PRIVACY NOTICE AND DECLARATION
For rhinoplasty surgical procedures
(English translation of the Hungarian document "Adatkezelési tájékoztató és hozzájáruló nyilatkozat", document ID KLASOPLAST-GDPR-01, version 3.0. In case of any discrepancy, the Hungarian original prevails.)
1. DATA CONTROLLER DETAILS
Company name: KLASOPLAST Egészségügyi és Szolgáltató Korlátolt Felelősségű Társaság
Short name: KLASOPLAST Kft.
Registered office: 1137 Budapest, Katona József utca 41. fszt. 2.
Tax number: 13518758-2-41
Company registration number: 01 09 739441
Telephone: ___________________________
E-mail: ___________________________
Website: www.vargaklara.hu
Data protection contact:
Miklós Annamária
E-mail: ___________________________
Telephone: ___________________________
2. PURPOSES, LEGAL BASES AND DURATION OF DATA PROCESSING
The table below summarises the purposes, legal bases and retention periods of data processing:
| Purpose of processing | Legal basis (GDPR) | Retention period |
|---|---|---|
| Provision of healthcare, keeping medical records | Article 6(1)(c): legal obligation (Hungarian Healthcare Data Act – "Eüak.") | Medical records: at least 30 years |
| Mandatory reporting to the Hungarian Electronic Health Service Space (EESZT) (outpatient sheet, discharge summary, surgical report) | Article 6(1)(c): legal obligation (Eüak., EESZT regulation) | In the EESZT system, in accordance with the applicable legislation |
| Invoicing, accounting, taxation | Article 6(1)(c): legal obligation (accounting and tax legislation) | 8 years (under Act C of 2000 on Accounting) |
| Appointment scheduling, communication, reminders | Article 6(1)(b): performance of a contract / provision of care | Communication is deleted after the care is completed, except in the cases below |
| Retention of communication in case of legal dispute/complaint | Article 6(1)(f): legitimate interest (establishment, exercise or defence of legal claims) | 3 years (aligned with the civil-law limitation period) |
| Photo documentation for treatment purposes (surgical planning, follow-up, complication management, quality assurance) | Article 6(1)(c): legal obligation | Same retention period as the medical records (at least 30 years) |
| Photo documentation for marketing purposes (website – in anonymised form) | Article 6(1)(a) + Article 9(2)(a): explicit consent | 2 years from the last use, with annual review. If consent is withdrawn, further use ceases immediately. |
Important: Data subject to mandatory retention periods (medical records, invoicing data) cannot be deleted before the retention period expires, even at the data subject's request.
3. CATEGORIES OF PERSONAL DATA PROCESSED
3.1. Data related to healthcare:
- Identification data: name (birth and married name), place and date of birth, mother's name, social security (TAJ) number, sex
- Contact details: home address, place of residence, telephone number, e-mail address
- Information on health condition:
  - Anamnesis (medical history, previous illnesses, surgeries)
  - Current complaints, symptoms, aesthetic goals
  - Results of physical examination
  - Diagnosis
  - Drug sensitivities, allergies
  - Results of laboratory and imaging examinations
  - Treatment plan, type of recommended procedure
  - Surgical report, description of the procedure, documentation of surgical materials
  - Documentation of post-operative follow-up, control examinations
- Photo documentation for treatment purposes (recording the pre- and post-operative state)
3.2. Invoicing and financial data:
- Name, home address
- Tax number (if relevant)
- Bank account number (in case of bank transfer)
3.3. Communication data:
- Telephone number, e-mail address (for appointment scheduling, reminders, keeping in contact)
- Content of e-mail and SMS communication (for 3 years in case of legal dispute/complaint)
3.4. Photo documentation for marketing purposes (only with explicit consent):
- Pre- and post-operative photographs in anonymised form (face covered) for display on the www.vargaklara.hu website
4. MANDATORY NATURE OF DATA PROVISION
4.1. Data that must be provided:
Providing the data necessary for healthcare and medical records is mandatory (point 3.1). Without this data, care cannot be provided safely and lawfully.
In the absence of the mandatory data:
- Care may be refused or provided only in a limited form
- The mandatory EESZT reporting obligation cannot be fulfilled
- Invoicing and settlement cannot be carried out
4.2. Voluntary data provision:
Creating and using photo documentation for marketing purposes is not mandatory; it takes place solely on the basis of the data subject's explicit consent. It does not affect the quality of care.
5. DATA TRANSFERS, CONTROLLERS AND PROCESSORS
5.1. Transfers to other controllers
KLASOPLAST Kft. transfers the data subject's personal and health data to the following organisations and persons:
| Recipient | Controller status | Purpose | Legal basis (GDPR) |
|---|---|---|---|
| Hungarian Electronic Health Service Space (EESZT) – central system | Independent controller function(s) within the statutory framework | Mandatory upload of outpatient sheet, discharge summary, surgical report | Article 6(1)(c): legal obligation (Eüak., EESZT regulation) |
| Anesthesiologist | Independent controller | Providing anesthesia for the surgical procedure | Article 6(1)(c): legal obligation / Article 6(1)(b): performance of a contract |
| Healthcare provider supplying the surgical venue | Independent controller | Providing surgical infrastructure and surgical assistance | Article 6(1)(c): legal obligation / Article 6(1)(b): performance of a contract |
Note on the EESZT: Reporting to the EESZT is a statutory obligation. Data in the EESZT system are processed in accordance with the applicable legislation (Eüak., EESZT regulation).
5.2. Data processor
Cloudent Kft. – operator of the electronic patient record system
The processor may act solely on the instructions of the controller. The servers of the Cloudent system are located within the European Union/European Economic Area. The Cloudent system is EESZT-compatible.
Sub-processors: Cloudent Kft. may engage sub-processors to provide the service (e.g. hosting, backup, operational services). The current list of sub-processors may be requested from the controller. The controller ensures that sub-processors are engaged in accordance with the requirements of Article 28 GDPR (written data processing agreement, appropriate guarantees).
5.3. Transfers to third countries
The controller does not transfer personal data outside the European Union/European Economic Area.
6. DATA SOURCES
Personal data are primarily collected directly from the data subject (patient) in the course of verbal and written communication.
In certain cases, data may also come from other sources:
- Documentation issued by the referring physician
- Documentation from a previous healthcare provider (handed over by the patient or with the patient's consent)
- Results of laboratory and diagnostic imaging examinations (if performed at another institution)
- Previous medical records available in the EESZT system
- Legal representative, relative (in case of a minor or a person with limited legal capacity)
7. AUTOMATED DECISION-MAKING AND PROFILING
The controller does not use automated decision-making, including profiling. All diagnostic and therapeutic decisions are made by a qualified physician.
8. DATA SECURITY
The controller ensures the security of data through appropriate technical and organisational measures pursuant to Article 32 GDPR:
8.1. Technical measures:
- Electronic data: stored in the Cloudent system, which is:
  - Password-protected and accessible via an encrypted connection
  - EESZT-compatible
  - Protected by multi-factor authentication (MFA) at login
  - Regularly backed up, with restoration tests
- Paper documents: stored in a closed, access-controlled location, in lockable cabinets, with a key-management register
- Access management: role-based access control (RBAC); strictly limited to what is necessary for the given task
8.2. Organisational measures:
- Access rights: only authorised healthcare workers and administrative staff may access the data
- Professional secrecy: all staff are bound by professional secrecy (under the Eüak. and healthcare ethics rules)
- Logging and audit: the electronic system logs access and data modifications; access rights are reviewed regularly
- Data protection training: regular data protection and information security training for staff
- Disposal of paper documents: paper documents whose retention period has expired are securely destroyed with a document shredder
8.3. Incident management:
The controller has a data breach management procedure:
- Immediate internal investigation upon detecting a data breach
- Notification to the NAIH within 72 hours (if the breach poses a risk to the rights of data subjects)
- Informing the data subjects without undue delay (if the breach poses a high risk)
- Reporting channel: via the contact details of the data protection contact
9. PROCESSING OF MINORS' DATA
In the case of a minor patient (under 18 years of age), accepting this notice and consenting to the procedure requires the signature of both parents (legal representatives) and the minor data subject.
The data protection rights of the minor data subject are exercised by the legal representative.
Verification of the legal representative:
- Presentation of an identity document
- The minor's birth certificate or another document proving the right of representation
Note: Hungarian healthcare legislation (Act CLIV of 1997) contains special rules on the self-determination rights of minors over 16 ("mature minors"). According to the institution's practice, plastic surgery procedures require the consent of both parents.
10. RIGHTS OF THE DATA SUBJECT
Under the GDPR and Hungarian Act CXII of 2011 on informational self-determination (Infotv.), you have the following rights:
10.1. Right of access (Article 15 GDPR)
You may at any time request access to the data processed about you and information on the circumstances of the processing (purpose, legal basis, duration, recipients).
10.2. Right to rectification (Article 16 GDPR)
You may request the correction or completion of inaccurate or incomplete data.
10.3. Right to erasure ("right to be forgotten") (Article 17 GDPR)
You may request the erasure of your data if:
- They are no longer necessary for the purpose of the processing
- You withdraw your consent (in the case of marketing photo documentation)
- The data were processed unlawfully
- Erasure is required by law
Important limitation: Erasure of medical records and invoicing data cannot be requested before the expiry of the statutory mandatory retention period:
- Medical records: 30 years
- Discharge summary: 50 years
- Imaging records: 10 years
- Imaging reports: 30 years
- Invoicing data: 8 years
10.4. Right to restriction of processing (Article 18 GDPR)
In certain cases you may request the restriction of processing (e.g. you contest the accuracy of the data or the lawfulness of the processing, or you need the data for asserting legal claims).
10.5. Right to data portability (Article 20 GDPR)
With limited scope: it applies only to data processed by automated means on the basis of consent or a contract. You may request to receive the data processed about you in a structured, commonly used, machine-readable format (e.g. PDF, XML), or that we transfer them directly to another controller.
It does not apply to processing based on a legal obligation (e.g. mandatory medical record keeping, EESZT reporting, invoicing).
10.6. Right to object (Article 21 GDPR)
With limited scope: you may object to processing based on legitimate interest (e.g. retention of communication in case of legal dispute/complaint – Article 6(1)(f) GDPR).
It does not apply to processing based on a legal obligation or contract (e.g. healthcare, record keeping, EESZT reporting, invoicing).
10.7. Right to withdraw consent (Article 7(3) GDPR)
You may withdraw your consent to the creation of marketing photo documentation at any time, without giving reasons. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
In case of withdrawal:
- Further use ceases immediately
- The photos are removed by updating the website gallery
- Copies are deleted (within 2 years)
Exercising your rights:
You may submit your request via the controller's contact details (e-mail, postal address, telephone) or to the data protection contact.
Identification: The controller is entitled to verify the identity of the data subject in order to prevent unauthorised access (e.g. requesting a copy of an identity document, applying data minimisation).
Response deadline: The controller informs you of the measures taken on the basis of your request without undue delay, but no later than within 1 month. If necessary (considering the complexity or number of requests), this deadline may be extended by a further 2 months, of which you will be informed.
11. REMEDIES
If you believe that your rights have been violated in the course of processing your personal data, you may use the following remedies:
11.1. Complaint to the supervisory authority
National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1055 Budapest, Falk Miksa utca 9-11.
Postal address: 1363 Budapest, Pf. 9.
Telephone: +36 (1) 391-1400
E-mail: ugyfelszolgalat@naih.hu
Website: www.naih.hu
11.2. Judicial remedy
You may bring the matter before the regional court of your place of residence or stay (under Act CXXX of 2016 on the Code of Civil Procedure).
12. DECLARATIONS
12.1. Acknowledgement of information (healthcare)
I, the undersigned, declare that:
- I have read, understood and acknowledged the contents of this privacy notice.
- I have been informed that providing healthcare and keeping medical records is a statutory obligation (Eüak.), which does not require my consent but is a lawful condition of care.
- I acknowledge the mandatory retention periods:
  - Medical records: at least 30 years
  - Discharge summary: at least 50 years
  - Diagnostic imaging records: 10 years
  - Diagnostic imaging reports: 30 years
- I acknowledge that the controller is obliged to retain invoicing and accounting data for 8 years.
- I acknowledge that reporting to the EESZT is a statutory obligation.
- I acknowledge that communication data (e-mail, SMS) may be retained for 3 years in case of legal dispute/complaint.
12.2. Acknowledgement of photo documentation for treatment purposes
I, the undersigned, acknowledge that:
- Photo documentation for treatment purposes, recording the pre- and post-operative state, is necessary for the successful planning, follow-up and quality assurance of the procedure.
- This photo documentation forms part of the medical records and is used exclusively for medical-professional purposes:
  - Surgical planning and preparation
  - Documentation of follow-up and control examinations
  - Complication management
  - Quality assurance, professional consultation
- The retention period of treatment-purpose photos is the same as that of the medical records (at least 30 years), and their erasure cannot be requested during the mandatory retention period.
- These photos are not used for marketing or public presentation purposes without my separate consent below.
12.3. Photo documentation for marketing purposes – separate consent (OPTIONAL)
☐ I consent to KLASOPLAST Kft. displaying photo documentation taken of me, for marketing purposes, in anonymised form (face covered), on the www.vargaklara.hu website in the form of a "before–after" gallery.
I acknowledge that:
- This consent is entirely voluntary, and refusing it will not result in any disadvantage in my healthcare.
- The photos are displayed in anonymised form (face covered).
- Use is limited exclusively to the www.vargaklara.hu website.
- The retention period of the photos: 2 years from the last use, with annual review.
- I may withdraw my consent at any time, without giving reasons, via the controller's contact details.
- Withdrawal of consent does not affect the lawfulness of previous processing.
- In case of withdrawal, the photos are removed from the website immediately and further use ceases.
☐ I do not consent to the creation and use of photo documentation for marketing purposes.
13. PATIENT DETAILS AND SIGNATURE
The declaration and signature section is completed on the paper form provided at the clinic (patient details, procedure details, and — in the case of minors — the details and signatures of both legal representatives).
On behalf of the controller:
KLASOPLAST Kft.
Document ID: KLASOPLAST-GDPR-01
Document version: 3.0
Supplement: cookies and web analytics
Effective from 4 July 2026. This section provides information about the cookies and similar technologies used by this website (vargaklara.hu).
1. Strictly necessary storage
The website uses the following browser-stored data for its operation. These are not suitable for identifying the visitor and are not transmitted anywhere:
- vk-consent (localStorage) — stores the visitor's cookie consent decision; retained until deleted by the visitor. Legal basis: legitimate interest of the controller (Art. 6(1)(f) GDPR) — remembering the decision.
- vk-intro (sessionStorage) — plays the opening animation once per session; retained until the end of the browser session.
2. Statistical cookies — Google Analytics 4
The website uses Google Analytics 4 to measure traffic, solely with the visitor's prior consent (by clicking "Accept" on the cookie bar). Without consent, no measurement cookies are placed. Legal basis: the visitor's consent (Art. 6(1)(a) GDPR).
- _ga — identifier used to distinguish visitors; retention: 2 years.
- _ga_* — maintains session state; retention: 2 years.
Provider: Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) and Google LLC (USA). Data transfers take place under the EU–U.S. Data Privacy Framework. Measurement operates with IP anonymisation. About Google's data processing: https://policies.google.com/privacy
3. Advertising (marketing) measurement — Google Ads
If the website uses Google Ads conversion measurement, it is likewise activated only after the visitor's consent, through the Google Consent Mode v2 framework (without consent, all advertising storage is disabled).
4. Withdrawing consent
Consent can be withdrawn at any time, without justification, using the button below — the stored decision is deleted and the cookie bar reappears:
Cookies already placed can also be deleted in your browser settings (History / Clear cookies).