Terms and Conditions
1. SCOPE OF THESE TERMS AND CONDITIONS
1.1 These Terms and Conditions (hereinafter: "T&C") apply to the contracts concluded via purchases made on the website of Doktor24 Medicina Zrt. (headquarters: 1134 Budapest, Váci út 37., company registration number: 01-10-140606, hereinafter: Doktor24) through the Doktor24 Webshop.
1.2 The T&C and their inseparable annexes regulate, among other things, the ordering and purchasing process on the Doktor24 Webshop, payment terms, the content of contracts formed through online agreements, such as commission and other legal relationships, the provision of contractual performances, and the termination of contracts.
1.3 The personal scope of these T&C extends to all individuals who make purchases on the Doktor24 Webshop and to all those who receive the performance based on the purchase made via the Doktor24 Webshop.
1.4 These T&C are effective from December 1, 2024, and shall apply to contracts concluded thereafter.
- Call Center: The telephone customer service operated by Doktor24.
- Gift Card: A plastic card issued in accordance with this policy, entitling the holder to make purchases as defined herein.
- Issuer: Doktor24 Zrt. (registered office: 1134 Budapest, Váci út 37., 1st floor, tax number: 27277210-4-41).
- Consumer: A natural person acting outside the scope of their trade, profession, or business activity.
- Entitled Person: A natural person entitled to use a service based on a purchase or contract concluded via the Doktor24 Webshop.
- Doktor24 / Service Provider: Doktor24 Zrt. (mailing address: 1134 Budapest, Váci út 37., phone: +36-1/44-33200, e-mail: webshop@doktor24.hu), a private healthcare provider authorized to deliver human healthcare services.
- Doktor24 Medical Institution(s): Healthcare facilities currently operated by Doktor24. Up-to-date information is available on www.doktor24.hu.
- Doktor24 Webshop: The online store operated by Doktor24 Medicina Zrt., available at www.webshop.doktor24.hu.
- Buyer: A legal entity, an organization without legal personality, or a legally competent or partially competent natural person who purchases through the Doktor24 Webshop and enters into a contract with Doktor24.
- Client: Collectively refers to both the Buyer and the Entitled Person.
- Contract: A contract concluded electronically via purchase or order through the Doktor24 Webshop.
- Product and/or Service: Healthcare or other types of products and/or services provided by Doktor24 Zrt., available for purchase at any time through the Doktor24 Webshop.
- Service Fee: The purchase price/healthcare service fee set by the Service Provider and published in the Doktor24 Webshop (on the Doktor24 website).
3.1 Steps for concluding the contract / making a purchase:
- The Buyer accesses the website at https://webshop.doktor24.hu/.
- Selects the Product(s) and/or Service(s) and adds them to the “Cart”.
- Clicks the “Checkout” button on the “Cart” page.
- Delivery method: Only personal pickup is available. The Buyer can choose the location (facility) where they wish to receive or use the purchased service. Selecting a facility is not binding; the Buyer may collect/use the product or service at a location other than the one selected during the purchase process.
- Payment method: Payment is made via the Barion payment service.
3.2 Online credit card payments are processed through the Barion system. Credit card data is not shared with the merchant. The payment service provider, Barion Payment Zrt., is an institution supervised by the Central Bank of Hungary (Magyar Nemzeti Bank), license number: H-EN-I-1064/2013.
3.3 Registration is required for purchases. Registration requires providing an email address, password, and billing information.
3.4 Before purchasing, the Buyer must declare that they have read and accepted these Terms and Conditions and the Privacy Policy.
3.5 The Service Provider will send a confirmation email about the purchase.
3.6 Before finalizing the purchase (i.e. concluding the contract), the Buyer may modify the entered data and correct any errors by clicking the “Back” button.
3.7 The Contract does not qualify as a written agreement, but Doktor24 records and stores the details of the purchase, which remain accessible afterwards. The confirmation email sent after the purchase contains direct access to these Terms and Conditions and the details of the purchase.
3.8 The language of the Contract concluded through the purchase is Hungarian.
3.9 Doktor24 does not apply any code of conduct as defined under the law on the prohibition of unfair commercial practices against consumers.
3.10 Only individuals aged 14 or older may purchase as natural persons. If an individual under 14 places an order via the Doktor24 Webshop, the contract shall not be concluded.
3.11 Unless otherwise provided, the Contract is concluded for a fixed term necessary to fulfill the parties’ obligations (i.e., payment by the Buyer and provision of the Service by the Service Provider).
3.12 Unless otherwise provided, the product and/or service may be used for up to 1 year following payment (within the limitation period); in the case of a gift card, it must be used within 365 days from the date of purchase.
The Contract shall terminate:
- upon the expiration of the fixed term specified in Section 3.7;
- upon the dissolution of the Service Provider without legal succession or the revocation of its operating license;
- upon the death or dissolution without legal succession of the Entitled Person.
The Buyer and Doktor24 may terminate the Contract at any time by mutual written agreement.
Due to the fixed term nature of the Contract, ordinary termination is not permitted.
The Buyer may terminate the Contract with immediate effect by means of a unilateral written notice addressed to Doktor24 if:
- Doktor24 breaches its obligations under these Terms and Conditions (and the relevant annexes) and fails to remedy such breach despite being called upon to do so;
- Doktor24 unlawfully refuses to provide the service in violation of these Terms and Conditions (and the relevant annexes).
The Service Provider may terminate the Contract with immediate effect by means of a unilateral written notice addressed to the Buyer if:
- the Client breaches their obligations under these Terms and Conditions (and the relevant annexes) and fails to remedy such breach despite being called upon to do so;
- the Client presents themselves at a Doktor24 Medical Institution in a condition unfit for receiving healthcare services due to their own fault;
- the Client unjustifiably withdraws their consent to medical care or interrupts the examination without valid reason;
- the Client behaves in an offensive, rude, aggressive, or violent manner towards Doktor24 staff;
- the Client disturbs the peace or the medical services provided to other patients within the premises of a Doktor24 Medical Institution.
In the event of termination of the Contract for any reason, the Parties are obliged to settle all accounts with one another. Within this framework, the Buyer shall release the Service Provider from any obligations possibly undertaken towards third parties in connection with the performance of the Contract.
In the case of purchasing or ordering healthcare services via the Doktor24 Webshop, the Buyer is not entitled to the 14-day right of withdrawal/cancellation pursuant to Section 2(c) of Government Decree 45/2014 (II.26.).
6.1 Information on the Processing of Personal Data
6.1.1 The personal data provided by the Buyer during the ordering process is processed by Doktor24 for the purpose of concluding and fulfilling the Contract and providing the Service. The legal basis for data processing is the performance of the Contract (GDPR Article 6(1)(b)). The Buyer provides personal data to Doktor24 in connection with the Contract at the time of placing the order/purchase, without which the Contract cannot be concluded, and the Service cannot be provided. The purpose and legal basis of processing personal data generated during the provision of the Service is service provision and compliance with legal obligations (GDPR Article 6(1)(b) and Article 9(2)(h)).
6.1.2 Doktor24 is obliged by law to retain the personal identification and contact data provided at the time of order/purchase as part of the medical documentation for 30 years in case of healthcare service use. For other personal data not forming part of medical documentation, the retention period is 5 years; for accounting documents containing personal data, it is 8 years according to the Accounting Act (or 8+1 years for electronic invoices issued via szamlazz.hu). After these periods, personal data will be deleted or destroyed.
6.1.3 Doktor24 does not transfer personal data outside the EU and does not use the data for automated decision-making. For electronic payments, Doktor24 uses Barion Payment Zrt. [registered office: 1117 Budapest, Irinyi József utca 4-20, 2nd floor]. The data transferred includes name, email address, amount, date of payment, invoicing and delivery data. Details of data processing by Barion can be found in their Privacy Policy at: https://www.barion.com/hu/adatvedelmi-tajekoztato/
6.1.4 For issuing electronic invoices, KBOSS.hu Kft. [szamlazz.hu – registered office: 1031 Budapest, Záhony utca 7] is used. Data transferred include invoicing data, such as name, address, email, amount, and service description. Details of data processing by Szamlazz.hu can be found in their Privacy Policy at: https://www.szamlazz.hu/adatvedelem/
6.1.5 Regarding data processing by Doktor24, the data subject has the right to request information about the processing of their personal data, request correction of inaccurate data, request deletion, object to processing, request restriction of processing, withdraw consent, and exercise the right to data portability. To enforce these rights or for any questions, the data subject may contact the Data Protection Officer at Doktor24 (email: adatvedelem@doktor24.hu, postal address: 1134 Budapest, Váci út 37.), or lodge a complaint with the National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa u. 9-11., postal address: 1363 Budapest, Pf.: 9., email: ugyfelszolgalat@naih.hu, phone: +36 (1) 391-1400; website: http://naih.hu).
6.1.6 More detailed information about Doktor24’s data processing is available in the Privacy Policy on the Doktor24 website (www.doktor24.hu).
6.2 Complaints Handling
6.2.1 Complaints related to products and/or services purchased via the Doktor24 Webshop can be made as follows:
- Oral complaints:
  - In person: at Doktor24 Healthcare Institutions during opening hours.
  - By phone: via Doktor24 Call Center (recorded line): +36 1 4433200, on working days from 7 am to 8 pm.
- Written complaints:
  - In person or via a duly authorized representative by delivering a letter to Doktor24 Healthcare Institutions. If acting through a representative, the authorization must be in the form of a public document or a private document with full probative force.
  - By mail to: Doktor24 Medicina Zrt., 1134 Budapest, Váci út 37.
  - By email to: ugyfelkapcsolat@doktor24.hu
6.2.2 Detailed rules of complaints handling are contained in the complaints handling policy available at: https://www.Doktor24.hu/rolunk/panaszkezelesi-szabalyzat
6.2.3 For the purposes of the Contract, a written declaration made by email is also considered as written.
6.2.4 Contact details for submitting written declarations to the Service Provider:
- Email: webshop@doktor24.hu
- Postal address: 1134 Budapest, Váci út 37.
6.2.5 An email declaration is considered delivered when it becomes accessible to the recipient. A postal declaration is considered delivered at the date indicated on the return receipt; in case of refusal to accept, at the date of refusal; or, if marked ‘not collected’, ‘moved’, or ‘unknown recipient’, on the 5th day after dispatch. In case of personal or courier delivery, it is considered delivered at the time of handing over the item to a person authorized to receive it on behalf of the Client or Service Provider at the given address.
6.2.6 The Buyer may also turn to the National Consumer Protection Authority with general complaints (excluding data protection complaints). Contact details:
National Consumer Protection Authority
Address: 1088 Budapest, József krt. 6.
Postal address: 1428 Budapest, PF: 20.
Phone: +36 1 459 4800
Fax: +36 1 210 4677
Email: nfh@nfh.hu
6.2.7 The Buyer may also turn to the Budapest Conciliation Board with complaints. Contact details:
Budapest Conciliation Board
Address: 1016 Budapest, Krisztina krt. 99. I. floor 111.
Phone: +36 (1) 488 21 31
Email: bekelteto.testulet@bkik.hu
List of conciliation boards in Hungary available at: https://bekeltetes.hu/udvozlo
6.2.8 Complaints may also be submitted electronically to the consumer protection authority via the customer portal, using the appropriate form, which provides faster and more cost-effective administration.
7. Final Provisions
7.1 By concluding the online contract, the Buyer declares that they accept the terms and conditions of these GTC.
7.2 The present GTC applies to the online purchase and use of the Services. Matters not regulated herein shall be governed by applicable Hungarian laws, in particular Act CLIV of 1997 on Healthcare, Act V of 2013 on the Civil Code, and professional protocols and regulations applicable to healthcare service provision.
7.3 Doktor24 reserves the right to modify the content of these GTC at any time. The modified GTC will be published on www.doktor24.webshop.hu. Unless otherwise specified, the amended GTC shall apply to contracts concluded after its entry into force.
GENERAL TERMS AND CONDITIONS OF THE DOKTOR24 GIFT CARD
1. SCOPE
1.1 This appendix contains the specific provisions related to the Doktor24 Gift Card. Its subject-matter scope covers Contracts concluded by purchasing the Doktor24 Gift Card and the use of the card. Its personal scope extends to the Doktor24 Gift Card Buyer and the persons entitled to use the Doktor24 Gift Card (hereinafter: the Entitled).
1.2 This Appendix is effective as of December 1, 2024.
1.3 In matters not regulated in this Appendix, the provisions of the General Terms and Conditions (GTC) shall apply. The terms used in this Appendix shall have the same meaning as those defined in the GTC unless otherwise stated.
2. DEFINITIONS
2.1 Doktor24 Gift Card: A voucher issued by Doktor24 in physical form, which can be used for the services defined and under the conditions set forth in this Appendix.
2.2 Product and/or Service: The use of the Doktor24 Gift Card and the amount recorded on it for the utilization of healthcare services.
3. GENERAL RULES
3.1 The Doktor24 Gift Card can be purchased in the following ways:
- Electronically in the Doktor24 Webshop;
- At Doktor24 Healthcare Institutions.
3.2 Payment of the amount of the Doktor24 Gift Card can be made, in addition to the methods specified in the GTC, also by bank card, cash, or SZÉP card in the case of in-person purchase. The Gift Card cannot be purchased with another Doktor24 Gift Card.
3.3 The Doktor24 Gift Card is handed over to the Buyer/Entitled person in plastic card form.
3.4 The Service Provider is obliged to make the Doktor24 Gift Card available to the Buyer/Entitled only after receipt of the amount to be loaded.
3.5 The Doktor24 Gift Card can be purchased with a minimum amount of HUF 10,000. Above this amount, the Buyer is free to decide the amount to be loaded onto the card.
3.6 The Doktor24 Gift Card can be reloaded within its validity period via the Call Center.
3.7 One Buyer may purchase multiple Gift Cards.
3.8 The balance recorded on the Gift Card is credited and accounted for in Hungarian forints.
3.9 The amount recorded on the Gift Card cannot be redeemed for cash, and Doktor24 does not pay or credit interest on the amount. The Doktor24 Gift Card does not qualify as money or a security.
3.10 The Doktor24 Gift Card is non-refundable.
3.11 After receiving the Doktor24 Gift Card and its serial number, its management and safekeeping are the responsibility of the Client. In case of damage or loss of the card, the Buyer may request replacement or reissue at their own cost.
3.12 The Doktor24 Gift Card is valid for 1 calendar year from the date of loading, i.e., from the receipt of the card’s amount by Doktor24. The amount recorded on the card may only be used within the validity period.
3.13 The Contract is concluded for a fixed term, lasting until the full utilization of the amount recorded on the Doktor24 Gift Card but no later than the card’s validity period.
4. RULES FOR USING THE DOKTOR24 GIFT CARD
4.1 The Buyer may transfer the Doktor24 Gift Card to a natural person of their choosing; the card is not personalized and is therefore freely transferable.
4.2 The balance recorded on the Doktor24 Gift Card can be used only after handing over the card and its serial number. When booking the selected healthcare service or purchasing a product, the Buyer/Entitled must notify in advance that the payment will be made using the Gift Card.
4.3 The Service Provider is not obliged to verify or investigate whether the Doktor24 Gift Card was lawfully obtained by the user; therefore, Doktor24 is not responsible if the card or its serial number is used by someone other than the person the Buyer intended.
4.4 The balance recorded on the Doktor24 Gift Card can only be used for healthcare services provided by the Service Provider at Doktor24 Healthcare Institutions, and for products and services offered by Doktor24 affiliated companies as detailed in section 3.1. These include, in particular: outpatient care, diagnostic tests, laboratory tests, inpatient care, surgeries at Doktor24 Clinics and healthcare institutions, teleconsultations, e-prescription services, and Doktor24 webshop services and products.
4.5 The provisions of the GTC shall apply to the healthcare or other services and products obtained by using the balance recorded on the Doktor24 Gift Card, including their provision and utilization.
4.6 When booking a healthcare appointment, the Entitled must indicate if they intend to pay the fee for the healthcare service from the balance recorded on the Gift Card. In such cases, the payment shall be made by the Service Provider reducing the balance on the Gift Card by the amount of the booked service at the time of appointment booking. The current fees are published on the Service Provider’s website.
4.7 If the Entitled wishes to use a healthcare service that exceeds the amount available on the Doktor24 Gift Card, the difference must be settled by the Entitled.
5. RIGHT OF WITHDRAWAL AND TERMINATION
5.1 In case of purchase of the Doktor24 Gift Card via the Doktor24 Webshop, the customer qualifying as a consumer may withdraw from the contract within 14 days from the date of contract conclusion without any justification. If the Doktor24 Gift Card is activated and its use has begun within this period, the customer may terminate the contract.
5.2 The Buyer may exercise the right of withdrawal/termination by sending an unequivocal statement addressed to Doktor24 (postal address: 1134 Budapest, Váci út 37., or email: ugyfelszolgalat@doktor24.hu). The statement may be made using the template below in accordance with Government Decree 45/2014 (II.26.) Annex 2:
Recipient: Doktor24 Zrt., 1134 Budapest, Váci út 37., phone: 06-01/4433200, email: webshop@doktor24.hu
I/we, the undersigned, hereby declare that I/we exercise my/our right of withdrawal/termination regarding the purchase of the following product(s) or the contract for the provision of the following service(s):
Date of contract conclusion / date of receipt:
Name(s) of consumer(s):
Address(es) of consumer(s):
Signature(s) of consumer(s) (only if the statement is on paper):
Date:
5.3 Doktor24 shall refund the amount paid by the Buyer within fourteen days from becoming aware of the withdrawal. If the Gift Card was purchased at Doktor24 Healthcare Institutions or other service locations, the refund will be transferred to the bank account designated by the Buyer.
5.4 In case of termination after the use of the balance recorded on the card has begun, the unused balance shall be refunded within fourteen days from the awareness of the termination.
GENERAL TERMS AND CONDITIONS OF THE DOKTOR24 DISCOUNT CARD
1. SCOPE OF THE TERMS AND CONDITIONS
1.1 This Annex contains the conditions and rules for the services available on the Doktor24 website and their use. Its subject matter applies to all contractual relationships established by purchasing the Doktor24 Discount Card and the use of the discount card. Its personal scope extends to the owner of the Doktor24 Discount Card and the cardholder’s minor relatives.
1.2 This Annex enters into force on April 1 and remains valid until withdrawn.
2. DEFINITIONS
2.1 Service Provider: Doktor24 Medicina Zrt., (1134 Budapest, Váci út 37., company registration number: 01-10-140606, tax number: 27277210-4-41, contact: doktor24.hu) and the healthcare institutions operated by Doktor24 Medicina Zrt.
2.2 Doktor24 Discount Card: The Discount Card entitles its owner to use discounted services according to the terms of this GTC and other conditions set by the Service Provider (e.g., cancellation conditions, services not eligible for discount, etc.). The Discount Card is available either in a .pdf format sent by e-mail or as a physical card issued by Doktor24 after the subscription fee has been paid.
2.3 Product and/or Service: By registering and paying the subscription fee, the cardholder enters into a contractual relationship with the Service Provider. The Service Provider ensures that by presenting a valid Discount Card, the cardholder is entitled to the discount shown on the Discount Card for the services used at Doktor24 healthcare institutions. The discount does not apply to all services provided by Doktor24 healthcare institutions. The current discounts and services not eligible for discount can be found on the https://doktor24.hu website and the https://webshop.doktor24.hu webshop.
2.4 Cardholder: The individual who registers with the necessary data on the Doktor24 webshop and has financially fulfilled the subscription fee for the Discount Card, thereby holding a valid subscription.
2.5 Party, Parties: The Service Provider and the Cardholder individually are Parties, jointly: Parties.
2.6 Method of Service Use: After using the service at Doktor24 healthcare institutions, the Cardholder presents the card, which the Service Provider then verifies.
2.7 Subscription Fee: The subscription fee for the Discount Card, which is a prerequisite for acquiring the Discount Card. The subscription is valid for 1 year (365 days) from the payment of the subscription fee.
2.8 Discount: The percentage discount provided by the Service Provider applicable to services not designated as non-discountable by the Service Provider.
2.9 Non-discountable Services: Services that are not subject to the general discount provided by the Discount Card. The scope of non-discountable services is specifically indicated by the Service Provider on its website, booking system, and webshop.
3. GENERAL RULES
The contract between the Parties is concluded exclusively in electronic form. Hungarian law applies to this GTC, with particular regard to the provisions of Act V of 2013 on the Civil Code (“Ptk.”) concerning contracts concluded electronically.
The contract language is Hungarian, and in case of translation into a foreign language, the Hungarian version shall prevail.
The Cardholder concludes the contract entitling the use of the discount card by registering electronically in the webshop. The contract is established from the day the Cardholder provides registration data, accepts the GTC provisions, and the Service Provider activates the service. The Service Provider sends electronic notification to the Cardholder about the activation of the service, i.e., the contract formation.
The Cardholder acknowledges that if false data are provided during electronic registration or if the data do not belong to the Cardholder, the contract is invalid. In case of invalidity, the Cardholder is not entitled to the discounts provided by the Discount Card, and the Service Provider will not refund any amounts already paid.
The Service Provider’s task is to provide the Service to the Cardholder once the Cardholder fulfills the conditions for using the services as per the GTC: registering with true data, paying the subscription fee, and using services eligible for discount.
The Service Provider, as data controller, along with its data processing partner and staff, excludes liability for the consequences of providing false data.
The Service Provider reserves the right to modify the website’s content at any time or terminate access in compliance with this GTC.
The Parties are exempt from liability for partial or total failure to fulfill obligations under this GTC if due to force majeure. Force majeure includes events arising after acceptance of this GTC, which are extraordinary and unforeseeable, and could not be avoided by reasonable measures. Such events include floods, fire, earthquakes, other natural disasters, war, military actions, acts of authorities, or other circumstances beyond the Parties' control. The party aware of such an event must promptly notify the other party.
The Cardholder may request deletion of registration and termination of the contract with legal consequences according to the Privacy Policy. If the Cardholder breaches the contract terms, the Service Provider may delete the registration. The Service Provider reserves the right to terminate any part or the entirety of the Service, in which case the contract terminates automatically.
If the Service Provider terminates the service within the validity period, the Cardholder is entitled to a pro-rata refund of the subscription fee for the remainder of the validity period.
The Cardholder is not entitled to a pro-rata refund if they terminate the registration voluntarily or if the Service Provider terminates it due to breach of this GTC.
Name: Doktor24 Medicina Zrt.
Registered office: 1134 Budapest, Váci út 37, 1st floor
hereinafter referred to as the “Data Controller”.
Contact details of the Data Protection Officer appointed by the Data Controller
Name: Data Protection Department
Address: 1134 Budapest, Váci út 37, 1st floor
Phone number: +36-1-696-1230
Email address: gdpr@doktor24.hu
If you have any questions regarding this Notice, or if you wish to exercise your rights under this Notice, please contact the Data Protection Officer using one of the contact details above, who will be happy to assist you.
The Data Controller considers the provisions set forth in this Notice to be binding upon itself. The Data Controller undertakes to comply with all applicable laws concerning data processing, particularly Regulation (EU) 2016/679 of the European Parliament and of the Council on data protection (“GDPR”). The Data Controller reserves the right to amend this Notice at any time and will inform the Data Subject of any changes in a timely manner. Terms not otherwise defined in this Notice shall have the meanings assigned to them in the GDPR and other relevant legislation.
3.1. Appointment Booking
Purpose of data processing: appointment booking, i.e., receiving, modifying, canceling, and managing appointments, selecting and recording medical examination times, tracking appointments, planning healthcare services, and organizing patient pathways.
Legal basis for data processing: the data processing is necessary for the performance of a contract to which the Data Subject is a party, or to take steps at the request of the Data Subject prior to entering into a contract (GDPR Article 6(1)(b)). The contract between the Data Subject and the Data Controller can be concluded orally, by implied conduct, or in writing.
Appointment booking may involve the processing of certain special categories of personal data considered health data, the processing of which is based on GDPR Article 9(2)(h), as it is necessary for preventive or occupational medicine purposes, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services based on EU or Member State law or a contract with a healthcare professional.
Recipients with whom the Data Subject’s personal data may be shared or who may have access to the Data Subject’s personal data:
Employees of the Data Controller; companies providing appointment booking services, system administration, server services, system operation and development, and website operation services to the Data Controller as data processors, but only to the extent necessary to perform their tasks and only in accordance with data processing principles (especially purpose limitation and data minimization).
If the healthcare service related to the appointment booking is provided by another member of the Doktor24 Group, the Data Controller will forward the Data Subject’s data to the member of the Doktor24 Group that will actually provide the services. Members of the Doktor24 Group include: Doktor24 Medicina Zrt. [1134 Budapest, Váci út 37. 1st floor], Kastélypark Klinika Kft. [1145 Budapest, Törökőr utca 40.], OptoKid Kft. [1037 Budapest, Bokor utca 15-21. 2nd floor], Svábhegyi Országos Allergológiai, Immunológiai és Pulmonológiai Nonprofit Közhasznú Kft. [headquarters: 1037 Budapest, Bokor utca 17-21. 2nd floor 33.], Doktor24 Menedzsment Kft. [1134 Budapest, Váci út 37. 2nd floor].
The Data Controller does not transfer the Data Subject’s personal data to third countries or international organizations.
Duration of data storage: the Data Controller processes the data for one (1) year from the date of the booked appointment.
Providing personal data is necessary for the performance of healthcare services provided by the Data Controller. Consequence of failure to provide data: the Data Subject will not be able to book an appointment, and the Data Controller will not be able to provide healthcare services to the Data Subject.
The Data Controller does not apply automated decision-making when processing the Data Subject’s personal data.
Source of personal data: depending on who acts during the appointment booking, the source of personal data may be
- the Data Subject, or
- another person acting on behalf of the Data Subject (e.g., a relative, employer), or
- a company in legal relationship with the Data Controller (e.g., service organizer, insurer, appointment booking service provider).
The data are not obtained from publicly available sources.
Categories of processed data:
- identification data (e.g., name, address (residence, place of stay), place and date of birth, mother’s name),
- contact details (e.g., address, telephone number, email address),
- health data relevant to appointment booking (e.g., symptoms, medical history, social security number, attending physician, type of specialist examination, referral),
- data related to preferred payment method (e.g., expected fee of the examination, data related to discount cards issued by the Data Controller, health fund membership, insurer/service organizer booking ID or authorization code, entitlement to partial or full reimbursement by the insurer/service organizer and related co-payment amount),
- booked appointment date and location,
- name of the Data Subject’s employer (in case of occupational health suitability examination).
Categories of Data Subjects:
- private individuals to whom the Data Controller provides healthcare services.
3.2. Data Processing Related to the Provision of Healthcare Services
Purpose of data processing: Providing healthcare services to the Data Subject, whether outpatient or inpatient care, promoting the preservation, improvement, and maintenance of health, supporting the Data Controller’s effective treatment activities, and monitoring the health status of the Data Subject.
Legal basis for data processing: The data processing is necessary to fulfill legal obligations applicable to the Data Controller (in particular those specified in Act CLIV of 1997 on Health [“Eütv.”], Section 136; Act XLVII of 1997 on the Protection of Health Data and the Enforcement of the Rights of Patients [“Eüak.”], Sections 28–32/A, 35/A–35/O and its annexes; Government Decree 39/2016 (XII.21.) EMMI, Section 12(1); Act LVIII of 2020, Section 85) (GDPR Article 6(1)(c)).
The processing of special categories of personal data is based on GDPR Article 9(2)(h), since these data are processed for preventive health care purposes, medical diagnosis, provision of health care or treatment, or management of health care systems and services pursuant to EU or Member State law or a contract with a healthcare professional.
Recipients with whom the Data Subject’s personal data may be shared or who may have access to the Data Subject’s personal data:
- Employees of the Data Controller,
- Physicians and other healthcare staff involved in providing healthcare services on behalf of the Data Controller,
- Companies providing system administration, server services, system operation and development, and document archiving services to the Data Controller as data processors, but only to the extent necessary to perform their tasks and in compliance with data processing principles (especially purpose limitation and data minimization),
- Bodies and persons defined by law as data controllers, in cases and to the extent specified by law, including:
  - Other healthcare providers involved in the treatment of the Data Subject (e.g., laboratories, imaging service providers, tele-diagnosis service providers). Note: The Data Subject has the right to prohibit the transmission of health data related to their illness. However, in cases specified by law and in urgent need, health and personal identification data may be transmitted even against the Data Subject’s objection (Eüak. Section 10(2)-(4)),
  - Other bodies within the healthcare provider network upon request or in case of mandatory data reporting obligations prescribed by law (e.g., compulsory health insurance providers) (Eüak. Section 10(1)),
  - The National Hip and Knee Joint Endoprosthesis Implant Registry (Prosthesis Registry), to which the Data Controller is required to provide the personal identification data and legally specified health data of patients who have undergone hip or knee joint endoprosthesis implantation or replacement, for further treatment and monitoring (Eüak. Section 16/B(1)),
  - Persons authorized to access the health data of the Data Subject (e.g., a person authorized in writing) (Eüak. Section 4(4)-(7)),
  - The body operating the Electronic Health Service Space (“EESZT”) (Eüak. Sections 35/A–35/O, Government Decree 39/2016 (XII.21.) EMMI Section 12(1)),
  - Patient rights representative (Eütv. Section 31),
  - Bodies outside the healthcare provider network upon request or as required by law (e.g., courts, prosecution, investigative authorities) (Eüak. Sections 23–27).
The Data Controller does not transfer the Data Subject’s personal data to third countries or international organizations.
Duration of data storage: The Data Controller records the health data related to the Data Subject in medical documentation, whose mandatory retention period is defined by applicable laws. Accordingly, the Data Controller is obliged to keep the medical documentation of the Data Subject — except for imaging diagnostic records and reports — for 30 years from data recording, and the discharge summary for 50 years. Imaging diagnostic records must be kept for 10 years from their creation, and the related reports for 30 years (Eüak. Section 30).
Provision of health and personal identification data by the Data Subject is voluntary, except for those mandatory for receiving healthcare services and those specified in Eüak. Section 13 (e.g., infectious diseases, occupational health examinations – preliminary, periodic, extraordinary, final). Please note that if the Data Subject voluntarily seeks healthcare services, their consent for processing health and personal identification data related to treatment shall be presumed unless stated otherwise.
Providing personal data is necessary for the provision of healthcare services by the Data Controller. Consequence of failure to provide data: The Data Controller will not be able to provide healthcare services to the Data Subject.
The Data Controller does not apply automated decision-making when processing the Data Subject’s personal data.
Source of personal data:
- The Data Subject,
- Another person acting on behalf of the Data Subject (e.g., an authorized representative),
- A company in legal relationship with the Data Controller (e.g., service organizer, insurer, appointment booking service provider),
- Other healthcare providers involved in the Data Subject’s treatment (e.g., referring physician, family doctor, laboratories, imaging service providers),
- EESZT, as the patient cannot be required to present or verify health data available in the EESZT during treatment.
The data are not obtained from publicly available sources.
Categories of processed data: Recording health data is part of the treatment. The treating physician decides, according to professional rules, which health data, in addition to mandatory data, must be recorded to achieve the purposes of data processing (Eüak. Section 9(1)).
The scope of mandatory data is defined by relevant laws and must be recorded or preserved as part of the medical documentation.
- Identification data (e.g., name, address (residence, place of stay), place and date of birth, mother’s name),
- Health data (e.g., medical history, diagnosis, name of illness, performed procedures, medication or other therapy, social security number, European Health Insurance Card number, name of the healthcare worker making the entry, medical findings, imaging records, nursing documentation),
- Other special categories of personal data, e.g., racial or ethnic origin, sexual life or orientation, if relevant to healthcare service provision,
- Employment or job-related data, if relevant to healthcare service provision.
Categories of Data Subjects:
- Private individuals receiving healthcare services from the Data Controller,
- Persons authorized to access health data (Eüak. Section 7(4)),
- Persons authorized to make declarations on behalf of the patient (Eütv. Section 16).
3.3 Data Processing Related to Occupational Health Services
Purpose of data processing:
Provision of occupational health services, especially performing job-related, professional, and personal hygiene suitability examinations (e.g., initial, periodic, extraordinary, final), initiating the necessary specialist medical examinations, reporting and investigating occupational diseases and cases of increased exposure.
Legal basis of data processing:
Data processing is necessary for the data controller to fulfill legal obligations (GDPR Article 6(1)(c)). The legal obligations are mainly prescribed by the following laws: Act CLIV of 1997 ("Eütv.") Section 136, Act XLVII of 1997 ("Eüak.") Sections 28-32/A, 35/A-35/O and their annexes, Government Decree 39/2016 (XII.21.) EMMI Section 12(1), Act XCIII of 1993, Act XLII of 1999, Government Decree 89/1995 (VII.14.), NM Decrees 33/1998 (VI.24.), 27/1995 (VII.25.), 27/1996 (VIII.28.), 33/1998 (VI.24.), EüM Decrees 50/1999 (XI.3.), 61/1999 (XII.1.), ITM Decree 5/2020 (II.6.), EüM Decrees 26/2000 (IX.30.), NGM Decree 10/2016 (IV.5.), EüM Decree 22/2005 (VI.24.), EüM Decree 66/2005 (XII.22.).
Processing of special categories of personal data is based on GDPR Article 9(2)(h), as such data processing is necessary for preventive or occupational health purposes, assessing the employee’s work capacity, establishing medical diagnoses, providing healthcare or treatment, or managing healthcare systems and services, based on Union or Member State law or a contract with a healthcare professional.
Recipients with whom the personal data of the data subject may be shared or who may have access to the personal data:
Employees of the Data Controller, doctors and other healthcare staff involved in the healthcare services provided by the Data Controller, enterprises providing system administration, server services, system operation and development, and document archiving services as data processors, but only to the extent necessary for their tasks and in accordance with data processing principles (especially purpose limitation and data minimization).
Statutorily designated bodies and persons as data controllers, in legally specified cases and scope, especially:
- Other healthcare providers involved in the treatment of the data subject. Note: The data subject has the right to prohibit the transmission of health data related to their illness. However, in cases specified in Section 13 of Eüak. and in urgent need, data may be transmitted despite the data subject’s prohibition (Eüak. Sections 10(2)-(4)).
- Other entities within the healthcare network upon request or statutory data reporting obligations (e.g., mandatory health insurance providers) (Eüak. Section 10(1)).
- Persons authorized to access health data on the data subject’s side (e.g., persons authorized in writing) (Eüak. Section 4(4)-(7)).
- The entity operating the Electronic Health Service Space ("EESZT") (Eüak. Sections 35/A-35/O, Government Decree 39/2016 (XII.21.) EMMI Section 12(1)).
- Patient rights representatives (Eütv. Section 31).
- Entities outside the healthcare network upon request or statutory data reporting obligations (e.g., courts, prosecutors, investigating authorities) (Eüak. Sections 23-27).
If the data subject’s employer changes the occupational health service provider, the Data Controller transfers the documents necessary for the occupational health tasks, including the contained health and personal data, to the new occupational health service provider (Government Decree 89/1995 (VII.14.) Section 2(5), NM Decree 33/1998 (VI.24.) Section 14(7)).
The suitability opinion and any work-related restrictions are communicated by the Data Controller to the data subject’s employer on the prescribed form by law (NM Decree 33/1998 (VI.24.) Section 13(5)). No other health data are shared with the employer, who cannot access the data subject’s health documentation nor request copies.
The Data Controller does not transfer the personal data of the data subject to third countries or international organizations.
Retention period of personal data:
If the Data Controller is the first-instance body assessing job or professional suitability, it retains the health documentation related to occupational health services for at least 30 years from data collection—40 years in case of employees exposed to biological factors (NM Decree 33/1998 (VI.24.) Section 14(6)).
Provision of data based on legal obligation:
According to Eüak. Section 13(b), the data subject (or their legal representative) is obliged to provide their health and identification data upon the healthcare provider’s request if necessary for job-related or professional health suitability examinations (initial, periodic, extraordinary, final).
Consequence of failure to provide data:
Occupational health services cannot be provided, meaning the data subject cannot be employed in the given job, receive professional training, work in the work area, or perform activities (NM Decree 33/1998 (VI.24.) Section 16).
The Data Controller does not apply automated decision-making based on the data subject’s personal data.
Source of personal data:
- The data subject, or
- The employer in a contractual relationship with the Data Controller, or
- Other healthcare providers involved in the data subject’s treatment (e.g., laboratories, imaging service providers), or
- EESZT, since the data subject cannot be required to present health documentation or data that are available in the EESZT during treatment.
The data do not originate from public sources.
Scope of processed data:
The employer must provide the Data Controller all job and workplace data deemed necessary for the evaluation or requested by the evaluator (NM Decree 33/1998 (VI.24.) Section 15(6)).
The mandatory data to be collected are defined by relevant legislation and must be recorded or retained as part of the health documentation.
- Identification data (e.g., name, address (residence, temporary address), place and date of birth, mother’s name),
- Health data (e.g., medical history, diagnosis, disease name, performed interventions, medication or other therapies, Social Security Number, name of the health professional making the entry, employee’s health record, vaccination data),
- Data related to the employer, workplace, job, working conditions, profession.
Categories of data subjects:
- Individuals involved in occupational health services,
- Persons authorized to access health data (Eüak. Section 7(4)),
- Persons authorized to act on behalf of the patient (Eütv. Section 16).
3.5 Data Processing Related to Invoicing, Taxation, Accounting Obligations, and Settlements Connected to Contracts with the Data Controller
Purpose of data processing:
To enable the fulfillment of contracts between the Data Controller and the Data Subject, and between the Data Controller and other parties (e.g., employer, National Health Insurance Fund, insurer, health fund, care organizer), to carry out settlements based on these contracts, and to fulfill accounting and taxation obligations.
Legal basis of data processing:
- For fulfilling taxation and accounting obligations: data processing is necessary for the Data Controller to comply with legal obligations (e.g., Act CXXVII of 2007 on VAT, Section 159; Act C of 2000 on Accounting, Section 12) (GDPR Article 6(1)(c)).
- For carrying out settlements: legitimate interest of the Data Controller and contracted parties (e.g., employer, National Health Insurance Fund, insurer, health fund, care organizer) (GDPR Article 6(1)(f)). This legitimate interest is to execute settlements related to contracts between the Data Controller and these parties.
NOTE: The Data Subject may object to data processing based on legitimate interest. In such cases, the Data Controller will assess if overriding legitimate grounds exist that outweigh the Data Subject’s interests, rights, and freedoms, or if the processing is necessary for legal claims.
Processing of special categories of personal data is based on GDPR Article 9(2)(h), as such data processing is necessary for preventive healthcare purposes, establishing medical diagnoses, providing healthcare or treatment, or managing healthcare systems and services, according to Union or national law or under contract with a healthcare professional.
Recipients who may receive or access the Data Subject’s personal data:
- Companies performing the Data Controller’s accounting and auditing,
- Employees of the Data Controller,
- Companies providing system administration, server services, system operation, development, document archiving, and possibly invoicing services as data processors, only to the extent necessary and in accordance with data processing principles (especially purpose limitation and data minimization).
- If the Data Subject holds a SuperShop card, personal data related to that card will be transferred to SuperShop Kft. (registered office: 1095 Budapest, Mester utca 30-32. 4th and 5th floor, company registration number: 01-09-674945) as a data controller.
- The Data Subject acknowledges that in case of payment by bank card, the following personal data stored by the Data Controller in the user database of www.doktor24.hu will be transferred to OTP Mobil Kft. (1093 Budapest, Közraktár u. 30-32.) as data processor: email address, billing address, and phone number. The nature and purpose of this data processing is detailed in the SimplePay Privacy Policy available at http://simplepay.hu/vasarlo-aff.
- If the healthcare service used by the Data Subject is financed by another party (e.g., employer, National Health Insurance Fund), the Data Controller will share necessary identification data of the Data Subject, the type and date of the healthcare service provided, and the amount with the financer as part of the settlement process.
- If the Data Subject has consented to disclose their health data to a third party (e.g., insurer, care organizer), the Data Controller forwards the requested health data and documentation to that third party.
The Data Controller does not transfer the Data Subject’s personal data to third countries or international organizations.
Retention period of personal data:
The Data Controller must retain data contained in its reports, business statements, supporting inventories, evaluations, general ledgers, journal ledgers, or other legally required records for eight (8) years (Act C of 2000 on Accounting, Section 169).
The Data Controller must keep personal data contained in invoices, accounting vouchers, and supporting documents for the duration of the tax liability statute of limitations (five (5) years from the last day of the calendar year in which the tax obligation arose), except if an official audit or authority/court proceeding is ongoing, in which case data must be kept until the procedure is definitively closed (Act XCII of 2003 on Tax Administration, Section 78; Act CXXVII of 2007 on VAT, Section 179).
The Data Controller records health data in medical documentation, whose mandatory retention period is defined by relevant laws. Based on this, the Data Controller must keep the medical documentation concerning the Data Subject for 30 years from data collection (except imaging diagnostics), and the discharge summary for 50 years. Imaging diagnostics must be kept for 10 years, and reports based on these images for 30 years (Eüak. Section 30).
Legal basis for data provision:
The provision of personal data is based on legal obligations and is a prerequisite for contract conclusion.
Consequence of failure to provide data:
If the Data Subject does not provide data, the Data Controller cannot provide healthcare services to the Data Subject or provide services financed by contracts with insurers, care organizers, or health funds at booked times.
The Data Controller does not apply automated decision-making based on the Data Subject’s personal data.
Source of personal data:
- The Data Subject, or
- Another person acting on behalf of the Data Subject (e.g., authorized declarant), or
- Business partners of the Data Controller (e.g., care organizers, insurers, appointment service providers), or
- Other healthcare providers involved in the Data Subject’s treatment (e.g., referring doctors, GPs, laboratories, imaging service providers), or
- The Electronic Health Service Space (EESZT), since the Data Subject is not required to present documentation available in EESZT during treatment.
The data do not originate from public sources.
Scope of processed data:
- Identification data (e.g., name, address (residence, temporary address), place and date of birth, mother’s name),
- Tax identification number,
- Client identifiers used by the Data Subject and other businesses (e.g., insurance companies, care organizers, health funds),
- Health data (e.g., medical history, diagnosis, disease name, interventions, medications, Social Security Number, European Health Insurance Card number, name of health professional recording data, medical reports, imaging, nursing documentation),
- Healthcare data (e.g., type and date of services used),
- Other invoicing data (e.g., amount payable, payment method, performance date, payment deadline, any discounts) and accounting vouchers.
Categories of Data Subjects:
- Private individuals to whom the Data Controller issues invoices,
- Private individuals to whom the Data Controller provides healthcare services.
3.6 Data Processing Related to Newsletters
Purpose of data processing:
Sending newsletters, including those containing economic advertisements of the Data Controller or third parties, to interested persons; providing information about current news, events, and promotions.
Legal basis of data processing:
Voluntary consent of the Data Subject. The Data Subject may withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
Recipients who may receive or access the Data Subject’s personal data:
Employees of the Data Controller, Data Controller’s collaborators, companies providing system administration, server services, system operation and development services as data processors, only to the extent necessary and in accordance with data processing principles (especially purpose limitation and data minimization).
The Data Controller does not transfer the Data Subject’s personal data to third countries or international organizations.
Retention period of personal data:
Until the Data Subject withdraws consent (e.g., unsubscribes from the newsletter).
Provision of personal data is not based on a legal or contractual obligation and is not a prerequisite for contract conclusion.
Consequence of failure to provide data:
The Data Subject will not receive current news, offers, or event information.
The Data Controller does not apply automated decision-making based on the Data Subject’s personal data.
Source of personal data:
The Data Subject.
Scope of processed data:
Name, email address.
Categories of Data Subjects:
Private individuals subscribed to newsletters.
3.7. Data Processing Related to Quality Assurance and Customer Satisfaction Management
Purpose of Data Processing:
- Maintaining the quality of the Data Controller’s services, monitoring and ensuring quality,
- Collecting opinions and feedback related to the Data Controller’s services, personnel, and material conditions, and measuring satisfaction related to these.
Legal basis for data processing:
The legitimate interest of the Data Controller (GDPR Article 6(1)(f)). This legitimate interest is the Data Controller’s interest in maintaining, improving, and developing the quality of its services.
NOTE! The Data Subject may object to data processing based on legitimate interest. In case of objection, the Data Controller will assess whether there are compelling legitimate grounds that override the interests, rights, and freedoms of the Data Subject or relate to the establishment, exercise, or defense of legal claims.
Recipients with whom the Data Subject’s personal data may be shared or who may have access:
Employees of the Data Controller, collaborators of the Data Controller, companies providing system administration, server services, system operation and development services to the Data Controller as data processors, but only to the extent necessary for performing their tasks and in accordance with data processing principles (mainly purpose limitation and data minimization).
The Data Controller does not transfer personal data of the Data Subject to third countries or international organizations.
Storage period of personal data:
The Data Controller retains individual feedback for six (6) months from the submission date. Anonymous aggregates derived from individual feedback, which are no longer personal data, may be created.
Consequences of failure to provide data:
No adverse consequences for the Data Subject in case of non-submission of customer satisfaction feedback.
Regarding quality assurance:
If the Data Subject does not wish to have their phone call recorded (e.g., when booking an appointment), they may interrupt the call and contact the Data Controller through other communication channels (e.g., email, postal mail).
Automated decision-making:
The Data Controller does not use automated decision-making in processing the Data Subject’s personal data.
Source of personal data:
- The Data Subject, or
- Another person acting on behalf of the Data Subject (e.g., authorized representative), or
- An entity in a legal relationship with the Data Controller (e.g., employer).
The data do not originate from public sources.
Categories of processed data:
- Identification data necessary to identify the Data Subject,
- Evaluations provided by the Data Subject measuring the quality of the Data Controller’s services,
- Other feedback and opinions of the Data Subject,
- Recorded telephone calls and their identifiers.
Categories of Data Subjects:
- Private individuals involved in healthcare services,
- Persons authorized to access healthcare data (Healthcare Act, Section 7(4)),
- Persons authorized to make declarations on behalf of the patient (Healthcare Act, Section 16).
3.8. Data Processing Related to Complaint Handling and Non-Performance of Contracts
Purpose of Data Processing:
- Handling and responding to complaints related to the Data Controller’s activities and services, collecting necessary information,
- Handling matters and procedures related to non-performance of contracts concluded with the Data Subject or partners connected to the Data Subject,
- Enabling the application of legal consequences related to non-performance,
- Filing, enforcing, and defending legal and other claims,
- Responding to authorities’ and other bodies’ inquiries in legal and other procedures.
Legal basis for data processing:
The legitimate interest of the Data Controller (GDPR Article 6(1)(f)). This legitimate interest is the Data Controller’s interest in filing, enforcing, and defending legal claims.
NOTE! The Data Subject may object to this data processing. In case of objection, the Data Controller will assess whether there are overriding legitimate grounds or legal claims justifying data processing.
In complaint handling, the Data Controller processes data also to fulfill legal obligations (in particular Act CLV of 1997 on Consumer Protection, Section 17/A, and Healthcare Act, Section 29).
Processing of special categories of personal data:
Under GDPR Article 9(2)(f), data processing is necessary for the establishment, exercise, or defense of legal claims or when courts act in their judicial capacity.
Recipients:
- Companies performing accounting and auditing for the Data Controller,
- Lawyers or law firms commissioned by the Data Controller,
- Employees of the Data Controller and companies providing IT and server services as data processors under strict limitations,
- Insurance companies or service organizers related to the Data Subject upon consent,
- Authorities outside the healthcare network (e.g., courts, prosecutors, investigative authorities) upon request.
The Data Controller does not transfer personal data to third countries or international organizations.
Storage period:
The Data Controller retains any complaint records and response copies for three (3) years (Act CLV of 1997 on Consumer Protection, Section 17/A(7)). If data processing continues beyond this, data are retained for eight (8) years after all legal obligations between the Data Subject (or partner) and the Data Controller have ceased.
Consequences of failure to provide data:
In case of complaints, failure to provide data may result in complaints not being answered or inadequately answered. In other cases, failure may cause delays or difficulties in negotiations and procedures related to contract non-performance.
Automated decision-making:
The Data Controller does not use automated decision-making in processing personal data.
Source of data:
- The Data Subject,
- Authorized representatives of the Data Subject,
- Entities in legal relationship with the Data Controller (e.g., service organizers, insurers, appointment service providers, employers).
Data do not come from public sources.
Processed data categories:
- Personal identification data (e.g., name, address),
- Tax identification number,
- Customer identifiers used by other companies (e.g., insurers, organizers, health funds),
- Healthcare data (e.g., type and date of service used),
- Billing data (e.g., amount, payment method, deadline, discounts),
- Facts and other data related to contract fulfillment,
- Data related to initiated legal proceedings (e.g., type, case number, status, statements),
- Recorded phone calls containing relevant data,
- Data required by Act CLV of 1997 on Consumer Protection, Section 17/A(7) in case of complaints (e.g., complainant’s name and address, complaint details, evidence, company response, signatures, complaint record details).
Categories of Data Subjects:
- Private individuals who breached obligations under contracts with the Data Controller (e.g., payment delays),
- Private individuals asserting claims or initiating legal proceedings against the Data Controller,
- Private individuals with direct knowledge of legal disputes involving the Data Controller.
3.9. Data Processing Related to Contact Information Management
Purpose of Data Processing:
Effective communication related to the Data Controller and/or the efficient administration of contracts related to the Data Controller.
Legal basis:
Legitimate interest of the Data Controller (GDPR Article 6(1)(f)). This legitimate interest relates to the efficient administration of healthcare services and maintaining customer relations.
NOTE! The Data Subject may object to data processing based on legitimate interest. In case of objection, the Data Controller will assess whether overriding legitimate grounds or legal claims exist.
Recipients:
- Companies performing accounting for the Data Controller,
- Lawyers or law firms commissioned by the Data Controller,
- Employees of the Data Controller and companies providing IT and server services as data processors under strict limitations,
- Tax authorities, other authorities, or courts (e.g., mandatory or request-based data provision).
The Data Controller does not transfer personal data to third countries or international organizations.
Storage period:
(1) Five (5) years after the termination of all obligations in contracts with the Data Subject or related person, or
(2) in the absence of a contract, until the end of business negotiations, or
(3) if the relationship with the Data Subject ends earlier, until notification of such termination.
Consequences of failure to provide data:
Communication or contracts may be partially or fully delayed, faulty, or impossible to carry out.
Automated decision-making:
The Data Controller does not use automated decision-making.
Source of data:
- The Data Subject,
- Authorized representatives,
- Entities in legal relationship with the Data Controller (e.g., service organizers, insurers, appointment providers, employers).
Data do not come from public sources.
Processed data categories:
- Name, position, and contact details (phone, email, postal address, other electronic contact),
- Authorization to make declarations (e.g., power of attorney),
- Authorization to access healthcare data.
Categories of Data Subjects:
- Private individuals involved in healthcare services,
- Persons authorized to access healthcare data,
- Persons authorized to make declarations on behalf of the patient,
- Persons designated for contact on behalf of companies.
3.10. Data Processing Related to Reminders
Purpose of Data Processing: Sending reminders aimed at regular health examinations (including screening and fitness examinations), sending personalized offers.
Legal Basis for Data Processing: Legitimate interest of the Data Controller (GDPR Article 6(1)(f)). This legitimate interest: the Data Controller’s interest in retaining clients and increasing the regularity of service use. WARNING! The Data Subject may object to this data processing. In case of objection, the Data Controller will assess whether there are overriding legitimate grounds that prevail over the interests, rights, and freedoms of the Data Subject, or which relate to the establishment, exercise, or defense of legal claims.
The processing of special categories of personal data is based on GDPR Article 9(2)(h), as the processing is necessary for preventive or occupational medicine purposes, to assess the working capacity of the employee, for medical diagnosis, provision of health or social care or treatment, or management of health or social care systems and services, in accordance with EU or Member State law or a contract with a healthcare professional.
Recipients who may receive or have access to the Data Subject’s personal data: Employees of the Data Controller, subcontractors of the Data Controller, companies providing system administration, server services, system operation, and development services as data processors, but only to the extent necessary for their tasks and only in accordance with data processing principles (especially purpose limitation and data minimization).
The Data Controller does not transfer the Data Subject’s personal data to third countries or international organizations.
Duration of Personal Data Storage: Two (2) years from the date of the last service provided to the Data Subject.
Provision of personal data is not based on legal or contractual obligation, and data provision is not a precondition for contract conclusion. Consequence of non-provision: the Data Subject will not receive reminders about the need to repeat health or fitness examinations to maintain health or fitness status.
The Data Controller does not apply automated decision-making during the processing of the Data Subject’s personal data.
Source of Personal Data: The Data Subject.
Categories of Data Processed:
- Name, email address,
- Type and date of healthcare service used.
Categories of Data Subjects: Private individuals using the Data Controller’s healthcare services.
3.11. Data Processing Related to Electronic Surveillance Systems
Purpose of Data Processing:
- Ensuring protection of life, physical integrity, and personal freedom,
- Protection of the Data Controller’s property, data, and business secrets,
- Detection of violations related to the above and catching perpetrators,
- Prevention or proof of crimes and unlawful acts.
Legal Basis for Data Processing: Legitimate interest of the Data Controller (GDPR Article 6(1)(f)). This legitimate interest includes protection of life, physical integrity, personal freedom, property, data, business secrets, and interests related to prevention and detection of crimes and other unlawful acts. The Data Controller has conducted a balancing test, concluding that these interests outweigh the Data Subject’s interests, fundamental rights, and freedoms. WARNING! The Data Subject may object to this data processing, in which case the Data Controller will continue data processing only if there are overriding legitimate grounds that prevail over the Data Subject’s interests or rights.
Recipients who may receive or have access to the Data Subject’s personal data: Courts, prosecutors, investigative authorities, and other authorities upon request; employees designated by the Data Controller as necessary for their tasks.
The Data Controller does not transfer the Data Subject’s personal data to third countries or international organizations.
Duration of Personal Data Storage: In the absence of use, image and sound recordings must be destroyed or deleted no later than fifteen (15) days from recording. This duration is justified by the fact that special categories of personal data (e.g., health data) and assets requiring special security (e.g., medicines, vaccines) are among the protected data.
Possible consequences of non-provision of data: The Data Subject may be denied entry to the monitored area and may not establish personal contact with the Data Controller.
The Data Controller does not apply automated decision-making during the processing of the Data Subject’s personal data.
Source of Personal Data: The Data Subject.
Categories of Data Processed: Image captured by video recording and other personal data recorded by the surveillance system, time and place of recording. The electronic surveillance system does not record sound or perform facial recognition.
Categories of Data Subjects: Private individuals entering the Data Controller’s premises monitored by cameras.
Additional Information According to the Practice of the National Authority for Data Protection and Freedom of Information:
- Operator of the electronic surveillance system: the Data Controller.
- Exact location of recordings storage: Data Controller’s headquarters.
- Data security measures related to storage: The Data Controller stores recordings in a securely locked, dry room equipped with fire and property protection, or in locked cabinets accessible only to authorized personnel (physical protection).
- Security of computer and network-stored recordings:
  - Computers used are owned by the Data Controller or the Data Controller has equivalent ownership rights,
  - Access to data on computers is granted only with valid, personal, identifiable authorization—at least username and password—with regular and justified password changes,
  - All computer records involving data are traceably logged,
  - Access to data on network servers is restricted to authorized designated personnel,
  - Data files are irreversibly deleted after the data retention period expires,
  - Continuous mirroring on servers prevents data loss,
  - Continuous virus protection is ensured on the network handling personal data,
  - Measures are in place to prevent unauthorized network access.
- Persons Authorized to Access Data: Data Controller’s system administrator, executive officers, data protection officer.
Transfer of Recordings: The Data Controller only transfers recordings to third parties in cases defined by law (e.g., police, labor inspection). Recordings may be reviewed only in cases of suspected misdemeanors or crimes.
Rules for Reviewing Recordings: Only authorized persons may review recordings in cases of suspected violations, misdemeanors, or crimes.
Purposes for Using Recordings: Protection of property, data, business secrets; protection of human life, physical integrity, personal freedom; detection of related violations; catching perpetrators; prevention or proof of unlawful acts.
Data Regarding Individual Cameras: The Data Controller provides information about camera locations, monitoring objectives, monitored areas or objects, and the type of monitoring (live or recorded) via notices at entrances to monitored areas or at the reception.
Right to Access Recordings: If a Data Subject’s rights or legitimate interests are affected by recording, they may request within fifteen (15) days from recording, with justification, that data not be destroyed or deleted.
Requests from Courts or Authorities: Recorded footage and other personal data must be promptly sent to courts or authorities upon request. If the recording is not requested by a court or authority within thirty (30) days of the preservation request, it must be destroyed or deleted, unless the legal retention period has not yet expired.
3.12. Data Processing Related to Business Development
Purpose of Data Processing: Tracking key performance indicators related to the Data Controller’s operation, improving internal processes.
Legal Basis for Data Processing: Legitimate interest of the Data Controller, namely ensuring effectiveness and improving internal processes. WARNING! The Data Subject may object, in which case the Data Controller will continue processing only if there are overriding legitimate grounds favoring the Data Controller after balancing interests.
Recipients who may receive or have access to the Data Subject’s personal data: Employees and subcontractors of the Data Controller, companies providing system administration, server, operation, and development services as data processors, but only within necessary scope and in accordance with data processing principles (especially purpose limitation and data minimization).
The Data Controller may also transfer personal data to affiliated companies.
The Data Controller does not transfer the Data Subject’s personal data to third countries or international organizations.
Duration of Personal Data Storage: Personal data are stored for five (5) years after the termination of the contract with the Data Subject.
Provision of data is not based on legal or contractual obligation and is not a precondition for contract conclusion.
The Data Controller may anonymize personal data, whereby the data lose their personal data nature. The Data Controller does not apply automated decision-making.
Source of Personal Data: The Data Subject.
Categories of Data Processed:
- Name, other identifiers,
- Type, date, and amount of healthcare service used, payment data,
- Name of attending physician,
- Source of information about the Data Controller.
Categories of Data Subjects: Private individuals using the Data Controller’s healthcare services.
3.13. Data Processing Related to Medical Research
If the Data Subject participates in medical research with the Data Controller’s cooperation, the data for research purposes are usually managed by the research sponsor—the person, company, or organization initiating, directing, and financing the research. The Data Subject’s consent form, provided before research participation, contains detailed provisions on the processing of personal data for research purposes.
The Data Subject is entitled to the following rights concerning the processing of their personal data:
ATTENTION! The GDPR contains numerous detailed provisions regarding the rights of data subjects which the Data Controller must comply with. However, for the sake of clarity and transparency in this Privacy Policy, the essence of these rules has been summarized. If you have any questions, please contact the Data Controller using the contact details provided in Section I, who will gladly provide you with more detailed information about your rights.
4.1. Right of Access
The Data Subject has the right to request information from the Data Controller via the contact details provided, on whether their personal data is being processed. If such processing is ongoing, the Data Subject is entitled to know:
- What personal data of theirs is processed;
- On what legal basis;
- For what purpose;
- For how long;
and also:
- To whom, when, and based on which legal regulation the Data Controller has granted access to or transferred their personal data;
- The source from which the personal data originates;
- Whether the Data Controller uses automated decision-making, including profiling, and the logic involved.
Upon the Data Subject’s first request, the Data Controller shall provide a copy of the personal data processed free of charge; any subsequent copies may be subject to a reasonable fee based on administrative costs.
To ensure data security and protect the rights of the Data Subject, the Data Controller is obliged to verify the identity of the Data Subject or the person exercising the access right on their behalf. Therefore, information provision, data access, and issuance of copies are conditional on identifying the Data Subject.
4.2. Right to Rectification
The Data Subject may request the Data Controller via the provided contact details to rectify any personal data. If the Data Subject credibly proves the accuracy of the corrected data, the Data Controller shall fulfill the request within one month and inform the Data Subject accordingly.
4.3. Right to Erasure
The Data Subject is entitled to request the deletion of their data, in which case the Data Controller shall consider whether the conditions for deletion are met. If they are, the Data Controller shall delete the personal data without undue delay upon the Data Subject’s request. Please note that in the case of data processing described in Sections 3.2 to 3.5, data retention is prescribed by law, and deletion is only possible after the legally prescribed retention period has expired.
4.4. Right to Restrict Processing
The Data Subject may request that the Data Controller restrict the processing of their personal data (by clearly marking the restricted nature of the processing and ensuring separate processing from other data) if:
- They dispute the accuracy of the personal data (in which case the restriction lasts until the accuracy is verified);
- The processing is unlawful, and the Data Subject opposes deletion and instead requests restriction of use;
- The Data Controller no longer needs the personal data for processing purposes, but the Data Subject requires them for the establishment, exercise, or defense of legal claims; or
- The Data Subject has objected to processing (in which case the restriction applies until it is determined whether the Data Controller’s legitimate grounds override those of the Data Subject).
4.5. Right to Object
Regarding data processing for purposes set out in Sections 3.7 to 3.12, the Data Subject has the right to object. Upon objection, the Data Controller shall weigh whether there are compelling legitimate grounds which override the interests, rights, and freedoms of the Data Subject or relate to the establishment, exercise, or defense of legal claims.
4.6. Right to Data Portability
Regarding data processing for the purposes described in Sections 3.1 and 3.6 — taking into account the legal basis — the Data Subject has the right to receive the personal data they have provided to the Data Controller in a structured, commonly used, and machine-readable format, if the Data Controller processes the data in an automated manner.
4.7. Procedural Rules Applicable to the Data Controller Regarding the Exercise of Data Subject Rights
Please submit requests to exercise your rights via the contact details specified in Section I.
The Data Controller shall inform the Data Subject without undue delay, but at the latest within one month of receipt of the request, of the measures taken in response. This period may be extended by two months considering the complexity of the request and the number of requests, with notification to the Data Subject about the extension and reasons within one month of receipt. If the request was submitted electronically, the information shall be provided electronically, unless otherwise requested.
If the Data Controller does not take action in response to the Data Subject’s request, the Data Subject will be informed without delay, but at the latest within one month of receipt of the request, about the reasons for inaction and their right to lodge a complaint with a supervisory authority and to seek judicial remedy.
The Data Controller provides information and measures free of charge. However, if the request is clearly unfounded or excessive — particularly due to its repetitive nature — the Data Controller may charge a reasonable fee based on administrative costs or refuse to act on the request. The burden of proving the request’s unfounded or excessive nature lies with the Data Controller.
The Data Controller shall inform all recipients to whom the personal data has been disclosed of any rectification, erasure, or restriction of processing, unless this proves impossible or involves disproportionate effort. Upon request, the Data Controller shall inform the Data Subject of these recipients.
5.1. Complaint to the Data Controller:
If you have a complaint regarding the processing of your personal data, please contact us using one of the contact details provided in Section I.
5.2. Right to Judicial Remedy:
The Data Subject is entitled to bring a case before a court and seek an effective judicial remedy if they believe that their rights under the GDPR have been violated due to unlawful processing of their personal data.
Proceedings against the Data Controller or the Data Processor must be initiated before the court of the Member State where the Data Controller or Data Processor has its place of business. Such proceedings may also be initiated before the court of the Member State of the Data Subject’s habitual residence, except where the Data Controller or Data Processor is a public authority acting in the exercise of public powers of a Member State.
5.3. Complaint to the Data Protection Authority:
The Data Subject has the right to file a complaint with a supervisory authority — especially in the Member State of their habitual residence, place of work, or the place where the alleged infringement occurred — if they consider that the processing of their personal data violates the GDPR or other legislation. The supervisory authority where the complaint is filed must inform the Data Subject about the progress and outcome of the complaint procedure, including the right to judicial remedy.
In Hungary, complaints can be filed with the National Authority for Data Protection and Freedom of Information, as the supervisory authority:
Name: National Authority for Data Protection and Freedom of Information
Address: 1055 Budapest, Falk Miksa Street 9-11.
Mailing address: 1363 Budapest, P.O. Box 9
Phone: +36 1 391 1400
Fax: +36 1 391 1410
Email: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu
The Data Controller commits to applying appropriate and effective physical, IT, organizational, and administrative measures to preserve the confidentiality, integrity, and availability of the Data Subject’s personal data.
Doktor24 Medicina Zrt.
Data Controller