Privacy Policy
1. Data Controller
Name: CORSO MRI DIAGNOSZTIKA Kft.
Address: 8800 Nagykanizsa, Ady Endre Street 6.
Representative of the Data Controller: Levente Németh, Managing Director
Contact information for the Data Controller regarding data protection:
corsomri@gmail.com
Pursuant to Article 37 of the GDPR, our company is not required to appoint a Data Protection Officer. Our Data Protection Officer: Levente Németh
This notice constitutes a unilateral commitment by the Data Controller in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) and the relevant national legislation. This Policy may be unilaterally amended and/or revoked by the Data Controller at any time, with simultaneous notification to the Data Subjects. Such notification shall be provided by publication on the website or, depending on the nature of the change, by direct notification to the Data Subjects.
2. Purpose of Data Processing
2.1 Provision of service(s) to natural persons, including:
Identifying the service user and distinguishing them from other users or interested parties
Maintaining contact, managing and recording contact information
Processing personal data necessary for the provision of the service
Legal basis for data processing: performance of the service.
Providing data is a prerequisite for the establishment of the service. Based on your prior notification and voluntary consent, we process, collect, record, organize, use, and store your personal data only to the extent necessary and always for a specific purpose. If you fail to provide the data, the Data Controller will be unable to perform the ordered service. In certain cases, the processing of your data is based on legal requirements and is mandatory. In such cases, we will specifically draw your attention to this fact. Furthermore, in certain cases, our Company or a third party has a legitimate interest in processing your personal data, such as the operation, development, and security of our website.
Scope of processed data:
- Name
- Address
- Email address
- Phone number
Possible consequence of failure to provide data: non-performance of the service.
2.2 Provision of services to legal entities, including:
Identification of the User, distinguishing them from other interested parties
Maintaining contact, managing and recording contact information
Personal contact, related documents
Performance of the service
Legal basis for data processing: Legitimate interest—The data controller has a legitimate interest in recording the contact person’s data for the purpose of performing the service.
Scope of data processed:
Name, address
Email address
Phone number
Planned duration of data processing: fulfillment of the assignment + rules regarding the retention period for documents required by law.
2.3 Issuing invoices and other mandatory documentation related to the provision of services.
Legal basis for data processing: Legal compliance (VAT Act, Accounting Act, Personal Income Tax Act). Providing this data is a prerequisite for the conclusion of the contract. If the data is not provided, the Data Controller will be unable to perform the ordered service.
Scope of data processed:
Name
Permanent address
Email address (if remote invoice printing or e-invoicing is enabled)
Possible consequence of failure to provide data: non-performance of the service.
Planned duration of data processing: expiration of the order + rules regarding the retention period for documents as prescribed by law.
2.4 Data processing related to the GDPR
Data processing, data transfer records, data protection incidents, data subject requests, and inquiries
Legal basis for data processing: legal obligation
Name
Data Protection ID
Data subject’s request, date, type, content, description of the event
Outcome and consequences of the data subject’s request
Date, documentation, and outcome of the incident
Names of participants
3. Advertising of service(s), provision of information to data subjects
Service, location, contact, registration
Legal basis for data processing: legitimate interest—the data controller’s legitimate interest is direct marketing. Scope of processed data: email address, name.
By using a service, the data subject provided the data controller with the following data. In this notice, the data controller informs the data subject of the data processed in connection with the recorded activities, reclassifies the purpose of data processing by invoking legitimate interest, and uses it for the purpose of direct marketing.
Source of data: the data controller lawfully processed the data subjects’ data for other data processing purposes.
Planned duration of data processing: until objection is raised
4. Data Subjects
Natural persons who use the data controller’s services, natural persons acting on behalf of legal entities, and the contact persons of partners with whom the data controller has a contractual relationship.
5. Information on the Use of Data Processors
During data processing, the data controller transfers the data to the data processor(s) contracted with it for the performance of the contract.
Categories of recipients: IT operator, web hosting provider, web content developer, accounting service provider, bank terminal.
6. Persons Authorized to Access the Data
The data controller shall not disclose the data to third parties, with the exception of the data processor(s) specified in Section 5. The recorded data may only be accessed by the data controller’s employees and the designated employees of the data processor(s).
7. Processing of Data Received from Third Parties
If the Partner provides the Data Controller with data pertaining to a natural person other than themselves (e.g., in the case of a reservation), it is the sole responsibility of the User/Partner to ensure that such data was provided with the consent, knowledge, and appropriate notification of the natural person. The Data Controller is not obligated to verify the existence of these conditions. The Data Controller draws the Partner’s attention to the fact that if the Partner fails to fulfill this obligation and the Data Subject subsequently asserts a claim against the Data Controller, the Data Controller may pass on the asserted claim and the amount of related damages to the Partner.
8. Rights of Data Subjects
The Data Subject may, using the contact details specified in Section 1, request from the Data Controller
information regarding the processing of their personal data,
correction, modification, or supplementation of their data,
object to the processing of their data and request the erasure or blocking of their data (with the exception of mandatory data processing)
seek legal remedy before a court
file a complaint with the supervisory authority or initiate proceedings
The Data Subject may exercise the above rights at any time.
The Data Subject may also, via one of the contact addresses specified in Section 1:
request the transfer of their data to another data controller, provided that the data processing is based on a contract or consent and the Company processes the data using automated means;
withdraw their previously given consent to data processing.
The Data Controller shall process or reject (with justification) the request within one month of its submission—or, in exceptional cases, within a longer period permitted by law. The Data Controller shall inform the Data Subject of the outcome of the investigation in writing.
8.1 Cost of Providing Information
The Company provides the measures and necessary information free of charge on the first occasion.
If the Data Subject requests the same data a second time within one month, and such data has not changed during that period, the Data Controller will charge an administrative fee.
The basis for calculating the administrative fee is the hourly rate derived from the current minimum wage.
The number of working hours spent providing the information is billed at the aforementioned hourly rate.
Furthermore, in the case of a request for information in paper form, the printing cost of the response at cost price and the postage cost are also charged.
8.2 Refusal to Provide Information
If the data subject’s request is clearly unfounded, the data subject is not entitled to the information, or the Company, as the data controller, cannot prove that the data subject possesses the requested information, the data controller shall reject the request for information.
If the data subject’s request is excessive—particularly due to its repetitive nature—the Company may refuse to act on the request if the data subject submits a request to exercise their rights under Articles 15–22 regarding the same matter for the third time within one month.
8.3 Right to Object
The data subject has the right to object at any time to the processing of their personal data based on legitimate interests or the exercise of official authority.
In such a case, the Company may no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or that are related to the establishment, exercise, or defense of legal claims.
If the Data Controller determines that the objection is well-founded, it shall cease data processing—including data transfer and further data collection—as soon as possible. It shall notify all parties to whom it has previously transferred the Data Subject’s data of the objection.
Processing the request is free of charge, except for unfounded or excessive requests, for which the Data Controller may charge a reasonable fee corresponding to its administrative costs. If the Data Subject disagrees with the decision made by the Data Controller, they may bring the matter before a court. The adjudication of data protection lawsuits falls within the jurisdiction of the court; at the Data Subject’s discretion, the lawsuit may also be filed before the court of the Data Subject’s place of residence or stay. Foreign nationals may also file a complaint with the competent supervisory authority in their country of residence.
9. Transfer of Data to a Third Country or International Organization
The Data Controller will NOT transfer the Data Subject’s personal data or recordings to a third country outside the European Economic Area or to an international organization.
10. Information on data security measures
The Data Controller processes the data in a closed system in accordance with the requirements of its Information Security Policy. The Data Controller ensures data protection by design and by default. To this end, the Data Controller implements appropriate technical and organizational measures to:
strictly regulate access to data;
grant access only to those persons who need the data to perform their duties, and even then, allow access only to the data that is strictly necessary for the performance of those duties;
carefully select the data processors it engages and ensure data security through an appropriate data processing agreement;
ensure the integrity, authenticity, and protection of the data being processed.
The Data Controller shall implement reasonable physical, technical, and organizational security measures to protect the data subject’s data, particularly against accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, use, access, or processing. The Data Controller shall immediately notify the Data Subject in the event of known unauthorized access to personal data or the use thereof that poses a high risk to the Data Subject. If the transfer of the Data Subject’s data is necessary, the Data Controller shall ensure the adequate protection of the transferred data, for example by encrypting the data file.
The Data Controller bears full responsibility for the processing of the Data Subject’s data carried out by third parties. The Data Controller also ensures, through appropriate and regular backups, that the Data Subject’s data is protected against destruction or loss.
11. Data Processing Related to the Website
11.1 Information Regarding the Data of Visitors to the Company’s Website
Visitors to the website must be informed about the use of cookies on the website, and their consent must be requested for this purpose—with the exception of session cookies that are technically essential. The purpose of data processing: to ensure the proper functioning of the website. These cookies are necessary to allow visitors to browse the website and use its features and the services available through the website seamlessly and fully, including, among other things, recording the actions performed by the visitor on the relevant pages or identifying the logged-in user during a visit. The duration of data processing for these cookies applies exclusively to the visitor’s current visit; once the session ends or the browser is closed, this type of cookie is automatically deleted from your computer.
The legal basis for this data processing is Section 13/A(3) of Act CVIII of 2001 on Certain Issues Concerning Electronic Commerce Services and Information Society Services (Elkertv.), which provides that a service provider may process personal data that is technically indispensable for the provision of the service for the purpose of providing that service. Provided that all other conditions are the same, the service provider must select and, in all cases, operate the tools used in the provision of information society services in such a way that personal data is processed only if it is absolutely necessary for the provision of the service and the fulfillment of other purposes specified in this Act; however, even in such cases, only to the extent and for the duration necessary.
Accepting or allowing the use of cookies is not mandatory. You can reset your browser settings to reject all cookies or to notify you when the system is sending a cookie. While most browsers automatically accept cookies by default, these settings can generally be changed to prevent
Cookies used on the website: technically essential session cookies. Cookies that enhance usability: these remember the user’s preferences, such as how the user prefers to view the site. These types of cookies essentially consist of settings data stored in the cookie.
The legal basis for data processing is the visitor’s consent.
Purpose of data processing: To increase the efficiency of the service, enhance the user experience, and make the website more convenient to use. This data is primarily stored on the user’s device; the website merely accesses it and uses it to recognize the visitor.
Legal basis for data processing: the data subject’s consent. Purpose of data processing: website analysis,
Information on technical data generated during the visit: During operation, data from the visitor’s computer that is generated while using the service and recorded by the service provider’s system as an automatic result of technical processes is technically logged.
This data cannot be linked to other personal user data. Only the service provider has access to this data. Data processed during a visit: While using the website, the following data regarding the visitor and the device used for browsing may be recorded and processed: the visitor’s IP address, browser type, operating system characteristics of the device used for browsing, time of visit, and the page, feature, or service visited. We retain this data for a maximum of 90 days and may use it primarily to investigate security incidents.
11.2 Registration
Registration is required to log in to the website; this is generated by the individual and protected by a password. The scope of personal data processed includes: the individual’s name (last name, first name), email address, phone number, social security number, date of birth, and gender. The purpose of processing personal data is:
1. Provision of services offered on the website.
2. Contact via email, phone, or SMS.
3. Providing information about the Company’s services and terms and conditions.
4. Analysis of website usage.
The legal basis for data processing is the data subject’s consent.
Recipients of personal data and categories of recipients: the Company’s employees performing tasks related to customer service and healthcare services; the Company’s IT service provider and employees providing hosting services, acting as data processors.
Duration of personal data storage: as long as the registration/service remains active, or until the data subject withdraws their consent (or requests deletion).
11.3 Rules for Presence on Social Media
The Company maintains a presence on the following social media platforms: Facebook. Categories of data subjects: natural persons who follow the Company’s social media page. The legal basis for data processing when following the Company’s social media page is the data subject’s voluntary consent. Categories of data subject to processing: The Company does not process data posted on the social media page by visitors or by individuals sharing content; the purpose of the Company’s social media presence is to share and promote content related to the Company’s services on the social media page and to maintain contact with followers regarding the aforementioned topics. The Company processes the names of its followers but does not process other data posted by followers on the social media platform; such data is subject to the provisions of the social media platform’s privacy policy. Categories of data recipients: the Company’s agents responsible for managing its social media platform, and the Company’s management. Duration of data processing: until the data subject withdraws their consent.
12. Processing of Health Data in Connection with Contract Performance
As a healthcare provider, the Company processes the health data of natural persons who enter into contracts with it in accordance with applicable laws. The data controller is obligated to maintain medical confidentiality. Data subjects: all natural persons who enter into a contractual relationship with the Company and provide their voluntary, explicit consent, based on adequate information, to the processing of their health data for the purpose of providing healthcare services.
Legal basis for data processing: performance of a contract, consent of the data subject, compliance with a legal obligation.
Purpose of data processing: registration for the purpose of providing healthcare services, provision of appropriate healthcare services, and promotion of the preservation, improvement, and maintenance of the data subject’s health.
Recipients of personal data: the Company’s employees who provide healthcare services and its data processors.
The scope of personal data processed: data relating to the data subject’s health that provide information about the data subject’s past, present, or future physical or mental health, including a number, sign, or data assigned to a natural person for the purpose of identifying them for medical purposes; information derived from the testing or examination of a body part or bodily substance—including genetic data and biological samples; and any information relating, for example, to the data subject’s disease, disability, risk of disease, medical history, clinical treatment, or physiological or biomedical condition. The retention period for health data recorded in medical records is 30 years from the date of data collection. The retention period for the final report is 50 years. The retention period for images produced by diagnostic imaging procedures is 10 years, and the corresponding findings must be retained for 30 years.
13. Applicable Laws
The laws governing data processing activities carried out by the Data Controller:
Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: “GDPR”),
Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: “Info Act”), as well as Act XXXVIII of 2018 on the amendment of Act CXII of 2011 on the right to informational self-determination and freedom of information in connection with the European Union’s data protection reform, and on the amendment of other related acts
Act C of 2000 on Accounting (hereinafter: “Accounting Act”),
Act V of 2013 on the Civil Code (hereinafter: “Civil Code”),
Act CLV of 1997 on Consumer Protection (hereinafter: “Consumer Protection Act”)
Act C of 2003 on Electronic Communications (“Ehtv”)
Act CLXV of 2013 on Complaints and Reports in the Public Interest (“Complaints Act”)
Act XLVIII of 2008 on the Fundamental Conditions and Certain Restrictions of Commercial Advertising Activities (“Commercial Advertising Act”)
Legal Remedies
You have the right to
request information about the processing of your data
request the correction, modification, or supplementation of your personal data processed by us
object to the processing of your data and request the erasure or blocking of your data (except in cases of mandatory data processing)
seek legal remedy before a court
file a complaint with the supervisory authority or initiate proceedings (https://naih.hu/panaszugyintezes-rendje.html)
Supervisory Authority: National Authority for Data Protection and Freedom of Information (Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C, mailing address: 1530 Budapest, P.O. Box 5). Phone: +36 (1) 391 1400, email: ugyfelszolgalat@naih.hu
Nagykanizsa, January 1, 2026