HU-1123 Budapest, Alkotás utca 53. MOM park II. emelet   

Data Protection and Handling Policy


Data Protection and Handling Policy of the Patients of MOM Szent Magdolna Private Hospital Kft.



  • Purpose of data handling
  • Scope of data handling
  • Data protection organization
  • Scope of data handled
  • Legal base of data handling
  • Duration of data handling
  • People involved in data handling, data transmission
  • Data processing
  • Rights of affected persons
  • Data protection incident management
  • Remedies
  • Other provisions



Purpose of data management:

The purpose of these Rules is to ensure the European Parliament and Council Regulation 2016/679 (hereafter referred to as GDPR) and CXII of 2011 on Information and the Self-Determination Law (hereafter: Info tv), are data protection principles applied by the above mentioned Health Institution, according to the Institute’s data protection policy. In all areas of the service provided by the Institution, patients are guaranteed the protection of their rights and information regarding the management of their data. Scope:The Scope applies to the protection of the personal and special data of each patient who establishes a relationship with the Institute within the Institution.

Privacy Organization:

–          Data handler

–          Data processor

Data Handler: is a natural or legal person that determines the purpose, legal basis and means of handling personal data individually or with others. Name of the Institution as data controller: Name: MOM Szent Magdolna Magánkórház Kft. Head office: 1123 Budapest Alkotás út 53. Phone: + 36-1 / 7333-444, + 36-70 / 240-6868 E-mail address: Data processer: a natural or legal person or any other body that manages personal data on the order of the data controller and on its behalf performs the technical tasks related to data management. Name of the data processor: The internal worker of the Institution, who manages the Personal and Special Data of the Patients on the basis of the instructions and authorization of the Head of the Institution, and performs the technical tasks related to data management, is a processor.

Treated data range:

–          personal data of patients

–          specific details of patients

–          Technical details

–          cookie

–          telephone data management

Personal Information: GDPR Article 4. Any data, information or factor relating to an identified or identifiable natural person (“affected”) with which the natural person can be identified. These are in particular: data referring to the physical, physiological, genetic, spiritual, economic, cultural, and social identity of a person, or name, number, location data, online identity. Personal data management also includes the taking of photographs, sound, image capturing and personal identification of physical attributes. Special Data: GDPR Article 9. Personal data includes data referring to racial ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and genetic, biometric data, health data, natural persons’ sexual life and sexual orientation to identify natural persons individually. The handling of this data is only possible with the sole consent of the natural person concerned. If the person concerned refuses the consent, the handling of the special data indicated above is forbidden. Technical details: Technically recordable data during the operation of the system: the data of the patient’s computer generated by the use of the service and recorded by the Institution system as an automatic result of the technical processes. The data that will be automatically recorded upon logging into and out of the system, without the specific statement or action of the Person. These data cannot be linked to other personal user data. The data is only accessible to the Institution.

Visits on the Website will send one or more cookies to a visitor’s computer, that is, a small file containing a string of characters that will allow the browser to be uniquely identified. These Cookies are provided by Google and are used through Google Analytics. The cookies will only be sent to the visitor’s computer if they visit some sub-pages, so in this case we store only the actual visit and the time of visiting that sub-page, any other information or data are not stored.

Cookies Applied:

1 / Temporary Cookie: Automatically deleted after the person visits. These cookies are designed to help the Institute’s website work more efficiently and safely, so they are essential so that some features of the website or some applications work properly.
2. / Persistent cookie: a constant cookie is used by the Service Provider for a better user experience (eg providing optimized navigation). These cookies are stored for longer in the browser cookie file. The duration depends on the setting applied by your affected web browser.
3. / a cookie used for password-protected sessions.
4./Security cookie: External servers help independently measure and audit Site and other web-analytic data on the Website (Google Analytics). Data controllers can provide detailed information about the handling of measurement data to the affected party. They can be reached at If you do not want Google Analytics to measure the above data for the purpose and purpose described, install the blocking plugin in your browser.

5./The “Help” feature in most of the browser’s menu bar provides you with information about your browser how to disable cookies, how to accept new cookies, or how to instruct your browser to set a new cookie orturn off other cookies. Phone Data Management: The Institution maintains a telephone customer service during which customer service conversations are recorded in order to enable the Institution to reconstruct events in case of a dispute Upon initiating the call and contacting the Institution, the patient voluntarily agrees to Infotv. and after having provided information on this Privacy Policy, the Institution shall record a telephone conversation with the Customer Service. The institution informs the caller or other person before the conversation that the conversation is being recorded.

By providing brief information on the telephone, the Institution is able to allow the User to decide whether:

1 / whether to allow his / her conversation with the customer service to be recorded;
2 / whether to agree on a telephone interview with the person concerned, personal and special data relating to the subject will be recorded, stored by the Institution, possibly handled at the express request of the person concerned. If you do not want the phone conversation to be recorded or the Institution to handle your data, you have the option to interrupt the call and contact the Provider by email or mail. The Service Provider stores the recording for 30 days from the recording of the telephone conversation. In the event that the Subject uses obscene terms, insults the Customer Service Officer or the Institution, the Institution is entitled to interrupt the call.

Legal basis for handling data: 

–          Patients’ exclusive consent
–          Compliance with legal obligations
–          Institution, Patient, third party’s legitimate interest Consent of patients (affected):
According to the GDPR Decree, the consent of the Participants must be voluntary, specific, informative and unambiguous. In the case of special categories of personal data – health data – the consent must be explicit, in addition to the above. To fulfill a legal obligation: The handling of personal and special data recorded and stored in the system of the Institution is necessary for the fulfillment of the obligations of the Institution as Data Handler Union and domestic legislation.


Institution, Patient, third party’s legal interest:

The legal handling of personal and special data is the legal interest of the Institution, patient, third person, since there is an electronic camera system in the Institution that is capable of producing and storing images and phonograms. The goal of the camera system is personal and property protection, protection corporate secrecy, clarifying the facts in the event of a dispute.

Data management duration:

Pursuant to Article 17 (1) of the GDPR Regulation: data processed by the Data Controller (Institution) at the request of the Affected Person (s), unless there is no legal basis for data processing, only the consent of the person concerned, the personal data relating thereto shall be deleted without undue delay from the database.

Pursuant to Article 17 (3) of the Regulation, if the personal data processed is necessary for enforcement or for the purpose of accountability for the authority, data handling may be carried out on the basis of a legally binding obligation or a legitimate interest despite its request of the Patient. As stated above, the Institution fulfills the legal obligation as a legal basis, according to the Health Establishment Patient data protection. The Institution shall keep the personal and special data stored by the institution for 30 years from the date of recording of the data.

Institution, Patient, third party’s legitimate interest as a legal basis:

  • telephone conversations will be deleted on the 30th day after the recording of the conversations
  • in the case of data recording with the electronic observation system, the recorded data will be erased on the 30th day after the recording date.

The circle of people knowing data, the transferring of data Primarily, the internal staff of the Institution are authorized to know the information. Information pertaining to the treatment of the patient will be transferred to the necessary medical institutions and authorities if needed. The legal basis for the transfer of data is the legal obligation of the Institution based on the law. Data processing Patients’ personal and health data (special data) are processed and stored with the express consent of the patients. The processing of the data is done by the internal staff of the Institute. The data may be stored in a computer-encrypted system, or on paper base, securely stored and inaccessible by an unauthorized third-party.

Rights of the Affected (Patients) Transmitting of transparent information: Patient’s fundamental right is the right to proper and transparent information, which is the responsibility of the institution. The information must be provided to the patient free of charge in an understandable way. If the patient requests information, he or she must be provided without undue delay, but within 30 days. Right of Access: According to the right of access, the Data Controller (Institution) must, at the request of the patient, provide a copy of the personal data subject to data processing to the patient. Right to data storage: Subject to the right to data storage, the Affiliate (Patient) is entitled to receive the data provided to him by the Institution as a Data Controller in a widely used, machine-readable format and also have the right to transmit this data to another Data Manager without this would prevent the Institution from blocking it. Right to rectify: Pursuant to this right, the patient is entitled to request that the Institution, without undue delay, corrects any inaccurate personal and special information concerning it. Right to deletion: If there is no other legal basis for data processing, the patient may request the deletion of personal and special data processed by the Institution and the omission of the data handling.

Right to protest: In the case of legitimate interest-based data handling, the Affected (Patient) may object in writing to further processing of his / her personal data. In this case, the Institution must demonstrate that it has a legitimate interest in further handling the relevant data.

Right to Restrict Data Privacy (Right to Block): The Affected Person is entitled to request that the Data Controller restricts the data management upon request if any of the following conditions are met:

–          affected party is contesting the accuracy of personal data
–          data handling is illegal but the data subject is opposed to the deletion of the data
–          the data controller no longer needs personal data for data processing, but the claimant requires them to submit, enforce, protect legal claims
–          the person concerned objected to a legitimate interest-based data management, in which case the restriction lasts until it is established that the legitimate interest of the data controller has priority

Managing a privacy incident:

Privacy incident: Privacy incidents include the unauthorized handling or processing of personal data, in particular unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction or damage.

Procedure for privacy incidents:

Privacy incident management is always the responsibility of the data controller.

  • categorizing the incident on the basis of the risk to the rights and freedoms of natural persons
  • to report the incident within 72 hours to the supervisory authority
  • take measures to eliminate or remedy the incident
  • found the parties responsible
  • informing of stakeholders


Remedies: Complaint Law: If the affected natural person considers that personal data processing on him does not comply with legal requirements, he may file a complaint with the National Data Protection and Information Authority, to the NAIH. The complainant may appeal against the decision of the NAIH with legal remedy. Claim for damages: Any person who is harmed by the violation of the Info Act and the Decree shall be entitled to claim compensation from the data controller and the data processor for the reimbursement of his or her property and non-material damage. The data controller and the data processor shall be exempt from liability if he or she proves that he or she is not liable in any way for the event giving rise to the damage.

Other provisions:
1. / The Institution obliges itself to that, if the Institution wishes to use the provided data for purposes other than the purpose of the original data collection, it shall inform the patient thereof and obtain the prior consent thereof or give patient the opportunity to prohibit the use.
2. The Institution obliges itself to ensure the security of the data and also to take technical measures to ensure that the data that are recorded, stored or managed is protected and that it does everything to prevent their destruction, unauthorized use and unauthorized modification. The Institution also agrees that any third party to whom the data may be transferred or forwarded also calls for compliance with this obligation.
3. / The Institution reserves the right to unilaterally modify these Terms and Conditions without prior notice to the Website of the Affected. Following the entry into force of the amendment, the Users will accept the changes to continue using the Website, as provided by the Institution on the website.