Medicolink Consultancy Tanácsadó Kft. (hereinafter: “Data Controller”) is committed to fully respecting the rights of its clients (doctors, healthcare workers; hereinafter: “Data Subject”) regarding data management. Accordingly, we handle Data Subjects’ data in accordance with the European Union’s Regulation 2016/679 (hereinafter: General Data Protection Regulation, or “GDPR”) on the protection of natural persons with regard to the management of personal data and the free flow of this data.
Data Controller’s contact data:
- Name of Data Controller: Medicolink Consultancy Tanácsadó Kft.
- Representative of Data Controller: Tamás Bárány
- Address: 59 Tűzoltó str., Budapest, 1094, Hungary
- Phone number: +36 20 533 6496
- E-mail address: info@medicolink.com
1. Controlling cookies
Cookies are short data files placed on the user’s computer by the visited site. The purpose of the cookie is to make the given infocommunication or internet service easier and more convenient when you visit the site again, and the cookie allows the site to recognize the visitor’s browser. Cookies can store user preferences (e.g. selected language) and other information. Among other things, they collect information about visitors and their devices and note the visitor’s custom settings, for example when using online shopping carts. Cookies generally make it easier to use the website, help the website provide users with a real web experience and an effective source of information, and give the website operator the ability to check the site’s functionality, prevent abuses and ensure the smooth and adequate provision of services on the website.
When using this website, our website captures and handles the following information about the visitor and the device he / she browses:
- the IP address used by the visitor,
- browser type,
- features of the operating system of the device used for browsing (configured language),
- the visit’s date,
- the page(s), function, or service visited.
Accepting or enabling cookies is optional. You can reset your browser settings to reject all cookies or to indicate when a cookie is just being sent. Most browsers accept cookies automatically as default, but they can usually be changed to prevent automatic acceptance and offer the choice every time.
See the links below for the most popular browsers’ cookie settings:
- Google Chrome
- Firefox
- Microsoft Internet Explorer 11
- Microsoft Internet Explorer 10
- Microsoft Internet Explorer 9
- Microsoft Internet Explorer 8
- Microsoft Edge
- Safari
However, it should be noted that certain site features or services may not function properly without cookies.
2. Cookies applied on the Data Controller’s website
2.1. Technically indispensable session cookies
These cookies are required to allow visitors to browse the website and to seamlessly and fully utilize its features and the services available through it, including – in particular – keeping a note of visitors’ actions on those pages during a visit. The duration of these cookies’ data management is limited to the visitor’s current visit; cookies of this type are automatically deleted from your computer when the session is completed or when the browser is closed.
The legal basis for data controlling: the legitimate interest of the Service Provider in the proper operation of the website.
The purpose of data controlling: to ensure the proper functioning of the website.
Utilized session cookies:
Type of cookie | Device | Collected data |
PHPSESSID (http) | – | preserves user session status while navigating through pages |
_gat (http) | Google Analytics | limits the speed of requests to the server |
_gid (http) | | Creates a unique identifier for generating statistics on the visitor’s use of the website |
collect (pixel) | Google Analytics | sends information about the visitor’s device and behavior, follows the visitor through devices and marketing channels |
_hjIncludedInSample | HotJar | Cookie setting that indicates to Hotjar whether the visitor has been selected for sampling. |
GPS (http) | YouTube | Registers a unique ID on mobile devices for location tracking |
lidc (http) | | tracking the use of embedded services |
r/collect (pixel) | Google Doubleclick | sends information about the visitor’s device and behavior, follows the visitor through devices and marketing channels |
test_cookie (http) | Google Doubleclick | Checks whether the visitor’s device supports cookies |
tr (pixel) | – | |
YSC (http) | YouTube | Specifies a unique identifier for statistical purposes to see what YouTube videos the visitor viewed |
2.2. Cookies requiring consent
These provide the opportunity for the Data Controller to remember the user’s site choices. The visitor may prohibit this data management at any time prior to the use of the service and during the use of the service. These data cannot be linked to the identifier of the user and cannot be transferred to a third party without the user’s consent.
The purpose of the data collection is to produce analyses and statistics about how visitors use the website (e.g. source, site visits, how much time they spent on the site, what devices and browsers they used, etc.), in order to understand the purposes for which visitors use the website. Legal basis for data controlling: the subject’s voluntary consent.
Cookies used:
Type of cookie | Device | Collected data | Expiration date |
_ga | – | Creates a unique identifier for generating statistics on how visitors use the website | 2 years |
__widgetsettings (html) | twitter.com | – | Does not expire |
bcookie (http) | | tracking the use of embedded services | 2 years |
bscookie (http) | | tracking the use of embedded services | 2 years |
fr (http) | | advertising service to third party advertisers | 3 months |
IDE (http) | Google Doubleclick | captures and reports the visitor’s activity after viewing an ad to measure the effectiveness of the ad | 2 years |
local_storage_support_test (html) | | – | Does not expire |
NID (http) | | Creates a unique identifier that identifies the returning visitor’s device for targeted ads | 6 months |
VISITOR_INFO1_LIVE (http) | YouTube | Estimates the visitor’s bandwidth on sites where YouTube videos are embedded | 179 days |
yt-player-two-stage-token | YouTube | – | Does not expire |
3. Data Security
The Data Controller will take the necessary technical and organizational measures and establish appropriate procedural rules to ensure the security of personal data throughout the entire process of data management.
The Data Controller chooses and operates the IT devices used to manage personal data in a way that the controlled data:
- is accessible for authorized personnel (accessibility);
- is proven to be authentic and certified (authenticity of data controlling);
- has certifiable integrity (data integrity);
- is protected from unauthorized access (data confidentiality).
The Data Controller
- protects the data with appropriate measures against accidental or unlawful destruction, loss, alteration, damage, unauthorized disclosure or unauthorized access,
- restricts access to personal data by granting eligibility levels,
- protects IT systems with a firewall and virus protection,
- during electronic data controlling, ensures that data is accessible with a specific purpose, under controlled circumstances, by only those who need it in order to complete their tasks,
- ensures, by taking appropriate technical measures, that data stored in various electronic databases cannot – unless made possible by law – be directly connected to the Data Subject.
Data Controller provides technical, organizational and corporate measures to protect the security of data management, in view of the current state of the art, providing a level of protection appropriate to the data management risks.
The Data Controller records any possible privacy incidents, indicating facts related to the privacy incident, its effects, and remedies. The Data Controller may report any data protection incident to the National Data Protection and Information Authority (hereinafter: the Authority) without delay and, if possible, at the latest 72 hours after the data protection incident becomes known, unless the privacy incident is unlikely to pose a risk to the rights and freedoms of natural persons.
4. Data Subject’s rights and the conditions for enforcing them
The Data Subject may request information concerning the management of their personal data and the rectification of their personal data; furthermore, they may request the deletion of their personal data – except for statutory data management – as specified during the data collection process, or through the customer service.
4.1. Right to Access
At the request of the Data Subject, the Data Controller shall provide information on the data, source of the data, purpose of the data processing, legal basis, duration of the data processing, the name and address of the Data Processor, and the activities concerning data processing of the data managed by the Data Controller, or by the assigned Data Processor, furthermore, in case the Data Subject’s data has been forwarded, on the legal basis and addressee of the transmission. The Data Controller shall provide the information in writing, in a clear form, within the shortest possible time from the submission of the request, but not later than within 25 days. Information is free of charge if the requested information has not yet been filed with the Data Controller for the same data field in the current year. In other cases, reimbursement can be determined. The Data Controller may refuse to inform the Data Subject only in statutory cases. In the event of non-disclosure, the Data Controller shall inform the Data Subject in writing that refusal of the information has been made under the provisions of the Data Protection Act. In the case of information refusal, the Data Controller notifies the Data Subject about the possibility of legal redress, and of turning to the Authority.
4.2. Right to Correction
If the personal data does not comply with reality and the personal data corresponding to reality is available to the Data Controller, the personal data will be corrected by the Data Controller.
4.3. Right to Data Erasure
Personal data must be erased if its handling is illegal; if the Data Subject requests it (except for compulsory data management); if it is incomplete or incorrect, and this cannot be legally remedied, provided that erasure is not legally forbidden; if the purpose of data management has ceased, or if the legally declared deadline for data storing has expired; if it has been ordered so by the court or the Authority.
4.4. Right to Restriction of processing
Instead of being deleted, the Data Controller will block the personal data if the Data Subject so requests or if, on the basis of the information available to him, it is assumed that the deletion would harm the legitimate interests of the Data Subject. Personal data so locked up can only be handled as long as there is a data management purpose that excludes the erasure of personal data. The Data Controller shall indicate the personal data they manage if the Data Subject disputes its correctness or accuracy, but the incorrect or inaccurate nature of the disputed personal data cannot be clearly identified.
4.5. Obligation to correct or erase personal data, and to notify on restrictions of data management
The Data Controller informs the Data Subject regarding correction, restriction and erasure. Notification may be omitted if it does not prejudice the legitimate interest of the Data Subject for the purpose of data handling. If the Data Controller fails to complete the Data Subject’s request for rectification, restriction or erasure, they shall within 30 days acknowledge the factual and legal grounds for refusal of the correction, restriction or erasure request. In the case of refusal of an application for rectification, erasure or restriction, the Data Controller shall inform the Data Subject of the judicial remedy and of the possibility of appeal to the Authority.
4.6. Right to objection
The Data Subject is entitled to object at any time, for reasons concerning their own situation, to the processing of data necessary for the execution of a task performed in the public interest or in the exercise of public authority vested in the Data Controller, or for the pursuit of the legitimate interests of the Data Controller or a third party, including profiling based on those provisions.
In the event of an objection, the Data Controller shall not process the personal data unless it is justified by compelling reasons of lawfulness which prevail over the interests, rights and freedoms of the Data Subject, or which relate to the submission, enforcement or protection of legal claims.
The Data Controller shall examine the objection within the shortest time possible, but at most within 15 days of the submission of the request, decide on the matter of its validity and inform the applicant in writing. If the Data Controller establishes the validity of their objection, data management – including further data collection and data transfer – will terminate and data shall be locked, moreover, the Data Controller informs those about the measures taken who have been previously sent the data which is the subject of the objection, and those who are obligated to take measures in order to enforce the right to objection. If the Data Subject disagrees with the decision of the Data Controller or if the Data Controller fails to comply with the statutory deadline, the concerned party may refer the case to the court within 30 days from the date of notification of the decision or from the last day of the deadline. The Data Controller can also sue the Data Subject. The Data Controller cannot erase the relevant data if the data processing is ordered by law. However, the data cannot be forwarded to the data receiver if the Data Controller agrees to the objection or the court has found the objection rightful.
4.7. Right to store data
The Data Subject shall have the right to receive the personal data that they have provided to the Data Controller in a structured, widely used, machine-readable format and to forward this data to another Data Controller.
4.8. Possibility of judicial remedy
In the event of violation of their rights and in the cases specified by law, the Data Subject may turn to the court against the Data Controller. The court proceeds out of turn.
If the Data Subject has suffered material or non-material damage as a result of the breach of the Data Protection Regulation, they are entitled to compensation from the Data Controller or the Data Processor for the damage sustained. The Data Controller or the Data Processor shall be exempt from liability if they prove that the damage was caused by an unavoidable cause outside the scope of data management. There is no need to reimburse the damage in so far as it is due to the intentional or grossly negligent conduct of the injured party.
Submitting an objection or complaint does not affect the other rights – regulated in the data protection acts – of the Data Subject.
The Data Protection Officer (hereinafter: DPO) is involved in the processing of the complaint. The Data Subject can submit a complaint to:
- Medicolink Consultancy Tanácsadó Kft. DPO,
- the Authority (1024 Budapest, Szilágyi Erzsébet fasor 22/C), or
- the court.
Contact data of the Data Protection Officer:
- Anna Sebestyén | anse@medicolink.com | +36 20 533 6496