Personal Data Protection Policy and CCTV Policy of the Companies Within the Group Derma Act

Personal Data Protection Policy and CCTV Policy

This Policy applies to "Medical Center Derma Act EOOD", a company with registered office, management address and correspondence address in Bulgaria, Sofia, 150 "Cherni vrah" Blvd, UIC 203973510, which together with its subsidiaries/affiliates (listed in Appendix No. 1) constitutes the group of Bulgarian enterprises DERMA ACT (hereinafter referred to as the "Group/s" or the "Clinic").

All companies of the Group are controllers of personal data and process personal data in accordance with the requirements of the Regulation and the current Bulgarian legislation. The policy also applies to the collection, processing and sharing of personal data for internal administrative purposes between companies within the Group.

In view of the safety and security of the employees, visitors, the CLINIC building and the personal data processed, DERMA ACT (hereinafter referred to as the CLINIC) uses a CCTV system in some areas of its buildings, and records all incoming calls to the CLINIC. The policy regarding the use of CCTV systems and sound recordings describes the CLINIC's CCTV and sound recording system, the safety and personal data protection measures undertaken, the privacy policy, and the other rules and legitimate interests of the individuals who are within the range of the cameras.

This policy defines the procedures which need to be followed in processing personal data. The procedures and principles stated herein shall be respected by the organization, its employees, contractors, and other parties who act on behalf of the organization.

This policy is integral to the General Personal Data Protection Policies of DERMA ACT.

  • The CLINIC shall use its CCTV and sound recording systems in compliance with Regulation (EU) No. 2016/679 of the European Parliament and the national laws in force in the Republic of Bulgaria.
  • Regarding the use of the CCTV systems, the CLINIC has completed an evaluation of its legitimate interests, a risk evaluation, and a balancing test, to determine the degree of impact on the privacy of CLINIC visitors, employees and patients in relation to protecting its legitimate interest.
  • Decision-making process

The CLINIC has drafted this policy after consulting with a representative of the employees and has reached the conclusion that the use of CCTV is necessary for the purposes of safety and security, and is proportionate to those purposes.

  • Transparency
    The CCTV use policy is available on the CLINIC website, at https://www.derma-act.bg and in the CLINIC building.
  • Regular Review

Every two years, DERMA ACT shall perform a regular review and evaluation of compliance with the personal data protection requirements; the first review shall be completed at the latest by December 31, 2020. Within the scope of the regular review, the CLINIC shall assess, among other things:

  • whether the system continues to serve the purpose announced;
  • whether adequate alternatives are available; and
  • whether this policy is still in compliance with Regulation No. 2016/679.

  • Privacy Protection.

To improve privacy protection, the CLINIC has stipulated for the following, if necessary:

  • limiting the storage periods of the recordings, in compliance with the security requirements (see below), and
  • strict management of the operators' rights of access to the internal video surveillance system (CCTV).

Cameras are installed in different places in the CLINIC building, including: in the common premises; at the central entrance in front of the CLINIC establishment; in the patient rooms and the laboratories; at the emergency exits; at the entrance of the parking lots; in the meeting rooms; along the halls; and around the buildings, to protect the outside perimeter.

The location of the cameras shall be reviewed carefully to guarantee that areas not of significance for the objectives pursued receive only the minimum coverage. Surveillance outside the territory of the building has been reduced to a minimum.

Surveillance shall not be performed in areas with increased privacy expectations, such as restrooms and CLINIC lavatory rooms. By way of exception, where security-related needs are justified in a timely manner, cameras may also be installed in those areas; in all cases this shall be done after an impact assessment, after notifying the personal data protection official, and after requesting permission from the Personal Data Protection Commission. In these cases, a special notice shall be posted at a visible location within said premises.

By way of exception, in case of security-related needs which have been properly justified and proven, hidden cameras may be used when necessary for the prevention, investigation, detection, and legal prosecution of criminal offenses. The use of hidden cameras shall be subject to preliminary approval by the Personal Data Protection Commission and to systematic notification of the personal data protection official. The use of hidden cameras shall always be proportionate to the seriousness of the presumed criminal act.

Each case of using hidden cameras shall be documented in detail, and the following shall be included:

  • a clearly defined objective, which could not have been achieved using alternative means of investigation that intrude on privacy to a lesser degree;
  • evaluation of the impact regarding the area within the scope of hidden video cameras and affected individuals;
  • strictly limited time period;
  • strictly limited locations;
  • strict limitation of the users who have access, and clear determination of the identity of such users;
  • deleting the recordings immediately after they are no longer necessary for the purposes of this investigation.

All incoming phone calls to the CLINIC shall be recorded, and prior to the start of the call, the callers shall be notified that this call will be recorded.

  • The CCTV is a conventional, static system. It records digital images and has movement sensors. Movements caught by the cameras in the surveillance areas shall be recorded, together with the time, date, and location. All cameras shall be operational at all times. The quality of the image shall allow the identification of the areas within the range of the camera as appropriate. Almost all cameras are stationary; a very small number can be used by operators to zoom in on the image in a particular situation, where security concerns require it. Operators trained for this purpose shall follow the privacy protection and access rights settings.
  • The recorded phone calls are used to guarantee that patients are correctly referred to the treating physicians when booking an appointment. The same measures for protection of personal data shall be applied to the phone calls recordings, within the stipulated time limits.

The CLINIC shall only use the CCTV system for the purposes of:
– security and safety;
– protecting the CLINIC assets;
– providing emergency medical care; and
– improving the level of healthcare and medical activity.

When necessary, the CCTV system shall complement the other physical security systems, such as access control systems and physical intrusion control systems.

Limitation of purpose – The system shall not be used for any other purposes, such as observing the work of the employees or other staff, or controlling presence at work. The system shall be used as an investigation tool, or as evidence for internal investigations or disciplinary procedures, exclusively for the purpose of investigating an incident related to physical security, or in extraordinary circumstances – within the limits of a criminal investigation.

The legal ground for CCTV is the legitimate interest of the CLINIC, including in its capacity as an Employer. For CCTV systems in patient rooms, processing shall be based on the explicit written consent of the patient.

The legal ground for recording a phone call is the consent of the individual.

The CLINIC CCTV does not have the purpose of capturing images (for example by zooming or targeting) or processing images in any other manner (such as indexing or profiling) which would disclose the so-called "special categories of data".

An exception from this principle is its use for the purposes of medical diagnosis, the provision of health or social care, and observation – Article 9, paragraph 2, item g of the Regulation – where CCTV is installed in patient rooms.

  • Access to the video recordings, the phone call recordings and the CCTV live feed is limited to a few precisely defined individuals on a need-to-know basis. In its internal organization, the CLINIC shall determine who has the right: to see the CCTV feed in real time; to see the recordings; to copy, download, delete, or change certain recordings. The CLINIC shall stipulate the possibility of having employee representatives be part of the examination of the materials.
  • All employees, who have access rights, including security guards, employed by an outside subcontractor, shall undergo basic personal data protection training. All new employees shall undergo training, and new seminars on matters involving personal data protection shall be organized at least once every two years for all employees, who have access rights.
  • After the training, each employee shall sign a privacy statement. This statement shall also be signed by all external subcontractors and their staff.
  • The management and the employees who work in human resources shall not have access, other than within disciplinary procedures which are the direct consequence of an incident related to physical security, and with a mandate from the designating authority.

Access can also be provided to law enforcement authorities if this is necessary for the purposes of investigating or prosecuting a criminal act.

Any breach in security related to cameras shall be filed in the investigation record and shall immediately be reported to the personal data protection official.

The following technical and organizational measures have been taken to ensure the security of the CCTV systems and personal data protection:

  • The servers on which the recordings are kept shall be located in secure premises protected by physical security measures; network firewalls protect the logical perimeter of the information infrastructure; the computer systems which store the data have an extra layer of security protection.
  • Administrative measures include a mandatory individual reliability check for all engaged subcontractors who have access to the system (including the staff who maintain the equipment and the systems).
  • All employees (external and internal) shall sign non-disclosure and privacy agreements.
  • The access rights of users shall be provided only for the resources, which are necessary to perform their obligations.
  • Only the system administrator, specifically designated for this purpose by the controller, shall amend or remove access rights of employees. Granting, changing, or revoking access rights shall follow strict criteria.
  • The CLINIC shall keep an updated list of all individuals with access to the system at all times and this list shall detail their access rights.
  • The Personal Data Protection Officer shall be consulted prior to the purchase or installing a new CCTV system.

The CLINIC applies multiple awareness measures, which involve the following:

  • a detailed notice, including notices with pictograms, containing information regarding the use of CCTV has been installed at each of the entrances of the CLINIC, including at the parking lot entrances;
  • notices with pictograms shall be placed in the buildings to notify individuals of the video surveillance and to make them aware of how to obtain additional information;
  • the policy for use of video surveillance systems has been published on the CLINIC website and can also be found at the Information/Registration Desk, along with more detailed information regarding the practices of the CLINIC regarding video surveillance;
  • when calling the CLINIC, individuals shall be notified that the call is being recorded, and they can get more information on this matter on the CLINIC website.

The notice the CLINIC posts on-site is published in the application.

The Data Subjects shall have the right of access to their personal data kept by the CLINIC, and the right to rectify and supplement this data. All requests for access, rectification, blocking and/or deletion of personal data resulting from the use of cameras shall be sent to the Personal Data Protection Official (PDPO), namely: Derma Act at the address indicated here, at phone +359 700 700 23, or at the email address office@derma-act.bg. Calls to the contact phone numbers are not free of charge.

The official shall send a confirmation of receipt to the sender within 10 workdays after receiving the request. If possible, the PDPO shall send a specific response regarding the request within 30 calendar days. Where this is not possible, the sender shall be notified of the follow-up steps and the reasons for the delay. Even in the most complex cases, the request must be granted, or a justified final response refusing the request shall be given, at the latest within three months.

For data protection purposes, the CLINIC may request senders to explicitly verify their identity (for example by presenting an identity document), and to clarify the date, time, place and circumstances in which they were recorded by the cameras or on the phone. Senders shall also provide a recent personal photo, which would allow security staff to recognize them on the reviewed recordings.

In case of irregularities or apparent misuse by the data subject in exercising the data subject's rights, the CLINIC may consult the Personal Data Protection Official regarding the request, and/or redirect the data subject to the Personal Data Protection Official, who shall take a decision regarding the eligibility of the request and the respective follow-up actions.

Each data subject shall have the right to file a complaint with the supervisory authority – the Personal Data Protection Commission, 1592 Sofia, 2 Professor Tsvetan Lazarov Blvd., or at www.cpdp.bg – if the data subject is of the opinion that his/her rights have been breached as a result of the processing of his/her personal data by the CLINIC.
It is recommended that, prior to filing a complaint, affected individuals contact the CLINIC Personal Data Protection Official, namely: Derma Act at the address indicated here, at phone +359 700 700 23, or at the email address office@derma-act.bg.

MC Derma-Act EOOD, UIC 203973510

MC Derma-Act Infinity OOD, UIC 206353137

MC Derma-Act Nexaa OOD, UIC 207704500

Derma-Act Invest EOOD, UIC 202325076

Know Skin Ltd., UIC 205464914

Derma-Act Urban EOOD, UIC 202072993