Privacy and Personal Data Protection Policy of the Companies Within The Group Derma Act
This Policy applies to Medical Center Derma Act EOOD, a company with registered office, management address and correspondence address at Bulgaria, Sofia, 150 "Cherni vrah" Blvd, UIC 203973510, which together with its subsidiaries/affiliates (listed in Appendix No. 1) constitutes the group of Bulgarian enterprises DERMA ACT (hereinafter referred to as the "Group", the "Clinic" or the "Controller"). DERMA ACT is a medical facility and a personal data controller, performing its activities at the following addresses: Sofia, blvd. Cherni Vrah No. 150; Sofia, blvd. Cherni Vrah No. 155; and st. Fern No. 6B.
All companies of the Group are controllers of personal data and process personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR), the Personal Data Protection Act, healthcare regulations and the company's Policy for the protection of personal data. The Policy also applies to the collection, processing and sharing of personal data for internal administrative purposes between companies within the Group.
Definitions
"Personal data" means any information relating to a natural person by which that person can be directly or indirectly identified.
"Health data" means personal data relating to the physical or mental health of an individual. These data enjoy special protection, given their sensitive nature, and are processed by medical professionals bound by an obligation of professional secrecy.
"Special categories of personal data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed for the sole purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation;
"Processing" means any operation or set of operations performed on personal data or on a set of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
"Data subject" means a natural person whose personal data is processed within the Group;
"Processor of personal data" means a natural or legal person, public body, agency or other structure that processes personal data on behalf of the controller;
"Third party" means a natural or legal person, public body, agency or other body other than the data subject, the controller, the personal data processor and the persons who, under the direct supervision of the controller or the personal data processor, have the right to process the personal data;
"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
"Medical facilities" means companies of the Group that provide medical services in accordance with the Medical Facilities Act;
"Supervisory authority" means the Commission for the Protection of Personal Data in the Republic of Bulgaria.
Grounds for collecting, processing and storing your personal data
The Group collects and processes your personal data for medical purposes and for the purpose of offering cosmetic and medical services, and more specifically on the following grounds:
- Compliance with a legal obligation that applies to the Group;
- For the purposes of the legitimate interests of the Group or a third party;
- Express consent received from you as a customer;
- Fulfilment of the Group's obligations under a contract with you;
Derma-Act processes personal data regarding the following natural persons:
- Patients, and, when necessary - also their relatives;
- Personnel - current and former employees of the company, job candidates, as well as trainees;
- Counterparties or potential counterparties of the company.
Purposes and principles in the collection, processing and storage of your personal data
We collect and process the personal data that you provide to us in connection with the use of the website www.derma-act.bg and the use of cosmetic and medical services, including for the following purposes:
- sending a newsletter, if you have asked to receive it;
- identification of the party to the contract;
- accounting purposes;
- protection of information security;
- ensuring the performance of the contract for the provision of the relevant service.
We observe the following principles when processing your personal data:
- lawfulness, fairness and transparency;
- purpose limitation;
- relevance to the purposes of the processing and minimisation of the data collected;
- accuracy and keeping the data up to date;
- storage limitation, keeping data no longer than is necessary for the purposes;
- integrity and confidentiality of the processing and ensuring an appropriate level of personal data security.
The Controller may also process and store personal data in order to protect its legitimate interests, as follows:
The need to process personal data arises from the main activity of the medical facility, which is to provide medical services; to fulfil its legal obligations in the field of healthcare; to meet the requirements of labour and social security legislation in relation to employees; to guarantee the safety of patients, employees and property through registration; to provide accounting services and the information required under the Commerce Act; to maintain and secure the company's website and IT systems; and to protect the company's legitimate interests, including in court proceedings.
What types of personal data does our company collect, process and store
The company performs the following operations with the personal data you provide, for the following purposes:
Impact assessment – based on the impact assessment carried out, the Data Protection Officer considers that the "User registration" operation may be carried out and provides sufficient guarantees for the rights and legitimate interests of the data subjects in accordance with the GDPR requirements.
Sending newsletters and advertising messages – the purpose of this operation is to administer the sending of newsletters to customers who have indicated that they wish to receive them. Given the limited scope of the personal data collected, the Data Protection Officer considers that an impact assessment is not necessary for this operation.
Exercising the right of withdrawal or making a complaint – the purpose of this operation is to administer the exercise of the right of withdrawal or complaint by the customer. Given the limited scope of the personal data collected, the Data Protection Officer considers that an impact assessment is not necessary for this operation.
DERMA ACT processes personal data defined as special categories (data concerning health, genetic data, or data concerning sex life or sexual orientation) only where one of the conditions under the General Regulation applies, and in particular:
- In order to protect vital interests of the data subject or another natural person, where the data subject is physically or legally unable to give their consent;
- In order to protect the public interest in the field of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and medicinal products or medical devices;
- With the person's express consent to the processing for one or more specific purposes, unless the law excludes the possibility of such consent;
- For the purposes of preventive or occupational medicine, to assess the employee's working capacity, for medical diagnosis, or for the provision of health or social care or treatment.
DERMA ACT processes the following categories of personal data and information for the following purposes and on the following grounds:
- Ordinary personal data: names, social security number, passport data, address, place of residence, telephone, e-mail, gender, health insurance number, financial information, other relevant information related to the provision of a health/medical service;
- Special categories of personal data: health status, genetic data. Most often, such data are contained in the medical documentation (outpatient sheets, other documents forming part of the medical history, consultations and opinions, prescriptions with the prescribed treatment regimen, images and examinations, etc.).
In urgent and emergency cases, personal information about a patient may also be collected from their relatives and friends.
Should a Group company decide to process data subjects' personal data for marketing purposes, it shall take the necessary measures to obtain the prior informed consent of the data subject.
Video surveillance and call center
At the sites owned or managed by a Group company, video surveillance systems have been installed, which collect video recordings (video images) of data subjects – visitors and/or patients. In these cases, data subjects are informed that video surveillance is carried out by means of information signs/pictograms placed in prominent places at the sites and premises.
A single call center has been created for the medical facilities of the Group, through which patients can book an appointment for an examination or consultation with the relevant medical specialist. Incoming and outgoing calls to and from the call center are recorded; through these audio recordings, the following personal data may be collected: the person's names and contact telephone number.
Data for registration and receipt of the newsletter (names, e-mail)
Purpose for which the data are collected: 1) establishing contact with the user and sending information to them; 2) sending a newsletter.
Grounds for processing your personal data – by accepting the general terms and conditions and registering, or placing an order without registration, or upon conclusion of a written contract, a contractual relationship is created between the Controller and you, on the basis of which we process your personal data – Art. 6, para. 1, letter (b) GDPR.
Your data for sending a newsletter are processed on the basis of your express consent – Art. 6, para. 1, letter (a) GDPR.
Grounds for data processing: you have given express consent to the processing of your personal data for one or more specific purposes – Art. 6, para. 1, letter (a) GDPR – at the time of registration and have confirmed that consent.
Delivery data (names, phone, e-mail, address)
Purpose for which the data are collected: fulfilment of the Controller's contractual obligations.
Grounds for processing your personal data – by accepting the general terms and conditions and registering, or placing an order without registration, or upon conclusion of a written contract, a contractual relationship is created between the Controller and you, on the basis of which we process your personal data – Art. 6, para. 1, letter (b) GDPR.
The Controller does not collect or process personal data that reveal racial or ethnic origin, political, religious or philosophical beliefs, or trade union membership.
Personal data are collected by the Controller from the persons to whom they relate.
The Company does not carry out automated decision-making.
The Company does not collect or process data on persons under the age of 18, except with the express consent of their parents or legal representatives.
Period of storage of your personal data
The Controller stores your personal data for no longer than the existence of your account. Upon deletion of your account or successful completion of your order, the Controller shall take reasonable care to delete and destroy all of your data without undue delay, or to anonymise them (i.e. put them in a form that does not reveal your identity).
The Controller shall notify you if the data storage period needs to be extended in order to fulfil a legal obligation or in view of the legitimate interests of the Controller or of a third party.
The Controller shall store the personal data of the legal representatives of its commercial partners for the period of performance of the contract and, to comply with the legitimate interests and legal obligations of the Controller, this period may exceed the term of the concluded contract.
More specifically, the Group companies store the information provided to them within the time limits set by regulation and in compliance with the principle of storage limitation, namely:
Personal data of patients are stored in accordance with the legally defined terms for the relevant medical documentation;
The personal data of workers/employees contained in labour and social insurance documentation are stored for a period of 50 (fifty) years in accordance with the National Archive Fund Act, the Accounting Act, the Social Security Code and the Tax and Social Insurance Procedure Code;
The personal data of job applicants who are not approved for appointment in any of the companies of the Group are stored for no longer than 6 (six) months after the end of the procedure, after which they are returned to the person or destroyed in an appropriate manner. Personal data may be stored for a longer period, for the purpose of making job offers, only with the consent of the job applicant;
Recordings from video surveillance equipment are stored for 2 (two) months from their creation;
Audio recordings of telephone conversations with the call center are stored for up to 12 (twelve) months and 1 (one) day after they were made;
Personal data contained in accounting documents are stored within the terms of Article 12 of the Accounting Act.
Your rights in the collection, processing and storage of your personal data. Withdrawal of consent to the processing of your personal data
If you do not want all or part of your personal data to continue to be processed by the Company for specific or all processing purposes, you can withdraw your consent at any time by a free-text request sent by e-mail to office@derma-act.bg.
The Controller may ask you to verify your identity and that you are the data subject, by asking you to enter the e-mail address and password used to access the website, at the Company's office in the presence of one of our employees.
Upon withdrawal of consent to the processing of personal data required for the creation and maintenance of an account in the online store, your account will become inactive. You will, of course, still be able to browse the online store and the products offered, and to place orders or register anew.
If you have placed an order that is being processed, the earliest moment at which you can withdraw your consent to the processing of personal data is upon successful completion of the order.
Right of access
You have the right to request and receive confirmation from the Controller as to whether personal data relating to you are being processed and, if you are a registered user, you can at any time see in your account the personal data that you have provided and that are being processed.
You have the right to access the data relating to you, as well as the information relating to the collection, processing and storage of your personal data.
Upon request, the Controller provides you with a copy of the personal data relating to you that are being processed, in electronic or another appropriate form.
Access to the data is provided free of charge, but the Controller reserves the right to charge an administrative fee in the case of repetitive or excessive requests.
Right to rectification or completion
The right to erasure ("the right to be forgotten")
You have the right to ask the Controller to erase part or all of your personal data, and the Controller is obliged to erase them without undue delay where any of the following grounds applies:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- you have withdrawn the consent on which the processing is based, and there is no other legal ground for the processing;
- you have objected to the processing of your personal data, including for direct marketing purposes, and there are no overriding legitimate grounds for the processing;
- the personal data were processed unlawfully;
- the personal data must be erased in order to comply with a legal obligation under EU law or the law of a Member State that applies to the Controller;
- the personal data were collected in connection with the offer of information society services.
The Controller is not obliged to erase the personal data if it stores and processes them:
- to exercise the right to freedom of expression and the right to information;
- to comply with a legal obligation that requires processing under EU law or the law of a Member State applicable to the Controller, or for the performance of a task in the public interest or in the exercise of official authority vested in it;
- for reasons of public interest in the field of public health;
- for the purposes of archiving in the public interest, for scientific or historical research or for statistical purposes;
- for the establishment, exercise or defence of legal claims.
In the event of exercising your right to be forgotten, the Company will delete all your data, except for the following information:
- information that is necessary to verify that your right to be forgotten has been exercised - e-mail, IP address;
- technical information about the functioning of the online store, which cannot be linked in any way to your person;
- e-mail with which you have registered in the online store.
To exercise your right to be forgotten, you must submit a free-text request by e-mail to the Controller at office@derma-act.bg.
The Controller may ask you to verify your identity and that you are the data subject.
If you have placed an order that is being processed, the earliest moment at which you can ask to be "forgotten" is upon successful completion of the order.
The Controller does not erase data that it has a legal obligation to store, including for defence against legal claims brought against it or to prove its rights.
Right to restriction
You have the right to ask the Controller to restrict the processing of data relating to you where:
- you contest the accuracy of the personal data, for a period enabling the Controller to verify their accuracy;
- the processing is unlawful, but you do not want the personal data to be erased and instead request that their use be restricted;
- the Controller no longer needs the personal data for the purposes of processing, but you require them to establish, exercise or defend legal claims;
- you have objected to the processing, pending verification of whether the legitimate grounds of the Controller override your interests.
Right to data portability
You can at any time download or receive the data that are stored and processed about you in connection with the use of the Controller's services, directly through your account or by e-mail request.
You can ask the Controller to transmit your personal data directly to a controller specified by you, where this is technically feasible.
Right to be informed
Right to object
You can object at any time to the processing of your personal data by the Controller.
Your rights in the event of a breach of the security of your personal data
If the Controller detects a breach of the security of your personal data that is likely to result in a high risk to your rights and freedoms, it shall notify you of the breach without undue delay, as well as of the measures that have been taken or are about to be taken.
The Controller is not obliged to notify you if:
- it has implemented appropriate technical and organisational measures to protect the data affected by the breach;
- it has subsequently taken measures to ensure that the breach is no longer likely to result in a high risk to your rights;
- notification would require disproportionate effort.
Persons to whom your personal data shall be provided
For the purposes of processing your personal data and providing the service in its full functionality, and in view of your interests, the Controller may provide the data to persons acting as processors. These processors comply with all requirements for lawfulness and security when processing and storing your personal data. If your rights under this Policy or the applicable data protection legislation are breached, you have the right to lodge a complaint with the Commission for Personal Data Protection:
Name: Commission for Personal Data Protection
Headquarters and management address: Sofia 1592, 2 Tsvetan Lazarov Blvd.
Address for correspondence: Sofia 1592, 2 Tsvetan Lazarov Blvd.
Telephone: 02 915 3 518
Web page: www.cpdp.bg
You can exercise all your rights regarding the protection of your personal data by sending a free-form e-mail to office@derma-act.bg that contains a statement to that effect and identifies you as the data subject.
In the Group
Out of the Group
Personal data may be shared with different categories of recipients. For example, when fulfilling the Controller's legal obligations, personal data may be provided to the National Revenue Agency, the National Health Information System, the National Social Security Institute, the Executive Agency "General Labour Inspectorate", the National Health Insurance Fund, the Regional Health Insurance Fund, the Ministry of Health, the Bulgarian Drug Agency, the Executive Agency "Medical Audit", competent law enforcement bodies, and other state bodies and institutions.
The Group transmits data to other natural or legal persons that provide a particular product or service to a Group controller, including IT systems maintenance and security services, accounting services, archiving and others.
The Group maintains partnerships with other independent controllers of personal data – insurance companies, higher medical education institutions, medical institutions outside the Group, doctors in individual practice and others. In the context of these partnerships, the parties may share certain data with each other, for example when providing health/medical services or in the acquisition of professional and scientific qualifications. In these cases, the Group controllers inform data subjects of these categories of recipients in an appropriate manner and conclude an additional agreement with the relevant independent controller that guarantees the privacy and confidentiality of the personal data shared.
Where a Group company and a controller outside the Group act as joint controllers, they determine in a transparent manner their respective responsibilities for fulfilling the obligations under Regulation (EU) 2016/679 by agreement between them.
TRANSFER OF PERSONAL DATA TO THIRD PARTIES OUTSIDE THE EU AND EEA
The companies of the Group may transfer personal data to countries outside the European Union and the European Economic Area only in compliance with the requirements of Regulation (EU) 2016/679 and, in particular, those listed in Chapter V thereof.
The transfer is carried out on the basis of a decision of the European Commission regarding the adequate level of protection provided by the third country in question.
In the absence of such a decision by the European Commission, a transfer to a third country may only take place if appropriate safeguards are in place and enforceable data subject rights and effective legal remedies are available.
Appropriate safeguards are binding corporate rules, standard data protection clauses, an approved code of conduct or an approved certification mechanism.
Alternatively, a transfer of personal data to a third country may be carried out with the express consent of the data subject or on another ground specified in Article 49, paragraph 1 of Regulation (EU) 2016/679.
MEASURES FOR THE PROTECTION OF PERSONAL DATA
The companies of the Group have implemented technical and organizational measures to protect the personal data of individuals from unauthorized access, errors or abuse. The companies in the Group undertake to respect all the rights of natural persons, guaranteed by European and national laws, related to the protection of their personal data.
Each Group Company has adopted internal rules and procedures of an organizational and technical nature, including defining access levels that ensure data confidentiality.
The companies in the Group comply with every regulatory requirement, according to their subject of activity, taking into account the specific circumstances, the forms of data collection, the legal grounds and the purpose of their processing. Personal data in the Group is processed only by persons expressly authorized for this purpose, who are informed of their obligations related to the protection of personal data and have undertaken a commitment of confidentiality.
Access to the premises where personal data are processed and stored is restricted to the employees processing those data. The companies in the Group conduct initial and follow-up training of their employees/workers on the policies and procedures for the protection of personal data.
This Policy for the protection of personal data has been drawn up and adopted by all companies in the Group in their capacity as controllers of personal data, with a view to fulfilling their obligations to provide information to data subjects under Art. 13 and Art. 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
This Policy for the protection of personal data has been approved by the companies in the Group and is in force from 25.05.2018
Appendix No. 1
MC Derma-Act EOOD UIC 203973510
MC Derma-Act Infinity OOD UIC 206353137
MC Derma-Act Nexaa OOD UIC 207704500
Derma-Act Invest EOOD, UIC 202325076
Know Skin Ltd. UIC 205464914
Derma-Act Urban EOOD UIC 202072993