Terms of service

I. Head of company: dr. Kristóf Balla

Mailing address: 1085 Budapest, József krt. 81. I./1.

Telephone number: (1) 318 4926

Email address:

II. Purpose, legal basis, duration, and transfer of personal data:

  • Before the collection of the data, the data subject shall be informed of the purpose of the processing, whether the provision of the information is voluntary or obligatory, and of the legal consequences of failure to provide the information. In the case of mandatory data provision, the legislation ordering data processing must also be indicated. The information shall also cover, in particular, the data subject's rights and remedies for the processing. This information may be provided in writing or in the form of a notice on the data controller's website.
  • An employee of Balla-Dent may handle personal data only in the course of carrying out an activity that falls within the scope of the company's activities, to the extent necessary for the performance of his/her duties specified in his/her job description, in accordance with legal regulations and these data protection regulations. Employees who process data at the data controller are obliged to keep the personal data they come to know as a professional secret. Only those who have made a statement of confidentiality may be employed in such a position.

Personal data may be used by Balla-Dent for subsequent advertising and/or promotion and market research purposes in accordance with the provisions of the Advertising Act in force, with the consent of the data subject.

  • The purpose of processing health and personal data is:

    - promoting the preservation, improvement, and maintenance of health;
    - promoting the effective medical treatment activities of the Company;
    - monitoring the health status of the person concerned.

  • For paragraphs 1 to 3, only data that are necessary and appropriate for the processing may be processed. Personal data or special data may only be processed to the extent and for the time necessary to achieve the purpose. If the purpose of the data processing has ceased or the data processing is otherwise unlawful, the data must be deleted.
  • At all stages of the data processing, the purposes set out in paragraphs 1 to 3 shall be met.
  • The data controller may use the data processed by it in a manner unsuitable for personal identification for statistical purposes and may provide data from them in a manner unsuitable for personal identification for statistical purposes.
  • An employee of the company may process personal data if authorized by law or with the consent of the data subject. Special data may be processed if the data subject consents to the processing in writing or if it is required by law.
  • In the event of the incapacity of the data subject, consent to the processing of personal data shall be given by the legal representative. The person concerned is hereinafter also referred to as the legal representative.
  • The security of data processing by the data controller is guaranteed by the following technical and organizational measures:
    (a) personal data stored electronically may be accessed only by employees authorized to do so by their job, after entering their access password;
    (b) regular backups;
    (c) a statement of confidentiality made by employees.
  • Balla-Dent will only process the data provided under this Privacy Policy for the time necessary to achieve the purpose of the data processing.
  • The medical records shall be kept for at least 30 years from the time of data collection, and the final report shall be kept for at least 50 years, except for images taken by the imaging diagnostic procedure. If further registration is not warranted, the registration shall be destroyed.
  • The image taken with an imaging diagnostic procedure (e.g. X-ray) must be kept for 10 years from the time it was taken, and the recording of the image must be kept for at least 30 years from the time the image was taken.
  • In the case of any processing of personal data which is not based on a statutory provision and for which there is no legal basis for the processing under Article 6 (1) (b), (d), or (f) GDPR, the data subject's explicit consent must be sought before the processing begins.
  • In the course of data processing, personal data may be processed for the period specified in the law and, in the absence of an express legal provision, for the period specified in paragraph (6).
  • Personal data processed by the controller for which the law does not provide for the deletion shall be deleted by the controller if:
    1. the purpose of the data processing has ceased or the period for storing the data specified by law has expired,
    2. the data processing is illegal,
    3. the data subject requests it,
    4. it is ordered by a court or the Data Protection Commissioner,
    5. the data is incomplete or incorrect and cannot be legally corrected.
  • The facts relating to the deletion of the data or the termination of the data processing shall be recorded in a report.

III. Guarantees to protect personal data

The security of the data processing operations carried out by the controllers referred to in point I shall be guaranteed by the following technical and organizational measures:

  • information security audit;
  • use of external and internal firewalls, intrusion detection and prevention (IDS/IPS) packet filtering tools, anti-virus software, and virtual private networks (VPNs);
  • regular backups so that in the event of data corruption, changes within a given day can be restored.

IV. Rights of data subjects

In connection with data processing in the course of medical services, data subjects have the following rights:

  • the right to information,
  • the right of access,
  • the right to rectification,
  • the right to restrict data processing,
  • the right to protest.

Given that the legal basis for data processing in the case of medical services is in all cases the fulfillment of the right or legal obligation conferred on it by law, the data subjects may not exercise the right to erasure and data portability.

Requests relating to the exercise of data subjects' rights shall be answered by the controller without undue delay and at the latest within one month of receipt. This period may be extended by a further two months if justified. If the controller does not act on the request without delay, it shall inform the data subject no later than one month after receipt of the request.

If the controller has reasonable doubts as to the identity of the person making the request, he or she may request the provision of additional information necessary to confirm the identity of the data subject.

If the data subject's request is manifestly unfounded or excessive, the controller may charge a fee or refuse to take action.

IV.1. The data subject's right to information

By publishing this information, the controller shall take measures to ensure that the data subject has access to all information relating to the processing of personal data provided for in Article 13 of the GDPR. Where the data provided were not obtained by the controller from the data subject, the acquisition of the data shall in all cases be governed by the Union or Member State law applicable to the controller.

IV.2. The data subject's right to access

After verifying the identity of the data subject, he or she is entitled to receive feedback from the data controller on the processing of his or her personal data. An application to exercise this right may be made in writing to the doctor's office. Information related to the exercise of the right of access shall be provided by the doctor's office in writing, by post, or electronically.

IV.3. Right to rectification

The data subject may request the controller to correct inaccurate data relating to him. In all cases, the data controller shall assess this request taking into account the provisions of the legislation governing the given procedure.

IV.4. Right to restrict data processing

In the case of data processing related to important public interests or the enforcement of legal claims, the data controller may continue to process personal data even if there is a reason justifying the restriction of data processing.

IV.5. Right to protest

If the data subject objects to the processing of his or her personal data, the data controller shall inform him or her of the legal provision on which the data processing is based and that the processing is necessary due to a compelling legal reason justifying the data processing.

V. Order of Remedies

V.1. File a complaint with the Data Protection Officer

If you wish to make a complaint about the processing of your personal data, please contact the Data Protection Officer of the Data Controller at one of the following contact details:

Head of company: dr. Kristóf Balla

Mailing address: 1085 Budapest, József krt. 81. I./1.

Telephone number: (1) 318 4926

Email address:

V.2. Initiation of legal proceedings

If you suffer an infringement in connection with the exercise of the rights of the data subject or the processing of your personal data, you may initiate a civil lawsuit against the data controller. The court has jurisdiction to hear the case. Proceedings may be instituted before the court for the place of residence or stay of the person concerned. The court deals with the case out of turn. If an infringement is found, you can claim compensation and damages, and the court may order the data controller to exercise the rights of the data subject.

You can find more information and the contact details of the courts at the following link:

V.3. Submitting a complaint to the supervisory authority

If you have a complaint about the processing of your data, you can complain to the National Data Protection and Freedom of Information Authority.

Contact details of the authority:

E-mail:

Phone: +36-1-391-14-00

Postal address: 1530 Budapest, Pf.: 5.