Data processing policy
Stroke Neuro Rehab Ltd.
Stroke Neuro Rehab Hungary
Internal data management and data security policy
Headquarters:
4200, Hajdúszoboszló, Brody Sandor Street 28-30.
Location:
4200, Hajdúszoboszló, Brody Sandor Street 28-30.
Managing Director: Petra Tóth-Viszlay
I. Scope of the regulations
This regulation applies to the activities of Stroke Neuro Rehab Ltd. (Stroke Neuro Rehab Hungary) as an enterprise in Hungary, to all its organizational units and to all its employees (hereinafter referred to as the enterprise).
II. Purpose of the regulations
1. The purpose of the Regulations is to ensure the protection of personal data in accordance with the Fundamental Law, the realization of informational self-determination, and to determine the data protection and data security rules governing data management with regard to personal data processed by the enterprise.
III. Governing legislation
2. The enterprise must act in accordance with the provisions of the following legal acts during its data processing, as set out in these internal regulations:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as GDPR)
Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: Infotv.)
Act V of 2013 on the Civil Code (hereinafter referred to as: Civil Code)
Act I of 2012 on the Labor Code (hereinafter referred to as: Mt.)
Act LXXV of 2007 on the Hungarian Chamber of Auditors, on auditing activities and on public oversight of auditors (hereinafter referred to as: Kkt.)
IV. Interpretative provisions
3. The terms defined in the GDPR apply; of these, the following should be highlighted given the nature of these internal regulations:
a) personal data: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b) data management: any operation or set of operations which is performed on personal data or data files, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
c) data controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law.
d) data processor: the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
e) recipient: the natural or legal person, public authority, agency or any other body to which the personal data are disclosed, whether or not it is a third party. Public authorities which have access to personal data in the context of an individual investigation in accordance with Union or Member State law shall not be considered recipients; the processing of those data by such public authorities shall be in accordance with the applicable data protection rules in accordance with the purposes of the processing.
f) third party: the natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct control of the controller or processor, are authorised to process personal data.
g) registration system: a collection of personal data, structured in any way – centralized, decentralized, or according to functional or geographical aspects – that is accessible based on specific criteria.
h) data protection incident: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
i) representative: a natural or legal person established or resident in the European Union and designated in writing by the controller or processor pursuant to Article 27, who represents the controller or processor in relation to the obligations incumbent on the controller or processor under this Regulation.
j) enterprise: a natural or legal person engaged in economic activity, regardless of its legal form, including partnerships and associations engaged in regular economic activity.
Additional concepts:
k) data asset inventory: a document used to assess the scope and nature of personal data processed by the data controller.
l) technical and organizational measures: procedures, appropriately defined by the controller, taking into account the nature, scope, circumstances and purposes of the processing and the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure and demonstrate that the processing of personal data is carried out in accordance with the GDPR. These measures shall be reviewed by the controller and updated where necessary.
V. Principles of data processing
4. The company processes data lawfully and fairly, and in a manner that is transparent to the data subject (lawfulness, fairness and transparency).
5. The company collects personal data only for specified, explicit and legitimate purposes and does not process them in a manner incompatible with these purposes (purpose limitation).
6. The company processes data in a manner that is appropriate and relevant to its purpose(s) and limited to what is necessary (data economy). Accordingly, the company does not collect or store more data than is strictly necessary to achieve the purpose of the processing.
7. The company's data processing is accurate and up-to-date. The company takes all reasonable steps to ensure that personal data that are inaccurate for the purposes of the processing are erased or rectified without delay (accuracy).
8. The company stores personal data in a form that allows the identification of data subjects only for the time necessary to achieve the purposes of processing the personal data, taking into account the storage obligation specified in the relevant legislation (limited storage).
9. The company ensures adequate security of personal data by applying appropriate technical or organizational measures, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage to personal data (integrity and confidentiality).
10. The company is responsible for compliance with the principles detailed above, and the company demonstrates this compliance (accountability). Accordingly, the company ensures the continuous enforcement of the provisions of this internal regulation, the continuous review of its data processing and, if necessary, the modification and supplementation of data processing procedures. The company prepares documentation to demonstrate compliance with legal obligations.
VI. Legal basis for data processing
11. The processing of personal data is lawful only if and to the extent that at least one of the legal grounds specified in points 13-18 is met:
12. The data subject has given his/her consent to the processing of his/her personal data for one or more specific purposes (hereinafter: data processing based on consent).
13. The processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the data subject's request prior to entering into a contract (hereinafter referred to as: processing based on a contract).
14. Data processing is necessary for the fulfillment of a legal obligation applicable to the enterprise (hereinafter: data processing based on a legal obligation).
15. Data processing is necessary to protect the vital interests of the data subject or another natural person (hereinafter: data processing based on vital interests).
16. The processing of data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the undertaking (hereinafter referred to as: processing based on official authority).
17. Data processing is necessary for the purposes of the legitimate interests pursued by the company or a third party, unless these interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (hereinafter referred to as: processing based on legitimate interests).
18. The company always processes data based on only one legal basis for the processing of a given set of personal data. The legal basis for data processing may change during data processing.
VII. Data Asset Inventory
19. The enterprise shall prepare a data asset inventory in order to establish technical and organizational measures in accordance with the obligations prescribed by the GDPR and the laws and regulations regarding the data processing carried out within the scope of its activities. The data asset inventory shall include all data sets managed by the enterprise.
20. In connection with the data management activities of the enterprise, the following are defined in the data asset inventory:
a) the data subject [e.g. customer, employee]
b) the name and purpose of the data processing [for example, the provision of functional rehabilitation activities based on a legal obligation, subcontracted data processing]
c) scope of the processed data [name, address, telephone number, e-mail address, commission fee]
d) scope of potentially processed special data [health data]
e) legal basis for data processing [contract, law, legitimate interest]
f) duration of data management [8 years according to the Accounting Act]
g) who can access personal data within the company's organization [administrative staff, subcontractors performing healthcare activities]
h) to whom the data may be transmitted [e.g. chamber, other authority]
i) the company does not employ a data processor; only the managing director, the subcontracted trainers and the website manager have access to personal data
21. The company does not carry out data processing activities
VIII. Rights of the data subject and their enforcement
22. The company provides the following to data subjects in accordance with the provisions of the GDPR.
Right to information
23. The data subject has the right to information regarding all legal bases for data processing.
24. The enterprise provides information to the data subjects in a concise, transparent, understandable and easily accessible form, formulated in a clear and understandable manner.
25. Information shall be provided in writing or by other means, including, where appropriate, electronic means.
Information at the request of the data subject
26. At the request of the data subject, verbal information may also be provided, provided that the data subject's identity has been verified in another way.
27. The enterprise shall inform the data subject without undue delay, but in any case within 30 days of receipt of the request, of the measures taken in response to the data subject's request regarding other data subject rights.
28. If necessary, taking into account the complexity of the request and the number of requests, the 30-day deadline may be extended by a further 60 days. The undertaking shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within 30 days of receipt of the request. If the data subject submitted the request electronically, the information shall be provided electronically, if possible, unless the data subject requests otherwise.
29. Information and action must be provided free of charge.
30. If the data subject's request is manifestly unfounded or excessive, in particular because of its repetitive nature, the undertaking may, taking into account the administrative costs involved in providing the requested information or communication or taking the requested action:
a) charge a reasonable fee, or
b) refuse to take action on the request.
31. The burden of proving that the request is manifestly unfounded or excessive shall be on the undertaking.
Mandatory information
32. If the enterprise has obtained the data directly from the data subject (including in particular customers), the enterprise shall in any case provide information on the following:
a) the identity and contact details of the undertaking's representative, if any;
b) we do not employ a separate data protection officer; the executive director holds this position:
Petra Tóth-Viszlay
phone: +36 70/388-0697
c) the purpose of the planned processing of personal data and the legal basis for the processing
d) in the case of data processing based on legitimate interest, the legitimate interests of the company or a third party;
e) where applicable, the recipients of the personal data
f) where applicable, the fact that the undertaking intends to transfer personal data to a third country or to an international organisation,
33. At the time of first obtaining personal data, the company shall, in addition to the above, inform the data subjects of the following:
a) the period of storage of personal data (8 years)
b) the right of the data subject to request from the company access to personal data concerning him or her, their rectification, erasure or restriction of processing in the case of data processing under certain legal bases, and to object to the processing of such personal data in the case of data processing under certain legal bases, as well as the right of the data subject to data portability;
c) in the case of data processing based on consent, the right to withdraw consent at any time, which does not affect the lawfulness of the data processing carried out on the basis of consent before its withdrawal;
d) the right to submit a complaint to the supervisory authority (National Data Protection Authority, hereinafter referred to as the Authority or NAIH);
e) whether the provision of personal data is based on legal regulations and is a prerequisite for concluding a contract, and whether the data subject is obliged to provide the personal data. Failure to provide data shall preclude the conclusion of the contract.
34. If the company intends to further process personal data for a purpose other than the purpose for which they were collected, it shall inform the data subject of this different purpose and of any relevant additional information referred to in point 34 prior to further processing.
35. The undertaking may comply with the mandatory information in several ways.
a) The company publishes the information contained in point 34 (under the title “Data Processing Information”) on its website in a way that is easy to find and easily accessible to anyone.
36. If the enterprise did not obtain the data processed in the course of performing healthcare activities based on a legal obligation directly from the data subject, the enterprise does not have the information obligation to the data subject as described in points 33 and 34.
Right of access
37. The data subject has the right of access in relation to all legal bases for data processing.
38. The data subject has the right to receive feedback from the company as to whether his or her personal data is being processed and, if such processing is taking place, to have access to the personal data and the following information:
a) the purposes of data processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed by the undertaking
d) where applicable, the planned period for which the personal data will be stored
e) the right of the data subject to request from the company the rectification of personal data concerning him or her, the erasure of such data or restriction of its processing in the case of data processing based on certain legal grounds, and the right to object to the processing of such personal data in the case of data processing based on certain legal grounds;
f) the right to lodge a complaint with the supervisory authority;
g) if the data were not collected from the data subject, all available information on their source;
h) the fact of automated decision-making, including profiling, and at least in these cases, intelligible information on the logic involved and the significance and foreseeable consequences of such processing for the data subject.
39. The enterprise shall provide the data subject with a copy of the personal data subject to data processing.
40. For additional copies requested by the data subject, the enterprise may charge a reasonable fee based on administrative costs, the amount of which is included in the enterprise's pricing policy, other regulations, or other documents.
Right to rectification
41. The data subject has the right to rectification in relation to all legal bases for data processing.
42. The company shall, upon request of the data subject, rectify inaccurate personal data concerning the data subject without undue delay. The data subject shall have the right to request that incomplete personal data be completed, including by means of a supplementary statement.
Right to erasure (to be forgotten)
43. The data subject does not automatically have the right to erasure (to be forgotten) in relation to data processing related to all legal bases.
44. The company shall erase personal data concerning the data subject without undue delay if one of the following reasons applies:
a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
b) the data subject withdraws his/her consent which forms the basis of the data processing (in the case of data processing based on consent) and there is no other legal basis for the data processing;
c) the data subject objects to the data processing and there is no overriding legitimate reason for the data processing in the case of data processing legal grounds applied in accordance with points 17 and 18 (data processing based on public authority or legitimate interest)
d) the personal data have been processed unlawfully;
e) the personal data must be erased for compliance with a legal obligation under Union or Member State law applicable to the undertaking;
45. The enterprise will not comply with the data subject's request for erasure if the data processing is necessary to comply with a legal obligation applicable to the enterprise requiring the processing of personal data.
46. If the enterprise receives a request for erasure, the enterprise will first examine whether the request for erasure actually originates from the right holder. To this end, the enterprise may request data used to identify the contract between the data subject and the enterprise (e.g. contract number, contract date), the identification number of the document issued by the enterprise to the data subject, and the personal identification data recorded about the data subject (however, the enterprise may not request additional data as identification that is not recorded about the data subject).
47. If the business must comply with the deletion request, it must do everything possible to ensure that the personal data is deleted from all databases.
48. The company shall record the deletion in order to be able to prove that the deletion has taken place. The record shall be signed by the company's representative, Petra Tóth-Viszlay, or by the person(s) who are authorized to do so under the contract. The record of deletion shall include:
a) the name of the person concerned
b) the type of personal data deleted
c) the date of deletion.
49. The company shall inform all those to whom the personal data has been transmitted of the obligation to erase.
Right to restriction of data processing
50. The data subject has the right to restriction in relation to all legal bases for data processing.
51. The enterprise shall restrict data processing at the request of the data subject if one of the following applies:
a) the data subject disputes the accuracy of the personal data, in which case the restriction shall apply for a period of time enabling the company to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the data and instead requests the restriction of their use;
c) the company no longer needs the personal data for the purposes of data processing, but the data subject requires them for the establishment, exercise or defense of legal claims; or
d) the data subject has objected to the processing in the case of legal grounds for data processing applied in accordance with points 17 and 18 (data processing based on public authority or legitimate interest); in this case, the restriction applies for the period until it is determined whether the legitimate grounds of the enterprise override those of the data subject.
52. If data processing is subject to restrictions pursuant to the previous point, such personal data may, with the exception of storage, only be processed with the consent of the data subject, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important public interest reasons of the European Union or of a Member State.
53. The company shall inform all those to whom the personal data has been transmitted of the obligation.
Objection
54. The data subject has the right to object in the case of data processing based on public authority or legitimate interest.
55. In the event of the data subject's objection, the enterprise may no longer process the personal data, unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or which relate to the establishment, exercise or defence of legal claims.
56. If personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him or her for this purpose.
57. If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for this purpose.
Right to data portability
58. The data subject has the right to data portability in the case of data processing based on consent or contract, if the data processing is carried out by automated means.
59. The company shall ensure that the data subject receives the personal data concerning him or her, which he or she has provided to the company, in a structured, commonly used and machine-readable format and that the data subject may transmit these data to another data controller.
IX. Records of data processing activities
60. The enterprise keeps records of data processing activities in order to be able to monitor and verify compliance with the GDPR, following the principle of accountability.
61. The enterprise shall keep at least the following records of the data processing activities carried out under its responsibility:
a) record of data transfer
b) registration of requests for the enforcement of data subject rights and the responses given by the enterprise
c) registration of official requests and the responses given by the enterprise
d) registration of requests for termination of data processing
e) customer registration
f) registration of marketing inquiries
g) registration of subcontracts
h) registration of data protection incidents.
62. The enterprise shall keep records of the data processing activities specified in point 62 carried out under its responsibility with the following content:
a) the name and contact details of the undertaking and, if any, the name and contact details of the undertaking's representative;
b) the purposes of data processing;
c) description of the categories of data subjects and the categories of personal data;
d) categories of recipients to whom personal data are or will be disclosed
e) where applicable, information on the transfer of personal data to a third country;
f) the deadlines for erasing the different categories of data;
63. The enterprise shall keep records in writing, on paper and in electronic format.
64. The company uses the following forms when establishing contact with and registering Patients:
a) General Patient Consent Statement (ARNI practical training method, for people with neurological and brain injuries) Annex 2
b) Stroke Neuro Rehab Treatment Sheet Annex 3
c) Application form for treatment Annex 4
X. Data security provisions
65. The enterprise shall implement appropriate technical and organizational measures, taking into account the state of science and technology and the costs of implementation, the nature, scope, circumstances and purposes of data processing, and the risk of varying likelihood and severity to the rights and freedoms of natural persons, in order to guarantee a level of data security appropriate to the degree of risk.
66. According to the previous provisions, the enterprise is obliged to guarantee the confidentiality, integrity and availability of the data it processes.
67. In order to determine the appropriate level of data security measures, the enterprise assesses each data file it manages in terms of its protection needs and classifies it into a security level.
68. To determine the security level of each data processing operation, the following must be analyzed:
a) the risk and expected damage associated with unauthorized access, alteration, deletion of processed personal data, damage to hardware and software devices;
b) whether the damaged data file can be restored, as well as the costs of any restoration, the availability of data sources necessary for the reproduction of personal data, and the possibility of replacing lost data from manual background records;
c) whether it is justified to apply differentiated security standards in view of the nature of the personal data processed;
d) other risk elements that threaten data security;
69. In order to achieve the security of data processing, the enterprise applies physical, logical and administrative controls together.
70. The undertaking shall apply at least the following physical controls:
a) in order to avoid unauthorized access to the data it processes both electronically and on paper, the enterprise ensures that unauthorized persons cannot physically access the processed data [locking offices and operating rooms; placing monitors in such a way that only authorized persons can see the data on them; only data carriers audited by the enterprise can be connected to computers].
71. The company applies at least the following logical controls:
a) the company ensures that only those with the appropriate authorization (manager and contracted trainers) have access to the data it processes (access to the internal computer network is tied to a username and password).
72. The undertaking shall apply at least the following administrative controls:
a) the enterprise ensures that any access to personal data can be tracked in documentation
b) the enterprise ensures the development of a document management procedure so that documents containing personal data received in error are filtered out as soon as possible and are made available to the smallest possible circle of persons.
XI. Handling of data protection incidents
73. In the absence of appropriate and timely action, a data breach may cause physical, material or non-material damage to natural persons, including loss of control over their personal data or restriction of their rights, discrimination, identity theft or misuse, financial loss, damage to reputation, breach of the confidentiality of personal data protected by professional secrecy, or other significant economic or social disadvantage to the natural persons concerned.
74. The enterprise shall report the data protection incident to the authority without undue delay and, if possible, no later than 72 hours after it became aware of the data protection incident.
75. A data breach does not need to be notified to the authority if the data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
76. If the notification is not made within 72 hours, the reasons justifying the delay must be attached.
77. If it is necessary to report a data protection incident to an authority, the report shall include:
a) a description of the nature of the data breach, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of data affected by the breach;
b) the name and contact details of the data protection officer or other contact person who can provide further information;
c) a description of the likely consequences of the data protection incident;
d) a description of the measures taken or planned by the undertaking to remedy the data protection incident, including, where applicable, measures aimed at mitigating any adverse consequences resulting from the data protection incident.
78. If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the enterprise shall inform the data subject about the personal data breach without undue delay.
79. The information provided in accordance with point 79 must clearly and intelligibly explain to the data subject the nature of the data protection incident and must state:
a) the name and contact details of the data protection officer or other contact person who can provide further information;
b) the likely consequences of the data protection incident;
c) the measures taken or planned by the undertaking to remedy the data protection incident, including, where applicable, measures aimed at mitigating any adverse consequences resulting from the data protection incident.
80. The data subject does not need to be informed if any of the following conditions are met:
a) the undertaking has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the data breach, in particular measures that make the data unintelligible to persons not authorised to access the personal data, such as the use of encryption;
b) the enterprise has taken further measures following the data protection incident to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
c) the provision of information would involve a disproportionate effort. In such cases, the data subjects shall be informed by means of publicly available information or a similar measure shall be taken which ensures that the data subjects are informed in a similarly effective manner.
XII. Management of customer data
81. In relation to the party signing the contract and the personal data relating to that party, the legal basis for data processing is the contract.
82. The legal basis for the processing of personal data (such as the contact details included in the contract) that becomes available to the enterprise in the framework of the performance of the contract referred to in the previous point is the legitimate interest of the enterprise.
83. The balancing test(s) performed regarding the processing of the given range of personal data form an annex to this policy.
XIII. Data processing related to employment
The company does not employ or plan to employ any employees.
XIV. Provisions regarding the use of a data processor
84. If data processing is carried out on behalf of the enterprise by someone else [server service, website operation], the enterprise may only use data processors who provide adequate guarantees for the implementation of appropriate technical and organizational measures to ensure compliance with the GDPR requirements and the protection of the rights of data subjects.
85. The data processor may not use an additional data processor without the prior written ad hoc or general authorization of the enterprise.
86. In relation to the data processing carried out by the data processor, the enterprise and the data processor shall enter into a contract. This contract shall specify the subject matter, duration, nature and purpose of the data processing, the type of personal data, the categories of data subjects, and the obligations and rights of the enterprise.
87. The contract referred to in the previous point shall, in particular, require that the data processor:
a) processes personal data exclusively on the basis of the written instructions of the enterprise,
b) ensures that persons authorised to process personal data undertake a confidentiality obligation or are subject to an appropriate confidentiality obligation based on law;
c) applies data security measures at least at the level required by the enterprise;
d) respects the above-mentioned conditions for the use of the additional data processor;
e) taking into account the nature of the data processing, assists the enterprise to the extent possible, by means of appropriate technical and organizational measures, in fulfilling its obligation to respond to requests related to the exercise of the data subject's rights;
f) assists the enterprise in fulfilling its obligations relating to data protection incidents, taking into account the nature of the data processing and the information available to the data processor;
g) undertakes to immediately inform the company in the event of a data protection incident occurring;
h) after the end of the provision of the data processing service, deletes or returns all personal data to the enterprise, at the enterprise's discretion, and deletes existing copies, unless EU or Member State law requires the storage of personal data.
88. The data processor and the person with access to personal data may process this data only in accordance with the instructions of the enterprise.
XIV. Effective and final provisions
89. These regulations shall enter into force on May 25, 2018.
Annex 1
Balance of interests test – regarding contractual contact details –
SAMPLE
Subject of data processing: Processing of certain personal data of contact persons (hereinafter: data subjects) included in the contract for the performance of auditing activities based on the statutory obligation pursuant to Section 45 of the Hungarian Accounting Act (hereinafter: contract).
Legitimate interest legal basis: After examining the provisions of Article 6 of the GDPR, the company concluded that the lawfulness of the processing of data of natural persons (data subjects) who are not signatories to the contract can be based on the legitimate interest of the data controller pursuant to Article 6 (1) f) of the GDPR.
Personal data to be processed: Name, work telephone number and work email address of the contact person (data subject) under the contract. Personal data is provided by the person signing the contract as the data controller's client.
Purpose of data processing: Maintaining contact necessary to fulfill the obligations set out in the contract.
Legitimate interest: To facilitate the effective performance of the contract by the company.
Rights of the data subject that may be violated: Right to be named; identification of a natural person based on other data
Balancing of interests: The enterprise has the interest of performing its activities as efficiently as possible, in order to be able to devote sufficient time to the professional fulfillment of its contractual obligations. Administrative tasks and needs related to the fulfillment of the contract (for example, obtaining documents) can be implemented and satisfied as efficiently as possible by maintaining contact with a person employed by the enterprise's client who is responsible for these tasks and is competent to perform them. The enterprise has a relevant and appropriate relationship with the data subject, since the data subject is employed by the data controller's client.
Guarantees: The company processes the data of the data subject solely for the purpose of fulfilling the provisions of the contract. The company is also bound by the confidentiality provisions of the contract. The company has strict internal data management procedures in place, and only authorized persons have access to the data; the data will not be forwarded.
Summary: Based on the above, the company considers that its legitimate interest in processing the data of the contact persons included in the contract concluded with the customer can be established, and the legitimate interest is not overridden by the rights and freedoms of the individual.
Date: Budapest, May 25, 2018.
……………………………………………
Petra Tóth-Viszlay
Managing Director
Stroke Neuro Rehab Ltd.
Annex 2
GENERAL PATIENT – CONSENT STATEMENT (ARNI practical training method, for people with neurological and brain injuries)
Annex 3
CONTROL PANEL
Annex 4
APPLICATION FORM FOR TREATMENT