Privacy Policy

1. Purpose of the General Privacy Policy

By publishing this Privacy Policy, OncoPet Kft, Oncotherm Kft, SCA Holding Kft, SCA Medical Trading Kft, SCA Pro Med Service Kft, SCA Oncology Kft, Oncotherm GmbH and XAX Kft (hereinafter collectively referred to as the Company or Data Controller) comply with the preliminary data processing requirements of Regulation (EU) 2016/679 of the European Parliament and Council (hereinafter: GDPR). This document sets out the scope of the data collected and the purposes for which it was collected, how the data is used and the possibilities of verifying the data.

2. Name of the Data Controller

The Company informs the data subject that in the processing of his personal data, OncoPet Kft., OncoTherm Kft., ÁCS Medical Holding Kft., SCA Holding Kft., SCA Medical Trading Kft., SCA Pro Med Service Kft., SCA Oncology Kft., Oncotherm GmbH and XAX Kft are considered joint data controllers.

Company name: OncoPet Kft.
Headquarters: 7396 Magyarszék, Kossuth Lajos u. 51.
Company registration number: 02-09-086230
Tax number: HU 27467514
Phone number: +3623555510
Name of representative: Balázs Ács, Managing Director
Email: info@oncopet.org
Website: www.oncopet.org

Company name: OncoTherm Innovation and Trade Ltd.
Headquarters: 2040 Budaörs, Gyár utca 2.
Company registration number: 13 09 125195
Tax number: HU10228018
Phone number: +36 (23) 555 515
Name of representative: Balázs Ács, Managing Director
Email: info@oncotherm.org
Website: www.oncotherm.com

Company name: Ács Medical Holding Kft.
Headquarters: 7396 Magyarszék, Kossuth Lajos u. 51.
Company registration number: 02 09 081321
Tax number: HU25112579
Phone number: +3623555510
Name of representative: Balázs Ács, Managing Director
Email: info@oncotherm.org
Website: -

Company name: SCA Holding Kft.
Headquarters: 7396 Magyarszék, Kossuth Lajos u. 51.
Company registration number: 01 09 737129
Tax number: HU13475219
Phone number: +3623555510
Name of representative: Balázs Ács, Managing Director
Email: info@oncotherm.org
Website: -

Company name: SCA Medical Trading Kft.
Headquarters: 7396 Magyarszék, Kossuth Lajos u. 51.
Company registration number: 02 09 085783
Tax number: HU29177525
Phone number: +3623555510
Name of representative: Balázs Ács, Managing Director
Email: info@oncotherm.org
Website: -

Company name: SCA Pro Med Service Kft.
Headquarters: 7396 Magyarszék, Kossuth Lajos u. 51.
Company registration number: 02 09 085826
Tax number: HU29194599
Phone number: +3623555510
Name of representative: Balázs Ács, Managing Director
Email: info@oncotherm.org
Website: -

Company name: SCA Oncology Kft.
Headquarters: 7396 Magyarszék, Kossuth Lajos u. 51.
Company registration number: 02-09-086520
Tax number: HU27526150
Phone number: +3623555510
Name of representative: Balázs Ács, Managing Director
Email: info@oncotherm.org
Website: -

Company name: Oncotherm GmbH
Headquarters: 53842 Troisdorf, Belgische Allee 9, Germany
Company registration number: HRB 6545
Tax number: DE813471390
Phone number: +49 (2241)-319920
Name of representative: Balázs Ács, Managing Director
Email: info@oncotherm.de
Website: -

Company name: XAX Kft.
Headquarters: 1024 Budapest, Káplár u. 4-6. b. ép. b. lház. 1st floor 4.
Company registration number: 01 09 349297
Tax number: HU12000784
Phone number: +3623555510
Name of representative: Dr. Olivér Szász, Managing Director
Email: info@oncotherm.org
Website: www.xax.hu

Data Protection Officer: The company is not obliged to appoint a Data Protection Officer and therefore, a Data Protection Officer hasn’t been appointed.

Personal data may be disclosed to employees of the Company who have access rights related to the relevant data processing purpose, to the extent determined by the Company and to the extent necessary for the performance of their activities.

On the basis of Article 26 of the GDPR, the data controllers implement joint data management in connection with the provision of the services included in this General Privacy Policy, in the course of which the goals and means of data management are jointly determined. Their responsibility for data management is joint; the Data Subject may exercise his rights according to this General Privacy Policy in relation to any data controller and against any data controller. With regard to joint data management, the contact person for Data Subjects is the same for all joint data controllers.

3. Scope of the Policy

The policy shall cover all natural persons connected with the Company, in particular:

  • employees employed by the Company under an employment contract, including past and future employees and temporary workers,
  • applicants who have submitted a job application to the Company,
  • employees of partners affiliated with the Company.

4. Concepts

4.1. Natural person

A person who has legal capacity independently, i.e. can become the subject of rights and obligations. [Act V of 2013 on the Civil Code, § 2:1(1)]

4.2. Identifiable natural person

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. [Article 4 (1) of the GDPR]

4.3. Data subject

A natural person whose data is processed by the company.

4.4. Personal data

Personal data is any information relating to an identified or identifiable natural person.  [Article 4 (1) of the GDPR]

4.5. Data management

Processing is any operation or set of operations which are performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. [Article 4 (2) of the GDPR]

4.6. Controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. [Article 4 (7) GDPR]

4.7. Processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.  [Article 4 (8) GDPR]

4.8. Database

A set of personal data which can be accessed by specific criteria, whether centralised, decentralised or structured according to functional or geographical criteria, in any way.  [Article 4 (6) GDPR]

4.9. Access rights

Permissions that authorize designated employees of the Company to carry out data processing activities, to the extent determined by the Company and necessary for the relevant data processing purpose.

4.10. Third-party

A natural or legal person, public authority, agency or body other than the data subject, controller, processor or persons who, under the direct authority of the controller or processor, are authorised to process personal data. [Art. 4 (10) GDPR]

4.11. Consent of the data subject

Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.  [Art. 4 (11) GDPR]

4.12. Appliance

Medical devices developed, manufactured and distributed by the Company.

4.13. Potential candidate

A potential candidate is a data subject whose personal data (CV) is downloaded from various candidate databases by the Company in the course of its recruitment activities, or whose personal data (CV) is transmitted by the Company's Partners performing recruitment activities. Data subjects are considered potential candidates until the Company contacts them or decides to reject the potential candidate.

4.14. Candidate

A natural person who has applied for job advertisements posted by the Company or who has been contacted by the Company in order to be offered a job.

5. Legal basis for data processing

The Company only processes data that has at least one of the following legal bases [Art. 6 GDPR].

5.1. Consent of the data subject

The consent may be given by the data subject in the following form:

  • In writing, in the form of a declaration giving consent to personal data processing
  • Electronically: by conduct on the website of the Company or of the Applicant Tracking System used by the Company, such as ticking a check box or choosing technical settings, or by any other statement or action that, in the given context, clearly indicates the data subject's consent to the intended processing of their personal data. Silence, pre-ticked boxes or non-action do not constitute consent.

If the processing serves several purposes at the same time, consent must be given for all the purposes for which it is processed. [GDPR Principles (32)]

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The data subject shall be informed thereof before consent is given. [Art. 7 (3) GDPR]

After the withdrawal of the consent to data processing, the data subject shall be informed of the fact that the data processing has ended.

The duration of data processing depends on the purpose of data processing; the data subject is informed about it when consent is granted or at the start of data processing.

5.2. Performance of a contract

Processing is considered lawful if it is necessary for the completion of a contract to which the data subject is a party or for taking steps at the request of the data subject prior to entering into a contract.  [Art. 6 (1) (b) GDPR]

The consent of the data subject to the processing of personal data that is not strictly necessary for the performance of the contract should not be a condition for the conclusion of the contract. Consent to the processing of personal data necessary for the performance of the contract is not necessary, as the data controller performs a legal obligation.

5.3. Compliance with a legal obligation to which the controller is subject

Where a legal obligation is fulfilled, the legal basis for data processing is determined by law, so the consent of the data subject is not required for the processing of his or her personal data; however, he or she must be informed about the data processing.

The data controller is entitled to process the scope of data necessary for the fulfilment of a legal obligation even after the withdrawal of the consent of the data subject.

5.4. Protection of the vital interests of the data subject

The legal basis for data processing is determined by law in the case of the protection of the vital interests of the data subject or another natural person, so the consent of the data subject is not necessary for the processing of his or her personal data.

5.5. Pursuit of the rightful interests pursued by the controller or by a third party

The rightful interests pursued by the controller, including the controller to whom the personal data may be disclosed, or by a third party, may constitute a legal basis for the processing, unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child [Article 6 (1) (f) GDPR].  Such a rightful interest may be the case, for example, where there is a relevant and appropriate relationship between the data subject and the controller, for example in cases where the data subject is a customer of or employed by the controller.

In order to determine the existence of a rightful interest, it is essential to carefully examine, inter alia, whether the data subject can reasonably expect, at the time and in the context of the collection of the personal data, that the processing may take place for that purpose.

The interests and fundamental rights of the data subject may take precedence over the interests of the controller where personal data are processed in circumstances where the data subjects do not expect further processing.

The scope of the personal data processed: security camera recordings from the common areas of the Company's buildings, GPS data in the case of the Company's vehicles, the list of visitors to the building, and data of employees for which the legal basis is neither the performance of a contract nor a legal obligation (documents certifying qualifications, name, contact details).

The purpose of data processing: property protection, interest protection, quality assurance, ensuring the safety of the devices manufactured by the Company.

6. Purpose of data processing and scope of data collected

The company determines the purpose of the processing by referring to the above legal bases.

The consent may cover all processing activities carried out for the same purpose or purposes.

The data may only be used for the purposes for which the data subject has been informed (if the processing is based on any of the above legal bases) or for which the data subject has expressly given his or her consent (in case of consent).

The primary purpose of data collection is to improve the quality of services provided by the enterprise.

The Company processes the following data:

6.1. Information you share with us in the course of your general private inquiry

Description of the service:
Data shared by the interested party in messages received by the Company by e-mail or telephone inquiry.

Given that the Company serves companies and not individuals (B2B business), our employees will normally assume that the request is related to the general course of a business unless there is any other indication in this regard. Accordingly, our colleagues regard the data obtained in this way as company data (data processing included in section 6.2).

Data subjects:
The person who contacts the Company on their own behalf or on behalf of someone else by e-mail or telephone inquiry.

Purposes of data processing:
Fulfilment of the request received by the Company.

How we collect your data:
The data is forwarded to the Company by the requesting natural person online (by e-mail) or by phone.

The processed data:
Phone number and/or e-mail address and additional data shared by the Data Subject.

The Data Controller shall not be liable for the correctness of the processed data; the accurate and correct provision of the data is the obligation of the Data Subject. If the data of the data subject are modified during the period of data processing or need to be corrected due to any clerical error, the data subject is entitled to have his or her data corrected as described in section 10.2.

Duration of data processing:
Examination and, where possible, duration of the request received. The Data Controller shall not record the Data in its database and shall not store them unless the Data Subject expressly requests it for the purpose of subsequent contact. Written requests may be archived depending on the duration of the investigation, and archive files shall be deleted if the data subject's consent is withdrawn.

Legal basis for data processing:
Consent of the data subject.

The data is accessed:
By the employees of the Company engaged in administrative activities.

Data transmission:
Only at the express request of the Data Subject, the data shall be forwarded to data processors:

Data processor: Dr Szász Attila Marcell EV.
Seat: 1082 Budapest, Baross u. 15.
Task of the data processor: As the medical director of the Company, he assesses the patients’ needs and contacts the patients.

Data processor: Dr Carrie Minaar, Consulting Africa Marketing and Research Pty Ltd.
Seat: Wits Donald Gordon Medical Centre, 18 Eton Road, Parktown, Johannesburg, 2193
Task of the data processor: As an expert appointed by the Company, she assesses the patients’ needs and contacts the patients.

In case of individual needs, data may be transferred to other data processors in order to fulfil the request. In all cases, the Company shall provide detailed information on this to the data subject and shall request his or her consent to the implementation of the data transfer.

Automated decision-making and profiling:
The Data Controller does not carry out automated decision-making, including profiling.

6.2. Data processing related to contracts concluded by the Company

Service Description:
The Company handles the processing of the personal data of the natural persons contracting with it – customers, buyers, and suppliers – in connection with the contractual legal relationship.

The Data Controller processes the data of the Partner's contact persons in order to conclude and fulfil the existing contracts with the partners of the legal entity (hereinafter: Partner).

Data Subjects:
On the part of the Partner, the person establishing a relationship with the Company for the purpose of concluding and performing contracts.

Purposes of data processing:
Maintaining contact with the Partners in order to conclude and perform existing contracts, enforcing claims arising from the contract, and ensuring compliance with contractual obligations.

How we collect your data:
The data will be transmitted by the Partner or a natural person acting on behalf of the Partner to the Data Controller on paper, online or by phone. In the case of data collection on paper, the Data Controller records and stores the data in electronic form in order to achieve the purpose of data management.

The processed data:
Company data you share with the Company in the course of general business (inquiry, request for quotation, order, sale, other communication): your company information, your corporate email address and telephone number, your name, and any other information you share with us.

The Data Controller shall not be liable for the correctness of the processed data; the accurate and correct provision of the data is the obligation of the Partner or the person acting on its behalf. If the data of the data subject are modified during the period of data processing or need to be corrected due to any clerical error, the data subject is entitled to have his or her data corrected as described in section 10.2.

Duration of data processing:
In the case of contracts entered into by the undertaking in connection with its activities, until the end of the limitation period following the disposal of the Devices covered by the contract, in accordance with the applicable legislation.

In the case of contracts that the Company concludes in connection with the provision of its operating conditions, until the end of the limitation period following the existence of the contractual relationship, in accordance with the applicable legislation.

Legal basis for data processing:
Rightful interest.

The Data Controller takes over and processes the personal data in its own and the Partner's rightful interest, in which the enforcement of the rightful interest of the Partner and the Data Controller takes precedence over the right to dispose of the personal data of the Partner's contacts (employees), as it is a necessary and proportionate restriction for the performance of the employee's job.

The data is accessed:
By the employees of the company who are responsible for maintaining the business relationship with the respective Partner.

Data transmission:
No data is transferred.

Automated decision-making and profiling:
The Data Controller does not carry out automated decision-making, including profiling.

6.3. Archiving

Service Description:
In order to increase data security and the traceability of the medical devices manufactured by the Company, the Data Controller performs archiving of all written data related to the Company.

Data Subjects:
On the part of the Partner, persons establishing contact with the Company for the purpose of concluding and performing contracts, employees of the Company, and other individuals contacting for private interests.

Purposes of data processing:
Increasing data security. The Data Controller performs tasks that may have the subsequent effect of a possible personal injury. The tracking of medical devices is in the rightful interest of the company. The purpose of archiving is to establish errors and responsibilities in the event of a possible personal injury.

The data will only be used for the purpose of data verification, data cleaning and recovery after data loss, or if an event occurs that needs to be investigated and the use of the data is unavoidable.

How we collect your data:
The data is transmitted to the Data Controller by the employee concerned, a natural person acting on behalf of a Partner or contacting for private purposes on paper, online or by phone. In the case of data collection on paper, the Data Controller records and stores the data in electronic form in order to achieve the purpose of data management.

The processed data:
Due to the fact that the filtering and systematization of the data would entail a disproportionate use of resources, the Company archives all written data generated in the organization.

Duration of data processing:
The organization, assignment for deletion and deletion of archived files (e.g. correspondence, documentation, other hard-disk content) imposes a disproportionate burden on the Company, so these files are stored until the end of the limitation period after the disposal of the Devices, in accordance with the applicable legislation.

Legal basis for data processing:
Rightful interest.

The Data Controller takes over and processes the personal data in its own and the Partner's rightful interest, in which the enforcement of the rightful interest of the Partner and the Data Controller takes precedence over the right to dispose of the personal data of the Partner's contacts (employees), as it is a necessary and proportionate restriction for the performance of the employee's job.

The data is accessed:
The archived data is accessed by the system administrators of the Company.

Data transmission:
No data is transferred.

Automated decision-making and profiling:
The Data Controller does not carry out automated decision-making, including profiling.

6.4. Data processed during newsletter registration

Service Description:
The Company sends newsletters to subscribed natural persons. The purpose of the newsletter service is to share news about the Company and its products with stakeholders.

Data Subjects:
Natural persons who have subscribed.

Purposes of data processing:
Sharing news and events affecting the Company with stakeholders.

How we collect your data:
The data will be transmitted to the Data Controller by the employee concerned, a natural person acting on behalf of a Partner or contacting for private purposes on paper, online or by phone. In the case of data collection on paper, the Data Controller records and stores the data in electronic form in order to achieve the purpose of data management.

The processed data:
Data shared when subscribing to the newsletter: your name, e-mail address and area of work (doctor, nurse, service person, marketing type jobs, secretary, patient, other).

Duration of data processing:
From the granting of consent to the withdrawal of consent.

Legal basis for data processing:
Consent of the data subject.

The data is accessed:
By the employees of the Company.

Data transmission:
No data is transferred.

Automated decision-making and profiling:
The Data Controller does not carry out automated decision-making, including profiling.

6.5. Candidate data

Service Description:
For the purpose of filling vacant or new positions, the Company

  • posts advertisements on various job portals and social media
  • engages in recruitment activities to find potential candidates in various databases,
  • hires recruitment services providers to fill open positions. When processing candidate data from recruitment companies, the Company is considered a Data Processor.

Data Subjects:
Applicants (candidates) for advertisements posted to fill vacant positions in the Company, as well as potential candidates in various databases.

Purposes of data processing:
To fill vacant or new positions in order to perform the duties of the Company.

How we collect your data:
The data is

  • forwarded by the candidate, online or on paper,
  • forwarded by the commissioned recruitment partner company, or
  • in the course of the Company's recruitment activities, downloaded from various candidate databases.

In the case of data collection on paper, the Data Controller records and stores the data in electronic form in order to achieve the purpose of data management.

The processed data:
Data shared during the application process or data on the downloaded CV.

Duration of data processing:
The maximum duration of data processing for potential candidates is 30 days if the Company does not contact the potential candidate during this time.

Data of candidates who have been contacted is processed:

  • until the 30th day following the rejection, or
  • until the employment relationship is established if the candidate is recruited.

Further data processing is based on a separate consent, from the granting of consent until the withdrawal of consent.

Legal basis for data processing:
Consent of the data subject.

When applying for jobs advertised by the Company, candidates accept the content of this General Privacy Policy by using the checkbox, thereby consenting to the data collection and accepting the method and duration of data storage.

If the candidate does not submit his/her application through the candidate management system indicated in this document, the data protection information may be provided by e-mail or in person.

The data is accessed:
By authorized employees of the Company: the head of the department to which the position to be filled belongs ("Hiring Manager") and the employee responsible for recruitment (HR).

Data transmission:
The Company uses an ATS (Applicant Tracking System) to make it easier to manage candidates and keep in touch, during which the company providing the cloud-based system is considered a data processor. The data processing activity takes place based on the data processing contract concluded with the service provider.

Data processor: SmartRecruiters Inc.
Seat: San Francisco CA 94104, 225 Bush Street, Suite #300
Task of the data processor: Candidate management and a cloud-based system suitable for contacting applicants.

We inform the candidates that the data processing takes place outside the EEA, so the data processing provisions in accordance with the Data Protection Regulation are defined in a data processing contract.

Guarantees of the aforementioned data processor on data protection:

  • Technical and organizational measures:
    • Determination and use of security perimeters when storing critical information
    • Ensuring physical security of offices, premises and facilities
    • Physical protection against natural disasters, attacks or accidents
    • Protection from power outages and other disturbances
    • "Clean desk and clear screen policy"
    • Use of access rights
  • System access privileges: Technical (ID/password) and organizational measures for user identification and authorization
  • Data access rights: Requirement-based authorization definitions and access rights, audit of employee activity
  • Data portability control: restriction and control of data portability, transmission and disclosure
  • Input control: recording the opening, changing, and deleting of data and the identity of the employee who performed them
  • Measures to segregate the responsibilities of SmartRecruiters (data processor) and the Company (data controller)
  • Availability control: Store and access data securely

If you have any doubts about the security of data processing, you can request a copy of the data processing contract using the contact details provided in this document.

Automated decision-making and profiling:
The Data Controller does not carry out automated decision-making, including profiling.

6.6. Privacy policy for the employees of the Company

Our data processing measures for our employees are regulated by a separate data management policy and work instructions.

Service Description:
In order to perform its tasks, the Company employs employees, agents and trainees, during which data processing takes place.

Data Subjects:
Every past, present and future employee, including persons employed under a contract of assignment, consultants and trainees.

Purposes of data processing:
Payroll/payment of employees, workers and agents in contractual relations with the Company, social security administration, other administration related to the employment relationship, compliance with the regulations related to the production of the product (quality assurance – certificate of competence), employer branding, ensuring general business, identification, labour law liability, asset protection, creation of a safe workplace.

How we collect your data:
The data are transmitted by the employee concerned to the Data Controller online or on paper.

In the case of data collection on paper, the Data Controller records and stores the data in electronic form in order to achieve the purpose of data management.

The processed data:
Personal data necessary for the establishment and maintenance of employment and for contact.

Duration of data processing:
In the case of data required for social security administration, salary payment and other employment-related administration, the duration of data processing is determined in accordance with the current accounting and labour laws, which at the time of the completion of this document is the end of the fifth year after reaching the retirement age. In the case of such data, the processing, therefore, lasts from the provision of the data necessary for the conclusion of the contract until the end of the fifth year after reaching retirement age.

In the case of data necessary to ensure compliance with the requirements related to the manufacture of the product (e.g. quality assurance, proof of competence), the data processing lasts from the beginning of the employment relationship until the end of the fifth year from the disposal of the products manufactured by the employee.

For consent-based information that is not necessary for contact (e.g. photographs, driver's/passport number, etc.), the data processing lasts from the beginning of the employment relationship until the 10th working day after the end of the employment relationship or until the withdrawal of consent.

Some data necessary for contact (private e-mail address and phone number) are necessary during the employment relationship; however, after the end of the employment relationship, their storage is based on consent. The processing of such personal data lasts from the granting of consent until the withdrawal of consent.

Legal basis for data processing:
In the case of data required in the course of administration related to social security, wages and fringe benefits, the legal bases for data processing are the performance of a contract in which the employee is one of the parties [Art. 6 (1) (b) GDPR], the rightful interest of the controller [Art. 6 (1) (f) GDPR], and the performance of the controller's legal obligation [Art. 6 (1) (c) GDPR].

In the case of data necessary to ensure compliance with the requirements related to the production of the product (quality assurance – proof of competence), the legal basis is the rightful interest of the data controller (control of conduct related to the employment relationship and liability under labour law) [Article 6 (1) (f) of the GDPR].

In the case of data recorded by the electronic surveillance systems of the Company, the legal basis is the rightful interest of the data controller and the protection of the vital interests of the data subject (property protection, security) [Article 6 (1) (f) of the GDPR].

Certain data necessary for contact (private e-mail address and phone number) are necessary during the employment relationship; however, after the end of the employment relationship, their storage is based on the consent of the data subject.

The data is accessed:
By eligible Employees of the Company: the head of the department to which the position to be filled belongs ("Hiring Manager"), the managing director of the Company, the financial assistant responsible for the salary transfer and the employee responsible for human resources management (HR).

The data necessary for contact is available to all employees of the company, however, we ask for the consent of the employees for the internal use of this data, and in case of refusal of consent, we provide alternative solutions (e.g. company phone card).

In the case of data recorded by the electronic surveillance systems of the Company, the operators of the property protection systems, and the security service have access to the recorded data.

Data Transmission:
The rights and obligations of the data processor in relation to the processing of personal data are determined by the data controller within the framework of the law and the specific laws on data processing.

The Company shall be responsible for the lawfulness of the instructions given to the data processor in respect of the data processing operations.

| Data processor | Seat | Task of the data processor |
| --- | --- | --- |
| Tax Europe Ltd. | H-7761 Kozármisleny, Pécsi u. 126. | Administration related to salary payment, social security, tax advice, and labour law advice |
| Broad Law Firm | 1126 Budapest, Szendrő köz 4. | Legal advice |
| Defter Economic Services Ltd. | 1141 Budapest, Pered u. 24. | Financial audit |
| Dr. Pózmán Ilona EV. | 2071 Páty, Munkás tér 12. | Occupational health services |
| Hunbuild Bt. | H-2142 Nagytarcs, Puskás Tivadar u. 15. | Occupational safety and fire safety training, site visits, site qualification, occupational safety consulting |
| GSGroup MyFleet Plc. | 1118 Budapest, Budaörsi út 52. | Operation of a GPS-based road registration system installed in a company car |
| Zoltán Orbán and Partner Industrial Trade and Service Ltd. | H-2071 Páty, Vörösmarty út 29. | Asset protection |

The Company does not authorize the data processor to use another data processor.

Automated decision-making and profiling:
The Data Controller does not carry out automated decision-making, including profiling.

7. Transmission of data

7.1. Data processing

The rights and obligations of the data processor in relation to the processing of personal data are determined by the data controller within the framework of the law and the specific laws on data processing.

The Company declares that it has no competence to make a substantive decision on data processing in the course of its data processing activities, it may process the personal data it has become aware of only in accordance with the provisions of the data controller, it may not carry out data processing for its own purposes, and it is obliged to store and retain personal data in accordance with the provisions of the data controller.

The Company shall be responsible for the lawfulness of the instructions given to the data processor in respect of the data processing operations.

The Company is obliged to provide the data subjects with information about the identity of the data processor and the place of data processing.

The Company does not authorize the data processor to use another data processor.

The contract for data processing must be in writing.

In all cases, the data subjects are informed in detail about the fact of data processing before the start of data processing.

7.2. Transfer of data to third parties

The data may be transferred by the data controller to the following organizations:

  • National Research, Development and Innovation Office (1077 Budapest, Kéthly Anna tér 1.): Administration of subsidies, control of the use of grants
  • Ministry of Finance – Department of Privileged Corporate Relations (1051 Budapest, József nádor tér 4.): Administration of subsidies, control of the use of grants
  • Ministry of Finance – Undersecretary of State for the Implementation of Economic Development Programmes (1139 Budapest, Váci út 81.): Administration of subsidies, control of the use of grants
  • Pest County Government Office (as state administration of adult education) (1052 Budapest, Városház utca 7.): Provision of data on training

8. Cookie management on www.oncotherm.hu/.com/.de, www.xax.hu and www.oncopet.org sites

The Company uses cookies on the websites as follows.

8.1. What is a cookie?

A cookie is a small data file that is placed on your computer when you visit a website. Among other things, cookies collect information, remember the individual settings of the visitor and generally make it easier for users to use the websites.

Only security and session cookies are used on the websites of the Company. A cookie is a small piece of data that this website stores in your computer's browser and can read from there. The cookie cannot be read by any website other than the one that placed it. The cookie is used by the Company for administrative purposes, such as measuring website traffic. No cookie contains any personal information that would allow anyone to reach you via email, phone, or regular mail. Most web browsers can also be configured to notify you when cookies are placed or to prevent cookies from being placed.

List of cookies used on the oncotherm.hu/.com/.de and oncopet.org websites, the data to which each cookie has access, and the function of each cookie:

(A) Cookies that are strictly necessary for the operation of the website

| Cookie name | Data managed/used by cookies | Cookie lifetime | Function of cookies, purpose of data processing |
| --- | --- | --- | --- |
| Cookie-agreed | It does not store any personal data. | 100 days | Stores the user's choice regarding the use of cookies |
| Cookie-agreed-categories | It does not store any personal data. | 100 days | It stores the categories of cookies that the user has allowed. |

(B) Other third-party cookies and information about them

In addition to the cookies we use directly when you visit this website, we may also create and use so-called third-party targeting cookies in connection with the services of third parties (e.g. Google), which help us, for example, to record and analyze traffic data and to deliver targeted marketing and advertising messages. More information about them can be found at https://www.google.com/policies/technologies/types/ and https://www.google.com/analytics/learn/privacy.html?hl=hu.

| Cookie name | Data managed/used by cookies | Cookie lifetime | Function of cookies, purpose of data processing |
| --- | --- | --- | --- |
| _ga | Google Analytics. It does not store any personal data; it assigns a single anonymous identifier, with the help of which it can provide the following data to the website operator: the number of visits, their duration, pages visited, information about the device from which the visit took place (mobile, desktop, tablet, display size, operating system type and version), the geographical location of the visit at a maximum city level, the frequency of the visit (the rate of returning or new visits) | 2 years | Allows the anonymous identification of the user. It ensures that we continuously improve the operation of the website and provide a better user experience for visitors with the help of non-personally identifiable data for statistical purposes. |
| _gid | Google Analytics. It does not store any personal data; it assigns a single anonymous identifier, with the help of which it can provide the following data to the website operator: the number of visits, their duration, pages visited, information about the device from which the visit took place (mobile, desktop, tablet, display size, operating system type and version), the geographical location of the visit at a maximum city level, the frequency of the visit (the rate of returning or new visits) | 1 day | Allows the anonymous identification of the user. It ensures that we continuously improve the operation of the website and provide a better user experience for visitors with the help of non-personally identifiable data for statistical purposes. |
| _gat | It does not store any personal data; it is necessary for the operation of the Google Analytics service. | 1 minute | Used by Google Analytics to reduce request rates |
| collect | It does not store any personal data. It stores information about the pages visited and the user's devices. It also follows the user on additional web pages opened during the session. | session | It collects statistical data about users and their use of the website. |

Legal basis for data processing:
In the case of cookies (Part A), which are essential for the operation of the website, the legal basis for data processing is the rightful interest of the data controller. In the case of additional cookies (Part B), the legal basis for data processing is the consent of the data subject.

Each of the cookies listed in section (A) is a necessary cookie. These cookies are necessary for users to browse our website and use its functions. Without the use of these cookies, we cannot guarantee you the use of our website.

Please note that this Policy does not extend to websites to which you have been redirected by a link on the oncotherm.hu/.com/.de or oncopet.org websites.

9. The Company as a data processor

Data generated during the use of the device
Device usage data is stored on purchased devices, i.e. locally. Such data includes hardware logs, i.e. entry-exit data, system failures, system activity, date and time of events, hardware settings, management commands and data, including own and patient data entered by an employee of your company or another natural person. The data controller in this case is not the Company, but the company that purchased the product. The Company may only process the data stored on the purchased device if you, as a representative of the purchasing company, are authorized to do so as follows:

  • The Company is considered a data processor if your company commissions us to archive the entire digital system of your OncoThermia device.
  • In some services, we must request certain information (e.g., hardware logs, which may include anonymized patient data) about your use of your device, so please note that we may only be able to provide any services related to your device if your company authorizes us to perform the service activities. It is also considered an authorization if your company requests a service from us (e.g. it requires the service of a device). In this case, the Company is considered a data processor.
  • The Company is also a data processor if, at the company's request, your company provides treatment data (anonymized patient data necessary for the evaluation of various clinical statistics) to the Company for the purposes of quality assurance and compliance with relevant standards.

Please note that if you provide data to the Company as a data processor, it is your responsibility to properly inform the patients and employees concerned about the transfer of their data to third parties for processing purposes and to publish their anonymized data (case studies and clinical statistics).

The data management information related to the device information is provided on paper during the purchase of the device.

10. Rights of the data subject in relation to the processing of his or her data

10.1. Right of access

The data subject shall have the right to obtain confirmation from the controller as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

  • the purposes of the processing in relation to the given personal data,
  • the categories of personal data concerned,
  • the categories of recipients to whom the personal data of the data subject have been or will be disclosed, including in particular recipients in third countries or international organisations (in the case of transfers to recipients in third countries and international organisations, the Data Subject shall have the right to request information as to whether the transfer is subject to appropriate safeguards),
  • the envisaged period for which the personal data concerned will be stored or, if that is not possible, the criteria used to determine that period,
  • the data subject's rights (right to rectification, erasure or restriction, right to data portability and right to object to the processing of such personal data),
  • the right to lodge a complaint with a supervisory authority,
  • if the data controller did not obtain the data from the Data Subject, then all available information about the source.

Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards for the transfer according to Article 46.

The controller shall provide the data subject with a copy of the personal data undergoing processing free of charge. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.

Where the data subject makes the request by electronic means, the information shall be provided in a commonly used electronic format, unless otherwise requested by the data subject.

10.2. Right to rectification and erasure of the data subject

Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure (“right to be forgotten”)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based according to point (a) of Article 6 (1) of the Regulation (consent to the processing of personal data) or Article 9 (2) (a) of the Regulation (giving explicit consent) and there is no other legal ground for the processing;
  • the data subject objects to the processing according to Article 21 (1) of the Regulation (right to object) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing according to Article 21 (2) of the Regulation (objection to the processing of personal data for marketing purposes);
  • the personal data have been unlawfully processed;
  • the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  • the personal data have been collected in relation to the offer of information society services referred to in Article 8 (1).

Where the controller has made the personal data public and is obliged to erase them at the request of the data subject, the controller shall take reasonable steps, including technical measures, taking into account available technology and the cost of implementation, to inform controllers which are processing the personal data that the data subject has requested the erasure of any links to, or copy or replication of, those personal data.

The foregoing shall not apply where processing is necessary:

  • for exercising the right to freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • on grounds of public interest in the field of public health in accordance with Article 9 (2) (h) and (i) of the Regulation and Article 9 (3) of the Regulation;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) of the Regulation, as far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise or defence of legal claims.

10.3. Right to restriction of processing

The data subject shall have the right to obtain the restriction of processing from the controller where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, in which case the restriction shall apply for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
  • the data subject has objected to the processing according to Article 21 (1) of the Regulation; in this case, the restriction applies to the period until it is established whether the legitimate reasons of the data controller take precedence over the legitimate reasons of the data subject.

Where processing has been restricted on the basis of the above, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

The controller shall inform the data subject at whose request processing has been restricted before the restriction of processing is lifted.

10.4. Notification obligation related to rectification or erasure of personal data or restriction of processing

The controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed unless this proves to be impossible or involves a disproportionate effort.

At the request of the data subject, the controller shall inform the data subject of those recipients.

10.5. Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

  • the processing is based on consent according to Article 6 (1) (a) of the Regulation (consent of the data subject to the processing of personal data) or point (a) of Article 9 (2) of the Regulation (explicit consent of the data subject to the processing) or on a contract according to point (b) of Article 6 (1); and
  • the processing is carried out by automated means.

When exercising the right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17 of the Regulation, i.e. a measure taken within the scope of data portability does not constitute the erasure of the data; the data is kept in the Data Controller's records as long as the controller has a suitable purpose or legal basis for processing it.

The right to data portability should not adversely affect the rights and freedoms of others.

The right to data portability under this section does not create an obligation for controllers to introduce or maintain technically compatible processing systems.

10.6. Right to object

In view of the fact that the Data Controller does not carry out data processing in the public interest and does not have a public authority, does not carry out scientific or historical research, and the data processing does not take place for statistical purposes, the exercise of the right to object may arise in the case of data processing based on a rightful interest.

If the data of the Data Subjects is processed on the basis of a rightful interest, it is an important provision of a guarantee nature that the Data Subject must be provided with adequate information in connection with the data processing and the enforcement of the right to object. This right must be expressly brought to the Data Subject's attention at the latest during the first contact with the Data Subject.

On this basis, the Data Subject shall have the right to object to the processing of his or her personal data and in such a case the Data Controller shall no longer process the personal data of the Data Subject unless it can be demonstrated that:

  • the processing is justified by compelling legitimate grounds on the part of the Controller which override the interests, rights and freedoms of the data subject, or
  • the processing is related to the submission, exercise or defence of the legal claims of the Data Controller.

10.7. Right of complaint and redress of the data subject

Contacting the Data Controller
If the Data Subject considers that the processing of his or her personal data by the Data Controller is prejudicial to him or her, he or she may contact the Data Controller at any of the contact addresses specified in section 2 of this Privacy Policy. The Data Controller is committed to complying with and enforcing the rights related to the processing of personal data; it therefore investigates all complaints received with due care and informs the Data Subject of the results.

Right to lodge a complaint with a supervisory authority
The data subject shall have the right to lodge a complaint with a supervisory authority according to Article 77 of the Regulation if the data subject considers that the processing of personal data concerning him or her infringes this Regulation.

The data subject may exercise his or her right to lodge a complaint at the following contact details:

National Authority for Data Protection and Freedom of Information: 1055 Budapest, Falk Miksa utca 9-11
Phone: +36 (1) 391-1400; Fax: +36 (1) 391-1410; Web: http://www.naih.hu; E-mail: ugyfelszolgalat@naih.hu

The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and outcome of the complaint, including the right to a judicial remedy according to Article 78 of the Regulation.

Right to an effective judicial remedy against a controller or processor
Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority according to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data not in compliance with this Regulation.

Proceedings may be brought against the Data Controller as a data controller with a domestic place of business before a Hungarian court.

In this case, the data subject is free to decide whether to bring the action before the court having jurisdiction over his or her domicile (permanent address) or place of residence (temporary address), or over the seat of the Authority. The court competent for your domicile or place of residence can be looked up on the https://birosag.hu/birosag-kereso page. According to the seat of the Authority, the Metropolitan Court of Justice has jurisdiction over the proceedings.

10.8. Procedure to be applied in the event of a request by the data subject in connection with data processing

The Company facilitates the exercise of the rights of the data subject; it may not refuse to comply with a request to exercise the rights set out in this Privacy Policy unless it proves that it is not in a position to identify the data subject.

The Company shall inform the data subject of the action taken in response to the request without undue delay, but in any event within one month of receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The controller shall inform the data subject of the extension of the time limit, indicating the reasons for the delay, within one month of receipt of the request. [Art. 12 (3) GDPR]

Where the data subject makes the request by electronic means, the information shall, where possible, be provided by electronic means, unless otherwise requested by the data subject.

If the Company does not take action on the request of the data subject, it shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

The Company shall provide the data subject with the following information and action free of charge: feedback on the processing of personal data, access to the processed data, rectification, supplement, erasure of data, restriction of data processing, data portability, objection to data processing, information about the personal data breach.

Where the data subject's request is manifestly unfounded or excessive, in particular because of its repetitive character, the controller may, taking into account the administrative costs of providing the information or communication or taking the action requested, charge a fee or refuse to act on the request.

The burden of proof that the request is manifestly unfounded or excessive shall lie with the controller.

Without prejudice to Article 11 of the Regulation, where the controller has reasonable doubts as to the identity of the natural person making a request according to Articles 15 to 21 of the Regulation, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

11. Personal Data Breach

11.1. Procedure in the event of a personal data breach

A personal data breach within the meaning of the Regulation is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Examples of a personal data breach include the loss or theft of a device containing personal data (laptop, mobile phone); the loss or inaccessibility of the code used to decrypt a file encrypted by the data controller; infection by ransomware, which makes the data processed by the data controller inaccessible until the ransom is paid; an attack on the IT system; an e-mail containing personal data sent in error; disclosure of the address list; etc.

If a personal data breach is detected, the representative of the Company shall immediately conduct an investigation in order to identify the personal data breach and determine its possible consequences. The necessary measures must be taken to remedy the damage.

The personal data breach shall be notified to the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by the reasons justifying the delay.

The processor shall report the personal data breach to the controller without undue delay after becoming aware of it.

The notification shall include at least:

  • Description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, as well as the categories and approximate number of data concerned; the name and contact details of the data protection officer or other contact person providing further information shall be provided;
  • Description of the likely consequences of the personal data breach;
  • Description of the measures taken or planned by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences resulting from the personal data breach.

If and in so far as it is not possible to communicate the information at the same time, it may subsequently be provided in instalments without further undue delay.

The controller shall keep a record of personal data breaches, indicating the facts related to the personal data breach, its effects and the measures taken to remedy it. Such records shall enable the supervisory authority to verify compliance with the requirements of Article 33 of the Regulation.

 

11.2. Communication of a personal data breach

Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

The aforementioned communication to the data subject shall clearly and intelligibly describe the nature of the personal data breach and shall include at least the name and contact details of the data protection officer or other contact person providing further information, the likely consequences of the personal data breach, and the measures taken or planned by the controller to remedy the personal data breach, including, where applicable, measures to mitigate possible adverse consequences resulting from the personal data breach.

The data subject need not be informed as described above if any of the following conditions are met:

  • the controller has implemented appropriate technical and organisational protection measures and those measures have been applied to the personal data affected by the personal data breach, in particular, those such as encryption, which render the personal data unintelligible to any person who is not authorised to access it;
  • the controller has taken further measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
  • the provision of information would require a disproportionate effort. In such cases, the data subjects shall be informed by means of publicly available information or a similar measure shall be taken to ensure that the data subjects are informed in an equally effective manner.

Where the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered whether the personal data breach is likely to result in a high risk, may require it to do so or may decide that one of the conditions listed above is met.

12. Provisions on data security

The Company may only process personal data in accordance with the activities set out in this policy, according to the purpose of data processing.

The Company ensures the security of the data. In this regard, it undertakes to take all the technical and organizational measures that are necessary for the enforcement of the laws, data protection and confidentiality rules on data security, and to establish the procedural rules necessary for the enforcement of the laws specified above.

The Company protects the data with appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage, as well as against becoming inaccessible due to changes in the technology used.

The technical and organizational measures to be implemented by the Company for data security are set out in the procedures and work instructions of the Company.

When defining and applying measures for the security of data, the Company takes into account the current state of the art, and in the case of several possible data processing solutions, it chooses a solution that ensures a higher level of protection of personal data, unless this would present disproportionate difficulties.