INNOMED MEDICAL INC.

DATA MANAGEMENT AND PRIVACY POLICY

TERMS AND CONDITIONS

Establishment of a privacy policy to which Innomed Medical Inc. is subject and with which it must comply.

INNOMED MEDICAL Medical Device Developer and Manufacturer Inc. (company registration number: 01-10-043382, tax identification number: 12221275-2-42, seat: 12 Szabó József St., Budapest 1146, Hungary), hereinafter referred to as the ‘Data Controller’, hereby establishes the following data protection policy and agrees to be bound by it. INNOMED MEDICAL Inc. shall undertake to ensure that all processing of data related to its activities shall comply with this policy, with the applicable national legislation and with the requirements laid down in the legal acts of the European Union, and in particular with the legislation listed below:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
  • Act CVIII of 2001 on Electronic Commerce and on Information Society Services (with special regard to §13/A)
  • Act C of 2003 on Electronic Communications (with special regard to §155)
  • Act XC of 2005 on the Freedom of Information by Electronic Means
  • Act XLVII of 2008 on the Prohibition of Unfair Business-to-Consumer Commercial Practices
  • Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (with special regard to §6)
  • Act CXII of 2011 on the Right to Informational Self-Determination and on the Freedom of Information
  • Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behaviour Advertising
  • Recommendation of the National Authority for Data Protection and Freedom of Information on the data protection requirements for accessible prior information
  • §169 of Act C of 2000 on Accounting

The provisions of our Privacy Policy apply to the https://www.innomed.hu website.

The Privacy Policy is available at https://www.innomed.hu/en/privacy-policy/

INNOMED MEDICAL Inc. reserves the right to change this policy at any time. Any future amendments to this policy will enter into force upon publication at the above web address. Personal data shall be handled confidentially and all security, technical and organisational measures shall be taken to protect the security of such data.

The data management practices of INNOMED MEDICAL Inc. are detailed below.

Information on and contact details of the Data Controller:

Name: INNOMED MEDICAL Inc.

Seat: 12 Szabó József St., Budapest 1146, Hungary

Email address: [email protected]

Telephone number: +36 1 460 9200 and +36 1 460 9201

Company registration number: 01-10-043382

Tax identification number: 12221275-2-42

Purpose of this Privacy Policy

The purpose of this Privacy Policy is to define the scope of the personal data managed by the Data Controller, the method of data management, to ensure respect for the privacy of natural persons and compliance with data protection and data security requirements in accordance with the applicable legislation, and to prevent unauthorized access to, alteration of, and unauthorized disclosure or use of the Data Subject’s personal data.

The Data Controller declares that the processing of personal data shall be compliant with the following principles:

a, the principle of lawfulness, fairness and transparency: personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

b, the principle of purpose limitation: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.

c, the principle of data minimisation: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

d, the principle of accuracy: personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

e, the principle of storage limitation: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject.

f, the principle of integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

g, the principle of accountability: the Data Controller shall be responsible for, and be able to demonstrate compliance with, the above-described principles.

Definitions:

‘personal data’: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘data processing’: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘data controller’: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘data processor’: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

‘recipient’: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

‘consent of the data subject’: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to them;

‘personal data breach’: breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Data processing

The legal grounds for processing data are based on voluntary consent as set out in Article 6(1)(a) of the GDPR. Processing of personal data shall be carried out on the basis of the voluntary, explicit, properly informed and unambiguous consent of the Data Subjects, including their explicit consent to the processing of their personal data disclosed during the use of the Website (in general or for specific activities). 

Users/Customers (website visitors, registered users, customers): With particular regard to Article 1(1)-(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), website visitors, registered users of the website and customers (who have concluded a contract with the service provider) are regarded as Data Subjects.

Data Subjects agree to be bound by the provisions of this Privacy Policy with regard to technical data by visiting and/or accessing the website for the purpose of obtaining information. For all other kinds of data, Data Subjects agree to be bound by this Privacy Policy by giving consent during the registration process. In such cases, the Data Subjects, by ticking the empty checkbox for all requested data, consent to the processing of their personal data by the Data Controller in accordance with Article 6(1)(a) and Article 7 of the GDPR, and the terms of the privacy policy of the company, with the possibility to withdraw their consent at any time, even with a single click, in accordance with Article 7(3) of the GDPR. 

Data Subjects are obliged to provide the Data Controller with valid, correct data (the Data Subject is liable to compensate for any damage caused by providing false data). Data Subjects are solely responsible for the consequences of providing incorrect or incomplete data. The Data Controller does not verify the data and its accuracy.

Processed data consists of name, e-mail address, telephone number, visited website address, and the IP address of the user’s computer, as well as data related to the user’s operating system and browser. The Data Controller collects visitor data during visits to the website in order to monitor the performance of the service, to provide personalised service and content and to prevent abuse. Legal basis for data processing: consent of Data Subjects and §13/A(3) of Act CVIII of 2001 on Electronic Commerce and on Information Society Services.

Purpose of data processing: the purpose of data processing related to visits to the website and registration is to provide quality content (considering substantive and IT criteria), to display personalised content and to ensure customer relations. The purpose of data processing in connection with Orders/Purchases, in addition to ensuring customer relations, is to carry out the contracted service and issue invoices in accordance with the rules of accounting.  

Data Subjects give explicit consent to the processing of the data in the uploaded/submitted registration form by the Data Controller, within the limits established by the applicable laws and for the purposes specified herein. Data processing is carried out by the Data Controller through its IT systems. The Data Controller may use a hosting service provider to store the data (data processor). Where the Data Subject goes beyond the requested scope of personal data and provides additional data (e.g., via e-mail), the Data Subject expressly consents to the processing of such data by accepting this Privacy Policy. In such cases, however, the Data Controller informs the Data Subject that it processes only the data it has requested. The Data Subject shall regard the acceptance of this policy as being in writing. The Data Controller declares that the data provided by the Data Subjects will be processed for the intended purpose only and will not be used for any other unspecified purposes. However, upon a request from a public authority, the Data Controller is obliged to disclose the data to the requesting authority, which the Data Subject acknowledges and expressly consents to by accepting this Privacy Policy, so the Data Controller does not need to seek further consent from the Data Subject in this regard. In this respect, Data Subjects may not address any demands or complaints to the Data Controller. The Data Controller is not liable for the data provided. In all cases where the Data Controller intends to use the data provided for purposes other than those for which they were originally collected, the Data Controller shall inform the Data Subject thereof and obtain their prior explicit consent or give them the opportunity to refuse such use. Data processing takes place exclusively in Hungary, in national territory.

Declaration of consent by the Data Subject

  • By accessing the site, visitors of the https://www.innomed.hu site automatically,
  • By finalizing the registration, concerning their technical and other type of data, registered users of the https://www.innomed.hu site,
  • By submitting the product order form, concerning their technical and other type of data – in connection with the contract, contracting partners (Customers) of INNOMED MEDICAL Zrt.

consent to the processing of their data as set out in this Policy. No claim for compensation, indemnity, damages or any other claim against the Data Controller may be asserted by the Data Subjects, provided that the Data Controller processes the data provided by the Data Subjects in accordance with the provisions of this Policy.

Data provided at registration:

| Personal data | Purpose of data processing |
|---|---|
| First and last name | contacting the customer; unique identifier to use the services of https://www.innomed.hu |
| E-mail address | contacting the customer; staying in contact with the customer; unique identifier to use the services of https://www.innomed.hu |
| Telephone number | contacting the customer; staying in contact with the customer |

Data available after registration

| Personal data | Purpose of data processing |
|---|---|
| IP address | necessary for the efficient operation of the https://www.innomed.hu website |
| Username | necessary for the efficient operation of the https://www.innomed.hu website; enabling access to selected content |
| Password | necessary for the efficient operation of the https://www.innomed.hu website; enabling access to selected content |

Data provided during contract preparation and conclusion (order/confirmation of order)

| Personal data | Purpose of data processing |
|---|---|
| First and last name of the signatory, contact person etc. | contacting the customer; placing the order; issuing the invoice |
| E-mail address | staying in contact with the customer |
| Telephone number | staying in contact with the customer; coordinating invoicing or delivery issues more efficiently |
| Invoice name and address | invoicing; drafting, modifying, concluding, and monitoring the fulfilment of contracts; invoicing of fees arising from the contract; enforcing claims related to the contract |
| Shipping name and address | home delivery |
| Date of order/registration | carrying out technical operations |
| IP address at the time of order/registration | carrying out technical operations |

Technical data

Data generated during the use of the service, recorded by the IT system of the Data Controller as results of IT processes. In particular, but not limited to, data such as the time of the visit, the IP address of the Data Subject, the type of browser, and the URL of the previously visited website. (An IP address is a sequence of numbers that uniquely identifies the computers of users accessing the Internet. IP addresses can even be used to geolocate the visitor.) Such data alone are not sufficient to identify the Data Subject; however, combined with other data (e.g., data provided at registration), they can be used to draw conclusions about the user. The automatically recorded data are logged by the system at the time of logging in or logging out without any special declaration or action by the Data Subject. Data files managed electronically in different registers are not linked and cannot be directly linked to Data Subjects – unless permitted by law. Only the Data Controller has access to the data (the hosting provider stores the data). The data of the registered Data Subject are stored together with their technical data in a database for the purpose of data processing. The Data Subject gives their express consent to this by signing up to the Website and by accepting this Policy.

| Personal data | Purpose of data processing |
|---|---|
| IP address | improving service quality |
| Data on the subpages visited while browsing https://www.innomed.hu | improving service quality |
| Type of browser | improving service quality |
| Type of operating system | improving service quality |

Cookie management

Cookies are small blocks of information in alphanumeric format sent by a web server to be stored on the user’s computer for a predetermined period of time. The use of cookies provides the possibility to retrieve certain data of the visitor and to track their internet activities.

Cookies can therefore be used to precisely determine the interests, browsing habits and website visit history of a given user. As cookies function as a kind of tag, allowing the website to recognize returning visitors, they can also be used to store the user’s username and password to the site.

If, during a visit to the website, the user’s browser returns a cookie previously saved on the hard disk, the service provider that originally sent the cookie can link the current visit to previous visits; since cookies are domain-specific, however, it can only do so for its own content. Cookies alone are not capable of identifying the user; they only recognize the user’s computer.

Several types of cookies can be distinguished based on their expiration date and origin:

  • cookies used for password-protected sessions
  • secure cookies
  • strictly necessary cookies
  • functionality cookies
  • statistical cookies

Data processing, scope of data processed: unique identification number, dates, time periods.

Data Subjects: all website visitors.

Purpose of data processing: identification of users and tracking of visitors.

Duration of data processing and deadline for the deletion of data:

| Type of cookie | Legal basis for data processing | Duration of data processing | Scope of data processed |
|---|---|---|---|
| Session cookies | Paragraph 3 of §13/A of Act CVIII of 2001 on Electronic Commerce and on Information Society Services | Until the end of the relevant visitor session | No personal data is processed |
| Persistent cookies | Paragraph 3 of §13/A of Act CVIII of 2001 on Electronic Commerce and on Information Society Services | Until deleted by the Data Subject | No personal data is processed |

Rights of Data Subjects in relation to data processing:

Data Subjects have the option to delete cookies in the Tools/Preferences menu of their browsers, usually under the Privacy settings.

Legal basis for data processing: Consent from the Data Subject is not required where the sole purpose of the use of cookies is the transmission of communications over an electronic communication network or where the use of cookies is essential for the operation of an information society service expressly requested by the customer or the user.

Duration of data processing and deadline for the erasure of data: The processing of personal data that must be provided during the registration process starts upon the registration and continues until the deletion of the registration. Logged data is stored for up to 10 years from the date of logging, except for the date of the last visit, which is automatically overwritten. The deletion of any personal data provided by the Data Subject shall be made known to the Data Subject by the Data Controller by electronic means, in accordance with Article 19 of the GDPR. If the Data Subject’s request for deletion extends to their email address, the Data Controller shall also delete the email address following the notification. This excludes accounting documents, since according to Paragraph 2 of §169 of Act C of 2000 on Accounting, these records must be kept for 8 years. Accounting documents (including general ledgers and subledgers) directly and indirectly supporting bookkeeping accounts must be kept for at least 8 years in a legible form and retrievable by reference to the accounting records.  

Potential Data Controllers, Recipients: personal data may be processed by the sales and marketing staff of the Data Controller in compliance with the above principles.

Rights of Data Subjects in relation to data processing

  • The Data Subject may request that the Data Controller grant access to, rectify, delete or restrict the processing of their personal data;
  • can object to the processing of such personal data;
  • and has the right to data portability and the right to withdraw consent at any time.

The Data Subject may request access to, deletion, modification, or restriction of the processing of personal data, data portability and objection to processing in the following ways:

  • by post to 12 Szabó József St., Budapest 1146, Hungary,
  • via email to [email protected],
  • by telephone at +36 1 460 9200.

Legal basis for data processing

  • Article 6(1)(b) of the GDPR
  • Paragraph 1 of §5 of Act CXII of 2011 on the Right to Informational Self-Determination and on the Freedom of Information
  • Paragraph 3 of §13/A of Act CVIII of 2001 on Electronic Commerce and on Information Society Services
  • Service providers may process personal data that is necessary for the purpose of providing a technical service. The provider must, other things being equal, choose and operate the means of providing information society services in such a way that personal data are processed only to the extent strictly necessary for the provision of the services and for the fulfilment of the other purposes set out in this Act, but only to the extent and for the duration necessary.

Invoices are issued in accordance with the accounting rules referred to in Article 6(1)(c) of Act C of 2000 on Accounting.

Processing activities

INNOMED MEDICAL Inc. may carry out data processing activities on behalf of the Customer in relation to the scope of data set out below, to the extent necessary for the provision of the requested services. Data processing activities are conditional upon the consent of the Customer (product owner) after having received all necessary information concerning the subject matter, content and the scope of processing. The consent of the Customer given to the Data Controller must be in accordance with all applicable legal requirements.

Scope of data processed:

| Personal data | Purpose of data processing |
|---|---|
| Historical data | Meeting the IT parameters of the service contract |
| Log files (files for logging and monitoring the processes running on the server, the error messages they generate, and incoming and outgoing network traffic) | Meeting the IT parameters of the service contract |
| User reports (summary PDF and Excel files) | Meeting the IT parameters of the service contract |
| User data | Meeting the IT parameters of the service contract |

Basis for data processing: voluntary consent.

Duration of data processing: for up to ten years (from the date of storage).

Data management by external service providers

The HTML code of the website contains links from and to external servers independent of the Service Provider. The servers of external service providers connect directly to the user’s computer. Please note that the providers of these links may collect user data due to their direct connection and communication with the user’s browser.

Personalized content for the user is hosted exclusively on the servers of external service providers. The connection between the Service Provider and the servers of the external service providers is limited to the embedding of the latter’s code, so no personal data is transferred or transmitted in this context.

The following data controllers can provide detailed information on the processing of data by external servers.

Hosting service providers

Activities performed by the data processor: hosting.

Name and contact details of the data processor:

Deninet Ltd.

79/b Bercsényi St., Budapest 1188, Hungary

Email: [email protected]

Telephone number: +36 1 296 0075, +36 80 620 030

Mobile number: +36 20 935 4619, +36 70 318 9263

Fax number: 1 296 0076, 1 700 1780

Cloudflare, Inc.

https://www.cloudflare.com/

101 Townsend St, San Francisco, CA 94107, USA

US: 1 (888) 99 FLARE

UK: +44 (0)20 3514 6970

Singapore: +65 3158 3954

Int’l: +1 (650) 319 8930

Data processing, scope of data processed: all personal data provided by the Data Subject.

Data Subjects: all website visitors.

Purpose of data processing: availability and proper operation of the website.

Duration of data processing and deadline for the deletion of data: data processing continues until the termination of the agreement between the Data Controller and the hosting service provider or until a request for data deletion by the Data Subject to the hosting service provider.

Legal basis for data processing: Article 6(1)(f) of the GDPR and Paragraph 3 of §13/A of Act CVIII of 2001 on Electronic Commerce and on Information Society Services.

Use of Google Analytics

This website uses Google Analytics, a web analytics service provided by Google Inc. (‘Google’). Google Analytics uses ‘cookies’, text files placed on the user’s computer, to help the website analyse how users use it. The information generated by the cookies about visits to the website is typically transferred to a Google server in the US and stored there. When IP anonymisation is enabled on the website, Google truncates the IP address of users located in EU member states and in other countries of the EEA (European Economic Area). Truncation is usually carried out before the data are transferred to the US; only in exceptional cases is the full IP address transmitted to a Google server in the US and truncated there. On behalf of the operator of this website, Google will use the above data to evaluate the overall use of the website, to compile reports on website activity for the website operator, and to provide other services relating to website activity and internet usage. Google Analytics will not merge IP addresses with other data held by Google. Cookies can be disabled by selecting the appropriate settings in the browser; please note, however, that blocking cookies may prevent certain features of the website from working fully. Users may also prevent Google from collecting and processing information on website visits (including IP addresses) via cookies by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=hu

Complaint handling

Data processing, scope of data processed and purpose of data processing:

| Personal data | Purpose of data processing |
|---|---|
| First and last name | identification, staying in contact |
| E-mail address | staying in contact with customers |
| Telephone number | staying in contact with customers |

Data Subjects: customers making a complaint.

Duration of data processing and deadline for the deletion of data: Copies of the record, transcript and reply to the reported complaint shall be kept for 5 years pursuant to Paragraph 7 of §17/A of Act CLV of 1997 on Consumer Protection.

Potential Data Controllers, Recipients: personal data may be processed by the sales and marketing staff of the Data Controller in compliance with the above principles.

Rights of Data Subjects in relation to data processing:

  • Data Subjects may request that the Data Controller grant access to, rectify, delete or restrict the processing of their personal data;
  • can object to the processing of such personal data;
  • and have the right to data portability and the right to withdraw consent at any time.

Data Subjects may request access to, deletion, modification, or restriction of the processing of personal data, data portability and objection to processing in the following ways:

  • by post to 12 Szabó József St., Budapest 1146, Hungary,
  • via email to [email protected],
  • by telephone at +36 1 460 9200.

Legal basis for data processing: consent of Data Subjects, Article 6(1)(c) of the GDPR, Paragraph 1 of §5 of Act CXII of 2011 on the Right to Informational Self-Determination and on the Freedom of Information and Paragraph 7 of §17/A of Act CLV of 1997 on Consumer Protection.

Please note that

  • disclosure of personal data is based on contractual obligation,
  • personal data processing is a precondition for the conclusion of contracts,
  • you are required to disclose your personal data in order to allow us to handle your complaint,
  • failure to provide such information will result in our inability to deal with your complaint.

Social media sites

Data processing, scope of data processed: names registered on Facebook and LinkedIn and the users’ public profile picture.

Data Subjects: registered users of Facebook and/or LinkedIn who liked the website.

Purpose of data processing: sharing, liking or promoting certain contents, products, promotions of the website or the website itself.

Duration of data processing and deadline for the deletion of data, potential data controllers, rights of Data Subjects with regard to data processing: Data Subjects can learn more about the source of data, the processing of data and the method and legal basis for data transfer on the relevant social media platform. Data processing is carried out by the social media platforms, thus, the duration of data processing, the method of data processing and the possibility to delete and modify data are regulated by the policy of the social media site concerned.

Legal basis for data processing: the voluntary consent of the Data Subject to the processing of their personal data by social networking sites.

Customer relations and other data management activities

Should the Data Subject have any questions or concerns arising from the use of our services, they may contact the Data Controller by the means indicated on our website (telephone, e-mail, social networking sites, etc.). The Data Controller shall delete the data provided via e-mails, messages, telephone and Facebook, etc., together with names, e-mail addresses and other kind of voluntarily shared personal data, no later than 2 years after the data was provided.

Information on data processing not covered by this notice will be provided at the time of collection.

The Service Provider is required to disclose information, hand over data or make documents available in response to exceptional requests from public authorities or other agencies authorised by law.

In such cases, the Service Provider shall disclose personal data to the requesting party insofar as the exact purpose and scope of data have been specified, and only to the extent strictly necessary for the purpose of the request.

Rights of Data Subjects

Right of access

The Data Subject shall have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and to other information specified in the GDPR.

Right to rectification

The Data Subject shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure (‘right to be forgotten’)

Where the Data Controller has made the personal data public and is obliged to erase said personal data, the Data Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the Data Subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

Right to restriction of processing

The Data Subject shall have the right to obtain from the Data Controller restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the Data Subject, for a period enabling the Data Controller to verify the accuracy of the personal data;
  • the processing is unlawful, and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
  • the Data Subject has objected to processing, in which case the restriction applies for the period until it is verified whether the legitimate grounds of the Data Controller override those of the Data Subject.

Right to data portability

The Data Subject shall have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

Right to object

The Data Subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them which is based on legitimate interest or public authority as its legal ground, including profiling based on those provisions.

Right to object to direct marketing

Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the Data Subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Automated individual decision-making, including profiling

The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

The previous paragraph shall not apply if the decision:

  • is necessary for entering into, or performance of, a contract between the Data Subject and a data controller;
  • is authorised by Union or Member State law to which the Data Controller is subject and which also lays down suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests; or
  • is based on the Data Subject’s explicit consent.

Deadline for corrective action

Without undue delay, and in any case within 1 month of receipt of the request, the Data Controller shall inform the Data Subject of the measures taken in response to the request. Where necessary, this period may be extended by a further 2 months. The Data Controller shall inform the Data Subject of any such extension, stating the reasons for the delay, within 1 month of receipt of the request.

If the Data Controller fails to act on the request, it has the obligation to inform the Data Subject without delay, and at the latest within one month of receipt of the request, of the reasons for the failure to act, of the possibility of lodging a complaint with a supervisory authority and the Data Subject’s right to seek legal remedy.

Security of processing

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and the Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Communication of a personal data breach to the Data Subject

When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall communicate the personal data breach to the Data Subject without undue delay.

The communication to the Data Subject shall describe in clear and plain language the nature of the personal data breach and contain the name and contact details of the data protection officer or other contact point where more information can be obtained, the likely consequences of the personal data breach and the measures taken or proposed to be taken by the Data Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Communication to the Data Subject shall not be required if any of the following conditions are met:

  • the Data Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  • the Data Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of Data Subjects is no longer likely to materialise;
  • it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the Data Subjects are informed in an equally effective manner.

Notification of a personal data breach to the supervisory authority

In the case of a personal data breach, the Data Controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55 of the GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Complaints

Complaints against infringement by the Data Controller may be lodged with the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság):

National Authority for Data Protection and Freedom of Information

22/c Szilágyi Erzsébet Aly., Budapest 1125, Hungary

Postal address: PO box 5, Budapest, 1530

Telephone number: +36 1 391 1400

Fax number: +36 1 391 1400

E-mail address: [email protected]

31st May 2018

INNOMED MEDICAL Inc.