Privacy and Personal Data Protection Policy
“OCSMC-IPSMC in Dermatology Dr. Victoria Ivanova” Ltd.
- Subject and scope
“OCSMC-IPSMC in Dermatology Dr. Victoria Ivanova” Ltd (hereinafter referred to as the “Controller”) is a company registered under the laws of the Republic of Bulgaria and entered in the Commercial Register at the Registry Agency with UIC 207376509, with registered office and management address at: Sofia, ul. Damyan Gruev 1, floor 3, tel.: 0882 345 670.
The purpose of this Policy is to provide clear and comprehensive information to personal data subjects about the established standards for personal data protection, which the Controller applies in accordance with the requirements of Regulation (EU) 2016/679 (hereinafter referred to as the “Regulation”) and the applicable legislation.
This Policy regulates the protection of natural persons in connection with the processing of their personal data by the Controller, including in connection with the services provided through the website https://www.tvoitakoja.com, which is owned by the Controller.
Contact details of the Controller:
Sofia, ul. Damyan Gruev 1, floor 3
Phone: 0882 345 670
Email: info@tvoitakoja.com
- Definitions
The following definitions have been adopted in accordance with Regulation (EU) 2016/679:
“Personal data” means any information relating to an identified natural person or to a natural person who can be identified, directly or indirectly, in particular by reference to an identifier (“data subject”);
“Special categories of personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data processed for the sole purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation;
“Processing” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Data subject” means a natural person whose personal data is processed;
“Controller” means “OCSMC-IPSMC in Dermatology Dr. Victoria Ivanova” Ltd, which alone determines the purposes and means of the processing of personal data;
“Processor” means a natural or legal person, public authority, agency or other entity that processes personal data on behalf of the controller;
“Third party” means a natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorised to process personal data;
“Supervisory Authority” means the Commission for Personal Data Protection in the Republic of Bulgaria.
Terms not defined in the text above have the meaning given to them in Regulation (EU) 2016/679 (the full text of the Regulation is available at the following link: https://eur-lex.europa.eu/legal-content/BG/TXT/?uri=celex%3A32016R0679).
- Principles and purposes of processing
The Controller processes personal data lawfully, fairly and transparently. The purposes for which personal data are collected are specific, explicitly stated and legitimate, and personal data are not further processed in a way incompatible with those purposes. The data collected are kept to the minimum necessary in relation to those purposes and are stored for no longer than the statutory retention periods require.
The Controller processes personal data for the following purposes:
- Medical consultation, diagnosis, treatment and monitoring of patients, incl. assistance in booking, changing or cancelling an appointment, prepayment of services and packages, etc.
- Performing manipulations and medical procedures in the amount necessary for the healing process.
- Performing cosmetic procedures, incl. assistance in booking, changing or cancelling an appointment, prepayment of services and packages, etc.
- Preparation of medical and reporting documentation in connection with the implementation of concluded contracts.
- Selling products.
- Direct marketing, including sending information and/or advertising content about services and procedures, promotions, newsletters, etc. to the e-mail address provided, only after the data subject has given consent.
- Compliance with the requirements of labour and social legislation regarding personnel.
- Ensuring the security of individuals through video surveillance, registration, physical security and access control.
- Other lawful purposes, such as accounting services, maintenance and security of the Controller’s website and IT systems, protection of the Controller’s legitimate interests, including in court, etc.
The Controller stores personal data for as long as necessary to fulfil the purposes for which they were collected, including in order to comply with regulatory requirements under tax, labour, social security and accounting legislation.
- Categories of data subjects and categories of personal data
3.1. Patients/service users
The Controller collects personal data directly from patients/service users when providing medical/cosmetic services, as well as for administrative and internal business purposes, including for legitimate interests related to the patient’s/service user’s presence at the premises and/or the performance of a medical/cosmetic procedure.
When providing medical/cosmetic services, the Controller may collect and process the following personal data:
- names, date of birth / personal identification number, passport data, address, telephone, e-mail, gender, including special categories of personal data such as health status, as well as other relevant information related to the provision of the medical and/or cosmetic service.
The Controller collects and processes personal data of minors only with the explicit consent of a parent or legal representative and, for the same purposes, collects the same categories of personal data from the parent or legal representative of the minor.
The Controller may take part in clinical trials. If a data subject is invited to take part in a clinical trial, he or she will receive prior information about the nature of the study and about the personal data required for enrolment in it.
Where the Controller decides to process data subjects’ data for marketing purposes, the Controller takes the necessary measures to obtain the prior informed consent of the data subject.
Where the patient/service user gives his or her explicit written consent to be photographed or filmed before, during and/or after the procedure(s) for the purpose of publishing and promoting the Controller’s activities, the patient/service user may appear in a publication of the Controller on its website https://tvoitakoja.com, on social networks and/or on any other platform for marketing purposes.
3.2. Staff – current and former employees of the company, job applicants, as well as trainees
3.2.1. Job candidates/ trainees
The Controller may collect and process the following personal data:
- information contained in the candidate’s CV, such as the person’s names, contact details (address, telephone number and e-mail), copies of documents certifying professional and educational qualifications, etc. Where the regulatory requirements applicable to medical and other specialists so require, candidates for a particular vacant position may be asked for additional information, including special categories of personal data. In such cases the Controller informs the person of the specific legal basis on which the information must be provided and of the consequences of not providing it.
3.2.2. Employees – The Controller collects and processes the following categories of personal data from workers/employees:
- names, personal identification number, passport details, education and qualifications, profession, work experience, remuneration, bank account details and others; as well as
- Special categories of personal data: information on health status contained in sick leave certificates, documents certifying permanent incapacity for work and/or other documents required under the applicable legislation for the relevant position or in order to exercise specific rights of the worker/employee.
In general, the Controller does not process personal data of workers/employees based on consent. However, consent may be required in certain situations where it is required under applicable law, including for the processing of a special category of personal data.
3.3. Visitors – visitors who are not patients and/or users of the Controller’s services, incl. patient/service user attendants; see item 3.5.
3.4. Business partners, suppliers and their employees.
The Controller processes personal data of individuals who represent or work for business partners and suppliers. The Controller can process ordinary personal data such as: names, address, telephone, e-mail address and other data that are relevant in the specific case.
When concluding and performing a contract with a supplier (of goods or services), including the accompanying documentation such as handover protocols, invoices, etc., the Controller processes the following data relating to the legal entity: the full (three) names of the company’s legal representative, the first and last names of the contact person under the contract, their e-mail and telephone, as well as other data contained in the documentation.
3.5. Video surveillance
Video surveillance systems are installed for security purposes in the building in which the Controller operates, including the common areas in front of and inside it; as a result, video recordings (video images) of data subjects such as visitors and/or patients are created. Data subjects are informed of the video surveillance by information signs placed in prominent places.
3.6. Internet users
This group of data subjects communicates with the Controller through the website, by sending an electronic message through the contact form on the website, by sending an e-mail to the contact address indicated on the website, by contacting the Controller through a social network or other online platform maintained by the Controller, and/or by calling the contact number(s) indicated on the website or on a social network.
The Controller collects and processes the following personal data of Internet users: names, e-mail, telephone number and the information (an inquiry, a request to schedule a consultation and/or other) that the user has provided through one of the channels listed above.
The Controller does not process personal data sent by electronic message through social networks and/or other online platforms. Such users are redirected to the website, to the e-mail address indicated on the website and/or to a telephone number, through which they can send their inquiry after first reading the Controller’s Privacy and Personal Data Protection Policy.
Cookies are used on the Controller’s main website, https://www.tvoitakoja.com. When users access the website, data such as the type of operating system, the Internet service provider and others may be collected. For more information, please see the Cookie Policy.
The Controller’s website contains a contact form. When filling it in, the user provides the following information: first name and surname, telephone and e-mail.
On the Controller’s website, users may give their consent to receive newsletters from the Controller at their e-mail address, containing information about current and future promotions, news and other information in the field of clinical and aesthetic dermatology, for commercial and marketing purposes related to the Controller’s activity.
- Personal data storage terms
The Controller stores the information provided to it within the periods set by the applicable regulations and in compliance with the principle of storage limitation; more specifically, the personal data of:
- patients/users of services:
- are stored in accordance with the legally defined terms for the relevant medical documentation;
- for processing for the purpose of booking an appointment, organising the schedule and planning the Controller’s commitments, and for pre-contractual relations: up to 5 years from termination of the contractual basis; for inquiries that do not lead to the provision of a service: 12 months;
- for the provision of the requested service, including consultation and performance of a medical/cosmetic procedure and performance of the related contractual obligations, upon conclusion or performance of a contract: up to 5 years from termination of the contractual basis or from performance of the consultation/service, or until withdrawal of consent.
- workers/employees’ data contained in the labour insurance documentation are stored for a period of 50 (fifty) years.
- trainees – no longer than 5 years from the end of training;
- job applicants’ data who are not approved for appointment are stored for a period not longer than 12 months from the end of the procedure, after which they are returned to the person or destroyed in an appropriate way.
- business partners, suppliers and their employees – up to 5 years from termination of the contractual basis and/or according to legal provisions and regulatory requirements.
- recordings from technical means of video surveillance are stored for a period of 30 days from their creation, in accordance with the Private Security Activities Act.
- Personal data contained in accounting documents are stored within the terms of Article 12 of the Accounting Law.
- Internet users (including visitors to the website, sending inquiries through the contact form or directly through the e-mail of the Controller) – up to 12 months, unless the correspondence concerns pre-contractual relations.
- Rights of the subjects of personal data
All natural persons whose data are processed by the Controller have the following rights:
- right of access to their personal data, including the right to receive a copy of them;
- right to rectification or completion of inaccurate or incomplete personal data;
- right to erasure of personal data that are processed without a legal basis;
- right to restriction of processing, for example where a legal dispute exists, until it is resolved;
- right to portability of personal data, through a structured, widely used and machine-readable format;
- the right to object to the processing of their personal data when there are legal grounds for this.
In accordance with the Personal Data Protection Act and the General Data Protection Regulation, any natural person who believes that his or her right to the protection of personal data has been violated may file a complaint with the Supervisory Authority, the Commission for Personal Data Protection, at the address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd., website: www.cpdp.bg.
The above rights may be exercised by submitting a written application in person or by courier to the address: Sofia, 1 Damyan Gruev St., floor 3, addressed to “OCSMC-IPSMC in Dermatology Dr. Victoria Ivanova” Ltd.
The application is submitted personally by the data subject or by a person expressly authorised by him or her with a power of attorney. The application should contain the following information:
- identification of the person – name and personal identification number;
- contacts – address, telephone, e-mail;
- description of the request.
The Controller informs the data subject of the action taken on the application within 1 month of receiving it. Where the request is complex or requires additional actions, this period may be extended by a further 2 months; in that case the Controller informs the data subject of the extension and of the reasons for the delay.
Where the Controller is unable to identify the data subject, it is not obliged to respond to the request.
- Recipients of personal data
Personal data may be shared with different categories of recipients. For example, in fulfilling its legal obligations the Controller may provide personal data to the National Revenue Agency, the National Social Security Institute, the Executive Agency “General Labour Inspectorate”, the National Health Insurance Fund, the Regional Health Insurance Fund, the Ministry of Health, the competent law enforcement and judicial bodies, as well as other state bodies and institutions.
The Controller transmits data to other natural or legal persons that provide a particular type of product or service, including information/technical support for the website, the online platform for process administration, accounting services, financial institutions, licensed postal operators and others. In such cases the Controller concludes a written agreement with the specific service provider, which must have provided sufficient guarantees that appropriate technical and organisational measures are implemented so that the processing meets the requirements of Regulation (EU) 2016/679 and protects the rights of data subjects.
Personal data are not provided to other recipients within the EU, nor to third countries or international organisations.
- Final provisions
With this Policy, “OCSMC-IPSMC in Dermatology Dr. Victoria Ivanova” Ltd., in its capacity as Controller of personal data, undertakes to maintain the confidentiality of personal data and to take measures ensuring the highest possible level of protection for data subjects.
“OCSMC-IPSMC in Dermatology Dr. Victoria Ivanova” Ltd. reserves the right to change, supplement and update this Policy at any time without requiring any permission; each update is published on the Controller’s website.
This Privacy and Personal Data Protection Policy enters into force on 27 December 2023.