Privacy Notice

Private psychiatry and psychotherapy practice — Dr. Levente Attila Paranici, sole proprietor
Effective from: 8 July 2026

This translation is provided for information purposes. The official, legally binding version is the Hungarian version.

Introduction

The purpose of this notice is for Dr. Levente Attila Paranici, sole proprietor (hereinafter: the Controller), to provide patients (hereinafter: the Data Subject) with clear, concise and easily understandable information about the processing of personal and health data in the context of his private psychiatry and psychotherapy practice.

The Controller processes data in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and in compliance with the following legislation: Regulation (EU) 2016/679 (GDPR); Hungarian Act CXII of 2011 on Informational Self-Determination (Infotv.); Hungarian Act CLIV of 1997 on Healthcare (Eütv.); Hungarian Act XLVII of 1997 on the Processing and Protection of Health Data (Eüak.); the legislation governing the Hungarian Electronic Health Service Space (EESZT), in particular EMMI Decree 39/2016 (XII. 21.); and Hungarian Act C of 2000 on Accounting (Számv. tv.). Terms used in this notice have the meaning defined in Article 4 GDPR and Section 3 of the Eüak.

1. The Controller's details

NameDr. Levente Attila Paranici, sole proprietor
Professional capacitypsychiatrist, psychotherapist
Registered seat / practice address4400 Nyíregyháza, Pazonyi tér 9–10., ground floor 1., Hungary
Tax number68432502-1-35
Phone+36 70 501 5012
E-mailparanici.levente@gmail.com
Websitewww.paranicilevente.hu

Under Article 37 GDPR, the Controller is not obliged to appoint a data protection officer (DPO); for any data protection matter, the Data Subject may contact the Controller directly at the details above.

2. Categories of data processed, purposes and legal bases

Data categorySpecific dataPurpose / legal basis
Identification and contact dataname, birth name, place and date of birth, mother's name, social security number (TAJ), address, phone number, e-mail addressidentification, communication, keeping medical records; Art. 6(1)(b), (c) GDPR; Sec. 4 Eüak.
Health datamedical history, current complaints, mental status, diagnoses (ICD code), medication, treatment recommendation, treatment documentation, outpatient reportsestablishing a diagnosis, treatment plan, documenting care, legal obligation; Art. 9(2)(h) GDPR; Sec. 4 Eüak.; Sec. 136 Eütv.
Invoicing dataname, billing address, date of service, amountissuing invoices, accounting obligation; Art. 6(1)(c) GDPR; Sec. 169 Számv. tv.
Appointment and contact dataname, phone number, e-mail address, requested appointment, information voluntarily provided by the Data Subjectscheduling, responding to enquiries; Art. 6(1)(b), (a) GDPR (consent)
Personal psychotherapy process notesthe treating professional's own reflections, personal notes on the therapeutic processexclusively for the professional's internal use; details in Section 8; Art. 6(1)(f) GDPR (legitimate interest)

Where processing is based on the Data Subject's consent, it may be withdrawn at any time; withdrawal does not affect the lawfulness of prior processing. For the establishment, exercise or defence of legal claims, the Controller may process the necessary data under Art. 6(1)(f) GDPR (legitimate interest).

3. Source of the data

The primary source of the data processed is the Data Subject. With the Data Subject's consent, the Controller may also process documents originating from other healthcare providers (e.g. referral, previous discharge summary). Health data may be obtained from third parties without consent solely in cases defined by law.

4. Retention periods

Type of dataRetention period
Medical documentation (outpatient reports, medical history)at least 30 years from recording (Sec. 30(1) Eüak.)
Discharge summaryat least 50 years (Sec. 30(1) Eüak.)
Accounting documents (invoices)8 years (Sec. 169 Számv. tv.)
Appointment and contact datauntil the treatment relationship ends or consent is withdrawn; where no treatment relationship is established, no longer than 6 months after the enquiry is answered
Personal psychotherapy process notesfor the duration of the active therapeutic relationship, then no longer than 3 years after its conclusion

Upon expiry of the retention period, the Controller permanently deletes or physically destroys the data.

5. Data processors

The Controller engages the following data processors, which may act, in accordance with Article 28 GDPR, solely on the Controller's instructions:

ProcessorActivityData concerned
Cloudent (healthcare software)software supporting medical record keeping and communication with the EESZT systemidentification data, health data, outpatient reports
CloudEHR (online invoicing module)issuing and storing electronic invoices; automated data reporting to the Online Invoice system of the Hungarian Tax Authority (NAV), as required by lawinvoicing data (name, address, date of service, amount)
Cloudflare, Inc. (Cloudflare Pages)static hosting and content delivery for the website; the website collects no personal data and uses no cookiestechnical log data (IP address) generated when visiting the website, held by the hosting provider
Google Ireland Limited (Ireland)e-mail service (Gmail), online consultation platform (Google Meet)data shared in e-mail correspondence, communication transmitted during online consultations
Apple Distribution International Ltd. (Ireland)online consultation platform (FaceTime), with end-to-end encryptioncommunication transmitted during online consultations
Accounting service providerbookkeeping and tax services; the accountant has no access to personal data identifying Data Subjects — only invoice numbers and amounts are sharedno direct access to personal data; aggregated financial data

6. Data transfers – recipients

The Controller transfers data to third parties solely in the following cases:

The Controller does not transfer data to third countries (outside the EEA). The Google and Apple services used operate within the European Economic Area; regarding Cloudflare, Inc. (USA), the website's hosting provider, any third-country processing is safeguarded by the EU–US Data Privacy Framework and the EU Standard Contractual Clauses (SCC). The Controller does not conduct regular settlements with insurers or other funders within the private practice.

7. Data security measures

In accordance with Article 32 GDPR, the Controller applies technical and organisational measures proportionate to the risks, in particular: devices protected by strong, unique passwords; electronic medical documentation stored in an encrypted folder; access restriction (only the Controller has access to personal data); regular backups; paper documents stored in a lockable place; two-factor authentication for EESZT access as required by law.

In the event of a data breach, the Controller acts in accordance with Articles 33–34 GDPR: where required, it notifies the supervisory authority within 72 hours and, in case of high risk, informs the Data Subject without undue delay.

8. Personal psychotherapy process notes

In the course of psychotherapeutic work, the Controller may create personal working notes (in the professional literature: "personal notes", "therapist's process notes"), which, from a legal and professional standpoint, do not form part of the official medical documentation. These notes serve exclusively the professional support of the therapeutic process, psychotherapeutic reflection and the tracking of therapeutic dynamics.

Rules governing personal process notes:

Retention: for the duration of the active therapeutic process, then for no longer than 3 years after the therapeutic relationship ends; thereafter the notes are permanently deleted or destroyed.

9. Online consultation

The Controller also offers online consultations, primarily via FaceTime (Apple; end-to-end encrypted) and Google Meet (encrypted transmission). The platform is chosen together with the Data Subject. The Controller makes no audio or video recording of online consultations; recording is possible solely with the express, prior written consent of both parties. Online consultation is not suitable for acute psychiatric crises and does not replace emergency care.

10. Data processing on the website

The Controller's website (www.paranicilevente.hu) is a static site that places no cookies, uses no analytics or marketing tracking tools, and collects no personal data about visitors. The website is hosted by the Cloudflare Pages service. The site's fonts are served by fonts.bunny.net, an EU-based, GDPR-compliant service that stores no visitor data.

11. The Data Subject's rights

The Controller does not make decisions based solely on automated processing and does not carry out profiling.

12. Submitting and handling requests

The Data Subject may submit requests in writing to the Controller's postal or e-mail address indicated in Section 1. The Controller informs the Data Subject of the measures taken within one month of receiving the request; in justified cases this period may be extended by a further two months, of which the Data Subject is informed within the original deadline. Information and measures are free of charge on first request. Before fulfilling a request, the Controller appropriately verifies the Data Subject's identity, having regard to the special protection of health data.

13. Remedies

If the Data Subject considers that the processing has infringed their rights, it is recommended to first contact the Controller directly. The Data Subject may also lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH; 1055 Budapest, Falk Miksa utca 9–11.; postal address: 1363 Budapest, Pf. 9.; phone: +36 (1) 391-1400; e-mail: ugyfelszolgalat@naih.hu; web: www.naih.hu). Under Article 77 GDPR, a complaint may also be lodged with the supervisory authority of the EU member state of the Data Subject's habitual residence or place of work. Judicial remedy is available before the competent court.

14. Professional confidentiality

Under Section 138 of the Eütv. and the ethical rules of the Hungarian Medical Chamber, the Controller is bound by strict medical confidentiality: all information obtained in the course of psychiatric and psychotherapeutic care is protected by secrecy. Exceptions to confidentiality are solely those defined by the applicable legislation, in particular: a situation directly and gravely endangering the life of the Data Subject or the life or physical integrity of another person; a well-founded suspicion of child abuse or neglect (mandatory reporting under the child protection system); a statutory obligation to provide data to authorities or courts; a notifiable condition posing a public health risk.

15. Final provisions

The Controller reserves the right to amend this notice in line with legislative changes or changes in its activities. The version currently in force is available at www.paranicilevente.hu and at the practice. This notice is effective from its entry into force until the next amendment.