PRIVACY NOTICE
The purpose of this Privacy Notice (hereinafter: Privacy Notice) is to provide Ildikó Barbara Bertók, Psychologist sole trader with information to her clients about the processing of their personal data, either through the website www.psychologistbudapest.hu or www.alelekkulcsa.hu or as a result of a personal inquiry.
The psychologists of the A Lélek Kulcsa Pszichológiai Központ as self-employed, independent data controllers, pay particular attention to respecting the right to informational self-determination of their clients. All of them act in accordance with Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information and other applicable data protection legislation, as well as in accordance with the data protection practices established in the course of the activities of the National Authority for Data Protection and Freedom of Information.
I. The Data Controller and Processors
Data Controller:
Bertók Ildikó Barbara e.v.
E-mail: bertokildiko.pszichologus@gmail.com / ildiko.bertok@alelekkulcsa.hu
Data Processors:
Bertók Ildikó Barbara e.v.
E-mail: bertokildiko.pszichologus@gmail.com / ildiko.bertok@alelekkulcsa.hu
II. Purpose of Data Processing
Ongoing contact with clients using the service, invoicing and to facilitate the consultation process.
The Psychologist stores the Client's personal data in electronic and paper form, and keeps written records of the counselling process in electronic/paper form. Life history data is used in professional supervision (with the client's consent).
Life History Data: data on emotional, thought content, life history, which may include special data and medical data, which are collected during the psychology sessions.
III. Legal basis and duration of processing, scope of data processed
In the case of specific data collected and processed during the Psychological Process, the explicit consent of the data subject is required for the processing of such personal data for specific counselling purposes pursuant to Article 9 (2) (a) of the GDPR, and the purpose of processing health data is to promote the preservation, improvement and maintenance of health pursuant to Article 4 (1) (a) of Act XLVII of 1997 on the processing and protection of health and related personal data (Eüaktv.), and the monitoring of the health of the data subject pursuant to subsection (c).
Article 6 of the GDPR sets out the lawfulness of data processing:
(1) The processing of personal data shall be lawful only if and to the extent that at least one of the following conditions is met:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) the processing is necessary for the performance of a contract to which the data subject is a party or is necessary for the purposes of taking steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary for the protection of the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
The legal basis for processing is the prior and voluntary consent of the data subject. In the absence of this consent, the service cannot be provided.
The data are processed for as long as the service is being used.
The data controller processes the following data in connection with the provision of the service:
Surname and first name
Mother’s name
Permanent address
E-mail Address
Telephone number
Tax ID
ID/ Passport number
Notes, records, test results
The data controller will only transfer the data subject's data to third parties with the prior written consent of the data subject or in the fulfilment of a legal obligation.
IV. Duration of Data Processing
Personal data: all documents documenting the occurrence of an economic event between the Psychologist and the Client are considered accounting documents and are kept by the Psychologist for the period of retention specified in the tax and accounting rules in force. To the extent necessary and for the purpose for which it is required, the data shall be kept for 8 years in accordance with the provisions of Article 169 (2) of Act C of 2000 on Accounting. Such documents include, in particular, contracts, invoices, supporting documents and inspection documents. In the case of documents necessary for the assessment of tax, your data will be processed until the limitation period of the right to assess tax (the period specified in Article 78(3) of Act CL of 2017 on the Rules of Taxation (Art.)).
If the data are not necessary for accounting purposes, the data may be processed after the termination of the legal relationship with the data subject up to the limitation period under civil law, provided that the personal data may be processed up to the limitation period under civil law if the Psychologist has a legal claim against the Client or if the Client asserts a legal claim against the Psychologist. Pursuant to § 6:22 of Act V of 2013 on the Civil Code, the data may be deleted after 5 years.
In case of special data: special data collected and otherwise processed during the Psychology Process will be processed on the basis of the client's written consent until the client's written consent is withdrawn, until the client's request for data erasure is fulfilled or until the Psychology Process is terminated.
V. WHO ELSE HAS ACCESS TO YOUR PERSONAL DATA
The Psychologist, as an independent data controller, has personal access to your data in connection with the organisation and implementation of the Psychological process. In relation to the consultancy contractual relationship, the Psychologist's accounting tasks are carried out on behalf of a data processor under a data processing contract.
Person and contact details of the data processor (accountant):
For Ildikó Barbara Bertók, Psychologist: Molnárné Orosz Edit e.v. The data processor accountant has access only to the personal data used for invoicing (name, address).
VI. DATA SECURITY MEASURES
The data controller shall store the paper documents separately in a separate, locked room where the consultation takes place. The laptop used by the controller for work purposes shall be password protected.
Electronic communication between the Psychologist and the Client, personal data and specific data, in particular medical data, recorded in relation to what is said during the consultations, shall be made via the Psychologist's dedicated e-mail address. With regard to written (electronic) communication between the Psychologist and the Client, category II personal data (including special data) may also be processed in accordance with the provisions of this Information Notice.
VII. OTHER OBLIGATIONS OF THE DATA CONTROLLER
We take all necessary measures to protect the personal data we process against unauthorized access, alteration, disclosure, deletion, damage or destruction.
The psychologist is bound by the psychologist's duty of confidentiality with respect to his/her psychological and personal data concerning the Client, which are covered by the psychologist's confidentiality, in accordance with the provisions of Section 5 of the Joint Professional Code of Ethics of the Hungarian Psychological Society ("Code of Ethics"). The obligation of confidentiality of the Psychologist shall survive the termination of his/her relationship with the Client. Your personal data are protected by psychologist-client confidentiality. The data controller is exempted from the confidentiality obligation pursuant to Section 7 (2) of the Eüaktv. only if you have given your written consent to the transfer of the health and personal data within the limitations set out therein; unless the transfer of the data is required by law.
VIII. DATA SUBJECT'S RIGHTS AND REMEDIES IN RELATION TO DATA PROCESSING
Rights
Withdrawal of consent
Data subjects have the right to withdraw their consent to the processing they have given at any time during the period of processing, but such withdrawal does not affect the lawfulness of the processing carried out on the basis of their consent prior to the withdrawal.
Access
The data subject shall have the right to obtain from the Controller feedback as to whether or not his or her personal data are being processed and, if such processing is ongoing, the right to access the personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom or which the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;
d) where applicable, the envisaged duration of the storage of the personal data or, where this is not possible, the criteria for determining that duration;
e) the right of the data subject to obtain from the controller the rectification, erasure or restriction of the processing of personal data relating to him or her and to object to the processing of such personal data;
f) the right to lodge a complaint with a supervisory authority;
g) where the data have not been collected from the data subject, any available information concerning their source.
Correction
The data subject shall have the right to obtain, at his or her request and without undue delay, the rectification of inaccurate personal data relating to him or her. Having regard to the purposes of the processing, the data subject shall have the right to obtain the rectification of incomplete personal data, including by means of a supplementary declaration.
Right to object
The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of his or her personal data based on the legitimate interests pursued by the controller. In such a case, the Controller may no longer process the personal data, unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Employee or for the establishment, exercise or defence of legal claims.
Deletion and restriction
The data subject shall have the right to obtain from the Data Controller, upon his or her request, the erasure of personal data relating to him or her without undue delay and the Data Controller shall be obliged to erase personal data relating to the data subject without undue delay if one of the following grounds applies:
a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
b) the data subject withdraws the consent on the basis of which the processing was carried out and there is no other legal basis for the processing;
c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing,
d) the personal data have been unlawfully processed;
e) the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
f) the personal data have been collected in connection with the provision of information society services directly to children.
The above provisions shall not apply where the processing is necessary:
to comply with an obligation under Union or Member State law to which the controller is subject to which requires the processing of personal data, or for reasons of public interest;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where the right of erasure would be likely to render such processing impossible or seriously jeopardise it; or
for the establishment, exercise or defence of legal claims.
The data subject shall have the right to obtain, at his or her request, restriction of processing by the controller where one of the following conditions is met:
a) data subject contests the accuracy of the personal data, in which case the restriction shall apply for the period of time necessary to allow the Controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
c) the controller no longer needs the personal data for the purposes of the processing but the data subject requires them for the establishment, exercise or defence of legal claims; or
d) the data subject has objected to the processing; in this case, the restriction shall apply for a period of time until it is established whether the legitimate grounds of the Controller prevail over the legitimate grounds of the data subject.
If the processing is subject to restriction, such personal data may be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State.
The controller shall inform the data subject at whose request the processing has been restricted in advance of the lifting of the restriction.
Data Portability
The data subject shall have the right to receive personal data relating to him or her which he or she has provided to a controller in a structured, commonly used, machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which he or she has provided the personal data, if:
a) the processing is based on consent or on a contract; and
b) the processing is carried out by automated means.
In exercising the right to data portability, the data subject shall have the right to request, where technically feasible, the direct transfer of personal data between controllers.
Please note that if it is not technically feasible for the data subject to receive the data, the right to data portability cannot be exercised.
Remedies
Data subjects may lodge a complaint with the National Authority for Data Protection and Freedom of Information in the event of a breach of the law on the processing of personal data:
Name: Nemzeti Adatvédelmi és Információszabadság Hatóság
Seat: 1024 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal Address: 1530 Budapest, Pf.: 5.
Email: ugyfelszolgalat@naih.hu Web Page: http://www.naih.hu
Furthermore, the data subject may bring a judicial remedy against the Controller or its data processors before the courts of the place of residence or domicile of the data subject, at the data subject's choice.
IX. MISCELLANEOUS PROVISIONS
This Privacy Notice is effective from 1 May 2023.