Privacy and Personal Data Protection Policy
This web page (hereinafter referred to as "WEBSITE") is administered by "Medical Centre Derma Act" Ltd. (hereinafter referred to as "www.derma-act.bg") with headquarters in Bulgaria, Sofia, 150 "Cherni Vrah" Blvd., floor 4 and p/o. correspondence address Sofia, 150 "Cherni Vrah" Blvd., floor 4, tel. 02/ 450 80 80, registered in the Commercial Register at the Registration Agency with UIC 203973510.
"MEDICAL CENTRE DERMA ACT" LTD. (MC Derma Act) is a medical facility that, for the purposes of its activity, processes personal data of natural persons in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation) (GDPR), the Personal Data Protection Act, the normative acts in the field of health care and the Policy of the company on the protection of personal data.
"Personal data" is any information that relates to a natural person and through which they can be directly or indirectly identified.
"Health data" means personal data relating to the physical or mental health of a natural person. These data are under special protection, given their sensitive nature, and are processed by medical professionals bound by an obligation of professional secrecy.
"Processing of personal data" means actions and activities that can be performed with respect to personal data by automatic or other means.
"MEDICAL CENTRE DERMA ACT" LTD. is a personal data controller, performing this activity at the address: Sofia, 150 Cherni Vrah Blvd., 4th floor and 6V "Paprat" Str.
Grounds for collecting, processing and storing your personal data
Art. 1. The Collector collects and processes your personal data for medical purposes and for the purpose of offering cosmetic and medical services, and more specifically on the following grounds:
- Express consent received from you as a customer;
- Fulfilment of the Collector's obligations under a contract with you;
- Compliance with a legal obligation that applies to the Collector;
- For the purposes of the legitimate interests of the Collector or a third party.
MC Derma-Act LTD. processes personal data regarding the following natural persons:
- Patients, and, when necessary - also their relatives;
- Personnel - current and former employees of the company, job candidates, as well as trainees;
- Counterparties or potential counterparties of the company.
Purposes and principles in the collection, processing and storage of your personal data
Art. 2. (1) We collect and process the personal data that you provide to us in connection with the use of the website www.derma-act.bg and the use of cosmetic and medical services, including for the following purposes:
- sending a newsletter, if you wish so;
- personalization of a party;
- accounting purposes;
- protection of information security;
- ensuring the performance of the contract for the provision of the relevant service.
(2) We observe the following principles when processing your personal data:
- legality, good faith and transparency;
- limitation of processing purposes;
- relevance to the purposes of the processing and minimization of the data collected;
- accuracy and timeliness of data;
- limitation of storage in order to achieve the objectives;
- integrity and confidentiality of the processing and ensuring an appropriate level of personal data security.
(3) When processing and storing personal data, the Collector may process and store personal data in order to protect their legitimate interests, as follows:
The need to process personal data is related to the main activity of the medical facility, the purpose of which is to provide medical services, fulfil the legal obligations in the field of health care, fulfil the requirements of labour and social legislation in relation to employees, guarantee the safety of patients, employees and property through registration, accounting services, information related to the Commerce Act, maintenance and security of the company's website and IT systems, protection of the company's legitimate interests, including by court order, etc.
What types of personal data does our company collect, process and store
Art. 3. The company performs the following operations with the personal data provided by you for the following purposes:
Impact assessment – based on the impact assessment carried out, the personal data protection officer considers that the "User registration in" operation is permissible to be carried out and provides sufficient guarantees to protect the rights and legitimate interests of the data subjects in accordance with the GDPR requirements.
Sending newsletters and advertising messages - the purpose of this operation is to administer the process of sending newsletters to customers who have indicated that they wish to receive them. Given the limited scope of the personal data collected, the Personal Data Protection Officer considers that conducting an impact assessment is not necessary to carry out the operation.
Exercising the right of withdrawal or making a complaint – the purpose of this operation is to administer the process of exercising the right of withdrawal or complaint by the customer. Given the limited scope of the personal data collected, the Personal Data Protection Officer considers that conducting an impact assessment is not necessary to carry out the operation.
Art. 4. (1) The Collector processes the following categories of personal data and information for the following purposes and on the following grounds:
MC Derma-Act processes personal data that are defined as special: on the state of health, genetic data or data on sex life or sexual orientation, only in the presence of any of the conditions under the General Regulation, and in particular:
- In order to protect vital interests of the data subject or another natural person, where the data subject is physically or legally unable to give their consent;
- In order to protect the public interest in the field of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and medicinal products or medical devices;
- In the presence of the person's express consent to the processing for one or more specific purposes, unless the legislation excludes the possibility of such consent;
- For the purposes of preventive or occupational medicine, to assess the employee's capacity for work, medical diagnosis, provision of health or social care or treatment.
Data for registration and receipt of the newsletter (names, e-mail)
Purpose for which the data is collected: 1) Establishing a connection with the user and sending information to them, 2) For sending a newsletter.
Grounds for processing your personal data – with the acceptance of the general terms and conditions and registration without registration, or upon the conclusion of a written contract, a contractual relationship is created between the Collector and you, on the basis of which we process your personal data – Art. 6, para.1, l. (b) GDPR.
Your data for sending a newsletter is processed on the basis of your express consent - Art. 6, para. 1, l. (a) GDPR.
Grounds for data processing: you have provided express consent for the processing of your personal data for one or more specific purposes - Art. 6, para. 1, l. (a) of GDPR at the time of registration and confirmed consent.
Delivery data (names, phone, e-mail, address)
Purpose for which the data is collected: Fulfilment of contractual obligations of the collector regarding the processing of personal data.
Basis for processing your personal data – with the acceptance of the general terms and conditions and registration or placing an order without registration, or upon the conclusion of a written contract, a contractual relationship is created between the Collector and you, on the basis of which we process your personal data – Art. 6, para.1, l. (b) GDPR.
(2) The Collector does not collect or process personal data related to the following:
- data that reveal racial or ethnic origin;
- data that reveal political, religious or philosophical beliefs, or trade union membership.
(3) Personal data are collected by the Collector from the persons to whom they relate.
(4) The Company does not perform automated decision making.
(5) The Company does not collect and process data on persons under the age of 16, except with the express consent of their parents or legal representatives.
Period of storage of your personal data
Art. 5. (1) The Collector stores your personal data for a period not longer than the existence of your account. Upon deletion of your account or successful completion, the Collector shall take reasonable care to delete and destroy all of your data without undue delay or to anonymize it (i.e. make it in a form that does not reveal your identity).
(2) The Collector shall notify you in the event that the data storage period needs to be extended in order to fulfil a legal obligation or in view of the legitimate interests of the Collector or other.
Art. 6. The Collector shall store the personal data of the legal representatives of its commercial partners for the period of performance of the contract, to comply with the legitimate interests and legal obligations of the Collector, and this period may exceed the term of the concluded contract.
Your rights in the collection, processing and storage of your personal data
Withdrawal of consent to the processing of your personal data
Art. 8. (1) If you do not want all or part of your personal data to continue to be processed by the Company for specific or all processing purposes, you can withdraw your consent at any time by a free text request sent to e-mail email@example.com.
(2) The Collector may request from you to verify your identity and consistency with the data subject by asking you to enter an e-mail address and password to access the website at the Company's office before an employee of ours.
(3) With the withdrawal of consent to the processing of personal data which is required for the creation and maintenance of an account in the on-line store, your account will become inactive. Of course, you will be able to browse the online store and the offered products and place orders or make a new registration.
(4) If there is an order placed by you that is being processed, the earliest time when you can withdraw your consent to processing personal data is upon successful completion of the order.
Right of access
Art. 9. (1) You have the right to request and receive confirmation from the Collector as to whether personal data related to you are being processed, and if you are a registered user, you can at any time see in your account the personal data that you have provided and that are being processed for you.
(2) You have the right to access the data relating to you, as well as the information relating to the collection, processing and storage of your personal data.
(3) Upon request, the Collector provides you with a copy of the processed personal data related to you in an electronic or other appropriate form.
(4) The provision of access to the data is free of charge, but the Collector reserves the right to impose an administrative fee in case of repetitive or excessive requests.
Right to rectification or completion
Art. 10. You can correct or complete inaccurate or incomplete personal data related to you directly through your account on the website or by making a request to the Collector.
The right to erasure ("the right to be forgotten")
Art. 11. (1) You have the right to ask the Collector to delete part or all of your personal data, and the Collector has the obligation to delete them without undue delay when any of the following grounds are present:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- you have withdrawn your consent, on which the data processing is based, and there are no other legal grounds for the processing;
- you have objected to the processing of your personal data, including for direct marketing purposes, and there are no legal grounds for the processing that have precedence;
- the personal data were processed unlawfully;
- the personal data must be deleted in order to comply with a legal obligation under the EU law or the law of a member state that applies to the Collector;
- the personal data were collected in connection with the provision of services to the information society.
(2) The Collector is not obliged to delete the personal data if they store and process them:
- to exercise the right to freedom of expression and the right to information;
- to comply with a legal obligation that requires processing provided for in the EU law or member state law applicable to the Collector or for the performance of a task in the public interest or in the exercise of official powers conferred on them;
- for reasons of public interest in the field of public health;
- for the purposes of archiving in the public interest, for scientific or historical research or for statistical purposes;
- for the establishment, exercise or defence of legal claims.
(3) In the event of exercising your right to be forgotten, the Company will delete all your data, except for the following information:
- information that is necessary to verify that your right to be forgotten has been exercised - e-mail, IP address;
- technical information about the functioning of the online store, which information cannot be linked in any way to your person;
- e-mail with which you have registered in the online store.
(4) To exercise your right to be forgotten, it is necessary to submit a free text request by e-mail to the Collector to firstname.lastname@example.org.
(5) The administrator may request from you to verify your identity and consistency with the data subject.
(6) If there is an order placed by you that is being processed, the earliest you can ask to be "forgotten" is upon successful completion of the order.
(7) The administrator does not delete the data that they have a legal obligation to store, including for protection in connection with legal claims made against them or to prove their rights.
Right to restriction
Art. 12. You have the right to request from the Collector to restrict the processing of data related to you when:
- you dispute the accuracy of the personal data, for a period that allows the Collector to verify the accuracy of the personal data;
- the processing is illegal, but you do not want the personal data to be deleted, but only to have its use restricted;
- the Collector no longer needs the personal data for the purposes of processing, but you require them to establish, exercise or defend your legal claims;
- you have objected to the processing pending verification of whether the legal grounds of the Collector take precedence over your interests.
Right to data portability
Art. 13. (1) You can at any time download or receive the data that is stored and processed about you in connection with the use of the Collector's services, directly through your account or by e-mail request.
(2) You can ask the Collector to directly transfer your personal data to an administrator specified by you, when this is technically feasible.
Right to be informed
Art. 14. You can ask the Collector to inform you about all recipients to whom the personal data for which rectification, deletion or restriction of processing has been requested have been disclosed. The Collector may refuse to provide this information if it would be impossible or would require a disproportionate effort.
Right to object
Art. 15. You can object at any time to the processing of personal data by the Collector.
Your rights in the event of a violation of the security of your personal data
Art. 16. (1) If the Collector detects a violation of the security of your personal data, which may create a high risk for your rights and freedoms, they shall notify you without undue delay about the violation, as well as about the measures that have been taken or are about to be taken.
(2) The Collector is not obliged to notify you if:
- they have taken appropriate technical and organizational measures to protect the data affected by the security violation;
- they have subsequently taken measures to ensure that the violation will not result in a high risk for your rights;
- notification would require a disproportionate effort.
Persons to whom your personal data shall be provided
Art. 17. For the purposes of processing your personal data and providing the service in its full functionality and in view of your interests, the Collector may provide the data to persons who are data processors. Said processors of personal data comply with all requirements for legality and security when processing and storing your personal data.
Art. 18. In the event of a breach of your rights under the above or applicable data protection legislation, you have the right to file a complaint with the Commission for Personal Data Protection as follows:
Name: Commission for Personal Data Protection
Headquarters and management address: Sofia 1592, 2 Tsvetan Lazarov Blvd.
Address for correspondence: Sofia 1592, 2 Tsvetan Lazarov Blvd.
Telephone: 02 915 3 518
Web page: www.cpdp.bg
Art. 19. You can exercise all your rights regarding the protection of your personal data by sending an email to email@example.com in a free form that contains a statement to that effect and identifies you as the owner of the data.
MC Derma-Act implements all appropriate technical and organizational measures to guarantee the security of personal data, including taking on an express obligation by the employees for professional secrecy and confidentiality.
Access to the personal data processed by MC Derma-Act is only available to the employees of the medical facility whose main job duties are conditioned by the processing of the data of the specific personal data subject.
Personal data shall be stored on physical and electronic media, and access to it shall be limited only to employees of the medical facility having a direct or indirect relation with the relevant personal data subject.
All collected personal data shall be stored in accordance with and under the conditions stipulated by the General Regulation on Data Protection and the national legislation of the Republic of Bulgaria, observing the time limits set in the normative acts for the different categories of data by type and nature.
The forms and content, as well as the conditions and procedure for processing, using and storing the medical documentation and for the exchange of medical and statistical information, are determined by regulations of the Minister of Health, agreed with the National Statistical Institute.
"Medical Centre Derma Act" Ltd. takes due care to protect the Customer's personal data which has become known when filling in the electronic form for making an application for registration and purchase on the Website www.derma-act.bg. This obligation lapses if the Customer has provided incorrect data.
In compliance with the current legislation and the clauses of these General Terms and Conditions, "Medical Centre Derma Act" Ltd. can use the Customer's personal data solely for the purposes provided for in these general terms and conditions.
"Medical Centre Derma Act" Ltd. has the right to use the information provided by the Customer through www.derma-act.bg for offering goods and/or services to the Customer, for promotions, sending advertising messages, congratulations, organizing raffles, inquiries, for statistical and any other lawful purposes, except in case of express disagreement of the Customer, sent to the following email address: firstname.lastname@example.org.
The purposes described above for which the data may be used are not exhaustively listed and do not create obligations for "Medical Centre Derma Act" Ltd. through www.derma-act.bg. Any other purposes for which the data is used will be in accordance with the Bulgarian legislation, applicable international acts, Internet ethics, rules of morality and good manners.
By registering in www.derma-act.bg and by expressing explicit consent after notification, the Customer agrees to receive personal messages about promotions and current offers to the e-mail address that they have entered during their registration. In the event that the customer does not wish to receive advertising messages, they can unsubscribe through a special embedded unsubscribe link contained in each advertising message.