Data Protection

Medical Partner Ltd.

Privacy Notice

Regarding the FOODTESTPlus Food Intolerance Test and Dietetic Evaluation

This Privacy Notice (“Notice”) informs the data subject about the personal data processed during the data processing activities set out below, in accordance with Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”).

1. Data Controller and Contact Information

Data Controller Company Name:
Medical Partner Ltd. (hereinafter: “Data Controller”)

Registered Office:
2049 Diósd, Álmos fejedelem utca 27.

Postal Address:
2049 Diósd, Álmos fejedelem utca 27.

Company Registration Number:
13-09-134939

Email Address:
hello@foodtestplus.com

The Data Protection Officer’s details of the Data Controller are as follows:

2. Processing of Personal Data in Connection with the FOODTESTPlus Food Intolerance Test

2.1 Description of the Service

The Data Controller processes the data defined below of individuals who register for the FOODTESTPlus food intolerance test for the purpose of performing the test on the person who has registered. In doing so, the registration for the food intolerance test is recorded via an electronic request form, an appointment for laboratory sample collection is arranged with the ordering party, the laboratory test is performed, and the result (report) determined during the test is sent to the ordering party.

2.2 The Group of Data Subjects

  • Patient registering for the test.
    In the event that the individual registering for the test is a child who has not yet reached the age of 18, the person exercising parental supervision over the child is also included.

2.3 Purposes of Data Processing

  1. Communication:
    To contact persons ordering the FOODTESTPlus food intolerance test in order to arrange the performance of the test (hereinafter: Communication).
  2. Sending Informative Materials:
    To send by email to the patient materials related to the test, sample collection, result interpretation, and food intolerance.
  3. Creation of a Personal Client Account:
    After prior registration, a personal client account is created for the patient (hereinafter: myFOODTESTPlus account) that ensures secure data transmission during the use of the health service and thereafter.
  4. Test Execution:
    To perform the FOODTESTPlus food intolerance test, evaluate the results, and send the test result (report) to the patient (hereinafter: Test).
    Note: In the case of laboratory sample collection, an electronic request form link is provided by email; if the electronic request form is not completed, it must be filled in on-site at the blood collection location to order the service. Completion of the electronic request form—or as a preparation thereof by prior registration—creates a personal client account for the patient (hereinafter: myFOODTESTPlus account), which ensures secure data transmission.
  5. Other:
    In the event of sample collection performed by an independent health care service provider (hereinafter: HCP) who is in a contractual relationship with the Data Controller, the data necessary for the test are transmitted by the sender to the Data Controller for the purposes of performing the test, evaluating the results, and sending the test result (report) to the sender.
  6. Fulfillment of Legal Obligations:
    The Data Controller retains and further processes certain data after performing the test in order to comply with legal obligations (hereinafter: “Fulfillment of Legal Obligations”).
  7. Follow-up:
    The Data Controller further processes the data subject’s contact information after the test for the purpose of directly requesting information from the data subject about the effectiveness of the test, any further (side) effects, and certain additional characteristics of the test, and to provide further relevant information regarding the test to the participants (hereinafter: Follow-up).

2.4 Method of Data Collection

In the case of Communication:

In the case of the Test:

  • For laboratory sample collection, the electronic request form link is provided by email; if the electronic request form is not completed, the form must be filled in on-site at the collection location. Data is collected through the completion and submission of the electronic request form and the consent statement for data processing.
    Data is collected directly from the data subject/patient.

Other:

  • In cases of sample collection and data recording performed by a physician who is independent of, but contractually related to, the Data Controller (hereinafter: HCP), the necessary data for the test are transmitted online by the submitting physician to the Data Controller.
  • In the case of paper-based data collection, the Data Controller—or in the case of data recorded by the submitting HCP, the submitter—records and stores the data of the data subject in electronic form (or transmits them in the case of the submitter) in order to realize the purpose of the data processing.

2.5 Data Processed

For Communication:

  • Surname, first name, date of birth, telephone number, email address.

For the Test:

  • Surname, first name, place and date of birth, mother’s name, address, telephone number, email address, as well as the test result (report) determined by the Data Controller.

Other – in the case of sample collection and data recording performed by an independent physician:

  • Surname, first name, place and date of birth, mother’s name, as well as the test result (report) determined by the Data Controller.

For Fulfillment of Legal Obligations:

  • The test result (report) determined by the Data Controller – retention of health data (as described in section 2.7.3).
  • Surname and first name, address – based on the requirements of the Accounting Act (as described in section 2.7.3).

For Follow-up:

  • Surname, first name, telephone number, email address.

The Data Controller is not responsible for the accuracy of the processed data; providing accurate and correct data is the responsibility of the patient. If the patient’s data change or require correction due to any typographical errors during the data processing period, the patient is entitled to have the data corrected as described in section 4.2.

2.6 Duration of Data Processing

For Communication:

  • In the case of client portal registration (myFOODTESTPlus account), until the data subject requests termination of the account.
  • In other cases, until the commencement of the test.

For the Test:

  • The data is processed until the test is performed and the test results are communicated to the patient or to the submitting HCP. After the completion of the test, the Data Controller does not delete the data but continues to process them in accordance with section 2.3.4.

For Fulfillment of Legal Obligations:

  • Based on the record retention obligation under the Accounting Act: 8 years.
  • Based on the obligation to retain health data: 30 years from the date of data collection.

For Follow-up:

  • For the period necessary to assess the effectiveness and long‑term effects of the test, up to 3 years.

2.7 Legal Basis for Data Processing

For Communication – Preparation of the Contract:
The Data Controller processes the data for the purpose of preparing the contract aimed at performing the FOODTESTPlus food intolerance test. Considering that without providing personal data the Data Controller cannot prepare the contract, the patient is obliged to provide personal data to the Data Controller. In the event that the data is not provided, the Data Controller is entitled to refuse to conclude a contract with the patient.

For the Test – Conclusion and Performance of the Contract, as well as the Data Subject’s Consent:
The Data Controller processes the data provided by the data subject in order to conclude and perform the contract for the FOODTESTPlus food intolerance test.
The test result, as health data, is processed by the Data Controller on the basis of the patient’s explicit consent and is sent to the patient or the submitting HCP (see section 2.10.1).
Considering that without providing and processing personal data the Data Controller cannot conclude and perform the contract, the patient is obliged to provide personal data to the Data Controller and, in the case of the submitting HCP, to consent to the transmission of the report by the Data Controller to the submitting HCP. If the patient does not consent to the processing of the test result, the Data Controller is entitled to refuse the performance of the contract.

For Fulfillment of Legal Obligations – Legal Obligation:
The Data Controller processes the data in order to fulfill the following legal obligations:

  • The obligation to retain records prescribed by the Accounting Act: section 169(2) of Act C of 2000,
  • The obligation to retain health data: section 30(1) of Act XLVII of 1997,
  • Data transmission to the Electronic Health Services Space (EESZT): The obligation prescribed for the Data Controller pursuant to Act XLVII of 1997 on the processing and protection of health and related personal data (section 35/N) as well as the detailed rules regarding the Electronic Health Services Space set out in Regulation 39/2016 (XII. 21.) EMMI. The detailed data processing information for the EESZT is available at: https://eegeszsegugy.gov.hu/GDPR.
    Considering that the data processing under this point is a legal obligation of the Data Controller, providing personal data is mandatory; failure to provide the data may result in the refusal to conclude or perform the contract.

For Follow-up – Legitimate Interest:
The Data Controller has its own legitimate interest as well as a public interest in further developing the Test, increasing the accuracy of the test results obtained during the Test, and enhancing the safety of the Test, for which it collects experiential information not otherwise obtainable by later contacting the test participants. For this purpose, the contact data of the data subjects who participated in the Test are processed on the basis of Article 6(1)(f) of the GDPR.

2.8 Processing of Children’s Data

2.8.1

If the FOODTESTPlus food intolerance test is performed on a child under the age of 18, the Data Controller processes, for the purpose of the test, the following data of the child:

  • Surname, first name, place and date of birth, mother’s name, address, as well as the test result (report) determined by the Data Controller.

If the FOODTESTPlus food intolerance test is performed on a child under the age of 18, the Data Controller also processes the following data of the person exercising parental supervision over the child:

  • Surname and first name, address, email address, telephone number.

If the FOODTESTPlus food intolerance test is performed on a child under the age of 18, the test report is sent to the myFOODTESTplus account of the parent exercising parental supervision.

2.8.2

In the case of a test performed on a child under 18, where, according to this policy, consent is required for the processing of personal data, the consent is given by the parent exercising parental supervision. The parent must state in the consent that they are entitled to exercise parental supervisory rights over the child.

2.9 Access to Data by the Data Controller

Access to the processed data is granted by the Data Controller to the following persons:

  • Data Protection Officer
  • Test Coordinator
  • Laboratory staff

2.10 Data Transfer

Data is transferred to:

Independent Data Controller:
(No further details provided in the original text regarding the independent data controller’s registered office or task.)

Health Service Providers:

  • Through the test performed by the HCP, data collection, sample collection, and the completion of the consent statement for processing health data are carried out. The HCP transmits the sample to the Data Controller for the purpose of performing the test, after which the test result is sent by the Data Controller to the submitting HCP, as an independent data controller. The name of the respective health service provider is specified in the individual consent statements.

Data Processors:

  • Data Processor: United Parcel Service, Inc., and our subsidiaries and affiliated companies (collectively “UPS”)
    Registered Office: Ave Ariane 5 Brussels, B-1200, Belgium
    Task: Transportation of the collected sample to the Data Controller performing the test.
  • Data Processor: Hexagon Consulting Ltd.
    Registered Office: 1135 Budapest, Lehel utca 61, 6th floor, office 604.
    Task: Development and operation of the myFOODTESTPlus IT system.

2.11 Automated Decision-Making and Profiling

The Data Controller does not perform automated decision-making, including profiling.

3. Processing of Data in Connection with the Written Dietetic Evaluation

3.1 Description of the Service

On the website myfoodtestplus.com, after prior registration, a personal client account is created for the patient (hereinafter: myFOODTESTplus account) which ensures secure data transmission. Registration is carried out via the account using a questionnaire; based on the personal data provided (including the provision of health data) and the result of the food intolerance test, a personalized written dietetic consultation is prepared. The completed written dietetic consultation is delivered by the Data Controller to the patient through the patient’s myFOODTESTplus account, and the patient is also notified by email.

3.2 Group of Data Subjects

  • The patient applying for the written dietetic evaluation.
    In the event that the individual applying for the test is a child under the age of 18, the person exercising parental supervision over the child is also included.

3.3 Purposes of Data Processing

  1. Dietetic Evaluation:
    To provide a personalized written dietetic evaluation based on the result of the FOODTESTPlus food intolerance test and the data provided by the patient ordering the consultation, by preparing a summary material detailing the recommended diet plan and its specifics, and to deliver it to the patient via the myFOODTESTplus account (hereinafter: Dietetic Evaluation).
  2. Fulfillment of Legal Obligations:
    The Data Controller retains and further processes certain data after the evaluation in order to fulfill legal obligations (hereinafter: Fulfillment of Legal Obligations).

3.4 Method of Data Collection

For Written Dietetic Evaluation:

  • Online – by filling in the questionnaire available in the personal client account.
    Data is collected directly from the data subject/patient.

3.5 Data Processed

For the Written Dietetic Evaluation, the following data are processed, as well as the answers provided to the questions, as personal data:

  • Surname and first name
  • Gender
  • Date of birth
  • Telephone number
  • Email address
  • “Do you perform physical or intellectual work?”
  • Height (cm)
  • Weight (kg)
  • Has there been any change in weight in the last 3 months?
    • If yes, how did your weight change?
    • What was the weight change in kilograms?
  • Your level of physical activity?
  • Based on which symptoms do you suspect food intolerance?
  • What other symptoms do you experience?
  • Have you been examined for the above complaints?
  • Are your complaints chronic?
    • If yes, have the causes of your complaints been determined?
  • Are you following any doctor-prescribed diet?
    • If yes, which diet?
    • If you follow any other diet, what is it?
  • Do you adhere to your dietary regimen?
  • Have you experienced nausea after consuming food or beverages? If yes, which ones?
  • Have you previously been medically diagnosed with gluten sensitivity (celiac disease)?
  • Have you previously been medically diagnosed with lactose intolerance?
  • Have you previously been diagnosed with an IgE-mediated food allergy?
    • If yes, to which foods are you allergic? (This is not referring to the food intolerance test results)
  • Questions regarding the dietary regimen.
  • The result of the food intolerance test (report).

For Fulfillment of Legal Obligations:

  • The test result (report) determined by the Data Controller – retention of health data (as provided in section 3.7.4).
  • Surname, first name, address – based on the requirements of the Accounting Act (as provided in section 3.7.4).

The Data Controller is not responsible for the accuracy of the processed data; providing accurate and correct data is the patient’s responsibility. Should the patient’s data change or require correction due to any typographical error during the period of data processing, the patient is entitled to have the data corrected as described in section 4.2.

3.6 Duration of Data Processing

For Written Dietetic Evaluation:

  • The data is processed for the duration of the consultation. After the consultation is completed, the Data Controller does not delete the data, but continues processing them in accordance with section 3.3.2.

For Fulfillment of Legal Obligations:

  • Based on the record retention obligation under the Accounting Act: 8 years.
  • Based on the obligation to retain health data: 30 years from the date of data collection.

3.7 Legal Basis for Data Processing

For Written Dietetic Evaluation – Conclusion and Performance of the Contract, as well as the Data Subject’s Consent:
The Data Controller processes the personal data provided by the data subject for the purpose of providing the Dietetic Consultation in order to conclude and perform the contract, whereas the special (health) data provided during the evaluation is processed based on the patient’s explicit consent.
Considering that without providing and processing personal data the Data Controller cannot conclude and perform the contract, the patient is obliged to provide personal data to the Data Controller and, in the case of the submitting HCP, to consent to the transmission of the report by the Data Controller to the submitting HCP. If the patient does not consent to the processing of health data, the Data Controller is entitled to refuse the performance of the contract.

For Fulfillment of Legal Obligations – Legal Obligation:
The Data Controller processes the data in order to fulfill the following legal obligations:

  • The obligation to retain records prescribed by the Accounting Act: section 169(2) of Act C of 2000,
  • The obligation to retain health data: section 30(1) of Act XLVII of 1997.
    Considering that the processing under this point is a legal obligation of the Data Controller, providing personal data is mandatory; failure to provide may result in the refusal to conclude or perform the contract.

3.8 Processing of Children’s Data

3.8.1

If the written dietetic evaluation is carried out in relation to a child under the age of 18, the Data Controller processes, for the purpose of the evaluation, the following data of the child:

  • Surname and first name
  • Gender
  • Date of birth
  • The person exercising parental supervision (name; email address, address, telephone number)
  • “Do you perform physical or intellectual work?”
  • Height (cm)
  • Weight (kg)
  • Has there been any change in weight in the past 3 months?
    • If yes, how did your weight change?
    • What was the weight change in kilograms?
  • Your level of physical activity?
  • Based on which symptoms do you suspect food intolerance?
  • What other symptoms do you experience?
  • Have you been examined for the above complaints?
  • Are your complaints chronic?
    • If yes, have the causes of your complaints been determined?
  • Are you following any doctor-prescribed diet?
    • If yes, which diet?
    • If you follow any other diet, what is it?
  • Do you adhere to your dietary regimen?
  • Have you experienced nausea after consuming food or beverages? If yes, which ones?
  • Have you previously been medically diagnosed with gluten sensitivity (celiac disease)?
  • Have you previously been medically diagnosed with lactose intolerance?
  • Have you previously been diagnosed with an IgE-mediated food allergy?
    • If yes, to which foods are you allergic? (Not referring to the food intolerance test results)
  • Questions regarding the dietary regimen.
  • The result of the food intolerance test (report).

If the written dietetic evaluation is carried out in relation to a child under 18, the Data Controller also processes the following data of the person exercising parental supervision:

  • Surname and first name, address, email address, telephone number.

If the written dietetic evaluation is carried out in relation to a child under 18, the report is sent to the parent exercising parental supervision.

3.8.2

For an evaluation concerning a child under 18, in cases where, according to this policy, consent is required for the processing of personal data, consent is provided by the parent exercising parental supervision. The parent must state in the consent that they are authorized to exercise parental supervisory rights over the child.

3.9 Access to Data by the Data Controller

Access to the processed data is granted by the Data Controller to the following persons:

  • Data Protection Officer
  • Dietitian
  • Nutrition Consultant

3.10 Data Transfer

Data is transferred to:

Data Processors:

  • Data Processor: Hexagon Consulting Ltd.
    Registered Office: 1135 Budapest, Lehel utca 61, 6th floor, office 604.
    Task: Development and operation of the myFOODTEST IT system.
  • Data Processor: Majoross Nóra – Dietitian
  • Data Processor: Várallyay Gabriella e.v. – Dietitian, Functional Nutrition Consultant

3.11 Automated Decision-Making and Profiling

The Data Controller does not perform automated decision-making, including profiling.

4. Rights of the Data Subject

4.1 Right of Access

The Data Subject is entitled to obtain from the Data Controller confirmation as to whether their personal data are being processed, and if so, to obtain access to the personal data and to the following information:

  • The purposes of the data processing with respect to the personal data in question,
  • The categories of personal data,
  • The categories of recipients to whom the personal data have been or will be disclosed, including, in particular, recipients in third countries or international organizations (in the case of data transfers to third countries or international organizations, the Data Subject is entitled to request information on whether the transfers are made under appropriate safeguards),
  • The intended duration of storage of the personal data, or, if that is not possible, the criteria used to determine that period,
  • The rights of the Data Subject (the right to rectification, erasure or restriction of processing, the right to data portability, as well as the right to object to such processing),
  • The right to lodge a complaint with a supervisory authority,
  • If the data was not obtained from the Data Subject, any available information regarding its source.

If the Data Subject submits their request electronically, the requested information shall be provided in a widely used electronic form, unless the Data Subject requests otherwise.

The Data Controller may, prior to fulfilling the request, ask the Data Subject to clarify the content of the request, the requested information, or the specific data processing activities.

If the Data Subject’s right of access adversely affects the rights and freedoms of others – in particular, trade secrets or intellectual property – the Data Controller is entitled to refuse to fulfill the request to the extent necessary and proportionate.

Should the Data Subject request the information in multiple copies, the Data Controller is entitled to charge a fee proportional to the administrative costs incurred.

If the personal data indicated by the Data Subject are not processed by the Data Controller, the Data Controller shall also inform the Data Subject in writing.

Right to Rectification

The Data Subject is entitled to request the rectification of personal data concerning them. If the personal data are incomplete, the Data Subject is entitled to request that they be completed.

The Data Subject may request rectification or completion exclusively in writing – either by postal mail sent to 2049 Diósd, Álmos fejedelem utca 27 or by email sent to support@foodtestplus.com.

In exercising the right to rectification or completion, the Data Subject must indicate which data are inaccurate or incomplete and must also provide the Data Controller with the accurate and complete data. The Data Controller is entitled, in justified cases, to ask the Data Subject to prove the corrected data in an appropriate manner (primarily by documentary evidence).

The Data Subject shall effect the rectification or completion without undue delay.

Following the fulfillment of the Data Subject’s request for rectification, the Data Controller shall immediately inform those persons with whom the Data Subject’s personal data were disclosed, unless this is impossible or would require disproportionate effort. At the request of the Data Subject, the Data Controller shall inform them of these recipients.

Right to Erasure (“Right to be Forgotten”)

The Data Subject is entitled to request that the Data Controller erase their personal data without undue delay if any of the following conditions applies:

  • The personal data provided by the Data Subject are no longer necessary for the purpose for which they were collected or processed,
  • The Data Controller processed the personal data (including special categories of data) on the basis of the Data Subject’s consent, the Data Subject withdraws their consent in writing, and there is no other legal basis for the processing,
  • The Data Subject objects to the processing based on the Data Controller’s legitimate interest, and there is no compelling legal reason for the processing that prevails over the Data Subject’s interests, rights, and freedoms,
  • The Data Controller has processed the personal data unlawfully,
  • The Data Controller is required to erase the data in order to comply with a legal obligation,
  • The Data Subject objects to the processing and there is no overriding legitimate reason for the processing.

The request for erasure must be submitted in writing and must specify which personal data are to be erased and on what grounds.

If the Data Controller complies with the Data Subject’s erasure request, it shall delete the personal data from all its records and inform the Data Subject accordingly.

In the event that the Data Controller is obliged to erase the personal data, the Data Controller shall take all reasonable measures – including technical measures – to inform any other data controllers to whom the personal data have been disclosed so that they erase the data as well. The Data Controller shall, in its notification, inform these other data controllers that the personal data are to be erased, including the deletion of links to such personal data or copies thereof.

Following the fulfillment of the Data Subject’s right to erasure, the Data Controller shall promptly inform those persons to whom the Data Subject’s personal data were disclosed, unless this is impossible or would require disproportionate effort. At the request of the Data Subject, the Data Controller shall inform them of these recipients.

The Data Controller is not obliged to erase the personal data in cases where the processing is necessary:

  • For the exercise of the right to freedom of expression and information,
  • For compliance with a legal obligation imposed on the Data Controller,
  • For the performance of a task carried out in the public interest or in the exercise of official authority,
  • For the realization of public interest in the area of public health,
  • For archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes, provided that the exercise of the Data Subject’s right to be forgotten would likely render impossible or seriously jeopardize the processing,
  • For the establishment, exercise, or defense of legal claims.

Right to Restriction of Processing

The Data Subject is entitled to request that the Data Controller restrict the processing of their personal data if one of the following conditions applies:

  • The Data Subject contests the accuracy of the personal data (in which case the restriction remains until the Data Controller verifies the accuracy),
  • The Data Controller has processed the personal data unlawfully, but the Data Subject requests restriction rather than erasure,
  • The Data Controller no longer requires the personal data for the processing purposes, but the Data Subject needs them for the establishment, exercise, or defense of legal claims,
  • The Data Subject objects to the processing of the personal data based on the Data Controller’s legitimate interest and there is no overriding legal reason for the processing; in this case, the restriction remains in force until it is determined whether the Data Controller’s legitimate interest prevails over the Data Subject’s rights.

In the event of restriction, the personal data shall be stored (except for the purpose of storage) and shall not be further processed except with the Data Subject’s consent, for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of public interest or important public interest in an EU or Member State.

The Data Controller shall inform the Data Subject in advance when the restriction is lifted.

Following the fulfillment of the Data Subject’s right to restrict processing, the Data Controller shall immediately inform those persons to whom the Data Subject’s personal data were disclosed, unless this is impossible or would require disproportionate effort. At the Data Subject’s request, the Data Controller shall provide information about these recipients.

Right to Object

Since the Data Controller does not process personal data on the basis of public interest or in the exercise of official authority, but may process data based on its legitimate interests, the right to object may arise for such processing.

If the processing is based on the Data Controller’s legitimate interests, the Data Subject is entitled to object to the processing of their personal data. In such cases, the Data Controller shall cease further processing of the personal data unless it can demonstrate that:

  • The processing is justified by compelling legitimate reasons on the part of the Data Controller which prevail over the Data Subject’s interests, rights, and freedoms, or
  • The processing is related to the Data Controller’s legal claims, exercise, or defense.

Right to Object in the Case of Direct Marketing:
The Data Subject is entitled to object to the processing of their personal data for direct marketing purposes carried out by the Data Controller. In contrast to processing based on legitimate interests, in the event of an objection the Data Controller shall not evaluate whether it may continue processing the data, but must cease processing for that purpose immediately.

If the Data Subject objects to the processing for direct marketing, the Data Controller shall no longer process the data for that purpose.

Right to Data Portability

The Data Subject is entitled to receive the personal data concerning them, which are processed by the Data Controller, in a structured, commonly used, machine-readable format and is entitled to have these data transmitted to another data controller without hindrance from the Data Controller.

The right to data portability applies to personal data that:

  • The Data Subject has provided to the Data Controller,
  • The processing is based on the Data Subject’s consent or on a contractual basis,
  • And the processing is carried out by automated means.

If technically feasible, the Data Controller shall, upon request, transmit the data directly to the data controller indicated by the Data Subject without creating an obligation for the data controllers to implement technically compatible systems.

The Data Controller shall provide the data portability free of charge.

If the right to data portability adversely affects the rights and freedoms of others (e.g., trade secrets or intellectual property), the Data Controller is entitled to refuse the request to the necessary extent.

Data portability does not mean that the data are deleted; the Data Controller shall retain the data for as long as it has a proper purpose or legal basis for processing them.

4.7 Right to Legal Recourse

4.7.1 Contacting the Data Controller
If the Data Subject considers that the processing of their personal data by the Data Controller is detrimental to them, they should contact the Data Controller at any of the contact addresses specified in section 1 of this Notice. The Data Controller is committed to upholding the rights related to the processing of personal data and will carefully investigate any complaint and inform the Data Subject of the outcome.

4.7.2 Right to Bring a Lawsuit (Right to Initiate Proceedings)
The Data Subject – independent of the right to lodge a complaint – may bring a lawsuit if the processing of their personal data has violated their rights under the GDPR.

A lawsuit against the Data Controller, which has its domestic place of business in Hungary, may be initiated before Hungarian courts.

The Data Subject may also initiate the lawsuit before the court in their place of residence, in accordance with the current provisions of Section 22(1) of the Information Act. Information on Hungarian courts is available at: http://birosag.hu/torvenyszekek.

Considering that the Data Controller does not act as a public authority exercising official powers, the Data Subject may also initiate proceedings before the competent court in the EU Member State where they have their habitual residence.

4.7.3 Right to Lodge a Complaint
If the Data Subject considers that the processing of their personal data by the Data Controller violates applicable data protection laws, in particular the provisions of the GDPR, they are entitled to lodge a complaint with the National Authority for Data Protection and Freedom of Information.

The National Authority for Data Protection and Freedom of Information may be contacted as follows:

  • Website: http://naih.hu/
  • Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
  • Postal Address: 1530 Budapest, Pf.: 5.

The Data Subject is also entitled to lodge a complaint with another supervisory authority established in the EU Member State where they have their habitual residence, place of work, or where the alleged infringement occurred.

4.7.4 Other Legal Redress Options
The Data Subject is entitled to delegate the lodging of a complaint, to have the decision of the supervisory authority reviewed by a court, to initiate legal proceedings, and to assert their right to compensation by engaging a nonprofit organization or association established in accordance with the law of an EU Member State whose objectives include serving the public interest and protecting the rights and freedoms of data subjects with respect to personal data.

Other Provisions

If the Data Controller has reasonable doubts regarding the identity of the person submitting a request under sections 4.1–4.6, the Data Controller may require the provision of additional information necessary to verify the identity.

The Data Controller reserves the right to modify this Notice at any time. In the event of any modifications, the Data Controller will notify the Data Subject by publishing the updated Notice on its website at least 3 days prior to the modifications coming into effect.

Diósd, 2025.01.20

Medical Partner Ltd.
Acting on behalf of the Company: Schuman Ádám, Chief Executive Officer