General Data Protection Regulation (GDPR) 

DATA PROCESSING POLICY

Made on 2 September 2024 in Nagyréde

Aurelios Private Ophthalmology, as the data controller of the health care institution, adopts the following policy in order to ensure the lawful and secure processing and adequate protection of the personal and health data of individuals:

General provisions

Data Controller:

OphtoMed Hungary Kft.
Privacy Policy of the Hungarian Health Insurance Fund (HHH).
Ágnes Scharioth, Managing Director

Purpose of data processing

OphtoMed Hungary Kft., as the Data Controller, aims to ensure that the rights of the data subjects are respected when processing the personal and health data of individuals, while at the same time ensuring full compliance with the legal requirements.

In order to ensure the lawfulness of the processing, the Controller shall take technical and organisational measures appropriate to all the circumstances of the processing, in particular its purposes and the risks to the fundamental rights of data subjects posed by the processing, including the use of pseudonymisation where justified. These measures shall be regularly reviewed and, where necessary, amended accordingly.

The processing of health and identity data is primarily for the following purposes:

- to promote the preservation, improvement and maintenance of health,
- to facilitate the effective treatment of patients by their health care providers,
- to monitor the health status of the patient,
- to take measures necessary in the interests of public health and epidemiology,
- to enforce patients' rights,
- to carry out statistical analysis,
- to facilitate the work of bodies carrying out official or lawful checks, or the professional or lawful supervision of bodies or persons handling health data, where the purpose of the checks cannot be achieved by other means,
- to ensure the continuous and safe supply of prescription drugs, medical devices and medical care to health care recipients,
- to enforce rights in relation to cross-border healthcare within the European Union.

For purposes other than those set out herein, health data may be processed, in full or for specific processing activities, with the consent of the data subject or his or her legal or authorised representative, given voluntarily, on the basis of adequate information, by a clear, informed and explicit indication of his or her wishes, and accompanied by a credible statement of valid grounds for believing that a lawful declaration has been made.

Scope of processing

This Policy applies to all employees, workers, contractors or other contractual partners in a civil law employment relationship or a civil law contracting relationship with the Data Controller who work at the Data Controller's premises, Aurelios Private Eye Clinic, 3214 Nagyréde, Gyöngyösi út 1.

Legal basis for processing

The main legislation that provides for and regulates data processing:

- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to by its common English abbreviation, GDPR,
- Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information,
- Act CLIV of 1997 on Health Care,
- Act XLVII of 1997 on the processing and protection of health and related personal data,
- Decree No 62/1997 (XII. 21.) NM on certain issues concerning the processing of health and related personal data,
- Act LXXXIII of 1997 on the provision of compulsory health insurance,
- Decree 217/1997 (XII. 1.) on the implementation of Act LXXXIII of 1997 on compulsory health insurance benefits,
- Government Decree No. 43/1999 (III. 3.) on the detailed rules for the financing of health services from the Health Insurance Fund.

Health data as special data

According to the provisions of the GDPR, health data are considered as special categories of data and therefore enjoy a higher level of protection than general personal data.

Special categories of data, such as health data, can only be processed if the processing is necessary for preventive health or occupational health purposes, to assess the ability of an employee to perform his or her work, to make a medical diagnosis, to provide health or social care or treatment, to manage health or social systems and services under EU or Member State law, or under a contract with a health professional.

Health data may be processed for the purposes referred to in the previous point if the processing is carried out by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules laid down by the competent authorities of the Member States or by another person who is also subject to the obligation of professional secrecy under Union or Member State law or rules laid down by the competent authorities of the Member States.


Legal basis for processing

The legal basis for the processing by the Data Controller is the fulfilment of the legal obligations imposed on the Data Controller by the legislation referred to in the previous points, for preventive health or occupational health purposes, for the purposes of medical diagnosis, health or social care or treatment.

Basic concepts

Personal data: any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal identification data means personal data which identifies the data subject of a health record and which is processed by the controller together with the health record as part of the health record for the same purpose as, or as an integral part of, the processing of the health record.

Health Data: personal data relating to the physical or mental health of a natural person, including data relating to health services provided to a natural person, which contain information about the health of the natural person.

Personal data concerning health include data relating to the health of a data subject which contain information about his or her past, present or future physical or mental health. This includes: personal data relating to a natural person collected in the course of registering an individual for health care services or the provision of such services; a number, mark or data assigned to an individual for the purpose of identifying the natural person for health care purposes; information obtained from the testing or examination of a body part or body constituent, including genetic data and biological samples; and any information relating to the subject's disease, disability, disease risk, medical history, clinical treatment, or physiological or biomedical condition, regardless of its source, which may include, for example, a physician or other health care professional, hospital, medical device, or in vitro diagnostic test.

The recording of health data is part of medical treatment. It is up to the treating physician to decide, in accordance with the rules of the profession, which health data, in addition to the mandatory data, should be recorded for the purposes of data management.

Data processing: any operation or set of operations which is performed upon the data, whatever the procedure used, in particular any collection, recording, organisation, storage, alteration, use, retrieval, disclosure, transmission, alignment or combination, blocking, erasure or destruction of data, prevention of their further use, taking of photographs, sound recordings or images, or any other physical means of identification of a person (e.g. fingerprints, palm prints, DNA samples, iris scans).

Data controller: the natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes for which the data are to be processed, takes and implements the decisions concerning the processing (including the means used) or implements them with the processor, within the limits set by law or by a legally binding act of the European Union.

Data processor: a natural or legal person or an unincorporated body which processes personal data on behalf of or under the authority of the controller, within the limits and under the conditions laid down by law or by a legally binding act of the European Union.

Only a person or entity that provides adequate guarantees as to the implementation of technical and organisational measures suitable to ensure the lawfulness of processing and the protection of the rights of data subjects may act as a processor. These guarantees shall be certified by the processor to the controller before the processing starts.

Data security incident: a breach of data security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or transmission of, or access to, personal data transmitted, stored or otherwise processed.

Principles

Principles of data management:
The principles of legality, fairness and transparency:
Personal data must be processed lawfully and fairly and in a transparent manner for the data subject.

The processing of personal data must be lawful and fair. It should be transparent to natural persons how personal data relating to them are collected, used, accessed or otherwise processed, and in what context the personal data are or will be processed.

The principle of transparency requires that information and communication relating to the processing of personal data should be easily accessible and comprehensible and should be drafted in clear and plain language. This principle applies in particular to the information provided to data subjects on the identity of the controller and the purposes of the processing, as well as to further information to ensure fair and transparent processing of their personal data, and to the information that data subjects have the right to obtain confirmation and information about the data processed concerning them. The natural person should be informed of the risks, rules, safeguards and rights associated with the processing of personal data and how to exercise his or her rights in relation to the processing.

In particular, the specific purposes for which personal data are processed must be clearly stated, lawful and determined at the time of the collection of the personal data. The personal data must be adequate and relevant for the purposes for which they are processed and the scope of the data must be limited to the minimum necessary for that purpose. In particular, this requires ensuring that the storage of personal data is limited to the shortest possible period of time. Personal data should be processed only if the purpose of the processing cannot be achieved by any other reasonable means. In order to ensure that the storage of personal data is limited to the period necessary, the controller shall set time limits for erasure or periodic review. All reasonable steps shall be taken to correct or delete inaccurate personal data. Personal data shall be processed in a manner that ensures an adequate level of security and confidentiality, inter alia, in order to prevent unauthorised access to or use of personal data and the means used to process personal data.

The principle of purpose limitation:
Personal data may only be processed for clearly specified, legitimate purposes, for the exercise of rights and the performance of obligations. The data must be collected and processed fairly and lawfully at all stages of processing for the purposes for which it is collected and processed.

Personal data must be collected only for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes shall not be considered incompatible with the original purpose.

For the purposes of scientific research, the data stored may be consulted with the permission of the Executive Director, but no health or personal data may be included in a scientific communication in such a way that the identity of the data subject can be established. In the course of scientific research, copies of the stored data including personal identification data shall not be made.

The health data of the data subject may be processed for statistical purposes in a way that is not personally identifiable, unless otherwise provided by law.

The principle of data economy:
Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed.

The processing of personal data must be relevant, appropriate and proportionate to the purposes for which the data are processed.

The principle of accuracy:
Personal data must be accurate and, where necessary, kept up to date.

The principle of limited storage:
Personal data must be stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods only if the personal data will be processed for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes, subject to the implementation of appropriate technical and organisational measures to protect the rights of data subjects as provided for in the GDPR.

The principles of integrity and confidentiality:
Personal data must be processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organisational measures.

The principle of accountability:
The controller is responsible for compliance with the stated principles and must be able to demonstrate such compliance.

Other basic principles:
The protection of natural persons with regard to the processing of their personal data is a fundamental right: everyone has the right to the protection of personal data concerning him or her.

The data subject has the right of access to the data collected concerning him or her and the right to exercise this right simply and at reasonable intervals in order to ascertain and verify the lawfulness of the processing. This includes the right of access to personal data concerning his or her health, such as diagnosis, examination findings, opinions of treating physicians and medical records of treatments and interventions. In particular, each data subject should have the right to be informed of the purposes for which personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic underlying any automated processing of personal data and, at least where the processing is based on profiling, its possible consequences.

The processing and handling of health and personal data must be secure against accidental or intentional destruction, loss, alteration, damage, disclosure or access by unauthorised persons.

The data subject shall have the following rights in respect of personal data processed by the controller and by a processor acting on the controller's behalf or under its instructions, in accordance with the conditions laid down by law:
- to be informed of the facts relating to the processing before the processing starts (right to prior information),

- to have access to his or her personal data and to information relating to the processing of those data at his or her request (right of access),

- to have his or her personal data rectified or completed by the controller at his or her request and in the further cases specified in this Chapter (right to rectification),

- at his or her request and in the further cases specified in this Chapter, to have the controller's processing of his or her personal data restricted (right to restriction of processing),

- at his or her request and in the further cases specified in this Chapter, to have his or her personal data erased (right to erasure).

Documentation requirements

Medical records: a set of data relating to the examination and treatment of a patient. Health record means a record, register or any other form of record of medical and personal data, whatever its medium or form, which comes to the attention of the health care provider in the course of treatment.

Health records shall be maintained in a manner that accurately reflects the process of care.

The following information shall be included in the medical records:

- the patient's personal identification data as defined in the Act on the processing and protection of health and related personal data,

- medical history,

- the results of the first examination,

- the results of the tests used as a basis for the diagnosis and treatment plan, the date of the tests,

- the name of the disease justifying the treatment, the underlying disease, concomitant diseases and complications,

- any other disease not directly justifying the treatment and the risk factors,

- the duration and outcome of the interventions carried out,

- any drug and other therapy and its results,

- data on the patient's hypersensitivity to medication,

- the name of the staff member making the entry and the date of entry,

- the recording of the content of the information provided to the patient or other persons entitled to receive the information,

- the fact and date of consent or refusal,

- any other data and facts which may influence the patient's recovery.

The following shall be kept as part of the medical record:

- the findings of each examination,

- documents generated during medical treatment,

- records of diagnostic imaging procedures.

The health service provider shall, at the end of an out-patient care activity, draw up an out-patient care record containing a summary of the patient's care and treatment and give it to the patient, unless the patient has waived the right to be informed under certain conditions.

Confidentiality

A health professional and any other person with an employment relationship with a health care provider shall be bound by a duty of confidentiality with regard to all data and other facts relating to the patient's state of health and which come to their knowledge in the course of providing health care, whether acquired directly from the patient, during the examination or treatment of the patient, or indirectly from medical records or by any other means, without time limitation.

Medical treatment means any activity aimed at preserving health and at the direct examination, treatment or processing of the examination records of a person concerned for the purpose of preventing, detecting, diagnosing, treating, maintaining or correcting a disease, including the provision of medicines, medical aids, medical care, rescue and patient transport.

Medical confidentiality includes health and personal identification data that come to the knowledge of the controller in the course of treatment and other data relating to necessary or ongoing or completed treatment that are learned in connection with treatment.

The patient shall have the right to have any information which comes to the knowledge of the persons involved in his or her healthcare in the course of that care, and in particular his or her medical and personal data, disclosed by those persons only to those entitled to receive it and processed in accordance with the applicable legislation.

The obligation of confidentiality does not apply where the patient has given a waiver or where the law imposes an obligation to provide the data.

Data transmission

Health and personal identification data may be transferred in accordance with mandatory legal requirements:
- to another health care body, or
- on specific request, to authorities authorised by law to do so.

In the context of the transmission of health data and medical records, health and personal data may be transmitted by the treating physician.

All health data relating to the illness of the data subject which are relevant for the purposes of the treatment may be transmitted, unless the data subject expressly forbids this in writing. The data subject must be informed of this possibility before the transfer. In the cases provided for by law or by this Policy, health and personal data shall be transmitted despite the data subject's objection.
Copyright © 2024 Aurelios.hu