Privacy Notice

Privacy Notice

Present Notice contains the criteria of the activities of Plazmacentrum Nyugati Kft. (registered seat: HU-1066 Budapest, Teréz körút 46. 2. em.; register number: Cg.01-09-300738, and PLAZMACENTRUM Kft. (seat: 9400 Sopron, Várkerület utca 17.; register number: Cg.08-09-026591, hereinafter the two companies referred to as the "Data Controller" or the "Company") in relation to the processing of personal data. In the following, you will be informed about the personal data processed by the Company, the purposes of and legal grounds for data processing, retention period of data processed and who may know it and access the personal data processed by the Company. You will also find detailed information below on what rights you have in relation to the processing and how you can exercise them.

If you have any questions or comments regarding the data processing or the Notice, please send them to mark@pecsvarady.hu.

In particular, the Company may amend the Privacy Notice in the event of the introduction of new data processing or changes to existing data processes, of which its donors and other natural persons concerned are informed on the website of the Data Controller.

1.) Data Controller data

Data Controller Name: Plazmacentrum Nyugati Kft.

Registration Authority: Budapest Metropolitan Court as Court of Registration

Registered seat: HU-1066 Budapest, Teréz körút 46. 2. em.

Tax number: 25997424-2-42

Data Controller Name: PLAZMACENTRUM Kft.

Registration Authority: Győr Metropolitan Court as Court of Registration

Registered seat: HU-9400 Sopron, Várkerület utca 17.

Tax number: 24283539-2-08

Data Protection Officer: dr. Pécsvárady Márk

E-mail: mark@pecsvarady.hu

Address: HU-1066 Budapest, Teréz körút 46. 2nd floor.

2.) Purposes of the Notice

The purpose of the Notice is to ensure compliance with the legal requirements of data protection, to set out, in accordance with the relevant legal provisions, the data processing principles, purposes and other facts that determine the purposes for which, for how long and how the personal data provided by the data subject are processed, and the data subject's rights of enforcement and remedies in relation to the processing.

The purpose of the Notice is to ensure that, in all areas of the services and operations provided by the Data Controller, all individuals, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data.

3.) Relevant laws

The Data Controller respects the personal data of the individuals concerned and undertakes to ensure that its processing complies with the provisions of the Notice and applicable law, in particular, but not limited to:

Regulation 2016/679 of the European Parliament and of the Council (EU) (hereinafter referred to as the “GDPR” or the “General Data Protection Regulation”),
Act CXII of 2011 on the right of informational self-determination and on freedom of information (hereinafter referred to as the “Info tv.”),
Act CLIV of 1997 on Health Care (hereinafter referred to as the “Health Care Act”),
Act XLVII of 1997 on the processing and protection of health and related personal data (hereinafter referred to as "Act XLVII"),
EüM Decree 3/2005 (II. 10.) on quality and safety standards for the collection, testing, processing, storage and distribution of human blood and blood components and on certain technical requirements thereof (hereinafter referred to as the "EüM Decree"),
Act XLVIII of 2008 on the basic conditions and certain restrictions on commercial advertising activities (hereinafter referred to as “Grt.”)

defined provisions and consistent with other laws and directives in connection with data processing.

4.) Definitions

4.1. “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

4.2. “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

4.3. “restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future;

4.4. “pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

4.5. „filling system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

4.6. „processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

4.7. „recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

4.8. „third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

4.9. „consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

4.10. „personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

4.11. „biometric data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

4.12. „supervisory authority”: Hungarian National Authority for Data Protection and Freedom of Information (NAIH);

4.13. „system”: Controller the totality of the technical solutions that operate the Controller's services;

5.) Lawfulness of processing

Processing shall be lawful only if and to the extent that at least one of the following applies:

a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) processing is necessary for compliance with a legal obligation to which the Data Controller is subject;

d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Where processing is based on consent, the Data Controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

6.) Principles relating to processing of personal data

Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR subject to implementation of the appropriate technical and organisational measures required by GDPR in order to safeguard the rights and freedoms of the data subject (“storage limitation”);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (”integrity and confidentiality”).

The controller shall be responsible for, and be able to demonstrate compliance with, above principles (”accountability”).

7.) Information on joint data controlling

The Plazmacentrum Nyugati Kft. (registered seat: HU-1066 Budapest, Teréz körút 46. 2. em.; register number: Cg.01-09-300738, in this I.7. point referred to as Data Controller1) as Data Controller1, PLAZMACENTRUM Kft. (registered seat: HU-9400 Sopron, Várkerület utca 17.; register number: 08-09-026591, hereinafter referred to as the "Data Controller2"), collectively referred to as “Data Controllers”, hereby inform data subjects about the joint data processing agreement between the Data Controllers in accordance with Article 26 of the General Data Protection Regulation.

The Data Controllers are affiliated companies in accordance with Act LXXXI of 1996 on Corporate Tax and Dividend Tax, and consequently their activities are coordinated. In order to ensure efficient plasma sales and to protect the health of the data subjects, the Data Controllers share personal data related to plasma sales and process them jointly as necessary.

The processing is based on the legal interest of the Data Controllers, which is to ensure safe plasma delivery to all donors.

Data Controllers may process donors' personal data only in relation to the plasma donation.

Data subjects may exercise their rights under the General Data Protection Regulation in relation to and against any controller.

The Data Controllers shall designate Data Controller1 as the common contact person for the purpose of fulfilling requests received from data subjects (postal address: HU-1066 Budapest, Teréz körút 46. 2. floor; e-mail: mark@pecsvarady.hu).

II. AREAS OF DATA PROCESSING:

1.) Applying for an aptitude test

Scope of data controlled:

Name (surname and first name), e-mail address, telephone number (optional), date of birth

Purpose of data controlling: deciding whether the data subject is fit to donate plasma at the Data Controller

Legal basis for data controlling: consent of the data subject

Duration of data controlling: until the appearance or non-appearance on the booked date, until the cancellation / cancellation of the reservation, and until the withdrawal of the consent.

Data processors (recipients):

FutureWeb Design Korlátolt Felelősségű Társaság (seat: 4467 Szabolcs, Szabadság út 22., Cg.15-09-088763, info@futureweb.hu) The activities of the data processor include the operation of the Data Controller's website and the provision of the IT infrastructure.

Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland). The activity of the data processor covers the operation of the infrastructure necessary for correspondence with the donor.

Google Ireland Limited (registration number: 368047, seat: Gordon House, Barrow Street, Dublin 4, Ireland). The activity of the data processor extends to the provision of the mail system (Gmail).

2.) Appointment of donors for plasma donation

Scope of data controlled:

Name (surname and first name), donor number, donor plasma donation number, nearest available time, donor time reservation, e-mail address, telephone number

Purpose of data controlling: Informing donors about the number of plasma donations that have already taken place and enabling the verification of the controlled data and identifying and contacting the person making the appointment in connection with the appointment.

Legal basis for data controlling: consent of the data subject

Duration of data controlling: until the appearance or non-appearance on the booked date, until the cancellation / cancellation of the reservation, and until the withdrawal of the consent.

Data processors (recipients):

Google Ireland Limited (registration number: 368047, seat: Gordon House, Barrow Street, Dublin 4, Ireland). The activity of the data processor extends to the provision of the mail system (Gmail).

3.A.) Data management related to plasma donation as a healthcare service

Scope of data controlled:

Name (surname and first name), birth name, donor number, donor plasma donation number, donor appointment booking, mother's birth name, place and time of birth, e-mail address, telephone number, place of residence / address, citizenship, social security (TAJ) number, health data required for plasma donation

Purpose of data controlling: implementation of plasma donation as a health care service.

Legal basis for data controlling: consent of the data subject

Duration of data controlling: retains all health and personal data related to the health service that are part of the health documentation in accordance with the law for 30 years from the data collection in accordance with Eüak. Section 15. Subsection 9.

Data processors (recipients):

Invitech ICT Services Kft. (seat: 2040 Budaörs, Edison utca 4., Cg.13-09-190552 The activity of the data processor covers the operation of the servers of the Data Controller.

Országos Vérellátó Szolgálat (Hungarian National Blood Transfusion Service, seat: 1113 Budapest, Karolina út 19-21., 1518 Budapest, Pf.: 44., ovsz@ovsz.hu). The activity of the data processor covers the operation of the Nemzeti Keresztdonációs és Donorkizárási Regiszter (National Cross Donation and Donor Exclusion Register, the national register of donors excluded from donating blood, the cross-donation register, mandatory management of the national blood stock, and the date and blood group of the last blood donation) in connection with which the data processor examines and records the serological positivity of donors, cross-donations.

The Data Controller hereby informs the data subjects that continuous medical activity is required for the performance of the activities stated above. The specialists are the data processors of the Company, with whom the Company concludes a data processing agreement in a separate form.

3.B.) Data management related to filling a questionnaire regarding plasma donation habits

Scope of data controlled:

Purpose of data controlling: providing a better plasma donation service and surveillance of donor satisfaction.

Legal basis for data controlling: consent of the data subject

Duration of data controlling: all health and personal data related to the health service that are part of the health documentation in accordance with the law shall be retained for 30 years from the data collection in accordance with Section 15. Subsection 9 of the Eüak.

Data processors (recipients):

Invitech ICT Services Kft. (seat: 2040 Budaörs, Edison utca 4., Cg.13-09-190552). The activity of the data processor covers the operation of the servers of the Data Controller.

4.) Complaints handling

Scope of data controlled:

Personal data provided by the complainant in the complaint (typically: name, e-mail address, home address) as well as personal and, where applicable, medical data contained in the complaint

Purpose of data controlling: complaint handling, investigation of the circumstances of the case affected by the complaint and handling of the complaint.

Legal basis for data controlling: legal obligation (Eütv. 29. § (1))

Duration of data controlling: 5 years from the investigation of the complaint (according to Section 29 (4) of the Eütv., complaints must be registered and the documents related to the complaint and its investigation must be kept for 5 years).

Data processors (recipients):

Google Ireland Limited (registration number: 368047, seat: Gordon House, Barrow Street, Dublin 4, Ireland). The activity of the data processor extends to the provision of the mail system (Gmail).

5.) Recording telephone conversations

Scope of data controlled:

Voice of the person concerned and personal data made during the telephone conversation, date, duration and number of the call

Purpose of data controlling: the general purpose of recording telephone conversations is to prove what was said during the conversation. n the case of complaints made by telephone, the aim is to accurately record the complaint. In addition, the goal is to continuously improve the quality of service provision, adequate response to telephone inquiries and the services of the Data Controller.

Legal basis for data controlling: The legal basis for the data processing is your consent as a data subject, which you give by continuing the call after being alerted to the recording (GDPR Article 6. (1) a)). Furthermore, the legitimate interest of the Data Controller for quality assurance and enforcement is a legal basis (GDPR 6. Article (1) f)).

The Company, as a data controller, considers that the activities of the Company under this section, which serve the security of the Company and the donor, meets the provisions of the legitimate interest as stated in Article 6 (1) (f) of the GDPR, or the measures provided by the Company to ensure the rights of the data subjects do not infringe the interests or fundamental rights and freedoms of the data subjects in such a way as to override the legitimate interests of the Company.

The Company has decided to process the data referred to in this section for the security of the Company and the data subjects because it complies with Article 6 (1) (f) of the GDPR as a legal basis.

Duration of data controlling: 5 years from the end of the call, in case of complaints 5 years from the closing of the complaint (general deadline for claims).

Data processor (recipient): Magyar Telekom Nyrt. (seat: 1097 Budapest, Könyves Kálmán körút 36., Cg.01-10-041928). The activities of the data processor include the recording and preservation of sound recordings.