"Health Investment Company for Children's Hospital" EAD (HICCH) is an investment company that, for the purposes of its activities, processes personal data of individuals in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation) (GDPR), the Personal Data Protection Act, regulatory acts in the field of healthcare and the Company's Personal Data Protection Policy.

"Personal data" is any information that relates to an individual and through which he or she can be directly or indirectly identified.

"Health data" means personal data related to the physical or mental health of an individual. These data enjoy special protection, given their sensitive nature, and are processed by medical professionals bound by an obligation of professional secrecy.

"Processing of personal data" are actions and activities that can be performed with respect to personal data by automated or other means.

 

This policy provides information on:

1. Who is the controller of personal data?

"Health Investment Company for Children's Hospital" EAD is a personal data administrator, performing this activity at the address: Sofia, 15, Acad. Ivan Evstatiev Geshov Blvd.

 

2. Whose data is processed?

HICCH processes personal data regarding the following individuals:

  • Patients, and when necessary - their relatives;
  • Staff - current and former employees of the company, job applicants, as well as trainees;
  • Visitors to the medical facility;
  • Counterparties or potential counterparties of the company and their employees.

 

3. What are the purposes of the processing?

The need to process personal data is related to the main activity of the medical institution, the purpose of which is to provide medical services, fulfill legal obligations in the field of healthcare, fulfill the requirements of labor and social legislation with respect to employees, ensure the security of patients, employees and property through registration, physical security and access control, video surveillance, as well as other lawful purposes, such as accounting services, information related to the Commercial Act, maintenance and security of the company's website and IT systems, protection of the company's legitimate interests, including in court, etc.

 

4. Legal grounds for processing

HICCH processes personal data that are defined as special: about the state of health, genetic data or data about sex life or sexual orientation, only if one of the conditions under the General Regulation is met, in particular:

For the purposes of preventive or occupational medicine, for the assessment of the employee's working capacity, medical diagnosis, the provision of health or social care or treatment;

To protect the vital interests of the data subject or of another natural person, when the data subject is physically or legally incapable of giving consent;

To protect the public interest in the field of public health, such as the protection against serious cross-border threats to health or the provision of high standards of quality and safety of healthcare and medicinal products or medical devices;

In the presence of the person's explicit consent to the processing for one or more specific purposes, unless the legislation excludes the possibility of such consent.

Legal grounds for processing personal data under the General Regulation:

Legal obligations of the company;

Performance of a contract, including pre-contractual relations prior to its conclusion;

The legitimate interests of the company, insofar as they override the interests or fundamental rights and freedoms of the data subjects;

Freely expressed, specific, informed and unambiguous consent of the data subject. Consent already given may be withdrawn by the person at any time in the same manner in which it was given.

5. Transfer of personal data

HICCH provides personal data to:

Competent public authorities in implementation of legal provisions, including the National Health Insurance Fund, the Ministry of Health, the National Revenue Agency, the National Social Insurance Institute, etc.;

Related parties;

Commercial companies providing services to the company, including for information maintenance and security of IT systems.

HICCH takes the necessary measures to protect personal data to guarantee security and preserve their confidentiality.

Personal data are stored for the relevant periods, depending on the applicable legislation and the nature of the information.

The video surveillance records, the records of conversations in the "Information Registry" and the visitor registers are stored for a period of 60 (sixty) days in accordance with the Private Security Act.

Personal data contained in accounting documents are stored for the periods under Art. 12 of the Accountancy Act.

HICCH applies all appropriate technical and organizational measures to guarantee