During its regular operations, the Provider primarily processes personal data based on the consent of the subject [GDPR Article 6(a)]. Some data processing is based on the same article’s points b) and c), as detailed in the data processing register. Thus, the Provider’s data processing within its services is based on voluntary consent and is necessary for the fulfillment of the contract between the user as a customer and the Provider. In certain cases, however, regulations make the processing (storage, forwarding) of the provided data mandatory. During service provision, data processing also involves health data, classified as a special protection category. We draw the attention of anyone providing data to the Provider to the fact that, if the personal data they provide is not their own, it is their obligation and responsibility to obtain the subject’s consent.
We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.
IV. Who else can access the data?
The Provider uses partners, so-called data processors, who assist in performing tasks set by the Provider and need access to personal data for this purpose. Such tasks include accounting, website maintenance, or analyzing the information of cookies used on the website. The Provider uses the following data processors:
V. What physical and IT precautions does the Provider use to protect personal data?
The Provider treats personal data confidentially and takes all necessary security, technical, and organizational measures to guarantee data security.
The Provider establishes its data processing measures in line with current laws, especially the following:
GDPR
Act C of 2000 on Accounting
Act CVIII of 2001 on certain aspects of electronic commerce services and information society services
Act CXII of 2011 on Informational Self-Determination and Freedom of Information.
The Provider adheres to the relevant data processing guidelines by ensuring the following measures are in place:
Physical Data Protection Measures:
Secure Access to Premises: Our office premises, where physical data is maintained, operate under controlled access mechanisms, including security personnel and electronic access card systems.
Protected Document Storage: All tangible records with personal data are preserved in securely locked storage facilities when not actively used.
Maintained Clean Desk Policy: We enforce a policy ensuring that sensitive documents are not left unattended on desks and are safely stored.
Document Disposal Protocols: We have established protocols for the secure disposal of physical records, primarily using shredding techniques or partnering with trusted disposal entities.
IT Data Protection Measures:
Data Encryption Protocols: We have adopted encryption techniques for safeguarding electronic data in all states – whether it’s stored (in databases or files) or transmitted (emails, data sharing).
Firewall and Intrusion Detection Deployment: Our systems are equipped with firewalls and intrusion detection tools that continuously monitor and preemptively block any suspicious digital activities.
Routine Data Backups: We perform scheduled data backups and ensure such backups are safely stored, often in a separate off-site location.
Enforced Password Guidelines: We implement stringent password policies which necessitate the use of diverse characters, periodic alterations, and, wherever feasible, multi-factor authentication.
Role-Based Access Controls: Access to specific data is restricted based on job roles within our organization, ensuring only authorized individuals can access sensitive data.
Software Update Schedule: All our software components, inclusive of operating systems and applications, are kept current to shield against recognized vulnerabilities.
Employee Data Protection Training: We hold regular training sessions for our staff, focusing on data protection principles, the identification of phishing attempts, and the risks associated with unverified downloads or links.
Incident Management Protocols: We’ve formulated a robust incident response strategy to effectively manage and counter any unauthorized data access or potential breaches.
Principle of Data Minimization: Our approach is to collect and retain only the most essential data for the referral procedures. We periodically review and purge unnecessary data.
Guaranteed Secure Communication Channels: We employ secure communication methods, such as VPNs, especially during remote data access.
VI. How Do We Obtain Your Consent for Processing Your Data?
When you visit our website, you may be asked to provide consent for various data-related operations. Accessing certain functionalities of the website may require your consent for critical data processing. By accepting our service agreement and these data protection guidelines, you confirm that we may process your data in order to fulfill our contract, following the conditions outlined herein. Please ensure you have read and understood this information before providing your consent.
VII. Where Can You Learn About Our Data Processing Activities?
Clients and other involved parties can familiarize themselves with our data processing practices by referring to these guidelines and our comprehensive data protection policy. For direct information, please use the contact details provided.
VIII. How Do We Handle Data Discrepancies or Breaches?
In the event that we identify signs of a potential data breach, we will take steps in line with our legal obligations. This might involve consultation with involved data processors, legal professionals, or other experts to ascertain the nature and implications of the breach. After an internal evaluation, and if deemed necessary, we will inform the affected parties. Following the report of such an incident, we will assess and, if necessary, implement measures to prevent similar breaches in the future.
X. What Rights Do You Have Regarding Your Data?
You possess the following rights concerning your data:
Access and review your data and determine if we are processing them.
Request correction of outdated or inaccurate data.
Request deletion of data, unless there’s a legal requirement for its retention.
Limit processing of your data if you challenge its accuracy or legality.
Object to your data being used for direct marketing unless you have explicitly consented.
Request or restrict the transfer of your data to third parties.
Obtain a copy or photographic evidence of your data in our possession.
File objections against specific data processing activities. Upon receipt, we will review the objection within 15 days and notify you of our decision. If the objection is valid, we will halt the associated data processing and inform any third parties involved. If you disagree with our resolution, you have the right to seek legal action within 30 days.
If you believe your rights related to data processing have been infringed upon, you can pursue legal action. Courts handle such cases with priority. The responsibility to prove the legitimacy of data processing lies with us. Additionally, you can file a complaint with the relevant data protection authority.
XI. How Can You Submit Requests or Inquiries About Your Data Processing?
Via email: [email protected]
In Hungary, the National Data Protection and Freedom of Information Authority (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C; phone: +36 1 391 1400, e-mail: [email protected], website: www.naih.hu) oversees data protection matters. Legal proceedings related to data protection can be initiated at courts, based on the plaintiff’s preference, either at their residence or place of stay.
These guidelines are effective as of November 8, 2023.