the Dental Clinic may record videos or take photographs on its premises. Warning signs will be placed on site during filming or photography sessions.
Purpose of Data Processing
Promotion and marketing of the Clinic’s activities and services.
Personal Data Processed
The image of the Data Subject and any other personal data recorded in the photo or video.
Source of Personal Data
Data Subjects present at the premises.
Legal Basis for Processing
Voluntary consent of the Data Subject – Article 6(1)(a) GDPR.
Retention Period
Photographs and video recordings shall be deleted at the end of the 10th year following their creation.
Recipients
Hosting service provider.
Rights of the Data Subject
Right of access, rectification, erasure, and restriction of processing.
Important Notice
The Data Subject has the right, at any time and on grounds relating to his or her particular situation, to object to the above processing by contacting the Clinic at the contact details provided.
Disclosure
The Clinic may publish the recordings and photographs for up to 10 years from their creation on its websites, Facebook page, other content-sharing platforms, electronic and paper newsletters, as well as in other electronic and printed publications, press products, or television.
The Clinic processes the personal data of contact persons designated in contracts concluded by GentleDent as follows:
Purpose of Data Processing
Processing of personal data of natural persons designated as contact persons on behalf of contractual partners (e.g. suppliers or clients).
Personal Data Processed
Personal data necessary for identification and communication: name, e-mail address, telephone number.
Source of Personal Data
Contractual partners of the Clinic.
Legal Basis for Processing
The Clinic’s legitimate interest pursuant to Article 6(1)(f) GDPR, and compliance with a legal obligation pursuant to Article 6(1)(c) GDPR.
Legitimate Interest of the Controller
To conclude, perform, and monitor contracts with business partners, to resolve disputes where applicable, and to maintain contact with the partner.
Retention Period
Until the termination of the contract and the archiving of the contract. Where an invoice is issued that contains the contact person’s data, such data shall be deleted at the end of the 8th year following the date of the invoice.
Recipients
Hosting service provider.
Rights of the Data Subject
Right of access, rectification, erasure, and restriction of processing.
Important Notice
The Data Subject has the right, at any time and on grounds relating to his or her particular situation, to object to the above processing by contacting the Clinic at the contact details provided.
Google (Google Analytics, Google Tag Manager)
Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) provides the Google Analytics service, which uses cookies (text files stored on the user’s computer) to analyze how you use our online services. Generally, data generated by the cookie concerning your user behaviour is transmitted to and stored on a Google server in the United States.
Where IP anonymisation is activated for the online services, Google shortens the IP address within Member States of the European Union or the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. Google uses this information on behalf of the operator of the online services to evaluate your use of the services, to compile reports on such activity, and to provide further services related to website and internet usage for the operator.
The IP address transmitted by your browser within Google Analytics is not combined with other data held by Google. You may prevent the storage of cookies by selecting the appropriate setting in your browser; however, please note that in this case you may not be able to use all functions of the online services in full. You can also prevent the collection and use of cookie-generated data by Google by downloading and installing the browser plugin available here: https://tools.google.com/dlpage/gaoptout?hl=en.
Our website also uses Google Tag Manager, which allows for the rapid and simple updating of tracking codes and related snippets (“tags”) on the website and mobile application.
Further information:
Data Subjects may exercise the rights provided under the GDPR against the Controller at any time, orally, in writing, or electronically. Important: Certain rights may only be exercised where the relevant personal data are processed on an appropriate legal basis. Details of the rights available for each processing purpose are set out in the sections above.
Withdrawal of Consent
Where processing is based on consent (Article 6(1)(a) GDPR), you may withdraw your consent at any time, without justification. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. Following withdrawal, the Clinic will no longer process the personal data concerned and will delete them.
Right of Access
You may request confirmation as to whether the Clinic processes your personal data. If so, you are entitled to receive information about such processing and may request a copy of your personal data. Copies will be provided free of charge, either in a commonly used, machine-readable format (PDF/XML) or in printed paper form.
Right to Rectification
You may request correction of inaccurate personal data concerning you, or completion of incomplete data. Where necessary information is not available to complete or correct inaccurate data, the Clinic may request supporting documentation. Pending such provision, processing of the data shall be restricted.
Right to Erasure (“Right to be Forgotten”)
You may request deletion of your personal data where:
Right to Restrict Processing
You may request restriction of processing where:
During restriction, the Clinic will not process personal data other than for storage, except where:
Right to Data Portability
You may request provision of your personal data in a structured, commonly used, machine-readable format, or request their transmission directly to another controller.
Important: This right only applies to data processed on the basis of your consent.
Right to Object
You may object at any time to processing based on the Clinic’s legitimate interests. In such cases, the Clinic will cease processing unless it demonstrates compelling legitimate grounds overriding your interests, rights, and freedoms, or where processing is necessary for legal claims.
Post-Mortem Rights
Within 5 years after a Data Subject’s death, the rights of access, rectification, erasure, restriction, and objection may be exercised by a person authorised by the Data Subject by administrative disposition or by a public or private deed with full probative force deposited with the Clinic. In the absence of such, the rights of rectification and objection, as well as erasure/restriction where processing was unlawful during life or the purpose ceased upon death, may be exercised by a close relative (spouse, direct ascendant/descendant, adopted/step/raised child or parent, sibling). Proof of death (death certificate or court decision) and proof of identity and status must be provided.
The Controller implements appropriate technical and organisational measures to ensure data security, including:
If you believe that the Clinic has processed your personal data unlawfully, contrary to applicable regulations, or has failed to respond adequately to a request to exercise your data subject rights, you may lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) or initiate proceedings before the competent court at your residence or place of stay.
NAIH Contact Details:
| Name of Data Processor | Address | Description of Processing | Privacy / Data Protection |
|---|---|---|---|
| Simor Zsuzsa | — | Accounting services | — |
| Billingo Technologies Zrt. (“Billingo”) | 1133 Budapest, Árbóc utca 6., I. floor | Invoicing software | Data Protection: https://www.billingo.hu/adatkezelesi-tajekoztato |
| DentalPocket – BAUMANN DENTAL ÉS MARKETING Kft. | 1021 Budapest, Üdülő út 19/A | Dental records management software | Data Protection: Privacy Notice (Adatkezelési tájékoztató) |
| HGRV Kft. (HGRV Informatikai Korlátolt Felelősségű Társaság) | 1115 Budapest, Etele tér 4. | Camera maintenance and operation | Data Protection: https://hgrv.hu/adatkezelesi-tajekoztato/ |
Budaörs, 1 January 2024
Please acknowledge and accept the Processing of Personal Data as set out in this Notice.
Privacy Information relating to GentleDent Service Kft.’s presence on TikTok
For the purposes of this Notice, certain terms are used as follows:
| Field | Details |
|---|---|
| Controller | GentleDent Service Kft. |
| Tax No. | 27509650-2-13 |
| Company Reg. No. | 13-09-227981 |
| Registered Address | 2040 Budaörs, Domb utca 25–27, ground floor 4. |
| Phone | +36 30 504 8517 |
| E-mail | info[at]gentledent.hu |
| Website | gentledent.hu |
GentleDent is a private healthcare provider. Examinations and treatments are performed in private practice and are not publicly funded. Patients voluntarily engage our services and choose the treatments they wish to receive. Any Patient who interacts with our Clinic—regardless of the specific service used—encounters the same data-processing practices (“our Activities”).
Unless expressly defined otherwise, terms relating to personal data and data protection have the meanings given in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”).
The purpose of our processing is to introduce and promote the Clinic to interested users and to support our business success by maintaining a presence on the social media platform TikTok, which has become highly popular in recent years. Within this framework, we upload short videos about the Clinic’s daily life, the services we provide and the messages we communicate.
From time to time, we may arrange for our videos to be shown in a targeted manner to TikTok users that fit an advertising profile.
Where a viewer wishes to learn more, the video may redirect the user to our own online platform(s). If you continue there, the processing applicable to our websites and forms is governed by a separate privacy notice available on our website.
Data subjects concerned: individuals who view videos published via the Clinic’s TikTok account.
For the target audience and viewers of videos on TikTok, the legal basis for processing is the consent you have given to TikTok. Based on criteria we provide, advertisements may be displayed on TikTok either randomly or in a targeted manner by us (as Controller) or our processor, to persons registered on the TikTok platform. Targeting criteria may draw on data provided by the data subject in his/her TikTok profile, or personal data generated during sharing or other activity on TikTok. The scope and use of such data are governed exclusively by TikTok’s privacy policy and cookie policy; neither our Clinic nor our processors have access to those underlying datasets.
You decide whether to consent to personalised (targeted) advertising on TikTok and, beyond mandatory fields, what types and amounts of personal data you share on your TikTok profile.
Where a legal obligation requires us to process or share data (e.g. upon lawful request), we may do so on that legal basis.
TikTok (including TikTok Technology Limited and TikTok Information Technologies UK Limited) acts as an independent controller in relation to the processing carried out on the TikTok platform.
We do not record and do not have access to the personal data of individuals who merely view our videos on TikTok; accordingly, we do not disclose such data to third parties. The Clinic’s TikTok account is accessible only to the Clinic and authorised staff.
We do not have access to the target audience data used by TikTok for ad delivery, nor do our processors.
For data subjects using TikTok within the European Economic Area, the primary relationship is with TikTok’s European group entities. Nevertheless, under TikTok’s policies, personal data may be transferred to third countries, including Singapore and the United States, where protection may be different from that afforded by the GDPR. TikTok states that it applies the Standard Contractual Clauses under Chapter V GDPR to such transfers.
Your rights in relation to TikTok’s processing are governed by TikTok’s privacy rules.
If you wish to exercise any data subject rights against the Clinic, or if you believe a data protection incident has occurred, please contact us using the contact details above.
If you submit a rights request by e-mail, we may ask you to verify your identity prior to fulfilling the request.
You may also lodge a complaint with your local data protection authority. In Hungary, this is the Hungarian National Authority for Data Protection and Freedom of Information (NAIH):
E-mail / Postal address: ugyfelszolgalat@naih.hu, 1363 Budapest, Pf.: 9.
TikTok’s Data Protection Officer can be contacted via TikTok’s dedicated interface (“Contact the Data Protection Officer” on TikTok).
Budaörs, 2023
Privacy information regarding GentleDent Service Kft.’s presence on social media
GentleDent Service Kft. maintains pages/channels on social networking platforms (in particular Facebook and Instagram) to inform interested users and customers about existing and new products, services, news and promotions.
This document informs you about the categories of personal data processed by GentleDent Service Kft. (the Controller), the related practices, the measures taken to protect personal data, and how you may exercise your rights.
Please note that, for the purposes of the platforms, the Controller and the platform provider qualify as joint controllers, and the platform provider’s privacy policies and data-processing principles also apply (see the platform links below).
| Field | Details |
|---|---|
| Controller | GentleDent Service Kft. |
| Tax No. | 27509650-2-13 |
| Company Reg. No. | 13-09-227981 |
| Registered Address | 2040 Budaörs, Domb utca 25–27, ground floor 4. |
| Phone | +36 30 504 8516 |
| E-mail | info@gentledent.hu |
| Website | gentledent.hu |
GentleDent is a private healthcare provider. Examinations are performed within private care and are not publicly funded. Patients voluntarily seek our services and choose the treatments they wish to receive. All Patients interacting with our Clinic encounter the same data-processing practices.
Through social-media platforms, users (interested individuals) may view the Controller’s page/channel, like or share posts, leave comments, or send messages. The purpose of processing is to respond to the user’s message or comment.
On social-media platforms, the legal basis for processing is the data subject’s consent (Article 6(1)(a) GDPR). Users may delete their own messages, shares, or comments at any time on a voluntary basis.
Personal data displayed on the interested user’s public profile (in particular, the profile name and, where shown, the profile image), to the extent enabled by the user’s platform settings.
Until a response has been provided to the user’s message or comment. The Controller does not engage in any further, off-platform processing (including keeping separate records of responses or downloading comments).
In addition, the platform’s privacy rules and settings determine the storage period and processing. Data displayed on the Controller’s fan page are processed by the Controller until the page is deleted or a deletion request is fulfilled.
Messages sent by the user are processed by the Controller. User posts and likes may be visible to readers of the Controller’s social-media account and to other users, depending on the platform’s settings and privacy rules.
Platform provider / joint controller: Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland); Website: https://www.facebook.com/
The Controller enables all data-subject rights in respect of processing that it directly performs and can influence on the platform (in addition to the platform’s own privacy rules), with particular regard to the right to information, right of access, and right to erasure.
By means of this Notice, the Controller provides concise, transparent, intelligible and easily accessible information regarding the processing of personal data.
You may request confirmation from the Controller as to whether your personal data are being processed. If so, you have the right to access the personal data and the following information:
You may request a copy of the personal data undergoing processing. The Controller may charge a reasonable fee for additional copies. If the request is made electronically, the information will be provided in a commonly used electronic form (e-mail), unless you request otherwise.
You may request:
The Controller will act without undue delay and will notify all recipients to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. Upon request, the Controller will inform you about those recipients.
You may request erasure of personal data without undue delay where:
Erasure may be refused where processing is necessary for: freedom of expression and information; compliance with a legal obligation or performance of a task carried out in the public interest or in the exercise of official authority; public interest in the area of public health; archiving in the public interest, scientific or historical research or statistical purposes; or the establishment, exercise or defence of legal claims. Where feasible, the Controller will notify recipients of the erasure upon your request.
Upon your request, the Controller will restrict processing where:
During restriction, data may be processed only with your consent; for legal claims; to protect the rights of another person; or for important public interest. You will be informed in advance if a restriction is lifted. Where feasible, the Controller will notify recipients of the restriction upon your request.
You may receive the personal data concerning you, which you have provided to the Controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller; where technically feasible, you may request direct transmission between controllers.
You may object at any time to processing carried out for the purposes of the Controller’s or a third party’s legitimate interests, including profiling based on those provisions. The Controller will no longer process the data unless it demonstrates compelling legitimate grounds which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
If your rights are infringed, you may bring an action before a court. You may initiate the proceedings, at your choice, before the court having jurisdiction over your place of residence or place of stay.
You may lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH):
1055 Budapest, Falk Miksa u. 9–11.; 1363 Budapest, Pf. 9.; https://www.naih.hu/; ugyfelszolgalat@naih.hu
You may submit requests to exercise your rights using the Controller’s contact details above. The Controller will inform you of the action taken within one month of receipt of the request. If necessary, this period may be extended by two further months; you will be informed of any such extension and the reasons for the delay within one month of receipt of the request. If the request is submitted electronically, the response will also be provided electronically unless you request otherwise. If the Controller does not act on your request, you will be informed within one month of the reasons and of your rights to lodge a complaint and seek judicial remedy.
Budaörs, 2023
GentleDent Dental Clinic – Privacy Notice on the Electronic Surveillance System (CCTV)
This Privacy Notice (the “Notice”) is issued by GentleDent Service Kft. (the “Controller”) to ensure transparency and accountability in its personal data processing.
To this end, the Controller maintains a record of disclosures (making personal data available to third parties), which enables the Hungarian National Authority for Data Protection and Freedom of Information to verify compliance with applicable requirements. This Notice provides information on data processing carried out in relation to the electronic surveillance system operating on the Controller’s premises.
This Notice has been prepared with due regard to the GDPR, Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Infotv.), and other laws relevant to the operation of electronic surveillance systems. A list of legislation and related documents is set out in Annex 1 to this Notice, and key definitions are provided in Annex 2.
This Notice is effective from 1 December 2022 until revoked, in respect of processing carried out in connection with the electronic surveillance system operating on the Controller’s premises. A printed copy is available at the Controller’s registered office.
The Controller reserves the right to amend this Notice unilaterally at any time. Any amendments will be communicated on site to visitors.
Budapest, 1 January 2024
GentleDent Service Kft.
This Notice includes the Controller’s identification and contact details. The identification and contact details of processors are set out in Annex 3.
The cameras operating on the Clinic’s premises serve to protect the company’s property and the life and physical integrity of natural persons present on the premises, while processing the images and actions (personal data) of natural persons within their field of view.
The provisions of this Notice do not apply to data relating to non-natural persons.
The Controller operates an electronic surveillance system comprising analogue and IP cameras that allows live monitoring and recording in private areas under its control and in publicly accessible parts of such private areas.
The primary purpose of operating the cameras is to prevent, detect and identify unexpected events and incidents. Cameras are not operated in places where monitoring would infringe human dignity—in particular changing rooms, washrooms or toilets.
Purpose of Processing
Protection of life and physical integrity and property, in particular the prevention and deterrence of unauthorised entry into monitored areas, theft and other criminal acts, and the identification of such acts.¹
Personal Data Processed
Image (likeness) of any person entering the monitored area (patient, companion, persons working for or on behalf of the Controller, visitors); actions visible on the recording; date and time of the recording.
Source of Personal Data
The movements and actions of the Data Subject within the monitored area.
Legal Basis for Processing
The Controller’s legitimate interests under Article 6(1)(f) GDPR.
The Controller has carried out the required legitimate-interest balancing test. The Controller’s primary legitimate interests include: (i) identification of persons committing unlawful acts and the ability to take necessary legal steps; (ii) in the event of an accident or damage, establishing who bears responsibility; and (iii) clarifying, where complaints are made against staff, whether staff have breached duties arising from generally accepted social expectations.
Storage Period
Recordings are stored by the IT system for 10 days, after which the system automatically deletes them by overwriting.
Persons Authorised to Access
Designated personnel employed by the Controller for this task.
Categories of Data Subjects
All persons entering the area under camera surveillance.
Data-Subject Rights
Right of access, rectification, erasure, and restriction of processing.
Notice: The Data Subject may object at any time, on grounds relating to his/her particular situation, to the above processing via any of the contact details provided.
¹ Life and property protection. The CCTV system is applied by the Controller as the most effective means available to protect life and property, ensure personal safety, detect/uncover infringements, and prevent and evidence unlawful conduct.
The monitored areas, the number of cameras placed therein and the exact retention periods for the recordings are specified in Annex 4 to this Notice.
Personal data processed for personal and property protection may be accessed primarily by the Controller’s designated employees and by X Védelem Kft., which is responsible for maintenance of the electronic surveillance system. Where court or other authority proceedings are initiated and data transfer to the competent authority is necessary, courts or authorities may also gain access to the personal data.
The Controller, its processors and their employees are authorised to access personal data recorded by the electronic surveillance system only to the extent necessary to perform tasks related to the protection of life, physical integrity and personal freedom, the guarding of hazardous substances, and property protection. The Controller and its processors adopt all security, technical and organisational measures necessary to guarantee data security. The Controller has conducted a data-protection impact assessment for processing carried out under the surveillance system.
Access to the closed system used for recording and transmitting images is role-based and person-specific. The principle of least privilege applies: each user may use the system only to the extent and for the duration necessary to perform his/her duties. Access rights are granted only to persons not subject to restrictions for security or other reasons (e.g. conflicts of interest) and who possess the professional, business and information-security knowledge required for secure use.
Employees of the Controller and the processor(s) sign written confidentiality undertakings and must comply with such obligations during work.
The buildings and rooms used by the Controller—and the data processed and stored therein—are protected by appropriate physical and logical security (e.g. alarm systems, grilles, access-controlled entry systems, fire-protection systems).
Images recorded by the surveillance system are stored on a dedicated server located in a secure room designed for this purpose.
To ensure confidentiality, integrity and availability, personal data recorded by the system are stored in a password-protected database. Network, infrastructure and application-level protections (including firewalls, anti-virus tools and encryption mechanisms for storage and transmission) are applied. The Controller continuously monitors for data-protection incidents.
The Controller endeavours to ensure that its IT assets and software meet generally accepted technological standards. Systems are designed so that logging enables control and traceability of operations and detection of incidents, such as unauthorised access.
The Controller aims to ensure that its processing complies with the principles of fairness, lawfulness and transparency. You may request information on the processing of your personal data, request rectification or erasure, withdraw consent (where applicable), exercise data portability (where applicable), and object. To help you understand your rights and how to exercise them, please see below.
Pursuant to Section 28(2)(c) of Act CXXXIII of 2005 on the Rules of Personal and Property Protection and Private Investigation (Szvtv.), the Controller places clear and visible warning signs informing third parties that an electronic surveillance system is in operation. A sample sign is included in Annex 6.
Further, pursuant to Section 28(2)(d) Szvtv., an information notice is placed at each building entrance stating: the purposes of recording and storing images, the legal basis, the location and duration of storage, the operator, the persons authorised to access the data, and the rights of Data Subjects and how to exercise them.
Upon request submitted via the Controller’s contact details, you may obtain access to your personal data processed by the Controller, including information on:
You may also request a copy of the recording containing your personal data. This is possible only if you indicate the specific date and a two-hour time window during which you entered the monitored area.
Important: Providing a copy must not infringe the fundamental rights and freedoms of others. Accordingly, the Controller will mask/obscure any data in the recording relating to other natural persons, where you have no legitimate interest in processing those data.
Important: Under Section 31 Szvtv., the Controller must keep a log of the reason and time of any access to recorded images and the identity of the person accessing them.
You may request rectification of inaccurate personal data and completion of incomplete data. For CCTV data, this typically concerns metadata (e.g. correcting the recording date or time if improperly recorded). The content of the image itself cannot be altered. Where necessary information is unavailable, the Controller may request supporting information; pending provision, processing will be restricted (other than storage).
You may request erasure of personal data where:
If the Controller determines that the conditions for erasure are met, it will cease processing and destroy the data. Erasure may also be required where you object successfully or where a legal obligation so provides.
You may request restriction where:
The Controller will automatically restrict processing where you contest accuracy, for the period necessary to verify accuracy.
During restriction, personal data may not be processed other than for storage, except where:
You may object at any time to CCTV processing. The Controller will assess whether, at the time of objection, there exist compelling legitimate grounds which override your interests, rights and freedoms, or whether processing is necessary for legal claims. If the Controller cannot demonstrate such grounds, your personal data will be deleted.
The Controller will inform you without undue delay and within one month of receipt of your request of the action taken. Considering the complexity and number of requests, this period may be extended by two further months; you will be notified of any extension within one month, together with reasons.
If the Controller does not act on your request, you will be informed within one month of the reasons, and of your right to lodge a complaint with a supervisory authority and to seek judicial remedy.
Responses will be provided in the form you specify. If you submit your request electronically, the response will be provided electronically, unless you request otherwise. Information and actions are provided free of charge.
The Controller will notify all recipients to whom personal data have been disclosed of any rectification, erasure or restriction, unless this proves impossible or involves disproportionate effort. Upon request, the Controller will inform you of such recipients.
To fulfil your request, the Controller must verify that the request is made by the rightful person. This may require you to appear in person at the Controller’s registered office for identification.
If you believe the Controller has processed your personal data unlawfully or otherwise contrary to applicable law, or has failed to act on your rights request, you have several remedies:
Budapest, 1 January 2024