Privacy Policy

Data protection statement

In connection with the processing of data, Delta Bio 2000 Ltd., as the data controller (Service Provider), hereby informs the users of the website about the personal data processed on the website, the principles and practices followed in the processing of personal data, the organizational and technical measures taken to protect personal data, as well as the ways and means of exercising the rights of the data subjects. The Service Provider shall treat the personal data collected confidentially, in accordance with data protection legislation and international recommendations, and in accordance with this Statement.

By using the website, you accept as a user the provisions of this Privacy Statement.

Data protection information

  1. Delta Bio 2000 Ltd. processes the data of persons who have logged on to the site or registered to use the service during the operation of the website and the DeltaGene program in order to provide them with an appropriate service. Delta Bio 2000 Ltd. processes and protects personal data in accordance with the applicable data protection legislation when using the system. 
  2. Delta Bio 2000 Ltd. may keep the following information about individual users and patients:

Personal data: 

  • name, address, place and date of birth;
  • social security number;
  • e-mail address and telephone number;
  • occupation;
  • marital status;
  • family medical history

 

Specific data may include: 

  • general data on health status;
  • disease description
  • disease details;
  • pathology;
  • previous treatments and their effectiveness;
  • sample type;
  • molecular diagnostic test results of the sample
  • acquired and inherited genetic variations
  • name of treating physician(s)
  • details of previous medical treatments

 

  3. Delta Bio 2000 Ltd. uses information about individual users for the following purposes:

– registration for the purpose of using the Delta Bio 2000 Ltd. IT system;

– to register for the use of the Delta Bio 2000 system for the purposes of providing, monitoring, revising or improving the services related to the system;

– to enable Delta Bio 2000 Ltd. to fulfil its contractual obligations and exercise its rights vis-à-vis the user, as part of its consumer protection procedures, and to fulfil any similar contractual obligations; and to communicate with the user in connection with the above;

– for the purpose of providing the user with molecular diagnostic tests, in the course of which the data will be shared with the authorised medical practitioner, biologist, medical assistant of Delta Bio 2000 Ltd; 

– to send the user personalised information by e-mail, post, telephone about new clinical trials, new scientific discoveries, new diagnostic and therapeutic procedures, if the user requests or authorises this in his/her personal settings; 

– to request a medical second opinion for the user, where the user can make a specific statement in his/her personal settings to allow the sharing of personal data; 

– the user himself/herself may share his/her data with other users (patients and doctors) within the system;

– for statistical, analytical analysis in an anonymised form, combined with data from other users, and its publication;

– anonymised data of the user, so that the system can provide better decision support for the management of similar users (patients);

– anonymised user data in a statistical context to assist third parties in the development of new diagnostic methods.

  4. Delta Bio 2000 Ltd. shall keep information about the user only for as long as it is strictly necessary for the purpose for which it was collected, or for as long as permitted by any contract or law. Delta Bio 2000 Ltd. will not collect information to an extent that is unnecessary, or information that is unnecessary or inappropriate for the purpose for which it is collected.

 

  5. Upon the user’s request, Delta Bio 2000 Ltd. shall provide information about the data processed by it or by a data processor it has appointed, the source of the data, the purpose, legal basis and duration of the processing, the name and address of the data processor and the activities related to the processing, as well as the legal basis and recipient of the data transfer in the event of the transfer of the user’s data.

 

  6. Delta Bio 2000 Ltd. will not disclose personal data relating to the user to third parties without the user’s permission, except in cases where it is necessary or desirable to disclose information about the user to other companies, financial institutions or public authorities (as defined by law) for crime prevention or consumer protection reasons; if required or permitted by law or if Delta Bio 2000 Ltd. is required to do so by a public authority, and if it is necessary to do so in order to fulfil its obligations.

 

  7. In the event that the user’s personal data is shared with third parties by Delta Bio 2000 Ltd., Delta Bio 2000 Ltd. will comply with the provisions of data protection legislation in all cases.

 

  8. In accordance with data protection legislation, the user has the right to request information about the processing of his/her personal data at any time. This information is free of charge.

Delta Bio 2000 Ltd. shall comply with such a request of the user within 30 (thirty) days from the date of its submission, in writing, upon request of the data subject. 

If you wish to contact Delta Bio 2000 Ltd. with a request regarding the processing of your user data, Delta Bio 2000 Ltd. requests that you contact Delta Bio 2000 Ltd. via the contact details on the website www.deltagene.hu (e.g., by e-mail to info@deltabio.eu) or via the admin interface.

 

  9. Through the contact details indicated above, the user is entitled to:

– request information about the processing of his/her personal data;

– request the rectification, erasure or blocking of his/her data, except in cases of mandatory processing;

– object to the processing of his or her personal data in the cases provided for by data protection legislation;

– in the event of a breach of his or her rights and in the case provided for in data protection legislation, to apply to the relevant authorities and courts; and

– claim compensation for any damage caused to the user in connection with the unlawful processing of his or her data or in connection with a breach of data security requirements.

 

  10. Delta Bio 2000 Ltd. informs the user that the national legislation of each country may lay down more detailed rules on data protection than those described in this Privacy Policy.

 

  11. Delta Bio 2000 Ltd. is obliged to ensure the protection of user information. Delta Bio 2000 Ltd. has put in place reasonable physical, electronic and managerial procedures to protect the user’s personal data, in particular against unauthorized access, alteration, disclosure, deletion or destruction, accidental destruction or damage, and inaccessibility due to changes in the technology used.

Delta Bio 2000 Ltd. is particularly attentive in this activity to prevent any unlawful or unauthorized action in the handling of the user’s data by the means at its disposal. Notwithstanding these measures, Delta Bio 2000 Ltd. cannot fully guarantee the security of the user’s data.

 

  12. Delta Bio 2000 Ltd. protects the security of user information by: using encryption where possible; using password protection where applicable; and restricting access to information (for example, by limiting access to only those employees who need it to achieve the purposes described above).

 

Delta Bio 2000 Ltd. requests that users help it to protect information by not using obvious login names or passwords and by changing their passwords regularly. 

 

Delta Bio 2000 Ltd. also requests that you protect your password from being disclosed to third parties.

Privacy Policy

The Privacy Policy of Delta Bio 2000 Research, Development, Trade and Service Ltd. (hereinafter referred to as the “Service Provider”) sets out the procedures for the traditional (manual) and electronic processing of personal and health data of persons supplied by the Service Provider and persons who otherwise come into contact with the Service Provider (e.g. business partners, etc.). 

The Service Provider / Data Controller processes the data of persons who have logged on to the site or registered to use the service during the operation of the website and the DeltaGene program, in order to provide them with an appropriate service. The aim is to protect the personal and health data of the data subjects throughout the entire process of data processing, transmission and storage, both within and outside the operations of the service provider. 

The service provider aims to fully comply with the legal requirements for the processing of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council. This policy is based on Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of personal data of natural persons and on the free movement of such data, taking into account the content of Act CXII of 2011.

Data controller’s data, contact details

Name: Delta Bio 2000 Research, Development, Trade and Service Ltd.

6726 Szeged, Temesvári krt. 62.

Company registration number: 06-09-011882

Name of the registering court: Szeged Court of Szeged General Court

Tax number: 14138373-2-06

Telephone: +36-30-403-3046

Email: info@deltabio.eu

  1. SCOPE OF THE POLICY 

 

The scope of the Policy covers 

– care provided on the Provider’s premises where health, human genetic and personal identification data are processed,

– all natural and legal persons who process or come into contact with personal, health and human genetic data in connection with the Provider’s activities;

– any data which are personal data under data protection legislation and any data which are human genetic data.

1.1 Abbreviations and interpretative provisions used in the Policy

processor: a natural or legal person who processes personal data on behalf of the controller;

processing: any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

controller: the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data;

carer: a medical practitioner, a healthcare professional, another person involved in the treatment of the data subject, a pharmacist;

health data: data relating to the physical, mental or psychological state, pathological condition, pathological addiction of the person concerned, the circumstances of the illness or death, the cause of death, communicated by him or her or by another person, or detected, examined, measured, mapped or derived by the healthcare network; and any data which may be associated with or affect the foregoing (e.g. behaviour, environment, occupation);

health record: any record, register or any other form of data, irrespective of its medium or form, containing medical and personal identification data, which comes to the knowledge of the patient’s provider (the Provider) during the course of treatment; 

EEA State: a Member State of the European Union and another State party to the Agreement on the European Economic Area, and a State whose nationals enjoy the same status as nationals of a State party to the Agreement on the European Economic Area under an international treaty concluded between the European Union and its Member States and a State not party to the Agreement on the European Economic Area; 


data subject: an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; 

genetic data: information about the hereditary characteristics of a specific data subject, derived from the processing of a genetic sample or from medical records, which is indicative of the individual’s risk of, inherited susceptibility to, or physical or behavioural characteristics associated with a genetic disease and which may be relevant to the identification of the individual;

genetic screening test: a human genetic test performed indiscriminately on members of a defined population as part of a screening programme, the aim of which is to identify those at risk from an asymptomatic population of individuals providing a genetic sample by revealing their genetic characteristics;

genetic counselling: a counselling procedure in which a legally authorised person provides information on the benefits or risks of clinical genetic testing, explores the possible implications of the results of human genetic testing and helps to understand the nature of the disease;

medical treatment: any activity aimed at preserving health and at the direct examination, treatment, care, medical rehabilitation or processing of the test material of a person concerned for the purpose of preventing, detecting, diagnosing, treating, curing, maintaining or correcting the deterioration of the condition resulting from a disease, including the provision of medicines, medical aids, spa care, rescue and ambulance services and obstetric care;

third party: any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data;

third country: any State which is not an EEA State;

consent: a voluntary and freely given indication of the data subject’s wishes, based on adequate information, by which he or she signifies his or her unambiguous agreement to the processing of personal data relating to him or her, either in full or in relation to specific operations;

human genetic testing: laboratory analysis of a genetic sample to detect congenital variants in the genome (genes, chromosomes) which are associated with or predictive of adverse health effects, whether of germ cell origin (inherited) or developed early in foetal life, which are congenital – causing or predisposing to genetic disease – and which may be clinical genetic testing, genetic screening testing and genetic testing for research purposes, depending on the purpose of the test; 

special data:

– personal data revealing racial or ethnic origin, membership of national or ethnic minorities, political opinions or political party affiliations, religious or philosophical beliefs, membership of an interest group or membership of a representative body, sex life,

– personal data concerning health, pathological addiction and personal data concerning criminal offences;

personal data: data which can be associated with the data subject, in particular the name, the identification mark and one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of the data subject, and the inference which can be drawn from the data concerning the data subject;

Terms used in this Policy that are not defined in Section 1.1 shall have the meaning given to them in data protection legislation. 

1.2. Legal context governing healthcare data processing 

  • REGULATION (EU) No 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation)
  • Act XLVII of 1997 on the processing and protection of health and related personal data 
  • Act CLIV of 1997 on Health Care 
  • Decree No 2/1997 (XII.21.) NM on certain aspects of the processing of health and related personal data 
  • Act CVIII of 2001 on certain aspects of electronic commerce services and information society services.
  • Act XXI of 2008 on the Protection of Human Genetic Data, the Rules for Human Genetic Testing and Research and the Operation of Biobanks 
  • Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information 

1.3. Familiarisation with and use of the Policy

The Policy shall be made available to all employees of the Service Provider, and all employees shall be familiar with and comply with the Policy at least to the extent required by their job function and assignment.

All persons concerned shall be informed of the provisions of the Policy that apply to them.

  2. RULES ON DATA MANAGEMENT

2.1 Service Provider’s data management philosophy 

2.1.1. The Service Provider considers it important that personal data is processed only in cases and to the extent necessary for the fulfilment of a legitimate purpose and in accordance with the provisions of data protection legislation. As a matter of principle, it states that patient records are the property of the Provider and must be maintained and preserved for the benefit and in the interest of the patient. 

2.1.2 The Provider is committed to the principle that good quality patient care can only be achieved with good quality documentation. 

2.2 Principles of data management 

2.2.1 The Service Provider shall at all times respect the principles of data processing set out in data protection legislation and shall conduct its data processing in compliance with them. The principles of data processing are as follows:

  • Lawfulness, fairness and transparency: personal data must be processed lawfully and fairly and in a transparent manner for the data subject. 
  • Purpose limitation: personal data must be collected only for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes. 
  • Data minimisation: personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. 
  • Accuracy: Personal data must be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate for the purposes of the processing are erased or rectified without undue delay. 
  • Limited storage: personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. 
  • Integrity and confidentiality: personal data must be processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by implementing appropriate technical or organisational measures.
  •  Accountability: the controller is responsible for compliance with the above principles and must be able to demonstrate such compliance. 

2.2.2. The Service Provider shall ensure that the data management principles are applied in the context of its data management activities, both in the preparation of the planned data management activities and throughout the entire process of the data management activities. 

2.3 Lawfulness of the processing of personal data 

2.3.1 Personal data may only be processed where there is an appropriate legal basis. The processing of personal data is lawful if one of the following conditions is met: 

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • the processing is necessary for the performance of a contract to which the data subject is a party or is necessary for the purposes of taking steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary for the protection of the vital interests of the data subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

2.3.2 In addition to the above, special categories of personal data may only be processed if the additional requirements set out in the data protection legislation are met. Such requirements include, among others: 

  • the data subject has given his or her explicit consent to the processing of those personal data for one or more specific purposes; 
  • processing is necessary for compliance with the obligations of the controller or the data subject arising from legal provisions governing employment and social security and social protection and for the exercise of specific rights; 
  • processing is necessary for the protection of the vital interests of the data subject or of another natural person where the data subject is physically or legally incapacitated and is unable to give his or her consent; 
  • the processing relates to personal data which have been explicitly made public by the data subject; 
  • processing is necessary for the establishment, exercise or defence of legal claims; 
  • processing is necessary for preventive health or occupational health purposes, to assess the ability of an employee to perform his or her job.

2.3.3. The processing is considered lawful if it is necessary in the context of a contract or the intention to conclude a contract. If the processing is carried out in the performance of a legal obligation to which the controller is subject, or if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing must have a legal basis in Union law or the law of a Member State.

Processing shall be regarded as lawful where it is carried out for the purpose of protecting the life of the data subject or the interests of another natural person referred to above. Personal data should in principle be processed on the basis of the vital interests of another natural person only if there is no other legal basis for the processing in question.

2.3.4 The legitimate interest of the controller, including the controller with whom the personal data may be shared, or a third party may provide a legal basis for the processing. Such legitimate interest may be, for example, where there is a relevant and appropriate relationship between the data subject and the controller, such as in cases where the data subject is a client of the controller or is employed by the controller.

The processing of personal data strictly necessary for the purpose of preventing fraud also constitutes a legitimate interest of the controller concerned. Processing of personal data for direct marketing purposes may also be considered to be based on legitimate interest.

In order to establish the existence of a legitimate interest, it is necessary to carefully consider, inter alia, whether the data subject could reasonably expect, at the time and in the context of the collection of the personal data, that processing for the purposes in question would take place. The interests and fundamental rights of the data subject may prevail over the interests of the controller where personal data are processed in circumstances in which the data subjects do not expect further processing.

The processing of personal data for purposes other than those for which they were originally collected should be permitted only if the processing is compatible with the purposes for which the personal data were originally collected. In this case, a separate legal basis other than the legal basis which allowed the collection of the personal data is not necessary.

2.4. Purpose of data processing – during registration/login to the Website/DeltaGene programme 

2.4.1. The legal basis for registration data processing is the consent of the data subject. The data subjects are the registered users of the website/DeltaGene programme. The user can give his/her consent to the processing of the data by deliberately ticking the checkbox on the website or in the DeltaGene programme.

2.4.2 The data processing continues until the consent given on the website is withdrawn. The data subject may withdraw his/her consent to the processing at any time by sending an e-mail to the contact e-mail address.

2.4.3. The data may come from more than one source. The Service Provider may obtain the personal data of the data subject from the following sources:

  • Directly from the data subject: the Service Provider receives the data subject’s personal data directly from the data subject when the data subject personally orders a service from the Service Provider and, in this context, fills in an order form or contract for each of the requested tests or provides the Service Provider with the samples necessary to perform the requested test. 
  • From the treating physician of the person concerned: The Service Provider may also receive the personal data of the data subject from the treating physician of the data subject, if the requested service is ordered by the treating physician of the data subject from the Service Provider with the simultaneous information of the data subject. Furthermore, the Service Provider may also receive personal data from the treating physician of the data subject where the requested service is ordered directly from the Service Provider by the data subject, but the data subject requests the Service Provider to obtain the necessary specimen and/or documentation from the treating physician of the data subject. 
  • From a third party: the Service Provider may receive the data subject’s personal data from a third party where the data subject has given an authorisation to a third party to order the services or where this is permitted by law.

2.4.4 The deletion of the data will take place upon withdrawal of consent to data processing, but no later than 3 days after receipt of the withdrawal letter. The data subject may withdraw his or her consent to the processing at any time by sending an e-mail to the contact e-mail address (info@deltabio.eu). The contact data processed in the DeltaGene programme will be deleted if no service has been ordered and the data subject requests the deletion of his or her data. 

The health data requested within the DeltaGene programme are necessary for the purpose of consultation and contract fulfilment. The data controller and its employees are entitled to access the data. Method of storage of data: electronic. Modification or deletion of personal data can be requested by e-mail or by letter using the contact details provided above.

Personal data processed on deltagene.hu, purpose and duration of processing 

  • Name of the data controller: Delta Bio 2000 Ltd.
  • Name of the processing: contact details
  • Purpose of the processing: contacting the interested parties on the website (callback, email correspondence)
  • Legal basis for processing: voluntary consent of the data subject (Act CXII of 2011, § 5 (1) a))
  • 6726 Szeged, Temesvári körút 62.
  • Method of data processing: automated and manual
  • Deadline for deletion of data: at the personal request of the user by telephone or in writing
  • Data subjects: persons interested in the Service Provider’s investigations

2.4.5 Personal data may be transferred and different processing operations may be combined if the data subject has given his or her consent or if permitted by law and if the conditions for processing are met for each individual personal data item.

Personal data (including sensitive data) may be transferred from the country to a controller or processor in a third country, irrespective of the data medium or the means of transmission, if the data subject has given his or her explicit consent or if the law so permits and the third country ensures an adequate level of protection for the personal data concerned in the processing of the data transferred. Transfers to EEA States shall be deemed to be transfers within the territory of Hungary.

 

  3. THE RIGHTS OF DATA SUBJECTS

3.1. Data subject’s rights under the GDPR 

The data subject is entitled to: 

  • request information about the processing of his or her data and access to his or her data (right of access),
  • request the rectification of his or her data,
  • request the erasure of his or her data (right to be forgotten),
  • request the restriction of the processing of his or her data,
  • request data portability,
  • object to the processing of his or her personal data.

3.2. Access 

3.2.1 The data subject shall have the right to receive feedback on whether or not his or her personal data are being processed and, if such processing is taking place, the right to access his or her personal data and certain information relating to the processing.

3.2.2 The right of access includes, inter alia, the following information: the purposes of the processing, the categories of data processed, the recipients to whom the data have been disclosed.

3.2.3 The data subject also has the right to request a copy of the personal data processed by the controller.

3.3. Correction

3.3.1 The data subject shall have the right to have inaccurate personal data concerning him or her corrected or incomplete personal data completed at his or her request, and the Service Provider shall take the necessary and reasonable measures to ensure accurate processing.


3.4. Deletion

3.4.1 In certain cases specified in data protection legislation, the data subject has the right to have personal data concerning him or her erased at his or her request and the controller may be obliged to erase such data. For example, if the personal data are no longer necessary for the purposes for which they were collected or if the data subject withdraws the consent on the basis of which the processing was carried out and there is no other legal basis for the processing.

3.5. Limitation

3.5.1 In certain cases provided for in data protection legislation, the data subject has the right to obtain from the controller, at his or her request, restriction of processing. For example, where the data subject contests the accuracy of the personal data or where the data subject has objected to the processing.

3.5.2 Rectification, erasure and restriction must be notified to all those to whom the data were previously disclosed, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject, at his or her request, of those recipients.

3.6. Data portability

3.6.1 In certain cases, as defined in data protection legislation, the data subject has the right to receive personal data concerning him or her in a structured, commonly used, machine-readable format and the right to transmit such data to another controller.

3.6.2 The data subject may also have the right to request, where technically feasible, the direct transfer of personal data between controllers.

 

3.7 Objection

3.7.1 In certain cases specified in data protection legislation, the data subject has the right to object to the processing of his or her personal data, in which case the controller may no longer process those data. This may be the case, for example, where the processing is based on legitimate interests or where the processing is for direct marketing or profiling purposes.

3.7.2 The right to object must be explicitly brought to the attention of the data subject at the latest at the time of the first contact with the data subject and the information must be clearly displayed and separated from all other information.

3.8. Exercise of the rights of the person concerned

3.8.1 The Service Provider shall inform the data subject of the measures taken in response to the data subject’s request to exercise the rights set out above as soon as possible, but no later than 30 days from the date of receipt of the request. If the Service Provider fails to take action on the data subject’s request, it shall inform the data subject without delay, but no later than 30 days after receipt of the request, of the reasons for the failure to take action and of the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information and to exercise his/her right to judicial remedy.

3.8.2. The Data Protection Officer is responsible for responding to and dealing with requests from data subjects. The Data Protection Officer shall be informed immediately upon receipt of potential requests. 

Scope of the Policy

This Policy shall enter into force on 25 May 2018 and shall remain in force until revoked.
