Privacy policy

Privacy Policy of SmileyMed Health and Services Ltd.

The SmileyMed Egészségügyi és Szolgáltató Korlátolt Felelősségű Társaság (registered office. 7., company registration number: 01 09 300979, tax number: 26083713--1--41, telephone number: +36--1--889--5820, e--mail: web: www.smileymed. hu, represented by: Ágnes Deákné Molnár, Managing Director (hereinafter referred to as SmileyMed or Data Controller)), as Data Controller, considers it important to its customers and all other natural persons concerned (hereinafter referred to as: SmileyMed, as the Data Controller, is committed to respecting and enforcing the rights of its customers and data subjects (hereinafter referred to as "Data Subjects") in relation to data management, and therefore hereby informs the Data Subjects that it respects the Data Subjects' personal rights and acts in accordance with the substantive and procedural rules of Hungarian law, the currently applicable Data Protection and Data Security Code and other internal regulations.

The purpose of this short Privacy Notice is to provide data subjects with concise information on the most important data protection rules of the Data Controller. The Notice is permanently available at and in paper form at SmileyMed's personal customer services.

Who are the data subjects?

Data Subjects. The data subjects are therefore primarily the users of the services of the Data Controller, the Staff, SmileyMed and/or those interested in its services, the natural person Partners of SmileyMed, the representatives, contacts, possibly other employees of non-natural person Partners, those entering or staying in the area monitored by the camera system.

What processing activities does the Data Controller perform and for what purposes and for how long does the Data Controller process my data?

Request for one-off information

The request for information is based on voluntary consent.
Az érintettek köre: Minden természetes személy, aki az Adatkezelővel kapcsolatba lép és az Adatkezelőtől információt kér személyes adatainak megadása mellett.

Scope and purpose of the data processed::

name* identification
telephone number contact
e-­‐mail address* contact
question content* reply

The purpose of the processing is to provide the data subject with appropriate information and to maintain contact. Duration of processing: until the purpose is achieved.

Request for proposal

The request is based on voluntary consent.

The data subjects are:

Any natural person who requests an offer from the Data Controller in connection with a given service, providing their personal data.

Scope and purpose of the data processed:

név* identification
telephone number contact
e-mail address contact
question/request content* reply
indication of selected service required for quotation
name of service ordered* required for quotation
quantity of service ordered* required for quotation
requested delivery date* required for quotation
indication of special requirements required for quotation

The purpose of the processing is to provide the data subject with a suitable offer and to maintain contact. Duration of processing: until the expiry of the offer.
Use of the service:

The legal basis for the processing of all recorded data during the use of the service is the voluntary consent of the data subject pursuant to Article 5 (1) a) of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter:, and based on Article 136 (1) and (2) of Act CLIV of 1997 on Health Care and Article 5 (1) of Act XLVII of 1997 on the Management and Protection of Health and Related Personal Data.

Data subjects.

Scope and purpose of the data processed:

name* identification, legal obligation
mother's name identification, legal obligation
address identification,contact, legal obligation
place and date of birth identification, legal obligation
social security number identification, legal obligation
telephone number contact
e-mail address* contact
health service related data necessary to provide the service, legally required

SmileyMed collects the personal identification data required for medical documentation in order to fulfil its obligation to document the treatment you are seeking in accordance with § 136 of Act CLIV of 1997 on Health Care (hereinafter "the Act"). The provision of this information is mandatory, as the identification of the person concerned is required in order to receive healthcare. SmileyMed will keep the personal identification data required for medical documentation for at least 30 years from the date of collection, as provided for in § 30 of Act XLVII of 1997 on the management and protection of health data and related data, and will transfer them to recipients within and outside the health care system in accordance with the provisions of the Act.

SmileyMed processes the contact data on the basis of a legitimate interest related to the exercise of the rights and obligations to information set out in Articles 13 and 134 of the Privacy Act. In particular, SmileyMed processes contact data for the purpose of scheduling examinations and interventions, and in the event that it is necessary to provide test results containing medical data, or to transmit or send documents or findings. Without the provision of contact details, SmileyMed will not be able to communicate with you in an efficient and timely manner in relation to the healthcare service provided, leading to a reduction in the efficiency of care, which will result in a deterioration in the quality of care for you and for other patients of SmileyMed. The contact data will be processed by SmileyMed in the same way and for the same duration as the medical records. You will have the right to object to the processing of your contact details at any time throughout the processing period.

Duration of data processing: according to Article 30 (1) of Act XLVII of 1997 on the processing and protection of health and related personal data, which is generally 30 years.

Complaints handling

Complaints are based on voluntary consent, but the processing of data is mandatory by law (Act CLIV of 1997).

The data subjects are: any natural person who wishes to make a complaint orally or in writing about a service ordered or about the conduct, activity or omission of SmileyMed or its staff.

The purpose of the processing of the data is to identify the data subject and the complaint, and to record the data required to be recorded by law.

Scope and purpose of the data processed:

complaint identifier  identification
name identification
date of receipt of complaint identification
telephone number/e--mail address contact
time of call identification
personal data provided identification
billing/mailing address contact
service complained about investigation of complaint
documents attached  investigation of complaint
reason for complaint investigation of complaint
the complaint itself investigation of complaint

The purpose of data processing is to enable the communication of the complaint and to maintain contact.

Duration of processing: the Data Controller shall keep the record of the complaint and a copy of the reply for 5 years from the date of their recording, as required by Article 29 (4) of Act CLIV of 1997 on Health Care.

Sending a newsletter

Subscription to the newsletter is based on voluntary consent.

The data subject is any natural person who wishes to receive regular information about news, promotions and discounts from the Data Controller and therefore subscribes to the newsletter service by providing his/her personal data.

The scope and purpose of the data processed:

name identification (Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activities. § 6 (2) mandatory data)
e-­mail address e-mail address for sending newsletters (Act XLVIII of 2008. Article 6 (2) of the Law on Advertising)

The purpose of data processing in connection with the sending of newsletters is to inform the recipient in a general or personalized way about the latest promotions, events, news, notification of changes or cancellations of services of the Data Controller.

The data subject may unsubscribe from the newsletter at any time, at the bottom of the e-mails and by sending an unsubscribe request to

You can unsubscribe from the newsletter by post at the following address.

Duration of processing: until erasure at the request of the data subject.

Who processes my data?

The data may only be processed by the Data Controller's employees and contributors to the extent strictly necessary for the performance of their tasks, if the Data Controller employs staff. If no staff member is employed, the Data Controller's representative will process the data.

Does the Data Controller transfer or transfer data to another party?

The processing of personal data is essentially carried out by the Data Controller. Where a processor is involved, the Data Controller transfers data to the processors and is responsible for the activities of the processors.

The Data Controller may transfer the data specified by the data subject to its contractual partners only if the Data Controller has identified the partner to the data subject prior to the transfer, specified the expected time and purpose of the processing and the data subject has consented to the transfer. The Data Controller may also designate Partners by means of a notice or a prospectus, provided that it makes it available to data subjects. The Data Controller may transfer data to the requesting authority in response to a request from a public authority, on the basis of a legal authorisation.

Where required by the processing activities carried out by the Controller for its Partners, the Controller may transfer data to public authorities, persons specified by law or by a data processing contract. In this case, the information of the data subjects shall be provided by the Partners as data controller.

What are my rights?

The rights of the data subject under Act CXII of 2011 on the Right to Information Self-Determination and Freedom of Information and Regulation (EU) 2016/679 of the European Parliament and of the Council are the right to information, the right to rectification, the right to erasure, the right to be informed of the
"right to be forgotten, right to blocking/restriction of data, right to object, right to apply to a court, right to apply to a public authority.

The processing of health data is governed by Act XLVII of 1997 on the processing and protection of health and related personal data, so the above rights can only be exercised in the light of this legislation.

Where and how can I request detailed information on the processing and transfer of my data and where and how can I exercise my rights?

The Data Controller draws the attention of the data subjects to the fact that they may request information and exercise their other rights, unless excluded by law, by sending a statement to the e-mail address or to any other contact details of the Data Controller. The Data Controller will examine and reply to the declaration as soon as possible after receipt, but within a maximum of 15 days, and will take the necessary steps as provided for in the declaration, its Rules and Regulations and the law.

Where can I turn if my right to self-determination is infringed?

National Authority for Data Protection and Freedom of Information

Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Telephone: +36 (1) 391-­‐1400 Fax:
+36 (1) 391-­‐1410

To the supervisory body: ÁNTSZ National Office of the Chief Medical Officer

Address: 1097 Budapest, Albert Flórián út 2-­‐6.,
Telephone: 06-­‐1 -­‐476-­‐1100

In case of violation of the rights of minors in relation to offensive, hateful, exclusionary content, rectification, violation of the rights of a deceased person, violation of reputation:

National Media and Infocommunications Authority

Address: 1015 Budapest, Ostrom u. 23-­‐25.
Postal address: 1525. Pf. 75
Tel: (06 1) 457 7100
Fax: (06 1) 356 5520

The data subject may take legal action in case of violation of his/her rights. The court will rule on the case out of turn. The Data Controller shall prove that the processing complies with the law.

In the event that the Controller infringes the data subject's right to privacy by unlawfully processing his or her data or by breaching data security requirements, the data subject may claim damages from the Controller.

How does the Controller ensure the security of my data?

The Data Controller shall ensure the security of the data. To this end, it shall take the technical and organisational measures and establish the procedural rules necessary to enforce the applicable laws, data protection and confidentiality rules.

The Data Controller shall take appropriate measures to protect the data against unauthorised access, alteration, disclosure, disclosure, deletion or destruction, accidental destruction or accidental damage and against inaccessibility resulting from changes in the technology used.

It (also) ensures the enforcement of data security rules by means of internal rules, instructions and procedures, which are separate in content and form from this Policy.

When defining and implementing data security measures, the Controller shall take into account the state of the art and shall choose the most appropriate data processing solution to ensure a higher level of protection of personal data, unless this would imply a disproportionate level of difficulty.

The Data Controller shall ensure, in particular, in the context of its IT security responsibilities:
•    - measures to protect against unauthorised access, including the protection of software and hardware devices and physical protection (access protection, network protection);
•    Measures to ensure the possibility of recovery of data files, including regular back-ups and separate secure management of copies (mirroring, backup);
•    Protection of data files against viruses (virus protection);
•   Physical protection of data files and the media on which they are stored, including protection against fire, water, lightning, other natural hazards and the ability to recover from damage caused by such events (archiving, fire protection).

Other information

The Data Controller declares that it reserves the right to amend the Prospectus in order to bring it into line with the legislative background, the Rules and other internal regulations, which may be amended in the meantime.

Date: 2018. january 01. 

Managing Director

Download as PDF

You can see the cookies used by our site, and modify your privacy settings by clicking the button below.

Cookies are small text files used by websites to provide better and more efficient customer experience. According to general regulations we can only store the essential cookies in your browser. To use use other cookies we need your permisson.

By clicking "Authorize all cookies" you'll recieve the best user experience. On the other pages you can authorize different types of cookies one by one.

You can find all information about cookies and privacy protection on the Privacy policy page.

Without these cookies our website could not give the best customer experience.

By accepting the regulation these cookies are getting authorized.

Name Provider Reason Validity
PHPSESSIDsmileymed.huSession ID, helps storing the status between page loadsEnd of session
cookieConsentsmileymed.huUsed for storing your cookie settings.1 year

The statistical data collection is totally anonym, this way visitors can not be identified by the cookie content. With these cookies we can observe visitors' behaviour which helps us to develope our customer focused service.

To authorize these cookies click 'authorize' checkbox then 'accept' or close the panel and click 'authorize all cookies' button.

Name Provider Reason Validity
_gasmileymed.huUnique identifier made by Google Analytics to prepare online visitors statistics.2 years
_gidsmileymed.huUnique identifier made by Google Analytics to prepare online visitors statistics.End of session
_gat_*smileymed.huUsed by Google Analytics for regulating the frequency of data retrieval.End of session