Data Protection Policy
Bulgaria Medical Travel Partner LTD may need to collect and use certain types of information about the Individuals who come into contact with Bulgaria Medical Travel Partner LTD in order to carry out our work. This personal information is collected and dealt with appropriately whether it is collected on paper, stored in a computer database, or recorded on other material and there are safeguards to ensure this under the Data Protection Law 2002. To perform the activity of intermediation in organising and conducting treatment of foreign citizens in the Republic of Bulgaria, Bulgaria Medical Travel Partner Ltd. collects relevant medical information from its clients. Pursuant to the Personal Data Protection Act, Bulgaria Medical Travel Partner Ltd. is registered as a data controller of sensitive information and complies with the instruction on personal data processing and protection against unlawful forms of processing in “Clients” Register of Bulgaria Medical Travel Partner Ltd., approved by the Commission for Personal Data Protection under Art. 23, para. 4 of the Personal Data Protection Act and shown below:
Art. 1. These rules of procedure aim to regulate:
- the Clients Register keeping, maintenance and protection which stores personal data of the persons that sought the services of Bulgaria Medical Travel Partner Ltd;
- the obligations of persons processing personal data and the liability they bear in the event of failure to perform such obligations;
- the required technical and organisational measures for the protection of the personal data of the aforementioned persons against unlawful processing (accidental or unlawful destruction, accidental loss or change, unlawful disclosure or access, unauthorised modification or dissemination and against any other unlawful forms of processing personal data);
- personal data are any information relating to a natural person who is identified or can be identified directly or indirectly by reference to an identification number or to one or more specific factors that are property of the patient or the client. Personal data are an integral part of the official information. If announcement of documents containing personal data is required, such documents shall be duly provided;
- processing of personal data is any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, alignment or combination, blocking, erasure or destruction.
Purpose of the register
Art. 2. The register collects and stores personal data of the clients and persons who sought the services of Bulgaria Medical Travel Partner Ltd. in relation to its main activity, i.e. intermediation in organising treatment in Bulgaria in order to:
- identify the persons and relationships;
- comply with the statutory requirements of the Health Act, Medical Institutions Act, Insurance Code, Social Security Code, Accounting Act, State Archives Act, etc.;
- use the data collected of the relevant persons for business purposes;
- for all actions relating to the availability, modification and termination of the services offered by Bulgaria Travel Partner Ltd., such as preparation of any documents of the persons in this regard (contracts, additional agreements, documents certifying their medical status, certificates, statements, other certificates, etc.);
- establish connection with the person by phone, send correspondence relating to the performance of its obligations under the general contractual terms or other civil contracts;
- keep the accounts regarding the remunerations received in relation to the services provided.
Keeping the register
Art. 3. The register is kept on paper and electronically.
Art. 4. (1) Hard copies containing personal data are stored in folders of each client which are arranged in a cupboard.
(2) The cupboard shall be in a room intended for individual work of the manager of Bulgaria Medical Travel Partner Ltd.
(3) Only the person processing personal data is granted access to the files. Any possibility of granting another person access to personal data for their processing is limited and explicitly regulated in these Rules of Procedure.
Art. 5. (1) In the event of keeping the register electronically, personal data are entered on a hard disk on an isolated computer.
(2) Computers are housed in an isolated room intended for individual work of the person processing personal data in the register.
(3) Access to the operating system containing files for personal data processing is granted only to the person processing personal data through a password used to open these files. The protection of electronic data against unauthorised access, damage, loss or destruction is ensured by the maintenance of anti-virus programs, regular backups of data on separate disks and keeping of the information on paper.
Personal data stored in the register
Art. 6. The register supports the following data types:
- physical identity: name, personal identification number, address, telephone, passport details
- corporate information: unified identification code/BULSTAT. Number of insurance policy, tax number
- information on the medical status and documents certifying such status
- documents certifying education: document proving acquired education, qualification or competence,
- model form in the General Terms and Conditions of the contracts and on the website.
Collecting, processing and storing personal data
Art. 7. Personal data in Clients Register are collected upon the establishment of communication on the part of the client with a representative of Bulgaria Medical Travel Partner Ltd.
- interview with the person
- on paper: written documents such as applications, requests for specific services and regarding current issues in the process of work submitted by the person;
- from external sources (from medical, insurance, social security and other institutions in compliance with statutory requirements).
Art. 8. In all cases in which it is required pursuant to a legal obligation, the persons whose data must be processed in the register shall submit the necessary personal data to the controller and to the person assigned to process them (the person processing personal data).
The staff processing personal data shall inform the person of the need to collect personal data and the purposes for which the data will be used.
Art. 9. In addition to the aforementioned persons and in the cases specified herein above, limited access to personal data is granted to the accountant for the processing of personal data of the persons regarding the preparation of payment documents relating to the transfer of amounts and issuing invoices.
Art. 10. In the event that any change of personal data is needed, the persons shall provide these changes to the staff processing personal data at his or her request based on a legal obligation.
Art. 11. (1) To protect personal data in case of emergency, accidents and disasters, the media where personal data are stored (both hard copies and electronic media), the computer systems and servers used for their processing shall be available only in premises protected against fire with extinguishing agents and provided with backup power supply.
(2) Before starting the processing of personal data, Bulgaria Medical Travel Partner conducts a training for the persons who will process personal data as determined by the company where they become familiar with the necessary actions to be undertaken in case of emergency, accidents and disasters (fire, flood, etc.), in particular:
- notify the competent rescue services;
- cut the electricity supply from the affected building;
- leave the building after locking the premises in which personal data are stored or processed, if possible;
- notify the person responsible for personal data protection or another authorised representative of Bulgaria Medical Travel Partner Ltd.
Art. 12. (1) The assessment of the impact on the processed data from the register under Art. 11, para. 1 of the Ordinance is provided as follows:
1. for the Clients Register: an average level of impact;
(2) The impact assessment should be updated every two years or in the event of change in the nature of the processed personal data and the number of the affected natural persons.
Art. 13. Under this Instruction, pursuant to Art. 13 of the Ordinance, Bulgaria Medical Travel Partner Ltd. determines the average level of protection for Clients Register.
Art. 14. (1) After achieving the purpose of processing personal data or before suspending the processing of personal data, pursuant to Art. 25 of the Personal Data Protection Act, Bulgaria Medical Travel Partner:
- destroys them in compliance with the procedures for the destruction of the different types of media set out in this Instruction; or
- if it is provided for in the law and the purposes of processing are identical, Bulgaria Medical Travel Partner Ltd. transfers the relevant data to another data controller. In this case Bulgaria Medical Travel Partner Ltd. shall inform the Commission for Personal Data Protection in advance.
(2) After achieving the purpose of processing, Bulgaria Medical Travel Partner Ltd. may keep the processed personal data as anonymous data for scientific and statistical purposes where in these cases Bulgaria Medical Travel Partner Ltd. shall inform the Commission for Personal Data Protection.
Allowing individuals to access their personal data
Art. 15. Clients have the right to access their personal data, for which they submit a written application to the Manager as the person processing personal data, including electronically, personally or through an authorised person. The submission of the application is free.
Art. 16. The application should contain a person’s name and other identifying data: personal identification number, workplace, description of the request, preferred form of providing access to personal data, signature, date and mailing address; power of attorney when the application is submitted by an authorised person. The application is recorded in the general reference register of the controller.
Art. 17. Access to the person’s data is provided in the form of:
- information provided orally;
- written statement;
- review of the data by the person himself or herself or an authorised person;
- providing a copy of the required information.
Art. 18. The term for examining the application and giving a decision is 14 days as from the date of submission of the application, respectively 30 days, when more time is needed for collecting the person’s personal data in the event of any difficulty in the activity of the controller. The decision is communicated to the applicant in writing, personally against signature or by mail with acknowledgement of receipt. When the data are non-existent or cannot be provided on a legal basis, the applicant is denied access to the data by means of a reasoned decision. The refusal to grant access may be appealed by the person before the authority specified in the letter and within the set term.
Art. 19. Access to the persons’ personal data contained on technical media is granted only to the person processing personal data.
Art. 20. In addition to the persons processing personal data, persons directly engaged in the preparation and verification of the legality of persons’ documents also have lawful access to such data, in particular these are: manager, chief accountant and the persons providing consultations in relation to the services provided. The persons processing personal data are obliged to grant these persons access at their request.
Art. 21. A person’s documents shall not be exported outside the building of the controller, unless this is duly required by the legal authorities (courts, prosecutor’s office, investigation authorities). These authorities’ access to personal data is lawful.
Art. 22. (1) No consent is required by the person if his or her personal data are processed only by a competent personal data state authority or under its control in relation to committing crimes, administrative offences and delict. These persons are granted access to personal data and where needed, they are also provided the relevant conditions to work in the premises of the company.
(2) State audit authorities who have duly identified themselves with the relevant documents are also granted lawful access. Such documents are written orders of the competent authority stating the legal basis and the names of the persons who, for the purposes of their activity, need to be provided access to the personal files of the staff.
(3) In the event of any change in the status of the company (reorganisation, liquidation and other) requiring transfer of the personal data registers from the company to another data controller, the register is transferred after the authorisation of the Commission for Personal Data Protection and in accordance with the procedure for the submission of the relevant application as specified herein above.
Art. 23. The data controller communicates his or her decision on granting or refusing access to the personal data of the relevant person to the third parties within 30 days as from the submission of the application, or respectively the request.
Art. 24. The personal data backup on technical media is performed regularly every 30 days by the person processing personal data in order to save updated information of the relevant persons. The information is recorded on disks and access to such disks is provided only to the person processing personal data.
For the purposes of these Rules of Procedure:
§ 1. Data controller is Bulgaria Medical Travel Partner Ltd.
§ 2. The person processing personal data is the Manager Veselina Iv. Dimova.
§ 3. These Rules of Procedure are issued pursuant to Art. 24, para. 4 of the Personal Data Protection Act.
§ 4. These Rules of Procedure shall enter into force on 16 May 2016 and after all persons for whom these Rules of Procedure create individual rights and obligations become aware of their contents against signature.
§ 5. A copy of these Rules of Procedure is available to the clients.
This Policy will be updated when necessary to establish the best practices in data management, security and control and to ensure compliance with all changes and amendments to the Personal Data Protection Act of 2002.
If you have any inquiries or questions related to this Policy, please don’t hesitate to contact the employee who is responsible for data protection in Bulgaria Medical Travel Partner Ltd:
Signed Date: November, the 7th, 2016
Vesselina Iv. Dimova