MDC PREVENTICA EOOD, Sofia, Vitosha area, 2 Donka Ushlinova Str., entr. 4
GENERAL RULES FOR THE PROTECTION OF PATIENTS' PERSONAL DATA IN MDC PREVENTICA EOOD, Sofia
This policy defines the basic principles through which MDC PREVENTICA EOOD, Sofia (Controller) processes the personal data of PATIENTS and indicates the responsibilities of departments and employees during the personal data processing.
Users of this document are all employees, permanent or temporary, and all contractors who work on behalf of MDC PREVENTICA EOOD, Sofia.
II. Applicable legislation
III. Legality of the personal data processing
Processing is legally compliant if at least one of the following conditions is met:
The data subject has consented to the processing of their personal data for one or more specific purposes;
Processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the data subject’s request prior to the conclusion of a contract;
Processing is necessary to comply with a legal obligation that applies to the controller;
The processing is necessary to protect the vital interests of the data subject or of another natural person;
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official powers conferred on the controller;
Processing is necessary for the purposes of the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
IV. Controller of personal data
For the purposes and use of this policy, the controller is MDC PREVENTICA EOOD, Sofia, Vitosha area, 2 Donka Ushlinova Str., entr. 4
The responsibility for ensuring proper processing of personal data rests with anyone who works for or with MDC PREVENTICA EOOD, Sofia and has access to the personal data processed. The persons who have access to personal data in MDC PREVENTICA EOOD, Sofia are: doctors, midwives, nurses, nursing secretaries (this refers to non-medical persons who work under the direction of a medical officer and assist in the registration and completion of normative documents such as referrals, certificates, hospital lists, etc.) and accountants (where an invoice is issued to the individual).
Our Data Protection Officer can be contacted directly here:
Website: preventica.bg
E-mail: office@preventica.bg
Telephone: 024399001
The Data Protection Officer (DPO) reports directly to the Manager of MDC PREVENTICA EOOD, Sofia.
The supervisory authority shall be the Commission for Personal Data Protection.
The Commission for Personal Data Protection is an independent public authority that provides protection for individuals in the processing of their personal data and in the access to such data.
Contacts: Address: 2 Professor Tsvetan Lazarov Blvd., 1592 Sofia
Information and Contact Center - tel. 02/91-53-518
Reception room - opening hours: 9:00 am - 5:30 pm
E-mail: kzld@cpdp.bg
Website: www.cpdp.bg
VII. Collection, processing and sharing of personal data
Personal data are used and processed only with the explicit permission of the Management of MDC PREVENTICA EOOD, Sofia. MDC PREVENTICA EOOD, Sofia must decide whether to carry out the data protection impact assessment for each data processing activity, according to the Data Protection Impact Assessment guidelines.
According to Art. 6, para. 1b of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (EU GDPR 2016/679), the processing of personal data is lawful where it is necessary to comply with a legal obligation that applies to the controller.
MDC PREVENTICA EOOD, Sofia processes personal data of patients on a statutory basis according to:
HEALTH ACT
MEDICAL ESTABLISHMENTS ACT
including their by-laws, in particular the various Regulations issued on the basis of these two laws.
In order to fulfil its legal obligations, MDC PREVENTICA EOOD, Sofia collects and processes the following personal data without the need for declared consent:
PERSONAL IDENTITY NUMBER, FULL NAME, CELL PHONE, LOCALITY,
gender, date of birth,
+ medical information
+ in cases where health insurance status is required (concerns patients who are under NHIF funding).
IF NECESSARY, FOR THE ISSUANCE OF A TEMPORARY DISABILITY DOCUMENT (sick leave note):
∙ Place of work
∙ Profession
∙ Title
∙ Address
Where it is required to correct, modify or delete personal data records, the Controller shall ensure that such requests are processed within a reasonable time.
Personal data are processed and used only for the purposes for which they were originally collected. The data collected and processed may be made available to third parties. Depending on the specific patient, their insurance and their illness, MDC PREVENTICA EOOD, Sofia provides the collected personal data to the following third parties, who are data controllers and with whom MDC PREVENTICA EOOD, Sofia has concluded agreements, namely:
If in the course of treatment it is necessary to perform specialized laboratory tests or other treatment, the data shall also be shared with the following companies, of which the patient shall be explicitly informed:
VIII. Types of Personal Data
MDC PREVENTICA EOOD, Sofia is registered under the MEDICAL ESTABLISHMENTS ACT and as such collects from data subjects both "ordinary" and "special (sensitive)" personal data:
The retention period of patients' personal data is determined on the basis of Section V of the Health Act, as well as of the medical standards. The general medical record is retained for at least 5 (five) years according to the Health Act.
Video records shall be stored for a period of not more than 30 days in accordance with the Private Security Act.
Personal data from online appointment forms shall be stored for a period of not more than 60 (sixty) days.
XI. Data Subject's Rights
Each subject shall be entitled to:
XII. Basic Principles in Personal Data Processing
XIII. Provision of Information
Provision of information in writing when collecting personal data from the data subject.
MDC PREVENTICA EOOD shall provide the data subject with information including identification of the controller, purposes of processing, recipients of personal data, storage period, etc., in a short, understandable and easily accessible form, in clear and simple language. The information shall be provided in writing or otherwise, including, where appropriate, by electronic means. If the data subject requests so, the information may be given orally, provided that the identity of the data subject is proven by other means. The information shall be provided free of charge.
In the event that the data subject intends to further process the personal data for a purpose other than that for which they were collected, MDC PREVENTICA EOOD shall provide the data subject prior to such further processing with information for that other purpose.
Provision of information in writing where the personal data do not come from the data subject
Where personal data relating to a data subject are not obtained from the data subject, MDC PREVENTICA EOOD shall provide the data subject with information including identification of the controller, purposes of processing, recipients of personal data, storage period, etc., in a short, understandable and easily accessible form, in clear and simple language. The information shall be provided in writing or otherwise, including, where appropriate, by electronic means. If the data subject requests so, the information may be given orally, provided that the identity of the data subject is proven by other means. MDC PREVENTICA EOOD shall provide the information:
Where MDC PREVENTICA EOOD intends to further process the personal data for a purpose other than that for which they were collected, it shall provide the data subject prior to such further processing with information for that other purpose.
XIV. Access to Personal Data
As a controller, MDC PREVENTICA EOOD shall provide individuals with access to their personal data.
MDC PREVENTICA EOOD shall provide confirmation within one month of receiving a request from the data subject whether personal data relating to the data subject are being processed.
Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards under Article 46 of the Regulation in relation to the transfer.
MDC PREVENTICA EOOD shall provide a copy of the personal data undergoing processing. For additional copies requested by the data subject, the controller may impose a reasonable fee on the basis of administrative costs. Where the data subject submits a request by electronic means, the information shall, where possible, be provided in a commonly used electronic form, unless otherwise requested by the data subject.
The period for the provision of the above information shall be one month from the receipt of the data subject's request, but may be extended by two months. MDC PREVENTICA EOOD shall inform the data subject of any such extension within one month of receipt of the request, indicating the reasons for the delay. If the controller fails to act on the data subject's request, it shall notify the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not acting and of the possibility to lodge a complaint with a supervisory authority and to seek judicial redress. The information shall be provided free of charge.
MDC PREVENTICA EOOD shall correct without undue delay (within one month) inaccurate personal data relating to the data subject at the data subject's request. Given the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by providing a supplementary declaration. The period may be extended by two months. MDC PREVENTICA EOOD shall inform the data subject of any such extension within one month of receipt of the request, indicating the reasons for the delay. If MDC PREVENTICA EOOD fails to act on the data subject's request, it shall notify the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not acting and of the possibility to lodge a complaint with a supervisory authority and to seek judicial redress. Rectification shall be done free of charge.
XVI. Deletion of Personal Data
MDC PREVENTICA EOOD shall delete personal data relating to the data subject without undue delay (within one month) at the data subject's request. The period may be extended by two months. MDC PREVENTICA EOOD shall inform the data subject of any such extension within one month of receipt of the request, indicating the reasons for the delay. If MDC PREVENTICA EOOD fails to act on the data subject's request, the controller shall notify the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not acting and of the possibility to lodge a complaint with a supervisory authority and to seek judicial redress. Deletion shall be done free of charge.
MDC PREVENTICA EOOD shall delete the data only if any of the following grounds is applicable:
XVII. Restriction of the Personal Data Processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future. MDC PREVENTICA EOOD undertakes to restrict the processing of data within one month at the data subject's request. The period may be extended by two months. MDC PREVENTICA EOOD shall inform the data subject of any such extension within one month of receipt of the request, indicating the reasons for the delay. If MDC PREVENTICA EOOD fails to act on the data subject's request, the controller shall notify the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not acting and of the possibility to lodge a complaint with a supervisory authority and to seek judicial redress. The restriction shall be done free of charge.
The restriction should be carried out where one of the following conditions applies, namely:
Where processing has been restricted, such data shall, with the exception of storage, be processed only with the consent of the data subject, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural person, or for important reasons of public interest of the Union or of a Member State. Where a data subject has obtained a restriction of processing, the controller shall inform the data subject before the restriction of processing is lifted.
Notification in Case of Rectification or Deletion of Personal Data or Restriction of Processing
MDC PREVENTICA EOOD is obliged to communicate any rectification, deletion or restriction of processing to any recipient to whom the personal data have been disclosed, unless this is impossible or requires disproportionate efforts. MDC PREVENTICA EOOD shall inform the data subject of these recipients if the data subject requests so.
XVIII. Ensuring the Portability of Personal Data
MDC PREVENTICA EOOD shall be obliged to provide the data subject with the personal data concerning them which the data subject has provided to it, in a structured, commonly used and machine-readable format, where the processing is based on consent or on a contractual obligation and is carried out by automated means.
MDC PREVENTICA EOOD undertakes to transfer the data within one month at the data subject's request. The period may be extended by two months. MDC PREVENTICA EOOD shall inform the data subject of any such extension within one month of receipt of the request, indicating the reasons for the delay. If MDC PREVENTICA EOOD fails to act on the data subject's request, the controller shall notify the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not acting and of the possibility to lodge a complaint with a supervisory authority and to seek judicial redress. The transfer shall be done free of charge.
XIX. Termination of the Personal Data Processing
MDC PREVENTICA EOOD undertakes to terminate the processing of personal data in the cases listed below, unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of legal claims.
or
MDC PREVENTICA EOOD undertakes to terminate the personal data processing for direct marketing purposes when the data subject objects to processing for direct marketing purposes.
XXI. Ensuring Security of Processing by Introducing Technical and Organisational Measures
MDC PREVENTICA EOOD shall introduce appropriate technical and organizational measures to ensure and be able to demonstrate that the processing of personal data is carried out in accordance with the Regulation. Those measures shall be reviewed and, where necessary, updated.
Such measures shall be:
XXII. Processing of Personal Data on behalf of MDC PREVENTICA EOOD
When processing is carried out on behalf of MDC PREVENTICA EOOD, MDC PREVENTICA EOOD is obliged to use only processors who provide sufficient guarantees that they will implement appropriate technical and organisational measures in such a way that the processing meets the requirements of the Regulation and ensures the protection of the rights of the data subjects. The processor may not engage another processor without the prior specific or general written authorisation of the controller. In the case of a general written authorisation, the processor shall always inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to those changes.
Processing by the processor shall be governed by a contract or other legal act which is binding on the processor vis-à-vis the controller and which regulates the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects and the obligations and rights of the controller.
XXIII. Cooperation with the supervisory authority
MDC PREVENTICA EOOD and the processor undertake to cooperate with the supervisory authority in the performance of its duties.
In the event of a personal data breach, MDC PREVENTICA EOOD undertakes to notify the personal data breach to the supervisory authority without undue delay and, where feasible, no later than 72 hours after having become aware of it, unless there is a likelihood that the personal data breach will pose a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not submitted within 72 hours, it shall state the reasons for the delay. The personal data processor shall notify the controller without undue delay after becoming aware of a personal data breach.
MDC PREVENTICA EOOD undertakes to document any personal data breach, including the facts related to the personal data breach, its consequences and the actions taken to address it.
XXIV. Communication of a personal data breach to the data subject
Where the personal data breach is likely to pose a high risk to the rights and freedoms of natural persons, MDC PREVENTICA EOOD shall, without undue delay, communicate the personal data breach to the data subject.
XXV. Compensation for damages suffered
MDC PREVENTICA EOOD or the personal data processor undertakes to compensate for any damage that a person may suffer as a result of data processing that violates the Regulation.
XXVI. Carrying out an impact assessment
Where certain types of processing, in particular those using new technologies, are likely, given the nature, scope, context and purposes of the processing, to pose a high risk to the rights and freedoms of natural persons, MDC PREVENTICA EOOD shall, before the processing takes place, carry out an assessment of the impact of the intended processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks. When carrying out a data protection impact assessment, the controller shall seek the opinion of the designated data protection officer.