PRIVACY STATEMENT
In connection with the processing of data, Delta Bio 2000 Ltd., as the Data Controller (Service Provider) hereby informs Users of the website about the personal data processed on the website, the principles and practices followed in the processing of personal data, the organizational and technical measures taken to protect personal data, as well as the ways and means of exercising the rights of the persons concerned. The Service Provider shall treat the personal data recorded confidentially, in accordance with data protection legislation and international recommendations, and in accordance with this Statement.
By using the website, you accept as a User the provisions of this Privacy Statement.
DATA PROTECTION INFORMATION
1. Delta Bio 2000 Ltd. processes the data of persons who have logged in to the site or registered to use the service during the operation of the website and the DeltaGene program in order to provide them with an appropriate service. Delta Bio 2000 Ltd. processes and protects personal data in accordance with the applicable data protection legislation when using the system.
2. Delta Bio 2000 Ltd. may keep the following data about individual Users and patients:
Personal data:
- Name;
- Address;
- Place and date of birth;
- Mother's name;
- Social security number;
- E-mail address and telephone number;
- Occupation;
- Marital status;
- Family medical history
Specific data may include:
- general data on health status;
- description of the disease;
- disease details;
- pathology;
- previous treatments and their effectiveness;
- sample type;
- molecular diagnostic test results of the sample;
- acquired and inherited genetic variations;
- name of treating physician(s);
- details of previous medical treatments
3. Delta Bio 2000 Ltd. uses information about individual Users for the following purposes:
- registration for the purpose of using the Delta Bio 2000 Ltd. IT system;
- for the purposes of providing, monitoring, revising, or improving the services related to the system;
- for Delta Bio 2000 Ltd. to fulfil its contractual obligations and exercise its rights vis-à-vis the User, as part of its consumer protection procedures and to fulfil any similar contractual obligations; and to communicate with the User in connection with the above;
- for the purpose of providing the User with molecular diagnostic tests, in the course of which the data will be shared with the authorised medical practitioner, biologist, medical assistant of Delta Bio 2000 Ltd.;
- IVDR for medical device development;
- to send the User personalised information by email, post or telephone about new clinical trials, new scientific discoveries, new diagnostic and therapeutic procedures, if the User has requested or authorised this in their personal settings;
- to request a medical second opinion for the User, where the User can make a specific statement in their personal settings to allow the sharing of personal data;
- the User themselves may share their data with other Users (patients and doctors) within the system;
- for statistical, analytical analysis in an anonymised form combined with data from other Users and for publication;
- the anonymised data of the User to enable the system to provide better decision support for the treatment of similar Users (patients);
- the anonymised User data in a statistical context to assist third parties in the development of new diagnostic methods.
4. Delta Bio 2000 Ltd. shall keep information about the User only for as long as it is strictly necessary to reach the purpose for which it was collected and is suitable for the purpose for which it was collected, or for as long as permitted by any contract or law. Delta Bio 2000 Ltd. will not collect information to an extent that is unnecessary or information that is unnecessary or inappropriate for the purpose for which it is collected.
5. Upon the User's request, Delta Bio 2000 Ltd. shall provide information on the data handled by it or processed by it or by a data processor commissioned by it, on their source, the purpose, legal basis and duration of the data processing, the name, address, and activities of the data processor, and – in the case of the transfer of the User's data – the transfer's legal basis and recipient.
6. Delta Bio 2000 Ltd. will not disclose personal data related to the User to third parties without the User's consent, except in cases where it is necessary or desirable to disclose information about the User to other companies, financial institutions, or public authorities (as defined by law) for crime prevention or consumer protection reasons; if required or permitted by law, or if Delta Bio 2000 Ltd. is required to do so by a public authority, and if it is necessary to do so in order to fulfil its obligations. Without the User's permission, Delta Bio 2000 Ltd.'s contracted partners are entitled to access the User's personal data, which the User expressly consents to when submitting the sample. Furthermore, even without the User's permission, Delta Bio 2000 Ltd. is entitled to use the results of the anonymised sample for scientific and educational purposes.
7. In the event that the User's personal data is shared with third parties by Delta Bio 2000 Ltd., Delta Bio 2000 Ltd. will comply with the provisions of data protection legislation in all cases. Delta Bio 2000 Ltd.'s contracted partners are entitled to know the personal data of the User.
8. In accordance with data protection legislation, the User has the right to request information about the processing of their personal data at any time. This information is free of charge.
Delta Bio 2000 Ltd. will comply with such a request of the User within 30 (thirty) days from the date of its submission, in writing, at the request of the person concerned.
If you wish to contact Delta Bio 2000 Ltd. with a request regarding the processing of your User data, Delta Bio 2000 Ltd. requests that you contact Delta Bio 2000 Ltd. via the contact details on the website www.deltagene.hu (e.g., by e-mail to info@deltabio.eu) or via the admin interface.
9. Through the contact details indicated above, the User is entitled to:
- request information about the processing of their personal data;
- request the rectification, erasure or blocking of their data, except for mandatory processing;
- object to the processing of their personal data in the cases provided for by data protection legislation;
- apply to the relevant authorities and courts in the event of a breach of their rights and in the case provided for by data protection legislation, and;
- claim compensation for any damage caused to the User in connection with the unlawful processing of their data or in connection with a breach of data security requirements.
10. Delta Bio 2000 Ltd. informs the User that the national legislation of each country may lay down more detailed rules on data protection than those described in this Data Protection Information.
11. Delta Bio 2000 Ltd. is obliged to ensure the protection of User information. Delta Bio 2000 Ltd. has put in place reasonable physical, electronic, and managerial procedures to protect the User's personal data, in particular against unauthorized access, alteration, transferring, disclosure, deletion or destruction, accidental destruction or damage, and inaccessibility due to changes in the technology used.
Delta Bio 2000 Ltd. is particularly attentive in this activity to prevent any unlawful or unauthorized action in the handling of the User's data by the means at its disposal. Notwithstanding these measures, Delta Bio 2000 Ltd. cannot fully guarantee the security of the User's data.
12. Delta Bio 2000 Ltd. protects the security of User information by: using encryption where possible; using password protection where applicable; and restricting access to information (for example, by limiting access to only those employees who need it to achieve the purposes described above).
Delta Bio 2000 Ltd. requests that the User help in the protection of information by not using obvious login names or passwords and by changing their passwords regularly.
Delta Bio 2000 Ltd. also requests the User to protect their password from being disclosed to third parties.
DATA PROCESSING POLICY
The Data Processing Policy of Delta Bio 2000 Research, Development, Trade and Services Ltd. (hereinafter referred to as the "Service Provider") sets out the procedures for the traditional (manual) and electronic processing of personal and health data of persons served by the Service Provider and persons who otherwise come into contact with the Service Provider (e.g., business partners, etc.).
The Service Provider/Data Controller processes the data of persons who have logged in to the site or registered to use the service during the operation of the website and the DeltaGene program, in order to provide them with appropriate service. Its aim is to protect the personal and health data of the person concerned throughout the entire process of data processing, transmission, and storage, both within and outside the operations of the Service Provider.
The Service Provider intends to fully comply with the legal requirements for the processing of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council. This policy is based on Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of personal data of natural persons and on the free movement of such data, taking into account the content of Act CXII of 2011.
Data Controller's data, contact details
Name: Delta Bio 2000 Research, Development, Trade and Service Ltd.
Address: 62 Temesvári krt. Szeged, H-6726 Hungary
Company registration number: 06-09-011882
Name of the registering court: Szeged General Court, Court of Companies
Tax number: 14138373-2-06
Telephone: +36-30-403-3046
Email: info@deltabio.eu
1. SCOPE OF THE POLICY
The scope of the policy covers
- care provided on the Provider's premises where health, human genetic, and personal identification data are processed;
- all natural and legal persons who process or come into contact with personal, health, and human genetic data in connection with the Provider's activities;
- any data that are personal data under data protection legislation and any data that are human genetic data.
carer: the treating doctor, health professional, other person involved in the treatment of the person concerned, pharmacist;
consent: the voluntary and explicit expression of the will of the person concerned, based on adequate information, by which they signify their unambiguous agreement to the processing of personal data relating to them, either in full or in relation to specific operations;
contracted partner: a natural person or legal entity that has entered into a contract with Delta Bio 2000 Ltd. and that, in the course of its professional activity, offers, distributes Delta Bio 2000 Ltd.’s services to its patients, assists in providing the services. A Healthcare Provider is not entitled to enter into contract on behalf of Delta Bio Ltd.
data controller: the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data;
data processing: any operation or set of operations performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
data processor: a natural or legal person who processes personal data on behalf of the Controller;
person concerned: an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier, or based on one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the natural person;
EEA state: member state of the European Union and other states party to the Agreement on the European Economic Area, and a state whose nationals enjoy the same status as nationals of a state party to the Agreement on the European Economic Area under an international treaty concluded between the European Union and its member states and a state not party to the Agreement on the European Economic Area;
genetic counselling: a counselling procedure in which a person authorised by law to do so provides information on the benefits or risks of clinical genetic testing, explores the possible implications of the results of human genetic testing, and helps to understand the nature of the disease;
genetic data: information about the hereditary characteristics of the person concerned, obtained from the processing of a genetic sample or from medical records, which is indicative of the individual's risk of, inherited susceptibility to, or physical or behavioural characteristics associated with a genetic disease, and which may be relevant to the identification of the individual;
genetic screening test: human genetic test carried out on members of a defined population indiscriminately, as part of a screening programme, the aim of which is to identify those asymptomatic individuals who are at risk, by identifying their genetic characteristics;
health data: human genetic test carried out on members of a defined population indiscriminately, as part of a screening programme, the aim of which is to identify those asymptomatic individuals who are at risk, by identifying their genetic characteristics;
human genetic testing: laboratory analysis of a genetic sample to detect congenital variants in the genome (genes, chromosomes) that cause or predispose to a genetic disease associated with or predictive of adverse health effects of germline origin (inherited) or developed early in foetal life, with the purpose of clinical genetic testing, genetic screening, or genetic testing for research purposes;
medical documentation: a record, register, or any other form of data, irrespective of its medium or form, containing medical and personal identification data, which comes to the knowledge of the patient's provider (the Service Provider) during the course of treatment;
personal data: data that can be associated with the person concerned, in particular the name, the identification number, and one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity, and the conclusions which can be drawn from the data regarding the person concerned;
third party: any natural or legal person, public authority, agency, or any other body other than the person concerned, the Controller, the Processor, or the persons who, under the direct authority of the Controller or Processor are authorised to process personal data;
third country: any state that is not an EEA state.
treatment: any activity with the purpose of preserving health, preventing, detecting, diagnosing, and treating a disease, maintaining, or improving the level of impairment due to the disease, aimed at the direct examination, treatment, care, medical rehabilitation, or processing of the test samples of the person concerned, including the provisions of medicines, medical aids, spa care, rescue and ambulance services and obstetric care;
- personal data on belonging to a national or ethnic minority, political opinion or party affiliation, religious or other ideological beliefs, memberships of representative bodies, sex life,
- personal data concerning health, pathological addiction, criminal offences
1.2. The legal environment governing health data management
REGULATION No 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (EU) of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation)
Act XLVII of 1997 on the processing and protection of health and related personal data
Act CLIV of 1997 on Health Care
Decree No 2/1997 (XII.21.) NM on certain aspects of the processing of health and related personal data
Act CVIII of 2001 on certain aspects of electronic commerce services and information society services.
Act XXI of 2008 on the protection of human genetic data, the rules for human genetic testing and research and the operation of biobanks
Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information
1.3. Understanding and using the Policy
The Policy shall be made available to all employees of the Service Provider, and all employees shall be familiar with and comply with the Policy at least to the extent required by their job description and position.
All persons concerned shall be informed of the provisions of the Policy that apply to them.
The Data Protection Officer designated by the Service Provider is responsible for ensuring that the Policy is kept up to date.
2. RULES ON DATA PROCESSING
2.1 Service Provider's data management philosophy
2.1.1 The Service Provider considers it important that personal data are processed only in cases and to the extent necessary to achieve the legitimate aim and in accordance with the provisions of data protection legislation. As a matter of principle, it states that patient records are the property of the Provider and must be maintained and preserved for the benefit and in the interest of the patient.
2.1.2 The Provider is committed to the principle that high quality patient care can only be achieved with high quality documentation.
2.2. Principles of data management
2.2.1. The Service Provider shall at all times respect the principles of data processing set out in the data protection legislation and shall conduct its processing in compliance with them. The principles of data processing are as follows:
- Lawfulness, fairness, and transparency: personal data must be processed lawfully and fairly and in a transparent manner for the person concerned.
- Purpose limitation: personal data must be collected only for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes.
- Data minimisation: personal data must be adequate, relevant, and limited to what is necessary for the purposes for which they are processed.
- Accuracy: personal data must be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate for the purposes of the processing are erased or rectified without delay.
- Limited storage: personal data must be kept in a form which permits identification of the person concerned for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality: personal data must be processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by implementing appropriate technical or organisational measures.
- Accountability: the Controller is responsible for compliance with the above principles and must be able to demonstrate such compliance.
2.3 Lawfulness of the processing of personal data
2.3.1 Personal data may only be processed where there is an appropriate legal basis. The processing of personal data is lawful if one of the following conditions is met:
- the person concerned has given their consent to the processing of their personal data for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the person concerned is a party or for the purposes of taking steps at the request of the person concerned prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the Controller is subject;
- processing is necessary for the protection of the vital interests of the person concerned or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
- processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the person concerned which require the protection of personal data, in particular where the person concerned is a child.
2.3.2 In addition to the above, special categories of personal data may only be processed if the additional requirements set out in the data protection legislation are met. Such requirements include, among others:
- the person concerned has given their explicit consent to the processing of the mentioned personal data for one or more specific purposes;
- processing is necessary for compliance with the obligations of the Controller or the person concerned arising from legal provisions governing employment and social security and social protection and for the exercise of specific rights;
- processing is necessary for the protection of the vital interests of the person concerned or of another natural person where the person concerned is physically or legally incapacitated and is unable to give their consent;
- processing relates to personal data which have been explicitly made public by the person concerned;
- processing is necessary for the establishment, exercise, or defence of legal claims;
- processing is necessary for preventive health or occupational health purposes, to assess the ability of an employee to perform their job.
2.3.3. As set out above, processing is lawful if it is necessary in the context of a contract or the intention to conclude a contract. If the processing is carried out in the performance of a legal obligation to which the Controller is subject, or if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing must have a legal basis in European Union law or the law of a member state.
Processing shall be regarded as lawful where it is carried out for the purpose of protecting the life of the person concerned or the interests of another natural person referred to above. Personal data should in principle be processed on the basis of the vital interests of another natural person only if there is no other legal basis for the processing in question.
2.3.4 The legitimate interest of the Controller, including the Controller with whom the personal data may be shared, or of a third party may provide a legal basis for the processing. Without the User's consent, Delta Bio 2000 Ltd.’s contracted partners are entitled to access the User's personal data, which the User expressly consents to when submitting the sample. In addition, Delta Bio 2000 Ltd. is entitled to use the results of the anonymised sample for scientific and educational purposes without the User's consent.
Such legitimate interest may, for example, exist where there is a relevant and appropriate relationship between the person concerned and the Controller, such as in cases where the person concerned is a client of the Controller or is employed by the Controller.
The processing of personal data strictly necessary for the purpose of fraud prevention is also a legitimate interest of the Controller concerned. Processing of personal data for direct marketing purposes may also be considered to be based on legitimate interest.
In order to establish the existence of a legitimate interest, it is necessary to carefully assess, inter alia, whether the person concerned could reasonably expect, at the time and in the context of the collection of the personal data, that processing would take place for the purposes in question. The interests and fundamental rights of the person concerned may prevail over the interests of the Controller where personal data are processed under circumstances in which the person concerned does not expect further processing.
The processing of personal data for purposes other than those for which they were originally collected is permitted only if the processing is compatible with the original purposes for which the personal data were originally collected. In this case, a separate legal basis other than the legal basis which made the collection of the personal data possible is not necessary.
2.4. Purpose of data processing – during registration/login to the Website/DeltaGene programme
2.4.1. The purpose of the data processing is to provide additional services and contact. The legal basis for registration data processing is the consent of the person concerned. The persons concerned by data processing are the registered Users of the website/DeltaGene. The User can give their consent to the processing of the data by intentionally ticking the checkbox on the website or in the DeltaGene program.
2.4.2 Data processing is performed until the consent given on the website is withdrawn. The person concerned may withdraw their consent to the processing at any time by sending an e-mail to the contact e-mail address.
2.4.3. Data may be obtained from multiple sources. The Service Provider may obtain the personal data of the person concerned from the following sources:
- From the person concerned: the Service Provider receives the personal data of the person concerned directly from the person concerned when they order a service from the Service Provider and, in this context, fill in an order form or contract for each of the requested tests and provide the Service Provider with the samples necessary to perform the requested test.
- From the physician of the person concerned: Service Provider may also obtain the personal data of the person concerned from the treating physician, if the requested service is ordered from the Service Provider by the treating physician, with the person concerned being informed at the same time. In addition, the Service Provider may also receive personal data from the treating physician of the person concerned where the requested service is ordered directly from the Service Provider by the person concerned, but they request the Service Provider to obtain the necessary specimen and/or documentation from their treating physician.
- From a third party: the Service Provider may receive the personal data of the person concerned from a third party where the person concerned has given an authorisation to a third party to order the services or where it is permitted by law.
2.4.4. Deletion of the data will take place upon withdrawal of consent to data processing, but no later than 3 days after receipt of the withdrawal letter. The person concerned may withdraw their consent to data processing at any time by sending an e-mail to the contact e-mail address (info@deltabio.eu). The contact data processed in the DeltaGene programme will be deleted if no service has been ordered and the person concerned requests the deletion of their data.
The health data requested within the DeltaGene programme are necessary for the purpose of consultation and contract fulfilment. The Data Controller and its employees are entitled to access the data. Method of storage of data: electronic. Modification or deletion of personal data can be requested by e-mail or by letter using the contact details provided above.
Personal data processed on deltagene.hu, purpose and duration of processing
- Name of the Data Controller: Delta Bio 2000 Ltd.
- Name of processing: collection of contact details
- Purpose of the processing: to contact persons inquiring on the website (callback, email correspondence)
- Legal basis for processing: voluntary consent of the person concerned (Act CXII of 2011, § 5 (1) a))
- Actual place of processing: 62 Temesvári krt. Szeged, H-6726 Hungary
- Automation of data management: automated and manual
- Deadline for deletion of data: upon the User's personal request by telephone or in writing
- Scope of subjects concerned: persons interested in the Service Provider's tests
2.4.5. Personal data may be transferred, and different processing operations may be combined if the person concerned has given their consent or if permitted by law and if the conditions for processing are met for each individual personal data item.
Personal data (including sensitive data) may be transferred from the country to a Controller or processor in a third country, irrespective of the data medium or the means of transmission, if the person concerned has given their explicit consent, or if the law so permits, and an adequate level of protection for the transferred personal data is ensured in the processing of the data in the third country. Transfers to EEA states shall be considered as transfers within the territory of Hungary.
3. THE RIGHTS OF THE PERSON CONCERNED
3.1. The rights of the person concerned under the GDPR
The person concerned is entitled to:
- request information about the processing of their data and access to their data (right of access),
- request rectification of their data,
- request the erasure of their data (right to be forgotten),
- request restriction of the processing of their data,
- request data portability,
- object to the processing of their personal data.
3.2.1. The person concerned shall have the right to receive feedback on whether their personal data are being processed and, if such processing is taking place, the right to access their personal data and certain information relating to the processing.
3.2.2. The right of access includes, inter alia, the following information: the purposes of the processing, the categories of data processed, the recipients to whom the data have been disclosed.
3.2.3. The person concerned also has the right to request a copy of the personal data processed by the Controller.
3.3. Rectification
3.3.1 The person concerned shall have the right to have inaccurate personal data concerning them rectified or incomplete personal data completed at their request, and the Service Provider shall take the necessary and reasonable measures to ensure accurate processing.
3.4. Erasure
3.4.1. In certain cases specified in data protection legislation, the person concerned has the right to have their personal data erased at their request, and the Controller may be obliged to erase such data. For example, if the personal data are no longer necessary for the purposes for which they were collected, or if the person concerned withdraws the consent on the basis of which the processing was carried out, and there is no other legal basis for the processing.
3.5. Restriction
3.5.1. In certain cases provided for in data protection legislation, the person concerned has the right to obtain from the Controller, at their request, restriction of processing. Examples include where the person concerned contests the accuracy of the personal data or where the person concerned has objected to the processing.
3.5.2. All recipients to whom the data were previously disclosed must be notified of the rectification, erasure, and restriction, unless this proves impossible or involves a disproportionate effort. The Controller shall inform the person concerned, at their request, of those recipients.
3.6. Data portability
3.6.1. In certain cases, as defined in data protection legislation, the person concerned has the right to receive personal data concerning them in a structured, commonly used, computer-readable format and the right to transmit such data to another Controller.
3.6.2. The person concerned may also have the right to request, where technically feasible, the direct transfer of personal data between Controllers.
3.7. Objection
3.7.1. In certain cases provided for in data protection legislation, the person concerned has the right to object to the processing of their personal data, in which case the Controller may no longer process those data. This may be the case, for example, where the processing is based on legitimate interests or where the processing is for direct marketing or profiling purposes.
3.7.2. The right to object must be explicitly brought to the attention of the person concerned at the time of the first contact at the latest, and the information must be clearly displayed and separated from all other information.
3.8. Exercise of the rights of the person concerned
3.8.1. The Service Provider shall inform the person concerned of the measures taken in response to their request to exercise the rights set out above as soon as possible, but no later than 30 days from the receipt of the request. If the Service Provider fails to take action on the request of the person concerned, it shall inform them without delay, but no later than 30 days after receipt of the request, of the reasons for the failure to take action and of the right of the person concerned to lodge a complaint with the National Authority for Data Protection and Freedom of Information and to exercise their right to judicial remedy.
3.8.2. The Data Protection Officer is responsible for responding to and dealing with requests from persons concerned. The Data Protection Officer shall be informed immediately upon receipt of potential requests.
Scope of the Policy
This Policy shall enter into force on 25 May, 2018 and shall remain in force until revoked.