DR. SHTEREV HOSPITAL PERSONAL DATA PROTECTION POLICY
DR. SHTEREV Hospital is a healthcare establishment, which operates in the Republic of Bulgaria and manages and conducts its daily operations in a joint venture consisting of the following entities:
A company named SAGBAL "DR. SHTEREV" EOOD, registered at the Registry Agency, Commercial register and register of Non-Profit Legal Entities with a Unified Identification Code (UIC): 131134991
and
A company named “Reproductive Health Medical Center” OOD, registered at the Registry Agency, Commercial register and register of Non-Profit Legal Entities with a Unified Identification Code (UIC): 131153995.
DR. SHTEREV Hospital collects, processes and stores personal data of individuals pursuant to its purpose and daily activities and in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR), the Personal Data Protection Act (national law), Bulgarian healthcare regulations and this Personal Data Protection Policy.
Policy Definitions:
“Personal data” means any information relating to a natural person (data subject) through which he or she can be directly or indirectly identified.
“Data concerning health” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
“Processing of personal data” means any operation or set of operations which is performed on personal data or on sets of personal data, whether they are performed by a person or by automated or other means.
“Controller of personal data” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
The present Policy provides information about the:
Data Controller:
SAGBAL "DR. SHTEREV" EOOD, registered at the Registry Agency, Commercial register and register of Non-Profit Legal Entities with a Unified Identification Code (UIC): 131134991, headquartered in Sofia, 1330, Krasna Polyana District, Razsadnika, 25-31 Hristo Blagoev St., tel. 02 / 9200901, email: contact@shterevhospital.com
and
“Reproductive Health Medical Center” OOD, registered at the Registry Agency, Commercial register and register of Non-Profit Legal Entities with a Unified Identification Code (UIC): 131153995, headquartered in Sofia, 1330, Krasna Polyana District, Razsadnika, 25-31 Hristo Blagoev St., tel. 02 / 9200901, email: contact@shterevhospital.com
Purposes of the processing as well as the legal basis for the processing of personal data and data concerning health:
The processing of personal data is directly related to the responsibility of the healthcare institution to provide medical services and to fulfill its legal obligations in the field of healthcare.
The controllers of personal data (mentioned above in pt.1 and pt.2) process personal data in relation to exercising their statutory powers, ensuing from their capacity as healthcare establishments pursuant to The Medical Establishments Act as well as competencies provided to them by Regulation (EU) 2016/679 (General Data Protection Regulation or GDPR), the Health Insurance Act, the National Framework Contract for medical activities, the Health Law, etc.
All employees as well as medical professionals at DR. SHTEREV Hospital lawfully process personal data and data concerning health pursuant to Article 6 of the GDPR to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person.
Pursuant to Article 9, paragraph 2, letter “h” of the GDPR, all medical professionals employed by DR. SHTEREV Hospital have the right to access data concerning health and process that data as well as any other personal data of their patients in accordance with their professional duties. The abovementioned provision allows the processing of personal data, data concerning health or data concerning a natural person's sex life or sexual orientation when processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in the GDPR. In addition, the Health Law in Bulgaria authorizes medical and healthcare institutions, physicians, pharmacists, and other healthcare professionals to collect, process, use, and store data concerning health.
Furthermore, processing of certain categories of personal data by employees of DR. SHTEREV Hospital is also related to the fulfillment of the requirements of the labor legislation in Bulgaria regarding the employees, as well as to ensuring the safety of patients and their personal data.
Processing of personal data for direct marketing ensues when the data subject has given consent to the processing of his or her personal data for this specific purpose. The data subject has the right to object at any time to processing of personal data concerning him or her for such marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Recipients or categories of recipients of personal data:
Access to personal data and data concerning health of a natural person for collecting, correcting, storing, processing and deleting personal data and data concerning health is carried out by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
In addition, Bulgarian national law (in the Health Law) sets a statutory duty of professional secrecy for medical professionals and staff in medical establishments by prohibiting disclosure of patient information obtained in the course of providing a service.
Thus, in compliance with the Health Law, DR. SHTEREV Hospital can only provide data concerning health to third parties when:
1. treatment continues in another medical establishment;
2. there is a threat to the health or life of others (upon notification to the person concerned);
3. it is necessary for the identification of a human corpse or for the identification of the causes of death;
4. it is necessary for the prevention of epidemics and the spread of infectious diseases by the authorities from the State Health Control;
5. it is necessary for the purposes of drafting an expert medical assessment and for social security purposes;
6. it is necessary for the purposes of medical statistics or for medical research once the patient identifying data has been deleted;
7. it is necessary for the objectives of the Ministry of Health, the National Center for Health Information, the National Health Insurance Fund, the Regional Health Inspectorates and the National Statistical Institute;
8. it is necessary for the purposes of a licensed insurance agent under Insurance Laws (such as a life insurance agent, child insurance agent, permanent health insurance agent, accident insurance agent and others).
Data Protection Actions:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, DR. SHTEREV Hospital has implemented appropriate technical and organizational actions to ensure a level of security appropriate to the risk, including but not limited to:
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
In addition, DR. SHTEREV Hospital employs security on location under the Private Security Act and uses security measures such as video recording, physical security and access control systems.
Moreover, as all the data collected, stored and/or processed is stored electronically and/or on paper, DR. SHTEREV Hospital provides physical protection at the premises where personal data is stored and for the computers on which it is stored.
DR. SHTEREV Hospital has implemented all the necessary and permissible data protection measures in order to ensure the highest level of protection and security for the confidentiality of its patients, employees and clients.
Period for which the personal data will be stored or the criteria used to determine that period:
All personal data collected is stored in accordance with the conditions stipulated by the GDPR and the national legislation of the Republic of Bulgaria, observing the deadlines set in the regulations for the different categories of data by type and nature.
The content and form of the data concerning health as well as the terms and conditions for its processing and storage are determined by regulations issued by the Minister of Health and coordinated by the National Statistical Institute.
DR. SHTEREV Hospital stores all of the recordings from its security systems according to the conditions and for the terms stipulated in the Private Security Act.
DR. SHTEREV Hospital stores voice recordings of inquiries and conversations made through its official communication channels for the minimum time allowed by the legislation in Bulgaria.
DR. SHTEREV Hospital stores employee data necessary for the performance of contracts and in compliance with the legal obligations of the labor legislation in Bulgaria.
Rights of the data subjects:
Every individual whose data is processed by DR. SHTEREV Hospital has the following rights:
Right of access to his or her personal medical records, including the right to receive a copy of all or part of the information contained therein
At the request of the data subject, DR. SHTEREV Hospital shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, DR. SHTEREV Hospital may charge a reasonable fee based on administrative costs.
Online access to laboratory test results, imaging test readings and more is available through the official website of DR. SHTEREV Hospital. To obtain access to this data concerning health DR. SHTEREV Hospital issues every patient an individual online ID and password, which can only be acquired in person. Obtaining information regarding a patient’s online ID and password over the phone is strictly prohibited.
Right to rectification of the personal data
The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary declaration.
Right to erasure of personal data, which has been obtained or is being processed without a legal basis
The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller has the obligation to erase personal data without undue delay where one of the grounds listed in Article 17, paragraph 1 of the GDPR applies.
However, to the extent that processing is necessary for reasons of public interest in the area of public health in accordance with Article 9, paragraph 2, letter “h” of the GDPR (which addresses the case when processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional) the right of erasure at the request of the data subject does NOT apply.
Right to restriction of processing
Any individual whose personal data is processed at DR. SHTEREV Hospital has the right to submit a request for restriction of processing of his personal data in the cases referred to in Article 18 of the GDPR, for example in the case of a legal dispute pending its resolution or for purposes of establishing, exercising or defending legal claims.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
A data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted.
Right to data portability
The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.
Right to object to the processing of personal data
Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to his or her particular situation, has the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Right to withdraw consent for processing of personal data
Where the processing is based on obtained consent from the data subject, the data subject has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Right to lodge a complaint with a supervisory authority
In accordance with the Personal Data Protection Act and the General Data Protection Regulation, any natural person who considers that his or her right to the protection of his or her personal data has been infringed may file a complaint with the Data Protection Commission, situated at Prof. Tsvetan Lazarov Blvd. #2, Sofia 1592.
The abovementioned rights, with the exception of filing a complaint with a supervisory authority, may be exercised by submitting a written request at the following address: 25-31 Hristo Blagoev Str., Razsadnika, Krasna Polyana District, Sofia, 1330.
The request is submitted in person by the data subject or by a duly authorized person named in a notarized power of attorney, a copy of which is attached to the request.
The answer to a request submitted by a data subject is prepared on paper and can be received by the data subject at the address at which the request was made. Alternatively, the response can be sent to an email address specified by the data subject in the request form.