Privacy Notice
Private psychiatry and psychotherapy practice — Dr. Levente Attila Paranici, sole proprietor
Effective from: 8 July 2026
This translation is provided for information purposes. The official, legally binding version is the Hungarian version.
Introduction
The purpose of this notice is for Dr. Levente Attila Paranici, sole proprietor (hereinafter: the Controller), to provide patients (hereinafter: the Data Subject) with clear, concise and easily understandable information about the processing of personal and health data in the context of his private psychiatry and psychotherapy practice.
The Controller processes data in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and in compliance with the following legislation: Regulation (EU) 2016/679 (GDPR); Hungarian Act CXII of 2011 on Informational Self-Determination (Infotv.); Hungarian Act CLIV of 1997 on Healthcare (Eütv.); Hungarian Act XLVII of 1997 on the Processing and Protection of Health Data (Eüak.); the legislation governing the Hungarian Electronic Health Service Space (EESZT), in particular EMMI Decree 39/2016 (XII. 21.); and Hungarian Act C of 2000 on Accounting (Számv. tv.). Terms used in this notice have the meaning defined in Article 4 GDPR and Section 3 of the Eüak.
1. The Controller's details
| Name | Dr. Levente Attila Paranici, sole proprietor |
|---|---|
| Professional capacity | psychiatrist, psychotherapist |
| Registered seat / practice address | 4400 Nyíregyháza, Pazonyi tér 9–10., ground floor 1., Hungary |
| Tax number | 68432502-1-35 |
| Phone | +36 70 501 5012 |
| paranici.levente@gmail.com | |
| Website | www.paranicilevente.hu |
Under Article 37 GDPR, the Controller is not obliged to appoint a data protection officer (DPO); for any data protection matter, the Data Subject may contact the Controller directly at the details above.
2. Categories of data processed, purposes and legal bases
| Data category | Specific data | Purpose / legal basis |
|---|---|---|
| Identification and contact data | name, birth name, place and date of birth, mother's name, social security number (TAJ), address, phone number, e-mail address | identification, communication, keeping medical records; Art. 6(1)(b), (c) GDPR; Sec. 4 Eüak. |
| Health data | medical history, current complaints, mental status, diagnoses (ICD code), medication, treatment recommendation, treatment documentation, outpatient reports | establishing a diagnosis, treatment plan, documenting care, legal obligation; Art. 9(2)(h) GDPR; Sec. 4 Eüak.; Sec. 136 Eütv. |
| Invoicing data | name, billing address, date of service, amount | issuing invoices, accounting obligation; Art. 6(1)(c) GDPR; Sec. 169 Számv. tv. |
| Appointment and contact data | name, phone number, e-mail address, requested appointment, information voluntarily provided by the Data Subject | scheduling, responding to enquiries; Art. 6(1)(b), (a) GDPR (consent) |
| Personal psychotherapy process notes | the treating professional's own reflections, personal notes on the therapeutic process | exclusively for the professional's internal use; details in Section 8; Art. 6(1)(f) GDPR (legitimate interest) |
Where processing is based on the Data Subject's consent, it may be withdrawn at any time; withdrawal does not affect the lawfulness of prior processing. For the establishment, exercise or defence of legal claims, the Controller may process the necessary data under Art. 6(1)(f) GDPR (legitimate interest).
3. Source of the data
The primary source of the data processed is the Data Subject. With the Data Subject's consent, the Controller may also process documents originating from other healthcare providers (e.g. referral, previous discharge summary). Health data may be obtained from third parties without consent solely in cases defined by law.
4. Retention periods
| Type of data | Retention period |
|---|---|
| Medical documentation (outpatient reports, medical history) | at least 30 years from recording (Sec. 30(1) Eüak.) |
| Discharge summary | at least 50 years (Sec. 30(1) Eüak.) |
| Accounting documents (invoices) | 8 years (Sec. 169 Számv. tv.) |
| Appointment and contact data | until the treatment relationship ends or consent is withdrawn; where no treatment relationship is established, no longer than 6 months after the enquiry is answered |
| Personal psychotherapy process notes | for the duration of the active therapeutic relationship, then no longer than 3 years after its conclusion |
Upon expiry of the retention period, the Controller permanently deletes or physically destroys the data.
5. Data processors
The Controller engages the following data processors, which may act, in accordance with Article 28 GDPR, solely on the Controller's instructions:
| Processor | Activity | Data concerned |
|---|---|---|
| Cloudent (healthcare software) | software supporting medical record keeping and communication with the EESZT system | identification data, health data, outpatient reports |
| CloudEHR (online invoicing module) | issuing and storing electronic invoices; automated data reporting to the Online Invoice system of the Hungarian Tax Authority (NAV), as required by law | invoicing data (name, address, date of service, amount) |
| Cloudflare, Inc. (Cloudflare Pages) | static hosting and content delivery for the website; the website collects no personal data and uses no cookies | technical log data (IP address) generated when visiting the website, held by the hosting provider |
| Google Ireland Limited (Ireland) | e-mail service (Gmail), online consultation platform (Google Meet) | data shared in e-mail correspondence, communication transmitted during online consultations |
| Apple Distribution International Ltd. (Ireland) | online consultation platform (FaceTime), with end-to-end encryption | communication transmitted during online consultations |
| Accounting service provider | bookkeeping and tax services; the accountant has no access to personal data identifying Data Subjects — only invoice numbers and amounts are shared | no direct access to personal data; aggregated financial data |
6. Data transfers – recipients
The Controller transfers data to third parties solely in the following cases:
- Hungarian Electronic Health Service Space (EESZT): on a mandatory basis, in fulfilment of a legal obligation (Art. 6(1)(c) and Art. 9(2)(h) GDPR; EMMI Decree 39/2016 (XII. 21.)).
- National Tax and Customs Administration of Hungary (NAV): under the invoice data reporting obligation (Annex 10 of the Hungarian VAT Act), in an automated manner via the CloudEHR invoicing module. The reporting covers solely the accounting content of invoices; diagnoses, treatment or other health data are not transferred.
- Other healthcare provider (referral, consultation, transfer of care): to the extent necessary for care, based on the Data Subject's consent (Art. 9(2)(h) GDPR).
- Authorities, courts: solely under a legal obligation, upon a documented official request.
- A third party designated by the Data Subject: upon the Data Subject's express written request.
The Controller does not transfer data to third countries (outside the EEA). The Google and Apple services used operate within the European Economic Area; regarding Cloudflare, Inc. (USA), the website's hosting provider, any third-country processing is safeguarded by the EU–US Data Privacy Framework and the EU Standard Contractual Clauses (SCC). The Controller does not conduct regular settlements with insurers or other funders within the private practice.
7. Data security measures
In accordance with Article 32 GDPR, the Controller applies technical and organisational measures proportionate to the risks, in particular: devices protected by strong, unique passwords; electronic medical documentation stored in an encrypted folder; access restriction (only the Controller has access to personal data); regular backups; paper documents stored in a lockable place; two-factor authentication for EESZT access as required by law.
In the event of a data breach, the Controller acts in accordance with Articles 33–34 GDPR: where required, it notifies the supervisory authority within 72 hours and, in case of high risk, informs the Data Subject without undue delay.
8. Personal psychotherapy process notes
In the course of psychotherapeutic work, the Controller may create personal working notes (in the professional literature: "personal notes", "therapist's process notes"), which, from a legal and professional standpoint, do not form part of the official medical documentation. These notes serve exclusively the professional support of the therapeutic process, psychotherapeutic reflection and the tracking of therapeutic dynamics.
Rules governing personal process notes:
- they are not uploaded to the EESZT system;
- they are not part of the outpatient report or any other official medical documentation;
- they are not accessible to third parties and are not released;
- they serve exclusively the Controller's own professional use as treating clinician;
- they are stored separately and securely, in line with data protection and confidentiality principles;
- in the event of a request from an authority or court, they are handled in accordance with, and within the limits of, the applicable legislation.
Retention: for the duration of the active therapeutic process, then for no longer than 3 years after the therapeutic relationship ends; thereafter the notes are permanently deleted or destroyed.
9. Online consultation
The Controller also offers online consultations, primarily via FaceTime (Apple; end-to-end encrypted) and Google Meet (encrypted transmission). The platform is chosen together with the Data Subject. The Controller makes no audio or video recording of online consultations; recording is possible solely with the express, prior written consent of both parties. Online consultation is not suitable for acute psychiatric crises and does not replace emergency care.
10. Data processing on the website
The Controller's website (www.paranicilevente.hu) is a static site that places no cookies, uses no analytics or marketing tracking tools, and collects no personal data about visitors. The website is hosted by the Cloudflare Pages service. The site's fonts are served by fonts.bunny.net, an EU-based, GDPR-compliant service that stores no visitor data.
11. The Data Subject's rights
- Right of access (Art. 15 GDPR): to request information about the data processed and a copy thereof.
- Right to rectification (Art. 16): to have inaccurate data corrected and incomplete data completed.
- Right to erasure (Art. 17): to request the deletion of data in the cases defined by the GDPR. Erasure cannot be carried out where processing is based on a legal obligation (in particular the mandatory retention of medical documentation under Sec. 30 Eüak.).
- Right to restriction of processing (Art. 18): in the cases defined by the GDPR.
- Right to data portability (Art. 20): to receive data processed on the basis of consent or contract in a structured, machine-readable format.
- Right to object (Art. 21): to object to processing based on legitimate interest.
- Withdrawal of consent (Art. 7(3)): consent may be withdrawn at any time where processing is based on consent.
The Controller does not make decisions based solely on automated processing and does not carry out profiling.
12. Submitting and handling requests
The Data Subject may submit requests in writing to the Controller's postal or e-mail address indicated in Section 1. The Controller informs the Data Subject of the measures taken within one month of receiving the request; in justified cases this period may be extended by a further two months, of which the Data Subject is informed within the original deadline. Information and measures are free of charge on first request. Before fulfilling a request, the Controller appropriately verifies the Data Subject's identity, having regard to the special protection of health data.
13. Remedies
If the Data Subject considers that the processing has infringed their rights, it is recommended to first contact the Controller directly. The Data Subject may also lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH; 1055 Budapest, Falk Miksa utca 9–11.; postal address: 1363 Budapest, Pf. 9.; phone: +36 (1) 391-1400; e-mail: ugyfelszolgalat@naih.hu; web: www.naih.hu). Under Article 77 GDPR, a complaint may also be lodged with the supervisory authority of the EU member state of the Data Subject's habitual residence or place of work. Judicial remedy is available before the competent court.
14. Professional confidentiality
Under Section 138 of the Eütv. and the ethical rules of the Hungarian Medical Chamber, the Controller is bound by strict medical confidentiality: all information obtained in the course of psychiatric and psychotherapeutic care is protected by secrecy. Exceptions to confidentiality are solely those defined by the applicable legislation, in particular: a situation directly and gravely endangering the life of the Data Subject or the life or physical integrity of another person; a well-founded suspicion of child abuse or neglect (mandatory reporting under the child protection system); a statutory obligation to provide data to authorities or courts; a notifiable condition posing a public health risk.
15. Final provisions
The Controller reserves the right to amend this notice in line with legislative changes or changes in its activities. The version currently in force is available at www.paranicilevente.hu and at the practice. This notice is effective from its entry into force until the next amendment.