Lots of people are suffering in medical disease, thus they often get in touch with health care institutions. They are not in aware with their rights and obligations. The patients often do not know what to do when he or she get in trouble, if his or her rights are violated during the cure or these rights are infringed by the health care institutions.
In Hungary the patients rights are regulated in lots of acts. For instance the Act CLIV of 1997 on Health Law or Act XCV of 2005 on Medicinal Products for Human Use and on the Amendment of Other Regulations Related to Medicinal Products (the Drug Economy Act), or the Decree No. 3/2009 (II. 25) of the Minister of Health on the Detailed Rules Relating to the Promotion of Medicinal Products and Medical Devices for Human Use, the Registration of Persons Performing Promotion Activities and the Commercial Practices Related to Medicinal Products and Medical Devices Aimed at Consumers etc. Hungary is also affected by the European Union regulations like for instance Directive 2001/83/EC (marketing of medical products), Directive 2017/2103/EU and etc.
It can be seen well, that the amount of the national and international regulations of the Health and Pharmaceutical Law are lot and the clients (who are the patients too) do not understand these regulations. Therefore in this heading, I want to publish articles and studies about medical, health and pharmaceutical issues to help the clients to understand the maze of the medical regulations in Hungary.

Pursuant to the information of the website of European Medical Agency (EMA), the Regulation EU 2017/745 on Medical Devices (MDR) which was adopted in April 2017 came into application on 26 May 2021.

The MDR changes the European legal framework for medical devices and introduces new principles and supportive responsibilities for EMA and national competent authorities in the assessment of certain categories of medical products.

The new and revised responsibilities that are contained by the new regulation are the followings:

  • medicines with integral devices, for instance: pre-filed syringes and inhalers;
  • ancillary medical substances to supporting the proper function of the device, including the following examples: drug-eluting stents, bone cement including an antibiotic, catheters covered with heparin or an antibiotic agent, condoms which are coated with spermicides;
  • such medical devices which are made from those substances that are absorbed by the human body to achieve their intended purpose for the patients health;
  • borderline products for which there is uncertain which regulatory framework can be applied. The borderline products includes the followings: medical products, medical devices, cosmetics, biocidal products, herbal medicines and food supplements.

According to EMA, the Agency has worked closely with the European Commission, the national competent authorities and the pharmaceutical and medical device companies to ensure appropriate transition to the new regulation.

The EMA will make an updated guidance on quality requirements for medical devices in human medicines and medical devices which contains an updated Q&A to support the implementation of the MDR to the new regulatory framework.

The EMA also informs the interested persons that the MDR replaces the current Directives for medical devices (93/42/EEC and 90/385/EEC). The Regulation on in vitro diagnostic medical devices will replace Directive 98/79/EC when it comes into apply on 26 May 2022.

The content of this article is derived from the EMA’s website: ema.europa.eu.

The Government Decree 464/2020 (22 October) on the Government Decree 431/2020 (18 September) on the Defensive Measures of the Pandemic Readiness Period (hereinafter: Decree or D.) 

The following measures were ordered by the Hungarian Government based on the Act CLIV of 1997 on the Health Care Sec. 247 (1b) point c).

The Decree Sec. 1 (1) was supplemented by points j) and k) which are the followings:

1. Wearing of the medical mask, occupational safety mask and those masks which are made of textile or other materials (hereinafter: mask) shall be required to everyone excepting the person underage of six, the athletes, the coaches, the referees and their assistants, the participants of the sport event at the venue of the sport event as well as the speaker for the duration of the speech at the assembly held outdoor under the Act of Assembly within the points j) and k) of this Decree.

The mask shall be worn in such way that the nose and mouth of the particular person be continuously covered.

The D. Sec. 2 was also supplemented by the Subsec. (4a) and (4b).

2. That person who does not wear the mask the way described in the point 1 for the call of the organizer, the organizer of the sport event is obliged to exclude the infringing visitor from visiting the event. The organizer is also obliged to ensure that the visitor leave the venue of the sport event.

It is the same way when the particular person does not wear mask for the call of the organizer of the assembly, the organizer is obliged to call the infringer person for leaving the venue of the assembly.

3. Both the participant of the sport event and the participant of the assembly are obliged to keep those provisions which were mentioned above.

4. The Decree shall enter into force on the day following of its proclamation.

From 1 July 2020 significant changes will enter into force in the national social security system. The former Act LXXX of 1997 on the Eligibility for Social Security Benefits and the Private Pensions and the Fundings for These Services (hereinafter: SSBA or Social Security Benefits Act) will be replaced by the new Act CXXII of 2019 on Entitlements to Social Security Benefits and on Funding These Services (hereinafter: new SSBA or Social Security Benefits Act) after 23 years. The new Social Security Benefits Act contains more several new rules compared to the former Social Security Benefits Act and it also includes the implementing decrees. That article – due to its size limits – describes the more important changes only.

The new Social Security Benefits Act Sec. 6 (1) – contrary to the former Social Security Benefits Act Sec. 5 (1) – no longer contains the concept of person engaged in auxiliary activities in the sphere of the insured person for example pensioner entitled to draw pensions own his own right. The sphere of the insured person is clarified by the new SSBA Sec. 6 (1). From 1 July the flat rate contribution base will be introduced by the new social security law which qualifies as a new legal institution in the Hungarian social security system. The flat rate contribution base rate is 18.5 per cent contrary to the former rate of 8.5 per cent of health insurance and labor market contributions which was regulated in the previous Social Security Act Sec. 19 (3). The former health insurance and labor market contribution comprised: 4 per cent health insurance contributions provided in kind, 3 per cent health insurance contributions provided in money and 1.5 per cent in labor market contributions.

The new SSBA applies stricter rules then the former Social Security Benefits Act. Pursuant to the new SSBA Sec. 24 and 27 (2) the contribution base is 30 per cent of the minimum wage which shall be paid even if the income of the employee is smaller than the minimum wage.

In case of business partner and private entrepreneur the health insurance and labor market contributions shall be paid based on the mandatory minimum wage/guaranteed wage minimum instead of the former 150 per cent. The social security contribution base (Szocho) is still remains 112.5 per cent.

Increased maximum of family contribution allowance availing after the children will be introduced as a new element. The maximum of the allowance will be enforceable opposite to the rate of 18.5 per cent of the social contributions. The maximum rate of the family allowance is equal to rate of the social contribution base which is grown from the previous rate of 8.5 per cent to 18.5 per cent based on the new Social Security Benefits Act.

The rate of pension contribution is still 10 per cent.

The further renewal of the new Social Security Benefits Act is comprised in its Sec. 46 (2)-(3). The essence of the amendment in short if persons liable to pay do not fulfill their health service contributions (hereinafter: ESZO) payment obligation and the amount of arrears exceed the threefold monthly amount of ESZO, the social security number (TAJ number) will be invalid in connection with the requisitioning of the health service. The health service is not available free of charge except if the debt was paid retroactively before the health service was availed.

The ESZO unified monthly amount is 7710 HUF, which is daily 257 HUF. The ESZO shall be paid until the 12th day of the current month.

It is important to note that the National Tax and Customs Administration (hereinafter: state tax authority or NAV) shall supply the data of the arrears derived from non-fulfillment of the health service payment obligation to the Administrative Agency. The record is kept by the Headquarters of Hungarian State Treasury (MÁK).

Two more new benefits will be introduced from January 2020. One benefit is the adoption allowance, the other is the grandparent child-care benefits. The person entitled to adoption allowance who adopts or raising child who has reached the age of two. The person entitled to grandparent child-care benefits availing by grandparents who was insured person in one year of the two years preceding the benefits. The maximum amount of the benefit is 70 per cent of double the minimum wage.

The person who is insured in other member country of the European Economic Area (EEA) and avail of health service based on paying health service contribution, the natural person must refund that cost which charge the Health Insurance Fund. The specified amount of unjust requested health service contributions (ESZO) will be cancelled on the tax invoice by the state tax authority. The amount of unjust requested ESZO will be prescribed on the tax invoice as tax obligation by the Health Insurance Fund based on its data supply.

Further renewal is introduced by the new Social Security Benefits Act. Pursuant to the new SSBA Sec. 52 (3) an agreement for the provision of healthcare services may be concluded subject to assessment of the state of health of the person initiating the conclusion of the agreement, with the proviso that the agreement shall not cover healthcare services to be provided in connection with any disease, health impairment identified by the said medical examination. The medical examination for health assessment is subject to a fee. The medical examination for health assessment shall be ordered by the regulatory body empowered to conclude the agreement to be carried out by the healthcare service provider designated by the minister in charge of the health insurance system, according to the procedure therein provided for.

The SSBA Sec. 52 (4) states the following: an agreement for acquiring pensionable income and service time shall become operative on the day on which it is executed, at the earliest on the first day of the month to which it pertains. No arrangements shall be permitted for any preceding period. After that, payments of pension contributions shall be made by the twelfth day of the month following the month to which it pertains. Any default in payment shall result in termination of the agreement.

To summarize the above-mentioned two subpoints, it is indispensable to be assessed the state of health of the person who initiating the conclusion of the agreement to conclude an arrangement for the provision of healthcare services.

In addition to the aforementioned points, the health insurance rules have not changed.

It is worth to note that, in connection with the changes of the tax rules which concern the social security system that the vocational training scholarship will be tax-free and particular educational grants too. Additional change is to notify the state tax authority about the starting and terminating of the operation of the enterprises.

The simplified contribution to public revenues (EKHO) of the pensioners was reduced to 9.5 per cent and  the 17.5 per cent social security contribution (Szocho) will not have to be paid for them either.

These changes will enter into force from 1 July 2020. The article described the more important changes and amendments in short only to give an assistance in the complex and constantly changing Hungarian social security system.

The Government Decree No. 140/2020 (21 April) on the Action Plan about the Necessary Relief of Tax Payment to Mitigation of the Economical Effect of the COVID-19 (hereinafter: Decree) Sec. 20 (1)-(3) carry into effect some changes during the pandemic period.

The employees who do not receive their wages during their leave because of the present situation, are still entitled to avail of the health service contribution for the duration of the epidemiological (pandemic) period.

From 1st May 2020, the employer – by the 12th day of the month following the current month – assesses, declares and pays the health service contribution after the employee.

At the employer request, the national tax and customs authority permits the employer to pay the amount of the health service contribution assessed and declared above until the 60th day after the end of the State of Emergency.

It can be stated from the provision of the Decree mentioned above that the employees are considered as insured person in the absence of their payment for the duration of the State of Emergency because of that situation. It shall be deemed that the employment relationship would be still existing, therefore the employer’s further obligation to assesses, declares and pays the health service contribution to the national tax and customs authority.

It seems to be that the legislator’s purpose was to exempt employees from the obligation to payment of the health service contribution under the general rules in the absence of their wages because of the present situation for the duration of the epidemiological period. The employer exempt the employees from extra burden.

In addition to this, the legislator has also introduced an alleviation on the employer side, according to it the assessed and declared health service contribution mentioned above, shall be payed by the employer within 2 months after the end of the State of Emergency. The economy stagnates, the investments fail and the production is minimal for the duration of the State of Emergency. So the financial sources and liquidity of the employer are reduced to the minimal. The employer can easier gets over the income loss resulting from the current situation and he/she can optimize better his/her sources and income with this alleviation.

It is very important to note that these current special provisions mentioned above are valid only for the duration of the State of Emergency. These provisions shall be expired at the end of the State of Emergency and the general rules will be applicable to the parties.

Source of the picture: pexel.com

Information on the COVID-19 in connection with the personal data processing and the employment law

The source of the picture is: Hungarian Medical Chamber (MOK)

In the recent past days the Hungarian Government declared the State of Emergency in its Government Decree 40/2020 (III.11) on Declaring of the State of Emergency based on the Fundamental Law of Hungary Article 53 (1).

Parallel to the provisions of the Government Decree, some directions of the GDPR and the Hungarian Labor Code shall be followed by the employers. The SAMKÓ LEGAL set up a short information document about the relevant applicable provisions in connection with the epidemiological situation.

The short document will help to understand that how these provisions of the GDPR, Labor Code and the relevant other laws and decrees shall be applied by the employers and other parties of the employment relationship. The short information document of the SAMKÓ LEGAL is available at down below of the page in PDF format.

Budapest on 23rd March 2020


The Algopyrin and the substances of metamizole

On 19th February 2020 the National Institute of Pharmacy and Nutrition (OGYÉI) published on its webpage that the medicines of metamizole content will be issued without prescription by the doctors. The above-mentioned date before these medical substances were issued with prescriptions only by the doctors. The OGYÉI composed a list about those medicine substances which are exempt from the obligation of the issue of prescription.

Medical substances

According to the information of the OGYÉI, the applicant filed his/her application for review in connection with the issue of medicine substances of metamizole without prescription. The OGYÉI examined the application of review and the whole data relating to the case. It found that in the case of medical substances of metamizole content that the conditions are not met with those contents which are included the Decree of Ministry for Health (DMH) No. 52/2005 (18 NOV) on the Marketing of Medicines for Human Use. Therefore the classification of these medical substances were reclassified by the OGYÉI.

It means that it does not have to be claimed prescriptions for Algopyrin and those medical substances which contain metamizole. If you would like to more information about the aforementioned medical substances, please visit the website of OGYÉI at https://www.ogyei.gov.hu/main_page.

List of those medical substances which will be issued without prescriptions after the aforementioned date by pharmacy
ALGOPYRYN 500 mg pillsNot subject to prescription.
ALGOZONE 500 mg pillsNot subject to prescription.
FLAMBORIN 500 mg/ml drops for oral solutionNot subject to prescription.
METAPYRIN 500 mg film-coated pillsNot subject to prescription.
NODORYL FORTE 500 mg pillsNot subject to prescription.
PANALGORIN 500 mg pillsNot subject to prescription.
SUPPOSITORIUM NORAMINOPHENAZONI 100 mg FoNo VII. PARMANot subject to prescription.
SUPPOSITORIUM NORAMINOPHENAZONI 200 mg FoNo VII. PARMANot subject to prescription.
TABLETTA ANALGETICA FoNo VII. PARMANot subject to prescription.

The content of this article also including the table above are derived from the webpage of the National Institute of Pharmacy and Nutrition (OGYÉI).

National Institute of Pharmacy and Nutrition (https://www.ogyei.gov.hu/main_page)

The source of this whole article is OGYÉI.

III. Basic concepts

The definition of personal data

Pursuant to the GDPR personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The controller shall be fully liable for every damages that may occur to the data subject in connection with the data management. [GDPR Article 4, point 1]

Processing of special categories of personal data 

Besides of the definition of personal data, the GDPR Article 9 gives a short list about the special categories of personal data which are revealing the follows:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;

The following data also belong:

  • the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
  • Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6 (1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority. [GDPR Article 10]

The data management shall be progressed with caution during the processing of special categories of personal data.

The tasks of the controller and the processor are also especially the record of the data, the enumeration of the processed data, the safety data storage, and if it necessary, performing the impact assessment.

The data subject (patient/patients)

The most important task and aim is the protection of the patients. It ensures their data shall be processed appropriately and the unauthorized person does not have access to these data.

Pursuant to the GDPR Article 4 data subject shall mean a natural person who has been identified or is identifiable by reference to any information. The legal persons data shall be not protected by the data protection regulation.


Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. [GDPR Article 4, point 7]


Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. [GDPR Article 4, point 2]

Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects. [GDPR Article 26]

Restriction of processing

Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future. [GDPR Article 4, point 3]

During the data management, it can be occurred that the data process shall be restricted by the controller because of the request of the data subject.


The processor assists for the controller work. It is worth to notice in connection with the data processing that the processor has not got individual decision-making power and the right to dispose. The processor does his/her work following the instructions of the controller. Data processor shall mean a natural or legal person or unincorporated organization that is engaged in processing operations within the framework of and under the conditions set out by law or binding legislation of the European Union, acting on the controller’s behalf or following the controller’s instructions. The Info Act Sec. 25/C states that where processing is carried out by a person or body, such processors must be able to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner to ensure the lawfulness of data processing and the protection of the rights of the data subject. Before the commencement of processing the data processor shall provide proof to the data controller of having such guarantees. Pursuant to the Info Act Sec. 25/D (3) point a) the data processor acts only on instructions from the controller made out in writing. Relating to the Info Act 25/D (3) point c) the processor assists the data controller by any appropriate means to ensure compliance with the provisions on the data subject’s rights. Basically this means that the processor assists the data controller’s work with auxiliary technical activities. These activities can be the followings for instance: collecting or transmission. [GDPR Article 4, point 8 with Info Act Sec. 25/C and Sec. 25/D (3) points a), c)]


Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. All person shall be regarded as recipient, who get the data for any purpose. [GDPR Article 4, point 9]

The consent of the data subject (patient)

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. [GDPR Article 4, point 11]

Supervisory authority

In Hungary, the National Authority for Data Protection and Freedom of Information (NAIH) is responsible for carrying out supervisory and official tasks. The NAIH safeguards the security of the data, enforces the data protection laws, responsible for the appropriate functioning of the data protection and enforce the application of the GDPR and Info Act. Draws the attention of the controller and processor to their obligations and inform the affected persons to their rights. Besides this, the NAIH conducts the official investigation and keep inner records. [GDPR Article 4, and 51]

Personal data breach

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. [GDPR Article 4, point 12]

Genetic data

Genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question. [GDPR Article 4, point 13]

Biometric data

Biometric data means personal data resulting from specific technical processing relating to the physical, physio­logical or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. [GDPR Article 4, point 14]

Data concerning health

Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. [GDPR Article 4, point 15]

Psychological secret

The Ethics Code of the Psychologists (ECP) point 5.1. describes the concept of the psychological secret. The psychologists are burdened by the obligation of the psychological secret relating to every single psychological and personal data which came to his/her attention. The ECP states that the psychologist may only inform these data to an authorized person and he/she shall be obligated to handle the data confidentially. Besides the above-mentioned and described obligations, the ECP prescribes that the psychologists obligation of confidentiality still exist after the end of his/her relationship with client.

Pursuant the ECP point 5.1.1. psychologists secrets shall include all psychological and personal data which obtained in the course of their professional activities, as well as other data relating to the treatment that is required, ongoing or completed, and which is known in connection with the treatment regardless he/she has known these data with written or oral communication or during any other psychological care. [Ethics Code of the Psychologists point 5, 5.1, 5.1.1]

It important to notice that, in addition to the notion of the psychological data, the ECP use the term of the personal identification data in the concept of psychological secret. It can be said that the sphere of the processed data was narrowed, (specified) to the particular data, like as the personal identification data.

In the interpretation of the ECP, it can be preposterous because during the psychological care, not only the psychological and personal data will be recorded  but also the physical, physiological or intellectual data which can be connected to the patients psychological status. It would be better the use of the concept of personal data. This concept gives a wider sphere of the data to be stored. To avoid the confusion, the sphere of the personal identification data like as the name, residence, the dwelling place, the social security number, etc. should be mentioned as an example in the concept of personal data.

Psychological data

Pursuant to the ECP point 5.1.2. psychological data in particular are the follows: those data which are related to the data subject’s mental and psychical state, the behavior, the data which are also related to performing adoptive parenting, foster parents, guardian tasks, or those data which are related to exclusion the ability of performing the above-mentioned tasks, or aptitude or its exclusion or those data which are related to pathological passion, detected, examined, measured, mapped and derived data furthermore those data which can be related to the previous ones and also those data which influence the previous mentioned data. [Ethics Code of the Psychologists point 5.1.2]

During the psychological cares, the psychologist must ensure the right process, storage and protect of the patient’s personal data. Formerly it shall be applied the Act LXIII of 1992 on the Protection of Personal Data and the Disclosure of Information of Public Interest. By making the Info Act the aforementioned act was repealed. In the health care from 25th May 2018 besides the Info Act, the GDPR is applicable primary in Hungary.

Medical confidentiality

The HCA (Act CLIV of 1997 on the Health Care; Health Care Act) Sec. 25 (1)-(7) regulate the legal institution of the medical confidentiality. According to the Commentary, the rule of the medical confidentiality shall not only applied to the doctors but also to every single health care provider. The medical confidentiality include the patients all personal data, within is this particularly their health care data which are related to their health status and which are come to the knowledge of those persons who are involved in the health care during the patients treatment. The patients have the rights that these data, particularly those data which are related to their health status shall be communicated only to the authorized persons and these data shall be processed confidentially by those persons who are involved in the health care. All of these data are called uniformly medical confidentiality by the Health Law and the Medical Science. [HCA Sec. 25 (1); Commentary on the Health Care Act]

It is worth to note that the HCA also use the concept of personal identification data. In itself this is not a problem but it would be better to use the notion of personal data in the introduction of this chapter of HCA because this concept include a wider sphere of the patient health data. All in all it can bear on more report content than the previous notion.

Enterprise, group of undertakings, supervisory authority

The GDPR determines the concept of enterprise in the following way: it is a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity. [GDPR Article 4, point 18]

The GDPR determines the concept of group of undertakings in the following way: it means a controlling undertaking and its controlled undertakings. [GDPR Article 4, point 19]

According to the GDPR the supervisory authority is an independent public authority to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union. The public authorities are provided by the member States of the European Union. [GDPR Article 4, point 21 and Article 51 (1)]

Right to information

Although the right to information is one of the patients fundamental rights during the treatment, it is still closely connected to the data management. Namely during the treatment the patient, the doctor and the health care provider exchange the information between each other. The patient asks questions to the doctor in relation with his/her health status or the treatment and the doctor answer them in connection with the aforementioned questions. Pursuant to the HCA the patient has the right to get detailed information about his/her health status, the treatments (interventions), planned schedule, the decision-making power related to the treatments, the possible alternative procedures, the methods, the process and outcome of the treatment, about the further treatments and the recommended lifestyle. Furthermore, the patient has the right to asks questions or get to know about his/her results of the performed health treatments and interventions, their failure and their different results and their reasons. The patient also has the right to get to know those doctors and persons name, qualification with their position who were contributed during the patient treatment. Here also belongs the consent based on information because the patient may only agree to the treatment if he/she has the proper information. The conditions required for information are provided by the health care provider. If the patient speaks in foreign language, he/she has a right to use the help of interpreter. Before the treatment, the doctor must inform the patient about the costs and fees of the treatment if the patient health status makes it possible. [HCA Sec. 13 (1)-(9)]

The right to information of the health document

The patient has the right to get to know about his/her health document with its content like as the data related to his/her health treatments. The patient may make extract and copy about these documents. The patient also has a right to get the medical report or a written summarized opinion about his/her health status. The patient entitled to choose the authorized person who has the right to look into the documents behalf of him/her. [HCA Sec. 24 (1)-(13)]

The aforementioned list is not complete. It solely describes the basic concepts which occur during the health data management based on the GDPR, the Info Act and the Health Care Act. The concepts which were missed out from the GDPR are the following: main establishment, representative, binding corporate rules, supervisory authority concerned, cross-border processing, relevant and reasoned objection, information society service, international organisation, third party, filing system, profiling, pseudonymisation. The missed concepts will be discussed in separate articles, if it necessary.

The third part of the article will discuss the legal base of the health data management and the prevailing basic principles which occur during the data management.

The following article is written about the personal data management in the health care and consists of four parts. The first part of the article gives a short introduction about the personal data management in connection with the health care.

The second part describes the concepts of the health data management. It is worth to note that, this part discussing not just the basic concepts of the data management but also those special notions which emerges rather in the field of the health care data management. First of all, the basic concepts of the GDPR will be discussed. These concepts are in the tight connection with the notions of the Info Act.

The third part of my article gives a short summary about the legal base of the health care data management and their applicable principles.

The fourth part of my article describes of the legal background of the health data management which shall be applied in the health care. This part also discuss those rules of the Health Care Act in force, which are in connection with the data management.

I. About the data management of the health care in general

In today’s information society it is indispensably important the accurate, adequate and safe personal data management. The secure personal data management as also important in the health care as in the other fields of the life. The safe health data management is very important in the health care, because every single (sensitive) personal data will be recorded here. The right to life and human dignity are fundamental rights and because of their delicate nature, they are benefited increased protection. Pursuant to the Fundamental Law of Hungary (hereinafter: FLH) Article II: ,,Human dignity shall be inviolable. Everyone shall have the right to life and human dignity; the life of the fetus shall be protected from the moment of conception.” The same statement can be found in the Act CLIV of 1997 on the Health Care (hereinafter: HCA or Health Care Act). According to the HCA Sec. 10 (1) ,,The right to human dignity of the human shall be kept in respect during the health care.” The patients fundamental rights are protected by the State in this way.

The human, in this case, the patients are embodied by the personal data. The personal data as personality rights show the human as living being, in their full complexity. In the health care the submitted personal data are very sensitive. These personal data make the patients completely identifiable during the health care from the birth data through the determined diagnosis to those data which are contained by the treatment plan. These personal data belong to the patients privacy. No one can know about these personal health data except the doctor or any health expertise.

The Life Science and Pharmaceutical Law (aka. Health Law) is a mixed field of law because it includes the main fields of law, such as: the Administrative Law, the Criminal Law and the Civil Law. In addition to the public law nature of the Health Law it must be taken account its private law nature in detail, during the personal data management too, because the patients are in civil law (aka. private law) relationship with the health care provider when they are receiving the treatment. On the other hand, in legal relationship of the health care institutions (aka. health care provider) and the patients, the primary standpoint is the enforcement of the patients personality rights (e.g.: personal data). These rights are not only fundamental rights, but personality rights too. In this legal relationship, the patients will be identified through their personal data.

The health care is available in the state sphere (aka. public health care sector) or in the private health care (aka. private health care sector). The patients choose any options, but the appropriate and safe data management is the obligation of every single health care provider given by the law.

As the result of the above-mentioned facts, in the further parts of my article will summarize in essence the concept of the personal data, the sphere of the personal data or the method of their storage and management.

Source: pexel.com

II. Legal alignment

Since 25th May 2018 the regulation of the data management has become stricter because the legal framework of the Member State were replaced by the uniform Union legislation. It means that the Data Protection Directive 95/46/EC was replaced by the uniform European Union General Data Protection Regulation No. 2016/679. (hereinafter: GDPR). This decree has been entered into force since 2016 but it shall be applied since last year, 25th May in the Member States of the European Union. During the legal alignment in Hungary, the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (aka. Info Act) was adjusted to the GDPR. The Info Act. Sec. 1 sets out its purpose. Pursuant to the Info Act. Sec. 1 ,,The purpose of this Act is to lay down the fundamental rules for data processing operations within the categories it covers with a view to ensuring that the right to privacy of natural personsis respected by data controllers, and to enforcing the right to have access to and disseminate information of public interest and public information to ensure the transparency of public affairs.” The Info Act Sec 1 is aligned to the GDPR Article 1 which is proved to us by the fact that this Act is intended to protect the right to privacy of the natural person or aka. data subject. The GDPR emphasize the same standpoint, when it describes that it protect personal data of the data subject. Both laws put the protection in the foreground. It can be seen well that the personal data are the part of the privacy. At the same time the concept of personal data and the concept of privacy are synonyms. It can be perceived a small difference between both words. The Info Act determines the notion of privacy in a broader sense because the privacy does not only just exactly includes the personal data of the particular natural person such as name, residence, phone number, political and religious views, body weight, blood type, etc. but it involves also other data which refer to the private life such as the right to protection of privacy or those data which refer to the family life of the particular person. However the legislator considered these two notions synonym in terms of the data protection legislation.

The Info Act follows the provisions of GDPR regarding to the basic concepts, the principles, the lawfulness of processing, the consent to the processing or the rights and obligations of the data subject taking into account its specific characteristic in its Sec. 3-19. These general rules and conceptual definitions shall be applied during the health care data management by the particular health care provider.

Next to the GDPR and the Info Act, the data management is regulated directly by the Act XLVII of 1997 on the Management and Protection of Health and Related Personal Data (hereinafter: Health Personal Data Act, aka. HPDA) in Hungary while the other related decrees of the health care regulate indirectly the data management. The direct regulation means that the above-mentioned laws shall be applied to the data management in the health care. For instance: Fundamental Law of Hungary – FLH, Health Care Act – HCA, Health Personal Care Data Act – HPDA, Info Act and GDPR. The indirect regulation means that those laws shall be applied which are needed in a special-part field of the health care beyond the general data of the patients which are characterized to the particular field of health care. Basically the indirect regulation also intended to protect the personal data of the patients but here more special data will be given which are characterized to the professional field of the health care. The legislator also wants to protect these rights by the creation of the relevant legislation. Here is some examples from the sphere of the special data regulation: Decree of Ministry for Human Resources 5/2016 (29 Feb) on the Announcement and Order of the Related Interventions of Particular Prosthesis or Decree of Ministry for Human Resources 1/2014 (16 Jan) on the Report Order of the Infectious Diseases, etc.

It is very important that during the data management, the health personal data of the data subject, in this case, of the patients shall be respected maximally by the health care provider (e.g. clinic, hospital, private practice, center for diagnostic, etc.). Not only the related rules of data management and data subject belong here which are laid down in the GDPR and Info Act, but also those rules which are related to the rights to personality of the Act V of 2013 on the Civil Code (hereinafter: CCA). These rules can be found in its Sec. 2:42-55. Because of the sensitivity of the personal data especially the health care data, it is very important that the listed laws and decrees shall be taken account by the controller and processor.

During the health care data management, the following laws shall be applied by the health care provider:

  • Fundamental Law of Hungary (FLH);
  • European Union General Data Protection Regulation (Decree No. 2016/679 of The European Parliament and the Council);
  • Act CLIV of 1997 on the Health Care (HCA);
  • Act XLVII of 1997 on the Management and Protection of Health and Related Personal Data (HPDA);
  • Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Info Act);
  • Act V of 2013 on the Civil Code.

In the second part of my article the general definitions will be discussed.

Source: GDPR, Info Act and the above-mentioned laws and decrees.