Rules for the processing and protection of personal data

Web application: www.meddiapp.com / www.meddimd.com
Mobile app: MEDDI app / MEDDI MD

MEDDI hub a.s., Na Florenci 2116/15, Nové Město, 110 00 Prague 1, ID No.: 062 30 458, registered at the Municipal Court in Prague, insert B 25071, email: info@meddihub.com (hereinafter referred to as "Operator" or "Data Controller"), is the operator of the Internet servers www.meddiapp.com and www.meddimd.com (hereinafter referred to as "Server") and the mobile applications MEDDI app and MEDDI MD (hereinafter referred to as "Applications"). The Internet Servers and/or Applications are online communication platforms in the delivery of healthcare that enable mutual electronic communication between the User-Patient and the accredited User-Provider Healthcare Provider. The subject of such communication will generally be professional consultations and expert opinions regarding the health status of the User-Patients, and within the framework of these interactions it is possible to implement encryption-secured transmission of data and other information.

These rules on the processing and protection of personal data (hereinafter referred to as "Rules") regulate all handling of personal data in the context of the use of the Server and/or the Application, unless otherwise agreed between the respective entities. In order to make full use of the Server and/or the Application, registration of the User on the Server and/or the Application is required. The terms in these Rules beginning with capital letters shall have the same meaning as assigned to them in the general business terms and conditions of the Operator (hereinafter referred to as "GTC"), unless these Rules expressly provide otherwise. The GTC are available at www.meddiapp.com or www.meddimd.com and in the MEDDI app and/or MEDDI MD.

User means User-Patient and User-Provider.

  • The User-Patient is a natural person who has reached the age of 18 years and has not been restricted in the scope of use of the Application, who has registered on the Server and/or the Application, and who, through the Server and/or the Application, requests the provision of the Services.
  • The User-Provider is a natural or legal person who is authorized to provide health services under Act No. 372/2011 Coll., on health services and conditions of their provision, and Act No. 95/2004 Coll., on the conditions for the acquisition and recognition of professional competence and specialised competence to practise the medical profession of physician, dentist and pharmacist, who has registered on the Server and/or the Application and who offers the provision of the Services through the Server and/or the Application.
  1. WHO PROCESSES YOUR PERSONAL DATA (CALLED THE DATA CONTROLLER)
    Users' personal data are processed by the Operator of the Server and/or the Application (identification data are listed above).
  2. HOW WE OBTAIN THIS PERSONAL DATA (SOURCES OF PERSONAL DATA)

    The Operator processes personal data it receives from Users of the Server and/or the Application (Data Subjects) in the context of the establishment (registration) and subsequent administration of the Users' accounts for the Server and/or the Application, and the personal data that the Operator (Data Controller) obtains when these Users use the Server and/or the Application.

    The MEDDI app can pull data from Google Fit, Health Kit (Apple Health) and other similar apps, whereby the User-Patient is always asked, when activating them, which data from these apps he or she wants to provide to the MEDDI app. The data is sent to the server www.meddiapp.com and the MEDDI mobile app via a secure and encrypted protocol at regular intervals without the need for interaction by the User-Patient, is retained in accordance with the relevant legislation for the necessary period of time and is only disclosed to the User-Patients to whom the personal data relates. The sharing of User-Patient data with the User-Provider can only be done with the User-Patient's prior consent.

  3. WHAT PERSONAL DATA ARE PROCESSED (CATEGORIES OF PERSONAL DATA)

    These Rules apply exclusively to the handling of data about natural persons. The Operator, as the Data Controller, processes:

    1. identification (in particular name, surname, insurance number and address of residence) and contact (in particular e-mail address, telephone number) personal data of Users, to the extent specified in the registration form, when setting up (registering) and administering user accounts for the Server and/or the Application,
    2. a special category of personal data, consisting of data on the health status of the User-Patient, which are obtained by the Data Controller when the User-Patient uses the Server and/or the Application or during interaction between Users,
    3. other personal data of Users obtained by the Data Controller when using the Server and/or the Application, e.g. in the context of Offers or Inquiries or during the interaction between Users.

    On the basis of the User's consent given in the Server and/or Application interface, the location data of the device used may be processed in order to offer more relevant Offers and Requests.

    In the event that the User discloses any personal data of third parties on the Server and/or in the Application, the User shall do so only in compliance with the conditions set out in the relevant legislation, including in particular obtaining any consent to the processing of personal data from such entities.

    In the event that the User discloses on the Server and/or the Application any personal data that is not provided by the Operator, he/she does so entirely voluntarily. The Operator is not obliged to use the User's personal data in order to protect the privacy of the User. and technical complexity, the Provider is obliged to search for such personal data and notify the User of its disclosure, or destroy such personal data.

    The Operator monitors and stores records of Users' activity and interactions with the content placed on the Server and/or the Application in order to store, manage and archive them for further use by the User on the Server and/or in the Application, in particular to satisfy Offers and Demands, including the possible conclusion of the relevant contract between the Users via the Server and/or Application interface. Furthermore, records of Users' activity are stored in order to increase the efficiency of the User search, tailor the content of the Server and/or Application and track User preferences within the selected region. Thus, data are stored on the frequency of visits to the Server and/or the Application, passwords searched for, displayed Offers and Requests, and actions performed within the User's account.

  4. HOW WE USE PERSONAL DATA (PURPOSES OF PROCESSING PERSONAL DATA)
    1. Processing for the purpose of concluding and performing the Contract with Users

      The Data Controller will process:

      • Personal data referred to in point 3.1. for the establishment (registration) and administration of the User's account to the Server and/or the Application,
      • Personal data referred to in point 3.2. for the purpose of disclosure to the User-Healthcare Provider at the request of the User-Patient, when these named Users interact with each other in the Server and/or Application environment,
      • The personal data referred to in point 3.2. for the purpose of storage, management and archiving in case of further use at the request of the User-Patient within the Server and/or the Application,
      • The personal data referred to in point 3.3. for the purpose of storage, management and archiving in case of further use at the request of the User-Patient within the Server and/or the Application,
      • Personal data referred to in 3.1. to 3.3. for the purpose of fulfilling other contractual obligations of the Controller towards Users arising from the Contract, in particular the GTC.

      The Operator uses personal data for the purpose of fulfilling its contractual obligations to Users, as regulated in particular in the GTC. Personal data is thus used to enable viewing of the content of the Server and/or the Application, management of the User's account, placement of Offers and Requests, and interaction between the User and the Operator and among Users for the satisfaction of their Offers and/or Requests. At the same time, personal data is processed for the purpose of User support or other actions regulated in the GTC. The processing of personal data for these purposes is carried out by the Operator to the extent strictly necessary.

      Other Users of the Server and/or the Application are provided with the personal data provided by the User to the extent necessary for the negotiation and performance of a contract between such Users through or with the assistance of the Server and/or Application solely after the User has disclosed such personal data himself or herself or after the User has authorized the interaction with another User.

    2. Processing for marketing purposes

      The Operator uses the User's contacts for marketing and sending commercial communications only if the User gives the Operator his/her express consent to use the contact details for marketing purposes. The User gives his/her consent at the time of registration or later via his/her User account. This consent is confirmed by the User as part of the completion of the registration via his/her email.

      As part of marketing activities, the Operator contacts the User in connection with information about news regarding the Server and/or the Application and their features.

      To communicate in this case, the Operator uses the telephone number or e-mail address of the User, which the User fills in on the Server and/or in the Application for this purpose, or sends messages directly via the User Interface.

      The provision of data for these purposes is entirely voluntary. You can revoke your consent to the processing of personal data for marketing purposes at any time, or change your preferences regarding the communications you receive, by clicking on the link at the bottom of each email message and selecting the appropriate settings, or by a request sent to the Operator's email address.

  5. ON THE BASIS OF WHICH WE PROCESS PERSONAL DATA (LEGAL TITLES OF PROCESSING PERSONAL DATA)

    The Operator processes personal data in the operation of the Server and/or the Application under the following titles:

    • Conclusion and performance of the Contract - Users' personal data are processed to the extent necessary for the possibility of concluding, performing and, where applicable, enforcing claims arising from the Contract concluded with the Operator;
    • Consent - The Operator is entitled to process personal data if you have given it your express consent to process them for a specific purpose, for the duration of the validity of such consent or until such consent is withdrawn; the processing of personal data on the basis of consent occurs in particular in the processing of special categories of personal data relating to the health condition of Patients or the processing of personal data for the purposes of marketing activities;
    • Legitimate interests of the Operator - personal data may also be processed in cases where certain processing is a legitimate interest of the Operator and at the same time such processing does not adversely affect the User's rights and freedoms to privacy; the processing of personal data may take place in particular for the purpose of ensuring the protection and security of Users.
  6. TO WHOM WE PROVIDE YOUR PERSONAL DATA (RECIPIENTS OF PERSONAL DATA)

    At the Operator, personal data are processed only by employees (based on an employment relationship with the Operator) and persons cooperating with the Operator on the basis of civil law contracts.

    The Operator transfers personal data to other controllers or processors only if this is necessary for the fulfilment of the individual purposes of the processing, in accordance with the relevant legal basis for the processing of personal data. In particular, the Operator transfers personal data to external legal, economic and accounting consultants, external entities providing server, cloud or IT services to the Data Controller, entities operating payment instruments, e.g. GOPAY, etc. Personal data may also be transferred on the basis of legislation to the relevant public authorities.

    The Operator does not transfer the processed personal data to a third country or an international organisation.

  7. PROCESSING PERIOD OF PERSONAL DATA

    For the purpose of fulfilling the contractual terms and conditions, the Operator processes personal data of the special categories listed in Section 3.2 for the duration of the registration, until its termination or until the User withdraws consent to the processing of such personal data. Other personal data, in particular basic personal data obtained during registration and data on the progress of the enquiry, are processed for 6 months after the end of the validity of the registration, in particular for the purpose of processing the Complaint.

  8. AUTOMATED INDIVIDUAL DECISION-MAKING, INCLUDING PROFILING

    The processing of personal data will not involve automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR.

  9. COOKIES

    The Operator does not, in an automated manner, store data on or access data stored on Users' end devices, not even with regard to the storage of technical files.

  10. HOW PERSONAL DATA IS SECURED

    The handling of personal data is carried out in full compliance with the applicable data protection legislation. When processing personal data, the Operator places great emphasis on the technical and organisational security of the processed data. We have implemented and maintain the necessary appropriate technical and organisational measures, internal controls and information security processes in accordance with best commercial practice, consistent with the possible risk to you as a data subject. We also take into account the state of technological development in order to protect your personal data against accidental loss, destruction, alteration, unauthorised disclosure or access. These measures may include, but are not limited to, measures to ensure physical security, the adoption of reasonable steps to ensure accountability of employees who have access to your data, employee training, regular backups, data recovery and incident management procedures, software protection of devices on which personal data is stored, and other measures.

    In order to ensure compliance with the rules on the processing of personal data, an internal directive on the protection of personal data has been adopted, and on the basis of this directive the Operator has implemented organisational and technical security measures to protect the personal data processed.

    All personal data is stored on electronic storage. Access to the storage is password protected and takes place through encrypted communication with the database. Within the Operator, access to personal data is limited to those employees who have an immediate need to handle it.

    In particular, under these measures, all employees and persons cooperating on the basis of civil law contracts shall be bound by a duty of confidentiality. We also require the same level of protection for the processing of personal data from our processors.

  11. WHAT RIGHTS THE USER HAS IN RELATION TO THE PROCESSING AND PROTECTION OF PERSONAL DATA

    You can apply to the Operator in connection with the processing of your personal data under the following conditions set out in Articles 15 to 22 of the GDPR:

    • Right to withdraw consent to the processing of personal data

      You may withdraw your voluntary consent to the processing of personal data at any time free of charge. Withdrawal of consent does not affect the processing of personal data that the Operator processes on a legal basis other than consent, i.e. in particular if the processing is necessary for the performance of a contract, a legal obligation or for other reasons specified in applicable law.

    • Right of access to personal data processed

      As part of your right of access to personal data, you can obtain the following information: whether your personal data are being processed by the Operator, for what purpose and what personal data are being processed, whether the personal data are transferred to other recipients, for how long personal data are processed, and information about your rights in relation to the personal data processed. At the same time, you have the possibility of obtaining a copy of the personal data processed.

    • Right to rectification of personal data processed

      As part of the right to rectification of personal data processed, you have the right to request rectification or completion of your incorrectly or incompletely processed personal data. We take reasonable measures to keep your personal data accurate and up to date. You can always contact us to ask whether we are still processing your personal data.

    • Right to erasure of personal data processed

      If you contact us with such a request, we will delete all your personal data that we hold without undue delay, if we no longer need your personal data to perform our contractual or legal obligations or for the protection of our legitimate interests as described above. You are always entitled to request erasure of the personal data processed if the Operator's legal basis for processing it is your prior consent.

    • Right to restriction of processing of personal data

      You are entitled to ask the Operator to limit the scope of processing of your personal data in the following cases: (i) you contest the accuracy of the personal data processed - the processing may be limited until a decision is made, (ii) the processing is unlawful, but you only request the restriction of processing, not complete erasure, (iii) the controller no longer needs the personal data for the establishment, exercise or defence of legal claims, or (iv) you have objected to the processing of personal data and this request has not yet been dealt with by the Operator.

    • Right to portability of processed personal data

      You are entitled to request the Operator to transfer your processed personal data in a structured, commonly used and machine-readable format for the purpose of subsequent transmission to another controller. Alternatively, you have the right to request, in technically feasible cases, that they be transmitted directly to another administrator. This right may only be exercised on condition that such a request does not adversely affect the rights and freedoms of other persons and is technically feasible.

    • Right to object to the processing of personal data

      You have the right to object in cases where your personal data is processed by the Operator on the basis of the legal title "legitimate interests of the controller" pursuant to Article 6(1)(f) GDPR. The Operator is not entitled to further process your personal data after the objection has been lodged, unless it proves compelling legitimate grounds for further processing which override your interests, rights and freedoms, or demonstrates the necessity of further processing for the establishment, exercise or defence of legal claims. In the case of personal data processed for direct marketing purposes, you may object at any time and the Operator will no longer process the personal data for this purpose.

      You are entitled to exercise the above rights with the Operator in the following ways:

      • a request in written documentary form (with an officially certified signature) delivered to the Operator's address; or
      • a request in written electronic form (e-mail with a recognised electronic signature) delivered to the Operator's e-mail address; or
      • a request in written electronic form (data message) delivered to the Operator's data box; or
      • requests in written electronic form from the email address that is listed in your user profile.

      According to the legal provisions (Article 12 GDPR), the Operator is obliged to clearly identify the applicant when dealing with the request. In the event of submitting a request in a form other than that required above, you will be requested by the Operator to identify yourself unambiguously by providing proof of identity or by resubmitting the request using one of the methods required above. This is a precautionary security measure to prevent unauthorised persons from accessing your personal data.

    • Complaint against the processing of personal data

      If you believe that the processing of your personal data by the Operator has violated the rules on the protection of personal data set out in the legislation (GDPR), you have the right to file a complaint against such processing with the Office for Personal Data Protection, located at Pplk. Sochora 27, 170 00 Prague 7. Website of the Office: www.uoou.cz.

  12. UPDATING THE PRIVACY POLICY

    We may modify or update this Privacy Policy from time to time. Any changes to this Privacy Policy will become effective when posted at the following link www.meddiapp.com.

This privacy policy is valid and effective from 14.11.2022.

MEDDI hub a.s.