PERSONAL DATA PROTECTION POLICY of “VEREYA MEDICAL CENTER” Ltd.
SUBJECT MATTER
The purpose of this Policy is to inform the current and future patients, contractors, workers, and employees of “Vereya Medical Center” Ltd., having its registered office and management address at 9 Mitropolit Metodi Kusev Blvd., Stara Zagora (the “Company”), in its capacity as a data controller, regarding the personal data processed by the Company, and to ensure the lawful, fair, and transparent processing of personal data.
This Policy has been prepared in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as well as Bulgarian legislation in the field of personal data protection and medical law, and aims to guarantee the rights of natural persons in connection with the protection of their personal data when such data is processed by the Company.
DEFINITIONS
For the purposes of this Policy, the following terms shall have the meanings set out below:
• PDPA – Personal Data Protection Act.
• CPDP – Commission for Personal Data Protection.
• GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
• Person responsible for personal data – at “Vereya Medical Center” Ltd., the person responsible for personal data is the manager of the Company.
• Data controller – the Company, hereinafter referred to as the Company or the Controller.
• Data processor – a person or organization which, on the basis of a contract, processes personal data provided by the Company for agreed purposes. Despite terminological differences, other controllers or recipients with whom the Company interacts may also be regarded as data processors – banks, couriers, postal operators, as well as state authorities and institutions.
• Data protection notices – separate notices containing information provided to data subjects at the time the Company collects information about them. These notices may be general (e.g. addressed to workers and employees or published on the Company’s website) or may relate to processing for a specific purpose.
• Data processing – any activity related to the use of personal data. This includes receiving, recording, storing, carrying out an operation or a series of operations with the data, such as organizing, editing, retrieving, using, disclosing, deleting, or destroying it. Processing also includes the transfer of personal data to third parties.
• Consent – any freely given, specific, informed, and unambiguous indication of the wishes of the data subject by which, through a statement or a clear affirmative action, he or she signifies agreement to the processing of personal data relating to him or her.
• Personal data – any information relating to a natural person that can directly or indirectly lead to his or her identification. Personal data is information which, together with other information, may lead to the establishment of the identity of an identifiable natural person. Such information may include a name, date of birth, personal identification number, address, identity document number, telephone number, email address, data concerning health status, online identifiers, data concerning terminal electronic communication devices, and others.
The Personal Data Protection Policy of “Vereya Medical Center” Ltd., as well as the internal rules and procedures adopted on its basis for the processing of personal data, contain the main rules and provide information on:
1. Data subjects
2. Categories of personal data
3. Purposes and principles of personal data processing
4. Methods of collection and means of processing personal data
5. Provision and disclosure of personal data
6. Consequences of refusal to provide personal data
7. Rights of data subjects
8. Protection of personal data
9. Periods for processing and storage
10. Methods of contacting the Company
1. Data subjects
The Company collects and processes personal data necessary for the exercise of its rights and obligations as a medical institution, employer, supplier of goods and services, and contractual counterparty, in compliance with the requirements of applicable legislation. The Company collects personal data from the following categories of data subjects:
1.1. Patients
1.2. Contractors
1.3. Workers, employees, and persons engaged under civil contracts
1.4. Job applicants
2. Categories of personal data
The personal data collected about individuals differ depending on their relationship with “Vereya Medical Center” Ltd.
2.1. Patients
The Company collects and processes its patients’ personal data only to the minimum extent necessary for proper diagnosis and treatment, as well as in fulfillment of its legal obligations. The possible data we collect and process for our patients include:
– data relating to the patient’s physical identity – name, age, personal identification number or date of birth, health condition;
– identity document number, address, telephone number, email address, insurance identification number;
– physiological identity – height, weight, blood type, blood count, and other data related to the functions of the human body, requested or necessary for the provision of healthcare services;
– cultural identity – hobbies, lifestyle, where necessary for the diagnosis of a specific illness;
– social identity – education, habits, work activity, place of work, profession, labor category;
– family identity, marital status, family relations;
– data related to identifying environmental risk factors and necessary for the provision of healthcare services.
In some cases, it is also necessary to collect personal data concerning a patient’s representative, e.g. a contact person, parent, or guardian.
The Controller does not process personal data related to patients’ sex life, racial or ethnic origin, political, religious, or philosophical beliefs, trade union membership, or genetic identity.
2.2. Contractors
Including their employees, representatives, etc. For the conclusion and performance of contracts with the Company’s contractors that are legal entities, personal data concerning at least one of the following persons is processed:
– the legal representative of the contractor;
– an authorized representative of the contractor;
– a contact person expressly designated by the contractor;
– an employee of the contractor whose official duties are related or necessary to the performance of the contract with our Company.
For these persons, the following are collected:
– identification data – first name, surname, job title/position;
– contact details – telephone, address, email address;
– data regarding the person’s authority in relation to the contractor and the contract.
For the conclusion and performance of contracts with natural persons who are contractors of the Company, personal data necessary for the fulfillment of the Company’s legal obligations is collected, as follows: name, personal identification number (date of birth), permanent and/or current address, telephone number, identity card details or passport data, email address.
2.3. Workers, employees, and persons engaged under civil contracts. For these persons, the Company collects the following data:
– Identification: name, personal identification number (date of birth), permanent and/or current address, telephone number, identity card details or passport data, email address;
– Education and professional qualifications: data related to education, work experience, professional and personal qualifications, and skills;
– Health data: health condition, disability assessment decisions, medical certificates, sick leave certificates, and all related documentation.
2.4. Job applicants. For job applicants, the following personal data is collected:
– Identification: name, personal identification number (date of birth), permanent and/or current address, telephone number, identity card details or passport data, email address;
– Education and professional qualifications: data related to education, work experience, professional and personal qualifications, and skills;
– Health data at the job application stage are collected only if the individual has voluntarily provided them.
3. Purposes and principles of personal data processing
“Vereya Medical Center” Ltd. collects and uses personal data solely for the following PURPOSES:
• diagnosis and treatment of patients, health prevention, and supervision;
• provision and reporting of medical services, as well as performance of the obligations of “Vereya Medical Center” Ltd. in its capacity as a medical institution arising from the Health Act, the Medical Institutions Act, the agreements with the Regional Health Insurance Fund under the National Framework Contract, and the preparation of the necessary related medical documentation and the provision of health and medical-statistical information to the competent authorities – the Ministry of Health, the National Statistical Institute, the Regional Health Inspectorate, the National Center for Public Health, the Executive Agency “Medical Audit”;
• human resources management, payment of salaries, and fulfillment of the employer’s related obligations for withholding and payment of health and social insurance contributions, taxes, as well as other rights and obligations of the Company in its capacity as an employer; financial and accounting activities;
• administration of relations with contractors – suppliers and clients of the Company, and provision of goods and services;
• conclusion of valid and binding contracts and their proper performance; maintaining contact with contractors and sending valid communications to them; exercising and protecting the rights and interests of the Controller under contracts with contractors; maintaining active business relationships;
• security, including the maintenance and protection of the Controller’s property and the premises it uses, security and control of access by external persons, and guaranteeing the safety of employees and third parties;
• any other lawful business purpose, as well as other cases permitted or required by applicable law or regulation.
When collecting and processing personal data, “Vereya Medical Center” Ltd. observes the following main PRINCIPLES:
• personal data is collected for specific, explicit, and lawful purposes and is not further processed in a manner incompatible with those purposes;
• personal data is relevant to the purposes for which it is collected;
• personal data must be accurate and, where necessary, kept up to date;
• personal data is erased or corrected when it is established that it is inaccurate or does not correspond to the purposes for which it is processed;
• the data subject is informed in advance about the processing of his or her personal data;
• personal data is kept in a form that permits identification of the individuals concerned for no longer than is necessary for the purposes for which the data is processed.
4. Methods of collection and means of processing personal data
“Vereya Medical Center” Ltd. collects personal data in one of the following ways:
4.1. Personal data of our potential and actual patients, contractors, workers, employees, and persons engaged under civil law relationships may be collected or received directly from the data subject; from another person, of which the Controller shall inform the data subject; from an authority or institution where there is a valid legal basis for obtaining the data; as well as through access to public registers, but only where there is a clear intention to conclude a contract or for the purposes of pursuing our legitimate interests.
4.2. We also collect patients’ personal data through the use of medical equipment and apparatus for diagnosis and treatment.
4.3. Personal data and information about a natural person may reach us in the form of documents, forms, templates, applications, letters, and correspondence.
4.4. We may also collect personal data of a natural person when they visit premises where we have established an access control regime, installed an access control system, or installed a video surveillance system. Places where video surveillance is carried out are clearly marked with information signs.
4.5. We may collect or receive personal data through our website http://mcvereya.bg/, including through our inquiry form or through the use of “cookies,” of which every user of the website is duly informed.
“Vereya Medical Center” Ltd. mainly uses non-automated means of processing personal data. These are all means in which the decision to process personal data or to perform a specific processing activity involves human intervention. We process incoming documents on paper and electronic media in a non-automated manner, including contracts, written or oral correspondence, medical documentation, declarations of intent of the data subject, and others. This type of data processing is carried out both on paper or another physical medium and in electronic form, through the use of computer systems, peripheral devices, medical equipment and apparatus, as well as through specialized software, such as accounting, clerical, medical, and reporting software.
The Company does not use fully automated means for processing personal data. These are means in which the decision regarding the processing of personal data or the performance of a specific processing action is carried out without human intervention. In particular, obtaining information through the Company’s website by means of “cookies” may be considered such a type of processing.
5. Provision and disclosure of personal data
“Vereya Medical Center” Ltd. does not disclose personal data to third parties and recipients unless there is a legal basis for receiving the data, as well as, for example, in the following cases:
• for the performance of some of its activities, the Company enters into contracts with third parties acting as personal data processors of data provided by the Company. Such parties may include, for example, a company providing accounting and payroll services, an occupational health service, the developer of the Company’s website and hosting provider, and other medical institutions, such as a hospital facility under Article 8, para. 3 of the Medical Institutions Act;
• other recipients of data, who depending on the specific case may be processors, other controllers, or third parties, may also include:
– state authorities and organizations entrusted with public functions within the scope of their powers – the National Revenue Agency, National Social Security Institute, Ministry of Interior, Consumer Protection Commission, National Health Insurance Fund, Regional Health Inspectorate, Ministry of Health, Executive Agency “Medical Audit,” National Center for Public Health and Analyses, and others. The Company provides the data in fulfillment of its statutory obligations;
– banks, for the purposes of payments of remuneration and in performance of contractual relations. The Company uses the services of licensed banking institutions, which is considered a sufficient guarantee for the security of the provided data;
– courier companies and postal operators, for the purposes of correspondence and carrying out deliveries to/from natural or legal persons. The Company uses the services of licensed courier and postal operators, which is a guarantee of the security of the provided data;
– companies or natural persons who jointly use premises with “Vereya Medical Center” Ltd. or are landlords, with regard to personal data to which employees of such companies may have access, as well as video surveillance data, if surveillance is carried out on such premises.
In all cases, the Company provides data to recipients only to the minimum extent necessary.
• In cases where data is provided to employees, clients, or service providers of a processor or recipient, the Company:
– requires sufficient guarantees from the processor or recipient for compliance with legal requirements and good practices for the processing and protection of personal data;
– enters into a written agreement or another legal act having the same effect, regulating the obligations of the processor and meeting the requirements of Article 28 of Regulation (EU) 2016/679;
– informs the individuals whose data will be provided to a processor, recipient, or other controller.
6. Consequences of refusal to provide personal data
The personal data requested from patients by the doctors and other employees of “Vereya Medical Center” Ltd. is consistent with the services offered and our legal obligations and is mandatory in nature. In the event of refusal to voluntarily provide the necessary personal data, the Company will not be able to provide its services.
The explicit consent of the natural persons whose data is processed is not always necessary where we have another legal basis for processing, for example a statutory obligation under the Health Act or another law.
Where personal data is processed on the basis of the data subject’s consent, such consent may be withdrawn at any time, without affecting the lawfulness of processing carried out before the withdrawal.
Informed consent within the meaning of the Health Act does not constitute consent within the meaning of the General Data Protection Regulation.
7. Rights of data subjects – access to personal data, amendment, correction, restriction of processing, and erasure
7.1. In relation to their personal data, including data obtained through video surveillance, every natural person has the following rights:
• Right to be informed – to request and obtain confirmation from “Vereya Medical Center” Ltd. as to whether their personal data is being processed by the Company;
• Right of access to the data and information relating to the collection, processing, and storage of their personal data by the Company;
• Right to rectification and updating of personal data where it is inaccurate or has changed;
• Right to erasure (“the right to be forgotten”), right to restriction of processing, or return of personal data where the personal data is no longer necessary for the purposes for which it was collected or processed; where the collection and processing were based on the data subject’s consent, but the subject has withdrawn it; pursuant to Article 21 of the GDPR; where the processing is unlawful, etc. The right to erasure, restriction, or return does not apply where the Controller is complying with a legal obligation, performing a task carried out in the public interest or exercising official authority vested in the Controller, as well as for reasons of public interest in the area of public health, archiving in the public interest, scientific or statistical purposes, or for the establishment, exercise, or defense of legal claims;
• Right to object to the processing or disclosure to third parties of his or her personal data in the absence of consent or a legal basis;
• Right to lodge a complaint with the Controller, the Commission for Personal Data Protection, and before the courts.
7.2. Procedure for exercising rights
• The right of access to personal data is exercised by a request from the affected natural person, sent to the Company’s registered office address or to the Company’s official email address [email protected]. The request should contain the following information: name, address, and other identifying data of the person; legal basis of the right and the specific case in which it is exercised; description of the request; preferred form for provision of the information; signature, date of submission of the application, and correspondence address. Where an application is submitted by an authorized person, an explicit notarized power of attorney must be attached, and in the event of the death of the natural person, his or her rights shall be exercised by an heir, who must attach a certificate of heirs to the request.
• Within two weeks of receiving the request, the Company shall notify the applicant whether the legal grounds for granting the request are present. Where the request is factually or legally complex, the period may be extended to 30 days. If the Company finds that the legal grounds for granting the request are present, it shall also inform the person of the procedure by which the right may be exercised.
• The Company provides the information in a concise, understandable, and easily accessible form, in writing or by other means, including electronically.
• Where the data does not exist or its provision is prohibited by law, access shall be denied to the applicant.
• Where data subjects’ requests are manifestly unfounded or excessive, particularly because of their repetitive character, the Company may refuse to act on the request or may charge a reasonable fee covering the administrative costs of taking the requested action.
• A complaint to the Commission for Personal Data Protection may be submitted to the Commission’s address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, as well as through its website www.cpdp.bg.
8. Personal data protection
“Vereya Medical Center” Ltd. applies a comprehensive approach in fulfilling its obligations as a personal data controller.
8.1. Technical and organizational measures
• All premises in which personal data is stored and processed are subject to access control. Possible technical means of access control include:
– video camera surveillance;
– a policy allowing external persons into the Company’s premises only when accompanied by Company staff.
• The Company’s premises are properly secured by fire protection measures in accordance with Bulgarian legislation.
• When a client or supplier must communicate personal data, this is done in a room where no external persons are present, and where this is impossible, discretion is ensured and measures are taken so that third parties cannot perceive the communicated personal data.
8.2. Documentary protection measures
The Company has established procedures for personal data processing, regulation of access to data, procedures for destruction, and storage periods, set out in the Internal Rules and Procedures for Personal Data Protection.
8.3. Personal protection measures
Before taking up their respective positions, the manager and employees who have access to personal data:
– undertake an obligation not to disclose the personal data to which they have access;
– become familiar with the regulatory framework and the Company’s internal rules and policies concerning personal data protection;
– are instructed regarding the risks to the personal data processed by the Company;
– undertake not to share critical information among themselves or with external persons except in accordance with the procedures established by these Rules.
9. Periods for processing and storage
“Vereya Medical Center” Ltd. processes and stores data within the time limits established by law, where such limits exist, and in all cases for periods no longer than the minimum necessary to achieve the purposes of processing.
10. Methods of contacting “Vereya Medical Center” Ltd.
You may send correspondence to our management address: 9 Mitropolit Metodi Kusev St., Stara Zagora, to the attention of the Manager of the Company, or to the email address [email protected], as well as to the telephone numbers listed on the Company’s website mcvereya.bg.
Final provision
§1. This Policy was adopted by “Vereya Medical Center” Ltd. and enters into force on 21 May 2018.
This website uses “cookies”
This website uses a limited number of “cookies” to make your browsing easier. A “cookie” is a small text file that the website transfers to your computer’s hard drive either for the duration of the session or permanently. Cookies allow anonymous information about your actions and preferences on the website to be stored (for example font size, language, and other settings). Cookies are used for several purposes – functional (to ensure the proper operation of the website), analytical (to anonymously track traffic to the website), and marketing (to improve promotions related to the website).
When they are created, cookies usually do not contain any personal information. They do not scan your computer. Any personal information they may contain is the result of your own input into the website’s forms. When a cookie stores personal information, that information is encrypted in such a way that it is unreadable to any third party who may accidentally gain access to your cookies folder. The only computer that can read and decode the information is the server that created the cookie.
What cookies do we use on this website?
Session cookies
These are temporary cookies that remain in your web browser’s cookie file only for the duration of your visit and are deleted when you close the browser. The purpose of these cookies is functional.
Third-party cookies
These are cookies placed by external providers such as Google Analytics and Facebook. They may be either session or persistent cookies, and their purpose is analytical and marketing-related. The website administrator has no control over these cookies.
What should you do if you do not want cookies?
Do not click “I agree” in the box informing you about the use of cookies.
Through your browser settings, block future cookies. You may also delete existing cookies.
Through your operating system (for example Windows or Mac), delete all cookies from the appropriate folder.
If you would like additional information about cookies, please visit http://www.allaboutcookies.org/