Privacy statement

The Multi-Profile Hospital for Active Treatment and personal data protection

The Multi-Profile Hospital for Active Treatment follows the highest levels of personal data privacy. This Personal Data Protection Policy applies to personal data we collect through the website and Nadezhda mobile, and in providing our services.

The information we collect

It is possible that we collect personal data about you when you use our website and Nadezhda Mobile, or when you choose our services. In most cases you provide this information to us, and you choose and agree to send us information pertaining to you, while in other cases we ask for your personal data to comply with an obligation under law, to sign an agreement, or to defend our legitimate interest, or your vital interest. Depending on the services you use, we can collect and process the following information about you:

Name, PIN, ID card details, address, date of birth, education and qualification degree, additional qualification and legal capacity, health data, genetic and biologic material, contact telephone number, e-mail address, etc.

The sensitive personal data we collect shall be used to provide health care and treatment, as well as medical diagnosis.

How we use and share your information

We process your personal data we collect with the following purposes:

• Regarding the website and Nadezhda mobile services: booking an examination appointment, for initial examination (assisted reproduction), promotional campaigns, laboratory results, and to answer your requests, or other correspondence.
• Regarding the services provided within the medical establishment: tests, treatment, and medical diagnosis, assisted reproduction, video and audio recording, with the purpose of your protection and providing higher quality of service and healthcare level.

All personal data which you are providing to us voluntarily by using our online registration forms, shall be used for evaluation of our work, or for the purpose of providing the specific service you are registering for.

The Multi-Profile Hospital for Active Treatment uses third parties to support certain activities or in implementation of a statutory obligation, namely: outside consultations with specialists, AR centers, the National Revenue Agency, the Social Security Institute, the National Health Insurance Fund, municipalities, accounting companies, hosting and website maintenance and communication companies.

In some cases, the third parties in these sectors may receive your data.

The Multi-Profile Hospital for Active Treatment, however, shall always supervise and ensure the highest degree of secuity for your data.

An integral part of this Policy of the Multi-Profile Hospital for Active Treatment for Women’s Health Nadezhda OOD is the use of CCTV and call recording systems.

Providing personal data is mandatory in certain cases, for us to comply with our legal requirements and failure to provide personal data could result in a refusal to provide our service.

How long do we keep your personal data?

We keep all data we have collected for you until the time limit of the provided service, or within the time limits stipulated in the laws in force.

Security

Multi-Profile Hospital for Active Treatment Nadezhda shall take measures to protect your personal data from accidental loss and unregulated access, use, change, or disclosure. There are policies and procedures, designated to protect the information from loss, misuse and illegal disclosure. Furthermore, we take additional measures for information security, including access control, strict physical security and reliable practices for collection, storage. and processing of information.

Transfer between countries

The transfer, storage, and processing of personal data, collected through the Website and Nadezhda Mobile, has been secured with state-of-the-art technical equipment. Multi-Profile Hospital for Active Treatment Nadezhda shall not transfer your data outside of the limits of the European Economic Area. The Multi-Profile Hospital for Active Treatment Nadezhda shall have the right to also provide your personal data to third parties, who will process the data in compliance with the instructions, and under the responsibility of the hospital, or under a law.

Access, rectifications, and withdrawal

You have the right to request from Multi-Profile Hospital for Active Treatment Nadezhda to provide you with information regarding your collected and stored personal data. You also have the right to request from Multi-Profile Hospital for Active Treatment Nadezhda to rectify, delete, or update such personal data.

You have the right to withdraw your consent for collection, storage, and use of your personal data by Multi-Profile Hospital for Active Treatment Nadezhda at all times.

We hereby inform you that under this legislation, you also have the right to an apeal regarding the manner your data is processed to the supervisory authority, the Personal Data Protection Commission, with an address: 1592 Sofia, 2 Professor Tsvetan Lazarov Blvd., or www.cpdp.bg.

Some of your rights, such as removal of data or objections against processing, shall be limited by te laws in force.

Changes in this Personal Data Protection Policy.

This personal data protection procedure is subject to change over time. These changes shall be immediately effective after their disclosure. Regularly reviewing this page shall guarantee that you are aware of the information we collect, how and for what reasons the Multi-Profile Hospital for Active Treatment is using this information, and under what circumstances (if they happen) we will be sharing this information with third parties.

If you have questions regarding personal data protection, you can contact the Multi-Profile Hospital for Active Treatment and our Personal Data Protection Official:

Attorney-at-law Sergey Nikolov

Sofia, 3 Blaga Vest St, 1330 Sofia

E-mail: [email protected]

Telephone: 0887801257

Conditions for use

The information on this website shall be presented entirely with a general education purpose, and in no way it should be used as a substitute for a competent opinion by a medical professional. The use of this website is entirely at the discretion of the consumers. The information provided on this website should not be perceived as being precise, up-to-date, or exhaustive, despite it having been precise, up-to-date, or exhaustive at the time of publishing. The Multi-Profile Hospital for Active Treatment Nadezhda shall not be responsible for any damages or lost profits, which have occurred as the result of a decision taken solely based on the information published on this website, without an additional consultation with a competent medical professional. Furthermore, the website may contain references to certain laws and provisions, and they could be amended over time and shall be interpreted solely and entirely for the specific moment in time.

Our organization shall not assume any liability related to errors, omissions, or unauthorized change in the contents of this Website. The complete content of this Website and all the services provided by it, shall not contain any guarantees for completeness, precision and timeliness, and therefore we could not be held responsible for any contractual or non-contractual substantial and insubstantial damages suffered after using this Website.

 

PERSONAL DATA PROTECTION POLICY AND AND CCTV POLICY

 

Object and scope of the policy

In view of the safety and security of the employees, visitors, the hospital building and the processed personal data, the Multi-Profile Hospital for Active Treatment for Female Health Nadezhda OOD (hereinafter referred to as the Hospital) uses a CCTV system in some of the areas of its buildings, as well as recording of all incoming calls to the Hospital. The policy regarding the use of CCTV systems and sound recordings details the CCTV and sound recording system of the Hospital and the safety personal data protection measures undertaken, the privacy policy and other rules and legitimate interests of the individuals, who are within the range of the cameras.

This policy defines the procedures which need to be followed in processing personal data. The procedures and principles, stated herein, shall be respected by the organization, its employees, contractors, or other parties, who act on behalf of the organization.

This policy is integral to the General Personal Data Protection Policies of Multi-Profile Hospital for Active Treatment for Female Health Nadezhda OOD.

Compliance with the applicable personal data protection texts

• The Hospital shall use its CCTV and sound recording systems in compliance with Regulation (EU) N. 2016/679 of the European Parliament, and the national laws in force in the Republic of Bulgaria.
• Regarding the use of the CCTV systems, the Hospital has completed an evaluation of the legal interests, risk evaluation, and a balancing test, to determine the degree of impact on the privacy of hospital visitors, employees and patients, in relation to protecting its legal interest.
• Decision-making process

The Hospital has drafted this policy after consulting with a representative of the employees and has reached the conclusion that the use of the CCTV is necessary for the purpose of safety and security, and is comparable to them.

• Transparency
  The CCTV use policy is available on the Hospital website, at https://www.nadezhda.bg, and in the Hospital building.
• Regular Review

Every two years, Multi-Profile Hospital for Active Treatment for Female Health Nadezhda OOD shall perform a regular review and evaluation of the compliance with the personal data protection requirements, and the first review shall be completed at latest on December 31, 2020. The hospital shall assess the following, among other things, within the regular review scope:

• whether the system continues to serve the purpose announced;
• whether there are adequate alternatives available; and
• whether this policy is still in compliance with regulation N. 2016/679.

• Privacy Protection.

To improve privacy protection, the Hospital has stipulated for the following, if necessary:

• image blurring (to create a partially or completely unrecognizable image, as the case may be),
• limiting the recordings storage periods, in compliance with the security requirements (please refer to article 7 herein below), and
• strict management of the operators’ rights regarding access to the internal video surveillance system (CCTV).

Surveillance areas

There are cameras installed in different places in the Hospital building, including: In the common premises, at the central entrance in front of the hospital establishment; the patient rooms, the laboratories, at the emergency exits; at the entrance of the parking lots; in the meeting rooms; along the halls; around the buildings, to protect the outside perimeter.

The location of the cameras shall be re-reviewed carefully to guarantee that areas not of significance for the objectives pursued only receive the minimum coverage. Surveillance outside of the territory of the building has been reduced to a minimum.

Surveillance shall not be performed in areas related to increased privacy expectations, such as restrooms and hospital lavatory rooms. By way of exception, in case of needs justified in a timely manner, related to security, cameras may also be installed in those areas, and in all cases this shall be done after evaluation of the impact, and after notifying the personal data protection official and requesting a permission by the Personal Data Protection Commission. In these cases, a special notice shall be posted at a visible location within said premises.

By way of exception, in case of security-related needs, which have been properly justified and proven, hidden cameras may be used, when necessary for the prevention, investigation, discovery, and legal prosecution of criminal offenses. The use of hidden cameras shall be the subject of preliminary approval by the Personal Data Protection Commission and systematic notification of the personal data protection official. The use of hidden cameras shall always be proportionate to the burden of the presumed criminal act.

Each case of using hidden cameras shall be documented in detail, and the following shall be included:

• a clearly defined objective, which could not have been achieved using alternative means of investigation, which breaches privacy to a lesser degree;
• evaluation of the impact regarding the area within the scope of hidden video cameras and affected individuals;
• strictly limited time period;
• strictly limited locations;
• strict limitation of the users who have access, and clear determination of the identity of such users;
• deleting the recordings immediately after they are no longer necessary for the purposes of this investigation.

Sound recording

All incoming phone calls to the Hospital shall be recorded, and prior to the start of the call, the callers shall be notified that this call will be recorded.

Collected personal data and purpose of the collection

• The CCTV is a conventional and a static system. It records digital images and has movement sensors. Movements caught by the cameras in the surveillance areas shall be recorded, including the time, date, and the location. All cameras shall be operational at all times. The quality of the image shall allow the identification of the areas within the range of the camera as appropriate. Almost all cameras are stationary, very few of them can be used by operators to zoom into the image in a particular situation, due to security concerns. Operators trained for this purpose shall following the privacy protection and access rights settings.
• The recorded phone calls are used to guarantee that patients are correctly referred to the treating physicians when booking an appointment. The same measures for protection of personal data shall be applied to the phone calls recordings, within the stipulated time limits.
• Purpose and legal grounds for the use of CCTV
  The Hospital shall only use the CCTV system for the purposes of:
  – security and safety;

– protecting the hospital assets;

– providing emergency medical care; and

– improving the level of healthcare and medical activity.

When necessary, the CCTV system shall add to the other physical security systems, such as access control systems and physical intrusion control systems.

Limitation of purpose – The system shall not be used for any other purposes, such as observation of the work of the employees, or the other staff, or to control presence at work. The system shall be used as an investigation tool, or as evidence for internal investigations or disciplinary procedures, exclusively for the purposes of investigating an incident related to physical security, or in extraordinary circumstances – within the limits of а criminal investigation.

The legal grounds for CCTV shall be in the legitimate interest of the Hospital, including in its capacity as an Employer. Regarding the CCTV systems in patient rooms, processing based on explicit written consent of the patient shall be applied.
The legal grounds for a phone call recording is the agreement of the individual.

• Special data categories:

The Hospital CCTV does not have the purpose of capturing images (for example by image zooming or targeting) or processing images in any other manner (such as indexing, profiling), which disclose the so-called “special categories of data”.

An exception from this principle is its use for the purposes of medical diagnosis, providing health or social care and observation – article 9, paragraph 2, item g of the Regulation, in case there is CCTV is in patient rooms.

 

Access to the collected personal data

• Access to the video recordings, the phone call recordings and the CCTV live feed is limited to a few precisely defined individuals on a need-to-know basis. In its internal organization, the Hospital shall determine who has the right: to see the CCTV feed in real time; to see the recordings; to copy, download, delete, or change certain recordings. The Hospital shall stipulate the possibility of having employee representatives be part of the examination of the materials.
• All employees, who have access rights, including security guards, employed by an outside subcontractor, shall undergo basic personal data protection training. All new employees shall undergo training, and new seminars on matters involving personal data protection shall be organized at least once every two years for all employees, who have access rights.
• After the training, each employee shall sign a privacy statement. This statement shall also be signed by all external subcontractors and their staff.
• The management and the employees, who work in human resources, shall not have access, other than within disciplinary procedures, which are the direct consequence of an accident related to physical security, and with a mandate by the designating authority.

Access can also be provided to law enforcement authorities if this is necessary for the purposes of investigation or a prosecution of a criminal act.

Any breach in security related to cameras shall be filed in the investigation record and shall immediately be reported to the personal data protection official.

 

Personal Data Protection and Guarantees

The following technical and organizational measures have been taken to ensure the security of the CCTV systems and personal data protection:

• The servers that the recordings are kept at shall be found in safe premises, protected using physical security measures; network firewalls protect the information infrastructure logic perimeter; the computer mainframes, which store the data, have an extra layer of security protection.
• Administrative measures include the obligation of having individual reliability check by all engaged subcontractors, who have access to the system (including the staff for maintenance of the equipment and the systems).
• All employees (external and internal) shall sign non-disclosure and privacy agreements.
• The access rights of users shall be provided only for the resources, which are necessary to perform their obligations.
• Only the system administrator, specifically designated for this purpose by the controller, shall amend or remove access rights of employees. Granting, changing, or revoking access rights shall follow strict criteria.
• The Hospital shall keep an updated list of all individuals with access to the system at all times and this list shall detail their access rights.
• The Personal Data Protection Officer shall be consulted prior to the purchase or installing a new CCTV system.

 

Public awareness information

The Hospital applies multitude awareness measures, which involve the following:

• a detailed notice containing information regarding the use of CCTV has been installed at each of the entrances of the Hospital, including at the parking lots entrances;
• notices with pictograms shall be placed in the buildings to notify individuals of the video surveillance and provide awareness for obtaining additional information;
• The policy for use of video surveillance systems has been published on the Hospital website and can also be found at the Information/Registration Desk, along with more detailed information regarding the practices of the Hospital regarding video surveillance.
• When calling the Hospital, individuals shall be notified that the call is being recorded, and they can get more information on this matter on the Hospital website.

The notice the Hospital posts on-site is published in the application.

 

Rights of data subjects

The Data Subjects shall have access rights to the personal data that they need, kept by the Hospital, and they shall have the right to rectify and supplement this data. All requests for access, rectification, blocking and/or deleting personal data as the result of the use of cameras, shall be sent to the Personal Data Protection Official /PDPO/, namely: Sergey Nikolov

The official shall send a confirmation of receipt to the sender within 10 workdays after receiving the request. If possible, PDPO shall send a specific response regarding the request within up to 30 calendar days. In case this is not possible, the sender shall be notified of the follow-up steps and the reasons for the delay. Even in most complex cases, at latest within three months, the request must be granted, or  a justified final response shall be given, which refuses to grant the request.

For data protection purposes, the Hospital may request the senders to explicitly verify their identity (for example by presenting an identity document), and to clarify the date, time, place and circumstances, wherein they have been recorded by the cameras, or recorded on the phone. Senders shall also provide an updated personal photo, which would allow security staff to recognize them on the viewed recordings.

In case of irregularities or apparent misuse by the data subject in exercising the data subject rights, the Hospital may consult with the Personal Data Protection Official regarding the request, and/or to redirect the data subject to the Personal Data Protection Official, which shall take a decision regarding the eligibility of the request, and the respective follow-up actions.

 

Legal remedies

Each data subject shall have the right to file an application to the supervisory authority – the Personal Data Protection Commission, 1592 Sofia, 2 Professor Tsvetan Lazarov Blvd., or to www.cpdp.bg, if the data subject is of the opinion that his/her rights have been breached as the result of processing the personal data pertaining to that data subject by the Hospital.

It is recommended, prior to filing a claim, the affected individuals would contact the Hospital Personal Data Protection Official, by calling the following number: 0887801257, and at e-mail: [email protected]

 

POLICY OF MC NADEZHDA REPRODUCTIVE SOFIA OOD, UIC: 200580103 REGARDING THE USE OF VIDEO AND SOUND RECORDING SYSTEMS

Objective and scope of the policy

In view of the safety and security of the employees, visitors, the medical establishment building, the property, and the processed personal data, the Medical Center Nadezhda Reproductive Sofia OOD (hereinafter referred to as MC) uses a CCTV system in some of the areas of its buildings, as well as recording of all incoming calls to the establishment. The policy regarding the use of CCTV systems and sound recordings details the CCTV and sound recording system of the MC and the safety personal data protection measures undertaken, the privacy policy and other rules and legitimate interests of the individuals, who are within the range of the cameras.

This policy defines the procedures which need to be followed in processing personal data. The organization shall follow the procedures and principles set forth herein at all times, and must ensure the same for its employees, contractors, or other parties who act in the name of the organization.

This policy is integral to the common Personal Data Protection Policies of MC NADEZHDA REPRODUCTIVE SOFIA OOD.

Compliance with the applicable personal data protection texts

• The medical establishment shall use its CCTV and sound recording systems in compliance with Regulation (EU) N. 2016/679 of the European Parliament, and the national laws in force in the Republic of Bulgaria.
• Regarding the use of the CCTV systems, the MC has completed an evaluation of the legal interests, risk evaluation, and a balancing test, to determine the degree of impact on the privacy of MC visitors, employees, and patients, in relation to protecting its legal interest.
• Decision-making process

The MC has drafted this policy after consulting with a representative of the employees, and has reached the conclusion that the use of the CCTV is necessary for the purpose of safety and security, and is comparable to them.

• Transparency
  The CCTV use policy is available on the website of the medical establishment at the following address: https://www.nadezhda.bg, as well as in the MC building.
• Regular Review

Every two years, MC NADEZHDA REPRODUCTIVE SOFIA OOD shall perform a regular review and evaluation of the compliance with the personal data protection requirements, and the first review shall be completed at latest on December 31, 2020. Within the regular review scope, MC shall assess the following:

• whether the system continues to serve the purpose announced;
• whether there are adequate alternatives available; and
• whether this policy is still in compliance with regulation N. 2016/679.

• Privacy Protection

To improve privacy protection, the MC has stipulated for the following, if necessary:

• image blurring (to create a partially or completely unrecognizable image, as the case may be),
• limiting the recordings storage periods, in compliance with the security requirements (please refer to article 7 herein below), and
• strict management of the operators’ rights regarding access to the internal video surveillance system (CCTV).

Surveillance areas

There are cameras installed in different places in the medical establishment building, including: In the common premises, at the central entrance in front of the hospital establishment; the patient rooms, the laboratories, at the emergency exits; at the entrance of the parking lots; in the meeting rooms; along the halls; around the buildings, to protect the outside perimeter.

The location of the cameras shall be re-reviewed carefully to guarantee that areas not of significance for the objectives pursued only receive the minimum coverage. Surveillance outside of the territory of the building has been reduced to a minimum.

Surveillance shall not be performed in areas related to increased privacy expectations, such as restrooms and hospital lavatory rooms. By way of exception, in case of needs justified in a timely manner, related to security, cameras may also be installed in those areas, and in all cases this shall be done after evaluation of the impact, and after notifying the personal data protection official and requesting a permission by the Personal Data Protection Commission. In these cases, a special notice shall be posted at a visible location within said premises.

By way of exception, in case of security-related needs, which have been properly justified and proven, hidden cameras may be used, when necessary for the prevention, investigation, discovery, and legal prosecution of criminal offenses. The use of hidden cameras shall be the subject of preliminary approval by the Personal Data Protection Commission and systematic notification of the personal data protection official. The use of hidden cameras shall always be proportionate to the burden of the presumed criminal act.

Each case of using hidden cameras shall be documented in detail, and the following shall be included:

• a clearly defined objective, which could not have been achieved using alternative means of investigation, which breaches privacy to a lesser degree;
• evaluation of the impact regarding the area within the scope of hidden video cameras and affected individuals;
• strictly limited time period;
• strictly limited locations;
• strict limitation of the users who have access, and clear determination of the identity of such users;
• deleting the recordings immediately after they are no longer necessary for the purposes of this investigation.

Sound recording

All incoming phone calls to the MC shall be recorded, and prior to the start of the call, the callers shall be notified that this call will be recorded.

Collected personal data and purpose of the collection

The CCTV is a conventional and a static system. It records digital images and has movement sensors. Movements caught by the cameras in the surveillance areas shall be recorded, including the time, date, and the location. All cameras shall be operational at all times. The quality of the image shall allow the identification of the areas within the range of the camera as appropriate. Almost all cameras are stationary, very few of them can be used by operators to zoom into the image in a particular situation, due to security concerns. Operators trained for this purpose shall following the privacy protection and access rights settings.

• The recorded phone calls are used to guarantee that patients are correctly referred to the treating physicians when booking an appointment. The same measures for protection of personal data shall be applied to the phone calls recordings, within the stipulated time limits.
• Objective and legal grounds for the use of CCTV

MC shall only use the CCTV for the following purposes:

– security and safety;

– protecting the hospital assets;

– providing emergency medical care; and

– improving the level of healthcare and medical activity.

When necessary, the CCTV system shall add to the other physical security systems, such as access control systems and physical intrusion control systems.

Limitation of purpose – The system shall not be used for any other purposes, such as observation of the work of the employees, or the other staff, or to control presence at work. The system shall be used as an investigation tool, or as evidence for internal investigations or disciplinary procedures, exclusively for the purposes of investigating an incident related to physical security, or in extraordinary circumstances – within the limits of а criminal investigation.

The legal grounds for CCTV shall be in the legitimate interest of the MC, including in its capacity as an Employer. Regarding the CCTV systems in patient rooms, processing based on explicit written consent of the patient shall be applied.

The legal grounds for a phone call recording is the agreement of the individual.

• Special data categories

The MC CCTV does not have the purpose of capturing images (for example by image zooming or targeting) or processing images in any other manner (such as indexing, profiling), which disclose the so-called “special categories of data”.

An exception from this principle is its use for the purposes of medical diagnosis, providing health or social care and observation – article 9, paragraph 2, item g of the Regulation, in case there is CCTV is in patient rooms.

Access to the collected personal data

• Access to the video recordings, the phone call recordings and the CCTV live feed is limited to a few precisely defined individuals on a need-to-know basis. In its internal organization, MC shall determine who has the right: to see the CCTV feed in real time; to see the recordings; to copy, download, delete, or change certain recordings. MC shall stipulate the possibility of having employee representatives be part of the examination of the materials.
• All employees, who have access rights, including security guards, employed by an outside subcontractor, shall undergo basic personal data protection training. All new employees shall undergo training, and new seminars on matters involving personal data protection shall be organized at least once every two years for all employees, who have access rights.
• After the training, each employee shall sign a privacy statement. This statement shall also be signed by all external subcontractors and their staff.
• The management and the employees, who work with human resources, shall not have access, other than within disciplinary procedures, which are the direct consequence of an accident related to physical security, and with a mandate by the designating authority.

Access can also be provided to law enforcement authorities if this is necessary for the purposes of investigation or a prosecution of a criminal act.

Any breach in security related to cameras shall be filed in the investigation record and shall immediately be reported to the personal data protection official.

Personal Data Protection and Guarantees

The following technical and organizational measures have been taken to ensure the security of the CCTV systems and personal data protection:

• The servers that the recordings are kept at shall be found in safe premises, protected using physical security measures; network firewalls protect the information infrastructure logic perimeter; the computer mainframes, which store the data, have an extra layer of security protection.
• Administrative measures include the obligation of having individual reliability check by all engaged subcontractors, who have access to the system (including the staff for maintenance of the equipment and the systems).
• All employees (external and internal) shall sign non-disclosure and privacy agreements.
• The access rights of users shall be provided only for the resources, which are necessary to perform their obligations.
• Only the system administrator, specifically designated for this purpose by the controller, shall amend or remove access rights of employees. Granting, changing, or revoking access rights shall follow strict criteria.
• MC shall keep an updated list of all individuals with system access at all times and shall detail their access rights.
• The Personal Data Protection Officer shall be consulted prior to the purchase or installing a new CCTV system.

Data protection time limits

The images and phone calls recordings shall be kept for a term of 30 days. After this term expires, the images shall be deleted in the same order they have been recorded in the system. In case of security-related incident, the respective recording may be preserved for a term exceeding the regular term, for a duration necessary for the follow-up investigation of the incident. Said recording has been strictly documented, and the recording needs shall be reviewed on a regular basis.

Public awareness information

MC applies multiple awareness measures, which involve the following:

• a detailed notice containing information regarding the use of CCTV has been installed at each of the entrances of the buildings of the medical establishment, including at the parking lots entrances;
• notices with pictograms shall be placed in the buildings to notify individuals of the video surveillance and provide awareness for obtaining additional information;
• the policy for use of video surveillance systems has been published on the medical establishment website and can also be found at the Information/Registration Desk, along with more detailed information regarding the practices of MC regarding video surveillance.
• When calling MC, individuals shall be notified that the call is being recorded, and they can get more information on this matter on the medical establishment website.

The notice MC posts on-site is published in the application.

Rights of data subjects

The Data Subjects shall have access rights to the personal data that they need, kept by MC, and they shall have the right to rectify and supplement this data. All requests for access, rectification, blocking and/or deleting personal data as the result of the use of cameras, shall be sent to the Personal Data Protection Official /PDPO/, namely: attorney-at-law Sergey Nikolov

The official shall send a confirmation of receipt to the sender within 10 workdays after receiving the request. If possible, PDPO shall send a specific response regarding the request within up to 30 calendar days. In case this is not possible, the sender shall be notified of the follow-up steps and the reasons for the delay. Even in most complex cases, at latest within three months, the request must be granted, or  a justified final response shall be given, which refuses to grant the request.

For data protection purposes, MC may request senders to explicitly verify their identity (for example by presenting an identity document), and to clarify the date, time, place, and circumstances, wherein they have been recorded by the cameras, or recorded on the phone. Senders shall also provide an updated personal photo, which would allow security staff to recognize them on the viewed recordings.

In case of irregularities or apparent misuse by the data subject in exercising the data subject rights, the medical establishment may consult with the Personal Data Protection Official regarding the request, and/or to redirect the data subject to the Personal Data Protection Official, which shall take a decision regarding the eligibility of the request, and the respective follow-up actions.