Dr. Tolvay Katalin - Data Protection Policy

DATA PROTECTION POLICY

Dr. Katalin Tolvay, sole proprietor – 2025

Data Controller: Dr. Katalin Tolvay, sole proprietor, providing healthcare services and coaching

4026 Debrecen, Honvéd utca 72.

Tax number: 63742662-1-29

Registration number: 7325948

Email address: info@drtolvaykatalin.com

Phone number: +36 70 522 5567

Website: drtolvaykatalin.com

(hereinafter: the “Practice”) adopts this Data Protection Policy on the basis of the Fundamental Law of Hungary, Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, GDPR), Act V of 2013 on the Civil Code, Act CLIV of 1997 on Health (hereinafter: Eütv.), Act XLVII of 1997 on the Processing and Protection of Health and Related Personal Data (hereinafter: Eüak.) and Decree 62/1997 (XII. 21.) NM on certain issues of the processing of health and related personal data (hereinafter: Eünr.), taking into account the professional standards for the protection of data processed at the Practice.

  1. Definitions

  • personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
  • processing: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
  • processor: a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller;
  • personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
  • patient: a person who uses or receives healthcare services;
  • health data: personal data related to the physical or mental health of a natural person, including data related to the provision of healthcare services to that natural person, which reveal information about his or her health status;
  • genetic data: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
  • data protection impact assessment: where a type of processing, in particular using new technologies, taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. Similar processing operations presenting similar high risks may be assessed in a single assessment;
  • medical confidentiality: health and identification data, as well as data concerning necessary, ongoing, or completed treatment and other information learned in connection with treatment, which become known to the controller during medical care;
  • health documentation: any record, register, or any other form of recorded data containing the health and identification data of the patient learned by the healthcare provider (the Service Provider) during treatment, regardless of the medium or format;
  • client (coachee): a person participating in a coaching process;
  • coaching service: a non-healthcare service in which, through a structured, solution-oriented and outcome-focused process, the coach supports the client (coachee) in finding the most suitable solutions for themselves, developing skills, and achieving goals in various areas of life.

  2. Personal scope of this data protection policy

- Patients using the Practice’s services

- Persons providing healthcare services and performing work at the Practice

- Persons participating in the coaching process (clients)

- Processors in a contractual relationship with the Practice

  3. Material scope of this data protection policy

- Data processed at the Practice; or

- Data of parties in a contractual relationship with the Practice arising in connection with activities carried out at the Practice, irrespective of the form of the data (automated or non-automated records)

  4. Principles of processing

  1. Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject (“lawfulness, fairness, and transparency”);
  2. Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“purpose limitation”);
  3. Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
  4. Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
  5. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”);
  6. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
  7. All persons working for the Practice are required to keep confidential all data created or obtained at the Practice (including personal data and health or genetic data) and may not disclose such data to any third party, unless required to do so by law or by European Union legislation.

  5. Workflow of data processing

  1. During appointment booking, the patient or client voluntarily provides their name and contact details, which the Practice records in its own system against the relevant appointment slot (pre-booking).
  2. Appointments can be requested by telephone, by e-mail or through the website. The Practice is the sole controller of the data arising from telephone and e-mail communication and from the website.
  3. Upon the patient’s personal appearance, or prior to the first online session, the patient receives written information on data processing before the general patient information and the consent to healthcare services; in the case of a client, this takes place before the start of the coaching process.
  4. In the case of online communication, the patient or client returns the signed data processing consent documentation electronically before the first medical examination or the first coaching session.
  5. The Practice issues an invoice or receipt for the service provided.
  6. The patient’s health data are recorded in the Practice’s IT system and stored for the period prescribed by law (archiving). They are kept linked to the patient’s identification data in pseudonymised form; because the link to the patient is retained, these records are not anonymous in the GDPR sense. In the case of clients, no health data are recorded.
  7. With the written consent of the patient or client, the Practice stores their contact details (e-mail address and/or telephone number) for the purpose of subsequent contact.

  6. Rights related to processing

  1. Right to information

Data subjects have the right to receive detailed information on the processing concerning them and may request the rectification, erasure, or restriction of their data, provided that this does not infringe the rights of others or conflict with applicable law.

  2. Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and to the information listed in the GDPR.

  3. Information on personal data breaches

The data subject shall be informed without undue delay where a personal data breach is likely to result in a high risk to their rights and freedoms.

  4. Right to rectification

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

  5. Right to erasure

The data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay, and the controller has the obligation to erase personal data without undue delay where the conditions set out in the GDPR are met.

  6. Right to restriction of processing

The data subject has the right to obtain from the controller restriction of processing where one of the following applies:

- the data subject contests the accuracy of the personal data, in which case the restriction applies for a period enabling the controller to verify the accuracy of the personal data;

- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defence of legal claims;

- the data subject has objected to processing, in which case the restriction applies pending the verification whether the legitimate grounds of the controller override those of the data subject.

  7. Right to object

The data subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on the controller’s legitimate interest or on a task carried out in the public interest (GDPR Article 6(1)(e) or (f)). The controller shall then no longer process the data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is necessary for the establishment, exercise or defence of legal claims.

  8. Right to data portability

The data subject has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

  7. Personal data breaches

  1. The Practice keeps a register of all personal data breaches.
  2. The controller shall notify the supervisory authority (in Hungary, the Nemzeti Adatvédelmi és Információszabadság Hatóság, NAIH) of a personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it; where the notification is made later than 72 hours, it shall be accompanied by the reasons for the delay.
  3. A personal data breach need not be notified if it is unlikely to result in a risk to the rights and freedoms of natural persons.
  4. The data subject shall be informed if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
  5. The data subject need not be informed if:

i.  the controller has implemented appropriate technical and organisational protection measures and those measures were applied to the personal data affected by the breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

ii.  the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; or

iii.  it would involve disproportionate effort to provide such communication. In such cases, data subjects shall instead be informed by public communication or similar measures, whereby data subjects are informed in an equally effective manner.

  8. Data protection-related registers

a.  Register of processing activities (type of data, legal basis, categories of persons authorised to access the data, safeguards)

b.  Register of personal data breaches (serial number, time of the breach, name of the incident, categories of data subjects, affected personal data, impact, measures taken)

c. Register of data transfers (serial number, date, recipient, categories of personal data, other data required by law, notes)

d. Register of termination of processing (serial number, date of request, name of the data subject, identification data, content of the request, measures taken, other notes)

e.  Register of database reviews (serial number, database name, compliance with the GDPR, measures taken, notes)

f. Register of prior data protection impact assessments – in the event a new database is established (serial number, time of the assessment, description of operations, purpose, legitimate interest, assessment of necessity and proportionality, risk analysis and mitigation, opinion of the data protection officer where one has been designated)

g. Register of inquiries/requests (serial number, time of receipt, subject of the request, action taken, other notes)

  9. Security of processing

  1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risk to the rights and freedoms of natural persons, the controller and the processor implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate:

i.  the pseudonymisation and encryption of personal data;

ii. the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

iii.  the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

iv.  a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.

  1. The controller shall ensure that any natural person acting under the authority of the controller or of the processor who has access to personal data does not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
  2. During online psychiatric specialist examinations, pharmacotherapy consultations, psychotherapy sessions or coaching processes, the controller uses a video-call service that provides appropriate technical protection for the transmitted data.

  10. Categories of personal data processed, purposes and legal bases

  1. The categories of personal data processed by the Practice at the time of patient registration and prior to the commencement of healthcare services are: name, date of birth, mother’s maiden name, telephone contact details, e-mail address, and home address. In the case of foreign patients, the passport number is also processed in addition to the above. The purpose of processing is to record the patient’s application for a medical examination and to schedule an appointment. Legal basis: explicit consent (GDPR Article 6(1)(a) and GDPR Article 9(2)(a)).
  2. The special categories of personal data processed by the Practice (health data) include: TAJ number, diagnosis, health status-related data, and medical reports. The purpose of processing is to perform the examination of health status, determine the diagnosis, and issue medical reports. Legal basis: provision of healthcare services under GDPR Article 9(2)(h).
  3. The categories of data processed in relation to clients (coaching) are: name, contact details, and home address.

  11. Processors

Mucsi László, sole proprietor accountant

Registered office: 4026 Debrecen, Darabos utca 10., 1st floor, door 3

Tax number: 72573619-1-29

  12. Data reported to the Elektronikus Egészségügyi Szolgáltatási Tér (EESZT)

The Practice reports the healthcare data of patients, identified by their TAJ number (or, for foreign patients, their passport number), together with the related personal data, to the EESZT (the Hungarian national eHealth infrastructure) online and electronically, in accordance with applicable legislation. Digital self-determination enables patients to regulate access to their health data processed by the EESZT. The patient can continuously monitor who has requested access to their data and can set what type of EESZT event triggers a system notification. The data displayed to treating physicians depend on the permissions and restrictions set by the patient during digital self-determination. Patient data may only be viewed by the general practitioner and the treating physician; particularly sensitive data, such as data related to sexually transmitted diseases or to psychiatric or addiction treatment, may be viewed only by the treating physician working in the relevant specialty, except in cases of urgent need. Digital self-determination has been available since 15 February 2017. (Availability: eeszt.gov.hu.)

  13. Electronic monitoring system (CCTV)

  1. An electronic monitoring system may be operated on the basis of legislation, and the legal basis of its operation is established by demonstrating the controller’s legitimate interest.
  2. In the case of the Practice, the legal basis for monitoring is provided by Act CXXXIII of 2005 on the rules of personal and property protection and private investigation (the vagyonvédelmi törvény); in other cases, the provisions of legislation relating to work performance and personal data processing shall apply. The operation of recording systems as a form of processing must be reported in the data protection register.
  3. A recording-capable monitoring system may be applied in the following cases:

- protection of human life

- protection of bodily integrity and personal liberty

- protection of property

  4. The circumstances of camera use must make it likely that the detection of infringements, catching the perpetrator in the act, prevention of unlawful conduct, or proving such conduct cannot be achieved by other methods, and that the use of such technical devices is indispensable and proportionate and does not result in a disproportionate restriction of the right to informational self-determination.
  5. If not used, the recordings must be irreversibly destroyed no later than 10 days after recording.
  6. “Use” means that a recording or other personal data are used as evidence in court or other administrative proceedings.
  7. Any person whose right or legitimate interest is affected by the recording or the recording of their personal data may, within the period of processing and upon proving their right or legitimate interest, request that the controller not destroy or erase the data. Upon request by a court or other authority, the recording and any other personal data must be sent to the court or authority without delay. If no such request is received within 30 (thirty) days from the request to refrain from destruction, the recording and any other personal data must be destroyed or erased.
  8. Recordings and other personal data may only be accessed by authorised persons where this is necessary for the enforcement of obligations arising from the contract and is indispensable for the prevention or interruption of unlawful conduct. The name of the person performing security activities who processes or otherwise becomes authorised to access such data, as well as the reason and time of access, must be recorded in minutes.
  9. In areas open to visitors and other persons contacting the Practice, as well as in working areas, a warning sign and information notice must be placed in the monitored area in a clearly visible and legible manner, helping third parties intending to enter the area to orient themselves. Processing is based on a legal provision or on the Practice’s legitimate interest as controller, which is supported by appropriate information provided to data subjects.

  14. Data protection of the website of the Practice

  1. The website https://drtolvaykatalin.com complies with Hungarian and European Union regulations: Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Infotv.), Act CVIII of 2001 on certain issues of electronic commerce services and information society services, and Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”).

Legal basis of processing: the data subject’s consent (GDPR Article 6(1)(a); Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, Section 5(1)(a)).

Dr. Tolvay Katalin, sole proprietor (hereinafter: the “Controller”), processes users’ personal data in connection with its online activities exclusively for the purpose of handling the contact/quotation request form.

The Controller processes only such personal data that are indispensable for achieving the purpose of processing and suitable for achieving that purpose.

Personal data are processed only to the extent and for the time necessary to achieve the purpose.

The Controller does not disclose user data to third parties and does not use them for any other marketing purposes.

The Controller protects, by all means reasonably expected, the personal data of registered users processed on the website.

Controller’s address: 4026 Debrecen, Honvéd utca 72.
Controller’s contact details: +36 70 445 1155, info@drtolvaykatalin.com

Consent to data processing: Upon registration and when completing forms, the user expressly gives consent to the processing of the personal data voluntarily provided by them.

Categories of data subjects: registered users.

Categories of personal data processed: data provided by registered users during registration or via forms and necessary for handling the request/order: Name, Contact details (phone, email), Message, Date.

We do not collect children’s data and we do not collect sensitive data about users.

Purpose of data collection: responding to contact requests and quotation requests; servicing user needs.

Persons with access to the data / potential data processors:
Dr. Tolvay Katalin

The visitor is entitled to read the Controller’s website and to make a copy of it by printing or downloading it to a data carrier, but only for personal, private and non-commercial purposes.

It is prohibited to sell copies of any part of the website for financial gain. Any modification of, or incorporation of any part of the website into another work, publication or website—whether in electronic or printed form—is possible only with the owner’s consent.

Beyond what is described herein, the Controller does not grant any other authorisation or rights in relation to its website.

The website owner reserves the right to make any changes, corrections or modifications to the website at any time deemed necessary, without prior notice.

  15. Cookie management

a. General description of cookies
A cookie (also known as an HTTP cookie, web cookie or browser cookie) is a small piece of data that a website sends to the user’s browser; the browser stores it and sends it back with subsequent requests to the same website. The information may be used to authenticate the user, to identify the browsing session, to store user preferences or the contents of a shopping cart, or for anything else that can be done with textual data stored on the user’s computer.

b. The Controller does not use cookies to directly identify individuals. The collected information contains a cookie identifier (approximately a 20-character number) and a country identifier. This means that the Controller collects only statistical data relating to groups and is not able to identify individuals, information about individuals, or any website activity linked to any person in any way.

Personal data are collected exclusively via the forms on the website when the user actually provides the requested information and submits it to the Controller under separate policies. In such cases, the Controller always respects and follows the statutory provisions and regulations on the collection and storage of personal data.

You may also decide not to allow the use of cookies (for more information see the next section: “How can you block and avoid cookies?”). In that case no cookie-based identifier is assigned to your browser by the Controller or by the Google Analytics tool used on the site, so neither can recognise your browser across visits.

The information collected with the help of cookies is determined by the Google Analytics system, for example:
- The date and time of the current website visit.
- Whether the user has visited the website before, and if so, when.
- Which website the user arrived from (note: the primary website’s cookies do not share information between websites).
- IP address, which is used to identify information such as country, state and city (so-called IP geolocation). The cookie does not collect data such as name, email address, other address data or billing details.
- The Google Analytics Terms of Service explicitly prohibit any Analytics customer from collecting information that associates personal data with Google Analytics data.
- The information provided by users varies across all forms depending on the purpose. We declare that these forms have been prepared in compliance with global and local laws and regulations.

The information collected with the help of cookies is stored by Google. Further information is contained in Google’s privacy policies.

A registered user may request from the Controller:
- information about the processing of their personal data,
- rectification of their personal data,
- erasure or restriction (blocking) of their personal data.

The Controller shall provide the requested information in an intelligible form and in writing, upon the registered user’s request, as soon as possible and no later than within 10 days from the submission of the request. If the Controller finds the registered user’s request justified, it shall take immediate measures to rectify or erase the personal data.

If the registered user is not satisfied with the Controller’s response, they may enforce their right to the protection of their personal data before a civil court and may also turn to the National Authority for Data Protection and Freedom of Information (www.naih.hu/kapcsolat.html).

The 2011. évi CXII. törvény az információs önrendelkezési jogról és az információszabadságról is available here: Nemzeti Jogszabálytár (www.njt.hu).

Version effective from 30/11/2025.

Often, when you put a label on someone or something, you create a limit; the label becomes the limit. (Jim Kwik)