PERSONAL DATA PROCESSING AND PROTECTION POLICY
In the course of their activities as healthcare institutions registered and operating in accordance with the requirements of the Healthcare Establishments Act, “Specialized Eye Hospital for Active Treatment Vision” Ltd. and Medical Center “Eye Laser Center Vision” Ltd. collect, record, organize, store, use, and disclose by transmission personal data of natural persons (also referred to as “data subjects”), which constitutes personal data processing.
With this Policy, we aim to inform you what personal data of yours we will process, for what purposes and on what legal grounds, to which categories of recipients we may provide it, and for what periods we store it.
This Policy covers the activities related to personal data processing within the provision of inpatient and outpatient care, including hospitalizations and the storage of mandatory medical documentation.
A brief version of this information will be provided to you on-site at the healthcare facility when we require you to provide personal data, and the full and up-to-date version of the Policy is also published on our official website – https://www.visionclinic.bg.
“Specialized Eye Hospital for Active Treatment Vision” Ltd. and Medical Center “Eye Laser Center Vision” Ltd. are joint data controllers when they determine joint purposes and means of personal data processing, as well as their respective responsibilities for fulfilling obligations related to the exercise of data subjects’ rights and ensuring transparency and awareness. The companies also determine separate purposes and means for processing personal data, which are included in this Personal Data Protection Policy covering their activities as both independent and joint data controllers. Detailed information about the purposes for which the companies jointly process personal data, as well as how you can exercise your rights as a data subject regarding this processing, is provided below.
Joint Processing of Personal Data
“Specialized Eye Hospital for Active Treatment Vision” Ltd. and Medical Center “Eye Laser Center Vision” Ltd., in their capacity as joint controllers, prepare this joint information document on personal data protection, fulfilling their obligations for informing data subjects and transparency. Data subjects may exercise their data protection rights with respect to and against each of the controllers.
Purposes of joint processing and the legal basis for each:
- Purpose: Creation and maintenance of common technical measures (IT solutions – software and hardware, website) for the processing of patients’ personal data and ensuring information security.
  The IT infrastructure, including medical software and online appointment systems, is jointly used by both companies, with access to personal data controlled and aligned with the functional role of each employee.
  The database containing patients’ personal data, including medical information, is maintained through a unified information system and is jointly used by “Specialized Eye Hospital for Active Treatment Vision” Ltd. and Medical Center “Eye Laser Center Vision” Ltd., adhering to strict access rules corresponding to the employees’ functional roles and the principles of confidentiality and data minimization.
  Legal basis: Legitimate interest – Article 6(1)(f) of the GDPR – when processing is necessary for the purposes of the legitimate interests pursued by the controller.
- Purpose: Provision of shared administrative services for the patient – access control to buildings and premises, registration of visitors and patients, appointment booking system for medical consultations, examinations, procedures, and surgeries.
  Legal basis: Legitimate interest – Article 6(1)(f) of the GDPR – when processing is necessary for the purposes of the legitimate interests pursued by the controller.
- Purpose: Building and maintaining a joint website presenting the services of both companies under the unified brand “Vision,” without distinguishing between the data controllers.
  Legal basis: Legitimate interest – Article 6(1)(f) of the GDPR – the interest of both companies in offering services through a joint digital channel.
- Purpose: Receiving and processing online appointment bookings via a website form linked to a shared email address, accessible to employees of both companies.
  Legal basis: Legitimate interest – Article 6(1)(f) of the GDPR – interest in effective coordination of services.
- Purpose: Managing video surveillance through a shared system (NVR) located on the premises and used by both companies.
  Legal basis: Legitimate interest – Article 6(1)(f) of the GDPR – protection of individuals and property on shared premises.
- Purpose: Using shared staff (registrars) employed by one company but processing data for both.
  Legal basis: Legitimate interest – Article 6(1)(f) of the GDPR – organizational efficiency in registration activities.
- Purpose: Processing data via shared hospital software accessed by employees of both companies, where the roles differ functionally but the data cannot be technically separated.
  Legal basis: Legitimate interest – Article 6(1)(f) of the GDPR – processing through a centralized system.
- Purpose: Providing a common contact point for exercising data subjects’ rights.
  Legal basis: Legitimate interest – Article 6(1)(f) of the GDPR – when processing is necessary for the purposes of the legitimate interests pursued by the controller.
- Purpose: Offering personalized products and services to existing clients and direct marketing to potential clients, including sending personalized offers and collecting and disclosing information about customer satisfaction.
  Legal basis: Consent – Article 6(1)(a) of the GDPR.
When the healthcare institutions decide how and why to process personal data, they act as a data controller (“Controller”) within the meaning of the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR” or “General Regulation”).
What personal data we process
“Personal data” means any information relating to an identified or identifiable natural person by which they can be directly or indirectly identified. We process the following categories and types of personal data regarding patients, their legal representatives, and accompanying persons. This information is contained in the medical documentation approved by the competent authorities and is necessary for their identification:
Basic Information
Names, unique citizen number (personal ID number), address, date of birth, as well as provided contact details – phone number, email address; identity document data;
Health-related Data (so-called sensitive personal data)
Medical history, diagnoses, previous illnesses, treatments and therapies performed; results from medical examinations and tests such as laboratory analyses, imaging diagnostics, ophthalmological tests, and other specialized medical investigations; information on prescribed medications and assigned treatments; surgical interventions and operative procedures performed at “Specialized Eye Hospital for Active Treatment Vision” Ltd. and Medical Center “Eye Laser Center Vision” Ltd.; history of allergies, contraindications, and medical risks; data on visual acuity, refraction, and other ophthalmological parameters; other information contained in medical documentation.
In the case of hospitalization, data related to the issuance of outpatient records, medical history (case history), operation logs, anesthesiology records, and other mandatory documents according to Ordinance No. 49/2010 and the internal hospital rules are also processed.
Financial and Administrative Information
Health insurance booklet number, insurance data and National Health Insurance Fund (NHIF) information; financial and payment data: billing and payment information for medical services;
Other
Other information provided in response to inquiries made by you.
Certain forms on the website may contain free-text fields in which you can choose to provide information that constitutes personal data relating to you or to a third party. When providing such information is not necessary, or there is no legal basis for its processing by the Controller, the data will be deleted within 1 month of receipt, in accordance with the Personal Data Protection Act.
Purposes and legal bases for processing personal data
We process personal data that do not constitute sensitive personal data when you schedule an appointment and visit a specialist of your choice, including when you fill out the contact form available on our website; when we provide additional services beyond the healthcare itself (for example, related to accommodation); and when we collect identification and contact details of legal representatives (parents, guardians, custodians) or of persons accompanying the patient. In these cases we rely on the legal basis under Article 6(1)(c) of the GDPR – compliance with a legal obligation to which the controller is subject, arising from the Health Act, the Health Insurance Act, the Healthcare Establishments Act, their implementing regulations, and the National Framework Agreement.
In connection with our activities, we may also process non-special categories of personal data for purposes such as the maintenance and security of our website; providing you with information about additional services or sending you a feedback request related to services you have already used; and protecting the legitimate interests of the company, including through legal means. In these cases we may rely on legitimate interest, and we will carefully assess the necessity and proportionality of the processing against the specific purpose and the rights and freedoms of the data subject.
We will immediately cease processing personal data based on legitimate interest upon objection by the data subject, unless there are compelling legal grounds for continuing which override the interests, rights, and freedoms of the data subject, or when the data are necessary for the establishment, exercise, or defense of legal claims.
When processing special categories of personal data, we rely on specific legal bases applicable according to the purpose of processing.
Purposes:
- Medical diagnosis and treatment – performing examinations, diagnosing and monitoring diseases;
- Provision of health services – prescribing treatment and medications, surgical interventions and procedures, monitoring condition and medical consultations;
- Management of medical records – storing information about your health condition in accordance with legal requirements;
- Compliance with legal obligations – maintaining medical documentation pursuant to the Health Act, the Healthcare Establishments Act, and subordinate regulations;
- Reporting to the National Health Insurance Fund (NHIF) – when medical services are provided under health insurance;
- Ensuring continuity of care – providing information to other medical facilities or for continuation of treatment.
Legal bases for these purposes:
- Article 9(2)(h) of the GDPR – processing is necessary for medical diagnosis, treatment, and provision of healthcare by a licensed healthcare establishment, while respecting professional confidentiality;
- Article 6(1)(b) of the GDPR – performance of a contract for the provision of healthcare services; and Article 6(1)(c) of the GDPR – processing is necessary for compliance with legal obligations related to health insurance, medical documentation, and reporting to competent authorities.
Purpose:
- Provision of healthcare when the patient is unconscious or in an emergency, life-threatening situation, and processing data of minors and incapacitated persons.*
Legal basis:
- Article 6(1)(d) of the GDPR in conjunction with Article 9(2)(c) of the GDPR – when processing is necessary to protect the vital interests of the patient, or when the data subject is physically or legally incapable of giving consent.
Purposes:
- Billing and payment processing;
- Appointment management and patient communication – notifications for upcoming appointments, test results, and treatment reminders;
- Development of our services and/or establishing circumstances and protecting our rights and interests;
- Establishing, exercising, or defending legal claims, or whenever courts act in their judicial capacity – in disputes concerning the quality of provided medical services or claims for damages.
Legal basis:
- Article 6(1)(f) of the GDPR – when processing is necessary for the legitimate interests of the controller; and, where the processing involves health data and is for the purpose of establishing, exercising, or defending legal claims, or whenever courts act in their judicial capacity – Article 9(2)(f) of the GDPR.
*When the patient is a minor and/or legally incapacitated, personal data is provided by a parent or guardian, and the processing is subject to the legal bases mentioned above. In all cases, we make reasonable efforts to verify whether the holder of parental/guardianship rights is authorized to provide personal data of the minor/incapacitated patient.
Providing personal data in the course of activities performed by medical and non-medical specialists in healthcare institutions is mandatory.
To whom personal data is disclosed or transferred
Health data is processed by healthcare institutions, doctors, and other medical specialists, as well as non-medical specialists with higher non-medical education working within the national healthcare system, pursuant to the Health Act. When processing health data, all these persons are bound by professional confidentiality obligations.
Health information is provided to third parties only on the grounds specified in Article 28 of the Health Act, such as:
- Another healthcare facility, for continuation of the patient’s treatment;
- State health control authorities, for prevention of epidemics and the spread of infectious diseases;
- Medical expertise and social security authorities;
- Within the powers provided by law, the Ministry of Health, the National Health Information Center, the National Health Insurance Fund (NHIF), regional health inspectorates, and the National Statistical Institute.
How Do We Protect Your Personal Data?
The security of your personal data is important to us, and that is why we apply various organizational and technical measures to ensure that your data is protected and kept confidential. We have systems and procedures in place to prevent unauthorized access, improper modification or disclosure, misuse, or loss of information.
We protect your personal data by maintaining a range of security measures and rules in compliance with applicable laws and regulations. Some of the key measures we apply to ensure a high level of data security include, among others:
Physical, Organizational, and Technical Protection Measures
- Designation of controlled access zones;
- Designation of data processing premises, including those housing our servers, with restricted access;
- Specification of the organization of physical access;
- Use of technical means for physical protection, such as secured rooms and locked cabinets.
Personnel Protection
- Ensuring staff are familiar with the specifics of personal data processing, data protection legislation, this Policy, and other internal regulations;
- Confidentiality of information;
- Training of personnel on data protection and security practices.
Document Protection
- Defining retention periods for personal data;
- Applying data minimization principles – we only collect data that is relevant and limited to what is necessary for the stated purposes;
- Establishing rules for dissemination, destruction procedures, and regular audits and controls over data processing.
In some cases, and in accordance with the level of technological advancement, we may apply additional security techniques such as:
- Encryption – transforming information so that it cannot be read without the corresponding key, preventing access by unauthorized persons;
- Pseudonymization – processing personal data so that it can no longer be attributed to a specific individual without the use of additional information kept separately, reducing the likelihood of direct or indirect identification.
We maintain strict internal access control – access to your personal data is granted only to those employees who need the information in order to perform their professional duties properly.
We also provide ongoing training on data protection for all employees and enforce continuous internal monitoring of the implementation of confidentiality measures.
When we provide you with (or you choose) a password that gives you access to our client portal/site, you are responsible for keeping that password confidential and for complying with any security guidelines we provide.
Please do not share your passwords/access keys with anyone.