Protection of personal data

MDC PREVENTICA EOOD, Sofia, Vitosha area, 2 Donka Ushlinova Str., entr. 4

GENERAL RULES FOR THE PROTECTION OF PATIENTS' PERSONAL DATA IN MDC PREVENTICA EOOD, Sofia

 

I. Essence

This policy defines the basic principles under which MDC PREVENTICA EOOD, Sofia (the Controller) processes the personal data of PATIENTS and sets out the responsibilities of departments and employees in the processing of personal data.

This document applies to all employees, permanent or temporary, and to all contractors who work on behalf of MDC PREVENTICA EOOD, Sofia.

 

II. Applicable legislation

  • Constitution of the Republic of Bulgaria
  • General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC - EU GDPR 2016/679)
  • Personal Data Protection Act

 

III. Lawfulness of the personal data processing

Processing is lawful only if, and to the extent that, at least one of the following conditions is met:

  • The data subject has given consent to the processing of their personal data for one or more specific purposes;
  • Processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

 

IV. Controller of personal data

For the purposes of this policy, the controller is MDC PREVENTICA EOOD, Sofia, Vitosha area, 2 Donka Ushlinova Str., entr. 4.

Responsibility for ensuring the proper processing of personal data rests with everyone who works for or with MDC PREVENTICA EOOD, Sofia and has access to the personal data processed. The persons who have access to personal data in MDC PREVENTICA EOOD, Sofia are: doctors, midwives, nurses, nursing secretaries (non-medical staff who work under the direction of a medical practitioner and assist with the registration and completion of statutory documents such as referrals, certificates, sick leave notes, etc.) and accountants (where an invoice is issued to the individual).

V. Data Protection Officer

The Data Protection Officer is the primary point of contact for employees on data protection matters and coordinates all staff members on those matters.

Our Data Protection Officer can be contacted directly here:

Website: preventica.bg

E-mail: office@preventica.bg

Telephone: 024399001

Place in the organisation:

Data Protection Officer (DPO) reports directly to the Manager of MDC PREVENTICA EOOD, Sofia.

 

VI. Supervisory Authority

The supervisory authority is the Commission for Personal Data Protection.

The Commission for Personal Data Protection is an independent public authority that protects individuals in the processing of their personal data and in the access to such data.

 

Contacts: Address: 2 Professor Tsvetan Lazarov Blvd., Sofia 1592

Information and Contact Center - tel. 02/91-53-518

Reception room - opening hours: 9:00 am - 5:30 pm

E-mail: kzld@cpdp.bg

Website: www.cpdp.bg

 

VII. Collection, processing and sharing of personal data

Personal data are used and processed only with the explicit permission of the Management of MDC PREVENTICA EOOD, Sofia. For each data processing activity, MDC PREVENTICA EOOD, Sofia decides whether a data protection impact assessment must be carried out, in accordance with the Data Protection Impact Assessment guidelines.

Under Art. 6(1)(c) of Regulation (EU) 2016/679 (GDPR), the processing of personal data is lawful where it is necessary for compliance with a legal obligation to which the controller is subject.

MDC PREVENTICA EOOD, Sofia processes the personal data of patients on a statutory basis in accordance with:

  • the Health Act;
  • the Medical Establishments Act;

including their by-laws, in particular the various Regulations issued on the basis of these two acts.

In order to fulfil its legal obligations, MDC PREVENTICA EOOD, Sofia collects and processes the following personal data without requiring the patient's consent:

  • personal identity number;
  • full name;
  • mobile phone number;
  • locality (town or city of residence);
  • gender;
  • date of birth;
  • medical information;
  • health insurance status, where required (patients whose treatment is funded by the NHIF).

Where a temporary disability document (sick leave note) must be issued, additionally:

  • place of work;
  • profession;
  • title;
  • address.

 

Where personal data records need to be rectified, modified or deleted, the Controller ensures that such requests are processed within a reasonable time.

Personal data are processed and used only for the purposes for which they were originally collected. The data collected and processed may be made available to third parties. Depending on the specific patient, their insurance and their illness, MDC PREVENTICA EOOD, Sofia provides the collected personal data to the following third parties, which are themselves data controllers and with which MDC PREVENTICA EOOD, Sofia has concluded agreements, namely:

  • National Health Insurance Fund /NHIF/,
  • National Social Security Institute /NSSI/,
  • Representatives of the Judiciary and the Prosecutor's Office
  • Executive Agency for Medical Audit /IAMO/

If, in the course of treatment, specialised laboratory tests or other treatment must be performed, the data are also shared with the following companies, of which the patient is explicitly informed:

  • MDL Cibalab EOOD, UIC 130206384
  • ACIBADEM CITY CLINIC DIAGNOSTIC AND CONSULTATION CENTER TOKUDA EAD, UIC 175092750
  • ACIBADEM CITY CLINIC UNIVERSITY TOKUDA MULTIPROPHILE HOSPITAL FOR ACTIVE TREATMENT EAD, UIC 175077093

 

VIII. Types of Personal Data

MDC PREVENTICA EOOD, Sofia is registered under the Medical Establishments Act and as such collects from data subjects both "ordinary" and "special (sensitive)" categories of personal data:

  • national civil identifier (personal identity number, foreigner identity number or other);
  • names of the patient;
  • date of birth or age;
  • insurance number (where a private insurer or payer is involved), European Health Insurance Card (EHIC) number and equivalent identifiers under the applicable regulations;
  • insurer (where a private insurer or payer is involved);
  • place of residence;
  • address (only where necessary for the issuance or completion of statutory forms such as NHIF forms, sick leave notes, etc.);
  • occupation and place of work (only where a sick leave note must be issued);
  • contact e-mail;
  • gender;
  • medical record: diagnosis, history, objective status, therapy, diagnostic and imaging tests;
  • medical documentation, in accordance with the medical standards.

 

IX. Retention Period of Personal Data

The retention period for patients' personal data is determined on the basis of Section V of the Health Act and the applicable medical standards. Under the Health Act, the general medical record is retained for at least 5 (five) years.

Video recordings are retained for no longer than 30 days, in accordance with the Private Security Act.

Personal data submitted through online appointment forms are retained for no longer than 60 (sixty) days.

 

X. Grounds for Personal Data Processing

  1. Processing is based on your consent;
  2. Processing is necessary for compliance with our legal obligations, i.e. the obligations of the medical institution to provide patients' personal data to various authorities, e.g. the Executive Agency "Medical Audit", the Regional Health Inspections (RHI), voluntary health insurance funds, the NHIF, etc.;
  3. Processing is necessary to protect your vital interests or those of another person: MDC PREVENTICA EOOD, Sofia keeps a health record (file) for every patient in order to improve future treatment and diagnosis;
  4. Storage of personal data for the collection and production of statistics for medical purposes, after anonymisation of the patients' personal data;
  5. Processing is necessary for the performance of a contract with you or for steps taken with a view to concluding a contract with you;
  6. Processing is necessary for the performance of a task carried out in the public interest.

 

XI. Data Subject's Rights

Each data subject is entitled to:

  • transparent information, communication and modalities for the exercise of their rights;
  • information to be provided where personal data are collected from the data subject;
  • information to be provided where the personal data have not been obtained from the data subject;
  • the right of access;
  • the right to rectification;
  • the right to erasure (right to be forgotten);
  • the right to restriction of processing;
  • notification of recipients in case of rectification or erasure of personal data or restriction of processing;
  • the right to data portability;
  • the right to object;
  • the right not to be subject to a decision based solely on automated processing, including profiling.

 

XII. Basic Principles of Personal Data Processing

  1. Lawfulness, fairness and transparency: the principles of fair and transparent processing require that the data subject be informed of the existence of a processing operation and of its purposes. These principles are linked to the obligation of MDC PREVENTICA EOOD, as a controller, to provide information.
  2. Purpose limitation: MDC PREVENTICA EOOD collects personal data for specified, explicit and legitimate purposes and does not further process them in a manner incompatible with those purposes.
  3. Data minimisation: personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  4. Accuracy: MDC PREVENTICA EOOD monitors the accuracy of personal data and keeps them up to date. Every reasonable step is taken to ensure that inaccurate personal data are erased or rectified without delay, having regard to the purposes for which they are processed.
  5. Storage limitation: MDC PREVENTICA EOOD keeps personal data in a form which permits identification of the data subject for no longer than is necessary for the purposes for which they are processed. Personal data may be stored for longer periods insofar as they are processed solely for archiving or statistical purposes, subject to the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject.
  6. Accountability: MDC PREVENTICA EOOD complies with the principle of accountability described in the Regulation by ensuring, and being able to demonstrate, that personal data are processed in accordance with the rules of the Regulation.
  7. Integrity and confidentiality: MDC PREVENTICA EOOD processes personal data in a manner that ensures an appropriate level of security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.

 

XIII. Provision of Information

Provision of information in writing when collecting personal data from the data subject.

MDC PREVENTICA EOOD provides the data subject with information including the identity of the controller, the purposes of the processing, the recipients of the personal data, the storage period, etc., in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information is provided in writing or by other means, including, where appropriate, by electronic means. Where the data subject so requests, the information may be provided orally, provided that the identity of the data subject is proven by other means. The information is provided free of charge.

Where MDC PREVENTICA EOOD intends to further process the personal data for a purpose other than that for which they were collected, it provides the data subject, prior to that further processing, with information on that other purpose.

Provision of information in writing where the personal data do not come from the data subject

Where personal data relating to a data subject have not been obtained from the data subject, MDC PREVENTICA EOOD provides the data subject with information including the identity of the controller, the purposes of the processing, the recipients of the personal data, the storage period, etc., in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information is provided in writing or by other means, including, where appropriate, by electronic means. Where the data subject so requests, the information may be provided orally, provided that the identity of the data subject is proven by other means. MDC PREVENTICA EOOD provides the information:

  • Within a reasonable time after receipt of the personal data, but within one month at the latest, taking into account the specific circumstances in which the personal data are processed;
  • If the data are used for contacting the data subject, upon first contacting that data subject at the latest; or
  • If disclosure to another recipient is envisaged, at the latest upon disclosure of the personal data for the first time. The information shall be provided free of charge.

Where MDC PREVENTICA EOOD intends to further process the personal data for a purpose other than that for which they were collected, it shall provide the data subject prior to such further processing with information for that other purpose.

 

XIV. Access to Personal Data

As a controller, MDC PREVENTICA EOOD provides data subjects with access to their personal data.

MDC PREVENTICA EOOD confirms, within one month of receiving a request from the data subject, whether personal data relating to the data subject are being processed.

Where personal data are transferred to a third country or to an international organisation, the data subject has the right to be informed of the appropriate safeguards under Article 46 of the Regulation relating to the transfer.

MDC PREVENTICA EOOD provides a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, the information is provided, where possible, in a commonly used electronic form, unless otherwise requested by the data subject.

The period for providing the above information is one month from receipt of the request and may be extended by a further two months where necessary. MDC PREVENTICA EOOD informs the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If the controller does not act on the data subject's request, it informs the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. The information is provided free of charge.

 

XV. Rectification of Personal Data

At the data subject's request, MDC PREVENTICA EOOD rectifies without undue delay (within one month) inaccurate personal data relating to the data subject. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement. The period may be extended by a further two months. MDC PREVENTICA EOOD informs the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If MDC PREVENTICA EOOD does not act on the data subject's request, it informs the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. Rectification is free of charge.

 

XVI. Deletion of Personal Data

At the data subject's request, MDC PREVENTICA EOOD deletes personal data relating to the data subject without undue delay (within one month). The period may be extended by a further two months. MDC PREVENTICA EOOD informs the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If MDC PREVENTICA EOOD does not act on the data subject's request, it informs the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. Deletion is free of charge.

MDC PREVENTICA EOOD deletes the data only where one of the following grounds applies:

  • The personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • The data subject withdraws the consent on which the processing is based;
  • The data subject objects to the processing pursuant to Article 21(1) of the Regulation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing of their personal data for direct marketing purposes;
  • The personal data have been unlawfully processed;
  • The personal data have to be deleted for compliance with a legal obligation under Union or Member State law to which the controller is subject;
  • The personal data have been collected in relation to the offer of information society services to a child.

Under Article 17(3)(b) of the Regulation, the right to deletion does not apply to the extent that the processing is necessary for compliance with a legal obligation to which the controller is subject, such as the statutory retention periods for medical records.

XVII. Restriction of the Personal Data Processing

Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future. MDC PREVENTICA EOOD restricts the processing of data within one month of the data subject's request. The period may be extended by a further two months. MDC PREVENTICA EOOD informs the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If MDC PREVENTICA EOOD does not act on the data subject's request, it informs the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. Restriction is free of charge.

Restriction is carried out where one of the following conditions applies:

  • The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • The processing is unlawful and the data subject opposes the deletion of the personal data and requests the restriction of their use instead;
  • The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • The data subject has objected to the processing pursuant to Article 21(1) of the Regulation, pending verification of whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted, the personal data are, with the exception of storage, processed only with the data subject's consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural person, or for reasons of important public interest of the Union or of a Member State. Where a data subject has obtained a restriction of processing, the controller informs the data subject before the restriction is lifted.

 

Notification in Case of Rectification or Deletion of Personal Data or Restriction of Processing

MDC PREVENTICA EOOD communicates any rectification, deletion or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. MDC PREVENTICA EOOD informs the data subject about those recipients if the data subject so requests.

 

XVIII. Ensuring the Portability of Personal Data

MDC PREVENTICA EOOD provides the data subject with the personal data concerning them which they have provided to it, in a structured, commonly used and machine-readable format, where the processing is based on consent or on a contract and is carried out by automated means.

MDC PREVENTICA EOOD undertakes to transfer the data within one month at the data subject’s request. The period may be extended by two months. MDC PREVENTICA EOOD shall inform the data subject of any such extension within one month of receipt of the request, indicating the reasons for the delay. If MDC PREVENTICA EOOD fails to act on the data subject's request, the controller shall notify the data subject without delay and within one month at latest of receipt of the request of the reasons for not acting and the possibility to lodge a complaint with a supervisory authority and seek judicial redress. The transfer shall be done free of charge.

 

XIX. Termination of the Personal Data Processing

The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data where the processing is based on one of the grounds listed below. In that case MDC PREVENTICA EOOD ceases the processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is needed for the establishment, exercise or defence of legal claims:

  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

or

  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

MDC PREVENTICA EOOD undertakes to terminate the personal data processing for direct marketing purposes when the data subject objects to processing for direct marketing purposes.

 

XX. Provision of Information on the Right to Object

With regard to the right to object to the processing of personal data: MDC PREVENTICA EOOD informs the data subject of their right to object at the latest at the time of the first communication with the data subject. This information is presented clearly and separately from any other information.

Right to object to the processing of personal data for direct marketing purposes: MDC PREVENTICA EOOD informs the data subject of the existence of the right to object to the processing of their personal data for direct marketing purposes, at the latest at the time of the first communication with the data subject; this information is presented clearly and separately from any other information. Where the data subject objects to processing for direct marketing purposes, MDC PREVENTICA EOOD ceases the processing of personal data for those purposes.

 

XXI. Ensuring Security of Processing by Introducing Technical and Organisational Measures

MDC PREVENTICA EOOD implements appropriate technical and organisational measures to ensure, and to be able to demonstrate, that the processing of personal data is carried out in accordance with the Regulation. Those measures are reviewed and updated where necessary.

Such measures include:

  • pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing;
  • data minimisation: only personal data that are necessary for each specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures ensure that, by default, personal data are not made accessible to an indefinite number of natural persons without the individual's intervention;
  • cooperation with the supervisory authority for the protection of personal data in the performance of the obligations arising from the Regulation;
  • limitation of the number of persons having access to the data.

 

XXII. Processing of Personal Data on behalf of MDC PREVENTICA EOOD

Where processing is carried out on its behalf, MDC PREVENTICA EOOD uses only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing meets the requirements of the Regulation and ensures the protection of the rights of data subjects. The processor may not engage another processor without the prior specific or general written authorisation of the controller. In the case of a general written authorisation, the processor informs the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

Processing by the processor shall be governed by a contract or other legal act which is binding on the processor vis-à-vis the controller and which regulates the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects and the obligations and rights of the controller.

 

XXIII. Cooperation with the supervisory authority

MDC PREVENTICA EOOD and the processor undertake to cooperate with the supervisory authority in the performance of its duties.

In the event of a personal data breach, MDC PREVENTICA EOOD notifies the breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification is not made within 72 hours, it is accompanied by the reasons for the delay. A processor notifies the controller without undue delay after becoming aware of a personal data breach.

MDC PREVENTICA EOOD undertakes to document any personal data breach, including the facts related to the personal data breach, its consequences and the actions taken to address it.

 

XXIV. Communication of a personal data breach to the data subject

Where the personal data breach is likely to pose a high risk to the rights and freedoms of natural persons, MDC PREVENTICA EOOD shall, without undue delay, be obliged to communicate the personal data breach to the data subject.

 

XXV. Compensation for damages suffered

MDC PREVENTICA EOOD or the processor compensates any person who suffers material or non-material damage as a result of processing that infringes the Regulation.

 

XXVI. Carrying out an impact assessment

Where a type of processing, in particular one using new technologies, is likely, taking into account the nature, scope, context and purposes of the processing, to result in a high risk to the rights and freedoms of natural persons, MDC PREVENTICA EOOD carries out, before the processing starts, an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks. When carrying out a data protection impact assessment, the controller seeks the advice of the designated data protection officer.