Privacy Notice of Global Perio Kft.

1. General Information

Global Perio Kft. (hereinafter: the “Controller”) provides the following detailed information on its processing of personal data in accordance with Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information and Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, GDPR).

The Controller processes personal data for the purposes and in the manner described in the sections below, in full compliance with applicable laws. The Controller affirms that it considers the right to informational self-determination and the protection of personal data a priority and takes all organisational, operational, regulatory, and technical measures within its competence to safeguard such rights.

2. Controller’s Details

Company name: Global Perio Kft.
Registered seat: 1016 Budapest, Mészáros utca 32. II. em. 8.
Company registration number: 01-09-196527
Tax number: 25044289-2-41
Representative: Dr. Péter Ernő Tóth
Data protection officer: Dr. Péter Ernő Tóth
Email: [email protected]

3. Definitions

Personal data: Any information relating to an identified or identifiable natural person (“Data Subject”). A person is identifiable, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or factors specific to the person’s physical, physiological, genetic, mental, economic, cultural, or social identity.

Processing: Any operation or set of operations performed on personal data, whether by automated or non-automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Controller: The natural or legal person, public authority, agency, or other body which determines the purposes and means of the processing of personal data, alone or jointly with others.

Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller.

Consent of the Data Subject: A freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which they, by a statement or clear affirmative action, signify agreement to the processing of personal data relating to them.

Data Subject: Any identified or identifiable natural person whose personal data is processed.

Third party: Any natural or legal person, public authority, agency, or body other than the Data Subject, the Controller, the Processor, or persons authorised to process personal data under the Controller’s or Processor’s direct supervision.

Recipient: Any natural or legal person, public authority, agency, or other body to whom personal data is disclosed, whether or not a third party. Public authorities that may receive personal data under Union or Member State law in connection with a particular inquiry shall not be regarded as recipients.

4. Purpose of Data Processing and Categories of Personal Data Processed

4.1. Personal data processed in connection with contact requests

Categories of data processed:
Personal data provided via the website www.periohome.hu, via any of the Controller’s contact details, or through the contact form, including in particular:
• Name
• Postal address
• Email address
• Telephone number
• Any additional personal data voluntarily provided by the Data Subject during the contact process.

Purpose of processing:
General communication, enabling the Data Subject to request specific information or actions from the Controller.

Legal basis:
Voluntary consent of the Data Subject provided through initiating contact (see Section 5(a)).

Retention period:
Until the withdrawal of consent by the Data Subject.

4.2. Processing of applications and CVs submitted to the Controller

Categories of data processed:
Personal data provided during contact via www.periohome.hu or any of the Controller’s contact channels, including in particular:
• Name
• Date and place of birth
• Address or place of residence
• Email address
• Telephone number
• Educational background
• Any additional personal data provided voluntarily by the Data Subject.

Purpose of processing:
Communication with the Data Subject and evaluation of applications.

Legal basis:
Voluntary consent of the Data Subject (see Section 5(a)).

Retention period:
• For applications submitted in response to an advertised job position: until the position is filled.
• For unsolicited applications: the Controller shall request explicit consent from the Data Subject to retain the documents. With consent, the Controller retains the documents for up to 1 year or until consent is withdrawn.

4.3 Processing Related to the Provision of Healthcare Services

Storage of Medical Documentation and Imaging Records

The Clinic stores medical documentation relating to patients – including, in particular, X-ray images, intraoral and extraoral photographs, treatment documentation, digital impressions and treatment plans – in electronic form.

The data are primarily stored within the Clinic’s IT system on a local network storage device (NAS – Network Attached Storage) and may also be stored in digital treatment planning systems used for planning and documenting treatments.

Purpose of Processing:

– provision of healthcare services
– establishing diagnosis and preparing treatment plans
– documentation of care
– digital treatment planning
– compliance with legal obligations
– enforcement of potential legal claims

Legal Basis of Processing:

– Article 6(1)(c) and (e) of GDPR
– Article 9(2)(h) GDPR (processing for the purposes of healthcare)
– Act XLVII of 1997 on the Processing and Protection of Health and Related Personal Data

The processing of health data is based on statutory obligations and does not depend on the patient’s consent.

Data Retention Period:

The Clinic retains medical documentation in accordance with applicable legislation, in particular:
– medical documentation: minimum 30 years
– discharge summaries: minimum 50 years
– diagnostic imaging records: minimum 10 years

After expiry of the statutory retention period, the data are deleted or anonymised.

Method of Data Storage

Healthcare Management System (FlexiDent)

The Clinic uses the cloud-based version of the FlexiDent dental management software for maintaining medical documentation and patient records.

The system records patients’ identification data, medical documentation, treatment data, appointment records and, where relevant, billing information.

The data are stored within the service provider’s cloud-based IT infrastructure.

The provider of the FlexiDent software acts as a data processor on behalf of the Controller and in accordance with the Controller’s instructions. A written data processing agreement compliant with Article 28 of the GDPR is in force between the Controller and the service provider.

Data storage takes place within the European Economic Area (EEA). Should any transfer of personal data to a third country occur, the Data Controller ensures appropriate safeguards (e.g. Standard Contractual Clauses adopted by the European Commission).

Local Data Storage (NAS)

Medical documentation is stored electronically within the Clinic’s IT system on a local network-attached storage device (NAS).

Use of External Digital Planning System (SmileCloud)

The Clinic uses the SmileCloud digital planning software for treatment planning and documentation.

The system records patients’ dental images, digital impressions and treatment plans.

The provider acts as a data processor on behalf of the Data Controller. A written data processing agreement pursuant to Article 28 GDPR has been concluded.

If the service involves transfers of data outside the EEA, the Data Controller applies appropriate safeguards (e.g. Standard Contractual Clauses adopted by the European Commission).

The SmileCloud privacy notice is available on the service provider’s official website.

Access to Data

Access to personal data is restricted to:
– healthcare professionals of the Clinic
– administrative staff to the extent necessary for their duties
– data processors acting under contract (e.g. IT service providers, digital planning software providers)

Access is granted through a role-based authorisation system.

The Clinic has concluded written data processing agreements with its data processors.

Data Security Measures

To ensure the protection of health data, the Clinic applies, in particular, the following technical and organisational measures:
– password-protected systems with role-based access levels
– encrypted data transmission
– regular backups
– firewall and antivirus protection
– logged access
– physical protection of NAS devices in secured premises
– regular IT maintenance

Processing generally takes place within the European Economic Area. Transfers outside the European Union are carried out only with appropriate safeguards.

4.4 Processing Related to Appointment Booking

Categories of Personal Data Processed:

– Name
– Telephone number
– E-mail address
– Type of requested treatment
– Appointment date

Data may be provided via telephone, e-mail ([email protected]), or through the online booking system available on the Clinic’s website.

Purpose of Processing:

– scheduling appointments
– organising treatment
– communication related to healthcare services

Legal Basis:

– Article 6(1)(b) GDPR (steps taken prior to entering into a contract)

Retention Period:

If an appointment results in healthcare treatment, the data become part of the medical documentation and are retained according to the applicable statutory retention periods.

If no treatment takes place, the data are deleted within a maximum of one year.

Access to Data:

– reception staff (telephone bookings)
– reception staff and management (e-mail enquiries)
– Clinic staff via the FlexiDent system (online bookings)

4.5 Processing Related to Invoicing

Categories of Personal Data Processed:

– Name
– Address / billing address
– E-mail address (in case of electronic invoice)
– Description of treatment
– Payment details
– Tax number (where applicable)

Purpose of Processing:

– issuance of invoices
– compliance with accounting obligations
– financial record-keeping

Legal Basis:

– Article 6(1)(c) GDPR (compliance with legal obligation)
– Act C of 2000 on Accounting

Retention Period:

Accounting documents are retained for 8 years pursuant to accounting legislation.

Access to Data:

– reception staff
– management

Invoicing is carried out through the FlexiDent system. The service provider acts as a data processor and a data processing agreement has been concluded.

Online appointment booking is integrated into the FlexiDent system, and the provider acts as a data processor pursuant to Article 28 GDPR.

4.6 Data Transfer for Accounting Purposes

For the fulfilment of its accounting obligations, the Clinic transfers invoicing data to its contracted accountant.

Categories of Data:

– Name
– Billing address
– Invoice details
– Payment details

Legal Basis:

– Article 6(1)(c) GDPR
– Act C of 2000 on Accounting

The accountant acts as a data processor on behalf of the Data Controller.

4.7 CCTV System

A CCTV system may operate in the building where the Clinic is located; however, it is not operated by Global Perio Kft.

The data controller of the CCTV system is the property operator / landlord.

Global Perio Kft. does not have access to, does not process, and does not store CCTV recordings.

Detailed information regarding CCTV processing is provided by the property operator.

5. Legal Basis for Processing

a. The Data Subject has given consent to the processing of their personal data for one or more specific purposes.
b. Processing is necessary for the performance of a contract to which the Data Subject is a party or for steps taken at the request of the Data Subject prior to entering into a contract.
c. Processing is necessary for compliance with a legal obligation to which the Controller is subject.
d. Processing is necessary to protect the vital interests of the Data Subject or another natural person.
e. Processing is necessary for the purposes of the legitimate interests pursued by the Controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject, particularly where the Data Subject is a child.

6. Rights of the Data Subject

The Data Subject has the following rights regarding the processing of their personal data:

a. Right to transparent information

The Controller shall provide concise, transparent, intelligible, and easily accessible information about its data processing activities upon the Data Subject’s request, within 30 days from receipt of the request.

b. Right of access

The Data Subject has the right to obtain confirmation as to whether personal data concerning them is being processed, and, where that is the case, access to the personal data and information on:
• the categories of personal data concerned,
• the legal basis,
• the purposes of processing,
• the retention period,
• the recipients to whom the personal data has been or will be disclosed.

c. Right to rectification

The Data Subject may request the correction of inaccurate personal data without undue delay, and may request the completion of incomplete data.

d. Right to erasure

The Data Subject may request the erasure of their personal data without undue delay where:
• the data is no longer necessary for the purposes for which it was collected,
• the Data Subject withdraws consent and no other legal basis exists,
• the Data Subject objects to processing and there are no overriding legitimate grounds,
• the data has been unlawfully processed,
• erasure is required to comply with a legal obligation.

e. Right to restriction of processing

Processing must be restricted upon request where:
• the accuracy of the personal data is contested, for the period enabling verification,
• the processing is unlawful but the Data Subject opposes erasure,
• the Controller no longer needs the data, but the Data Subject requires it for legal claims.

f. Right to data portability

The Data Subject may receive their personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

g. Right to object

The Data Subject may object at any time to the processing of personal data concerning them on grounds relating to their particular situation. The Controller shall no longer process the data unless it demonstrates compelling legitimate grounds which override the Data Subject’s interests or the data is needed for legal claims.

7. Data Security

The Controller takes all necessary precautions to protect the confidentiality of electronically stored personal data (password protection, backups, etc.) and to prevent unauthorised access, accidental destruction, damage, or alteration. Personal data is not disclosed to third parties except where required by law. Paper-based documents are stored securely to prevent unauthorised access and ensure preservation.

8. External Service Providers and Cookies

The Controller uses the services of Webflow, Inc. (398 11th Street, 2nd Floor, San Francisco, CA 94103) to operate www.periohome.hu. When the website loads, the service uses “persistent cookies.”
Details of Webflow’s processing practices are available in its privacy notice: https://webflow.com/legal/privacy.

What are cookies?

Cookies are small text files used to store small pieces of information. These files are stored on your device when the website loads in your browser. Cookies help the site function properly, enhance security, improve user experience, measure performance, and identify areas for improvement.

How we use cookies

Like most online services, our website uses first-party and third-party cookies.
• First-party cookies are essential for the website’s basic functionality and do not collect personally identifiable information.
• Third-party cookies help us understand website performance, user interactions, service security, and enable the display of relevant advertising, contributing to an overall improved user experience.