Information about the Personal Data Controller:

"CENTRE FOR EUROPEAN HEALTH POLICIES" EOOD is a company registered under the Commercial Act of the Republic of Bulgaria with UIC 207108518, with its registered office and administrative address at: Sofia, postal code 1700, Studenski district, Vitosha residential complex, 25B Konstantin Petkanov Street, entrance V, apt. 80.

Operating through the website: "www.cehp.eu", hereinafter referred to as "the Site".

Contact Details:

Email address: info@cehp.eu.
In the following paragraphs you will find detailed information regarding the processing of your personal data depending on the legal basis on which we process them.

What is Personal Data?

Personal data is any information or set of information that identifies you or could be used to identify you (together with other information that you provide in the contact form).
The processing of personal data includes collecting, storing, transmitting, correcting, updating, deleting, destroying, and all other actions performed with your personal data.

Legal Bases and Purposes for Which We Use Your Personal Data

We process your personal data in connection with the provision of services. In the following paragraphs you will find detailed information regarding the processing of your personal data depending on the legal basis on which we process them.

Purposes of Processing:

  • Establishing your identity or that of the legal entity you represent.

  • Managing and responding to your inquiries.

  • Preparing an offer for entering into a contract.

  • Preparation and sending of an invoice/bill for the services you use from us.

  • To ensure the comprehensive service you require.

  • Retaining correspondence related to orders, handling inquiries, reporting issues, etc.

  • Sending notifications regarding everything related to the services you use from us.

Data Processed on this Legal Basis:

We process information regarding the type and content of the contractual relationship, as well as any other information related to the contractual relationship, including:

  • Contact personal data – names, email, phone number.

  • Sensitive data such as: medical information.

  • Information regarding the inquiry you submitted to us.

  • Correspondence related to the overall service – emails, letters, information regarding your requests for problem resolution, complaints, petitions, grievances, and feedback received from you.

  • IP address.
     

The processing of the aforementioned personal data is mandatory for us to provide you with comprehensive information about our services. In the forms through which personal data is entered, we clearly indicate whether the provision of data is mandatory or voluntary.

When We Delete the Data Collected on This Basis

Data collected on this basis is deleted 2 years after the termination of the contractual relationship, regardless of whether this is due to the contract’s expiration, dissolution, or another reason.

For the Fulfillment of Regulatory Obligations

It is possible that the law imposes an obligation on us to process your personal data. In such cases, we are required to carry out the processing, for example:

  • Obligations under the Law on Measures Against Money Laundering.

  • Fulfilling obligations related to distance selling and off-premises selling as provided in the Law on Consumer Protection.

  • Providing information to the Consumer Protection Commission or third parties, as provided for in the Law on Consumer Protection.

  • Providing information to the Commission for Personal Data Protection in connection with obligations under personal data protection regulations.

  • Obligations under the Accounting Act and the Tax and Social Security Procedure Code and other related regulatory acts for maintaining proper accounting records.

  • Providing information to the court and third parties in judicial proceedings in accordance with applicable legal acts.

  • Verifying age for online shopping.

When We Delete the Personal Data Collected on This Basis

Data collected pursuant to a legal obligation is deleted once the obligation for collection and storage has been fulfilled or ceases to apply, for example:

  • Under the Accounting Act for the storage and processing of accounting data (11 years).

  • For obligations to provide information to the court, competent state authorities, etc. as provided in current legislation (5 years).

Provision of Data to Third Parties

When required by law, it is possible to provide your personal data to the competent state authority, or to a natural or legal person.

Based on Your Consent

We process your personal data on this basis only after your explicit, unambiguous, and voluntary consent. We will not impose any adverse consequences on you if you refuse the processing of your personal data.
Consent is a separate legal basis for processing your personal data, and the purpose of processing is specified therein, which is not covered by the purposes listed in this policy. If you give us your consent, until its withdrawal or the termination of any contractual relationship with you, we prepare appropriate offers for products/services by carrying out detailed analyses of your key personal data.

Provision of Data to Third Parties

On this basis, we may provide your data to marketing agencies, Facebook, Google, or similar entities.

Withdrawal of Consent

Provided consents may be withdrawn at any time. Withdrawal of consent will not affect the performance of contractual obligations. If you withdraw your consent for processing personal data for any or all of the purposes described above, we will no longer use your personal data and information for those specified purposes. Withdrawal of consent does not affect the lawfulness of processing based on the consent given prior to its withdrawal.
To withdraw your consent, simply use our website or our contact details.

When We Delete the Data Collected on This Basis

Data collected on this basis is deleted upon your request or 12 months after its initial collection.

How We Protect Your Personal Data

To ensure adequate protection of the company’s data and that of our clients, we apply all necessary organizational and technical measures as provided in the Personal Data Protection Act.
The company has established rules to prevent misuse and security breaches, which help in protecting and ensuring the security of your data.
For maximum security in processing, transferring, and storing your data, we may use additional protection mechanisms such as encryption, pseudonymization, etc.

Rights of the Users

Every user of the site is entitled to all the rights for personal data protection according to Bulgarian law and European Union law.
Users can exercise their rights through the contact form or by sending an email to us.

Every user has the right to:

  • Information (regarding the processing of their personal data by the controller).

  • Access to their own personal data.

  • Correction (if the data is inaccurate).

  • Deletion of personal data (the right “to be forgotten”).

  • Restriction of processing by the controller or data processor.

  • Portability of personal data between different controllers.

  • Objection to the processing of their personal data.

  • The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them.

  • The right to legal or administrative remedy if the data subject’s rights have been violated.


The user may request deletion if one of the following conditions is met:

  • The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.

  • The user withdraws their consent on which the processing was based and there is no other legal basis for processing.

  • The user objects to the processing and there are no legal grounds that outweigh the user’s interests.

  • The personal data has been processed unlawfully.

  • The personal data must be deleted to comply with a legal obligation under EU law or the law of a Member State applicable to the controller.

  • The personal data was collected in connection with offering information society services to children and consent was given by the person responsible for the child.


If the user wishes to have their personal data deleted, they should submit their request to the Personal Data Controller via the email provided above.

The user also has the right to restrict the processing of their personal data by the controller when:

  • They contest the accuracy of the personal data. In this case, the restriction is for a period that allows the controller to verify the data’s accuracy.

  • The processing is unlawful, but the user does not want the data deleted and instead requests a restriction on its use.

  • The controller no longer needs the data for processing, but the user requires it for establishing, exercising, or defending legal claims.

  • They object to processing pending verification of whether the controller’s legal grounds override the user’s interests.

Right to Data Portability

The data subject has the right to receive the personal data concerning them that they have provided to the controller in a structured, commonly used, and machine-readable format, and to transmit those data to another controller without hindrance, when processing is based on consent or a contractual obligation and carried out by automated means. When exercising this right, the data subject also has the right to have the personal data directly transferred from one controller to another if technically feasible.

Right to Object

Users have the right to object to the processing of their personal data by the controller. The controller must cease processing unless it can demonstrate compelling legal grounds for processing that override the rights, interests, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims. In case of an objection to processing for direct marketing purposes, processing should cease immediately.

Complaint to the Supervisory Authority

Every user has the right to file a complaint against unlawful processing of their personal data with the Personal Data Protection Commission or the competent court.

Rules regarding the mechanism for processing personal data and their protection against unlawful processing

Article 1.
These internal rules regarding technical and organisational measures and the acceptable type of protection of personal data govern the organisation of processing personal data of the company’s clients, as well as their protection.

Article 2.
The company is a personal data controller and, as such, maintains the following registers:
Register "Clients".

Article 3.
The "Clients" register collects and stores the personal data of the company’s clients for the purpose of:

  • Identifying the respective contracting parties.

  • Providing the company’s services, for which the personal data of the contracting parties is necessary.

  • Complying with the regulatory requirements of the Accounting Act and other relevant regulatory acts.

  • Using the collected data for official purposes only and exclusively after obtaining proper consent from the individuals for processing their personal data for the following purposes:

  • For all activities related to the establishment, modification, and termination of contractual relationships, as well as for the collection of receivables arising therefrom – for the preparation of any documents in this regard (contracts, additional agreements, any commercial, accounting, and other documents).

  • For establishing contact with individuals by phone, address and/or email, for sending correspondence related to the fulfilment of their obligations under the contracts concluded with the Company.

  • For maintaining accounting records.


Article 4.
(1). The "Clients" register stores the following types of personal data regarding the "Physical Identity" category of individuals: names, contact phone numbers, email, etc. These are provided on the basis of entering into and performing the contract.
(2). The personal data registers maintained by the company are protected by controlled access granted to authorized employees via a username and password identification procedure. The registers are maintained on an electronic medium in a cloud space managed by a data processor, which in turn applies the necessary measures for the protection of personal data.
(3). By exception, the company may also maintain paper registers. Data for employees and clients is stored in folders arranged in binders located in a secure storage area at the company’s office.

Chapter Three – PROCESSING OF PERSONAL DATA.

Article 5.
Collection of Personal Data:

(1). Personal data in the "Clients" register is collected either by direct provision from users and clients or automatically.
(2). When collecting personal data, the data subject must be informed of the purposes for which the data is being collected and processed.
(3). When personal data is collected and processed on paper for the company’s clients, it is stored in a secure storage area with restricted access by key and is used by authorised persons solely for fulfilling legal or contractual obligations.

Article 6.
(1). The company may delegate the processing of personal data to processors. The processing may be delegated to more than one processor in accordance with the specifics of their functions and to delineate their respective responsibilities.

Article 7.
The company may transfer personal data of its clients to third parties, for which the data subjects must be explicitly informed.

Chapter Four – PROTECTION OF PERSONAL DATA. OBLIGATIONS OF THE CONTROLLER.

Article 8.
Ensuring Access for Individuals to Their Personal Data:

(1). Every individual has the right to access their personal data. In cases where exercising this right might reveal personal data relating to a third party, the controller must provide access only to the portion pertaining solely to the individual.

(2). To obtain access to personal data, data subjects may follow the procedure described in Regulation (EU) 2016/679 of the European Parliament and of the Council.

(3). When the data does not exist or cannot be provided on a particular legal basis, access shall be refused with a reasoned decision communicated to the applicant as specified above.

(4). In fulfilling its obligations to provide access, the company provides the data subject with the following information:

  • The data identifying the controller and the contact details.

  • The purposes for which the personal data is processed, as well as the legal basis for processing.

  • The recipients or categories of recipients to whom the personal data has been or will be disclosed, particularly recipients in third countries as defined by the Regulation or international organisations, along with their protection safeguards.

  • When possible, the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.

  • The existence of a right to request correction or deletion of personal data or to restrict its processing, as well as the right to object to such processing.

  • The right to file a complaint with the Personal Data Protection Commission.

  • The existence of any profiling procedure, if applicable.

(5). The controller must notify every recipient to whom the personal data has been disclosed of any correction, deletion, or restriction of processing, unless it is impossible or requires disproportionate effort. The controller shall inform the data subject of these recipients if requested.

Article 9.

(1). The transfer of personal data to a country - a member state of the European Union, as well as to another country - a member state of the European Economic Area, is carried out in compliance with current European and national legislation.

(2). The provision of personal data to a third country outside those mentioned in paragraph 1 is permitted only if that country ensures an adequate level of protection for personal data within its territory.


Article 10.
Retention Period for Personal Data:
"Clients" Register: The various carriers of accounting and tax information containing personal data from the "Clients" register – for the Company’s clients with whom a contract has been concluded – are retained for the periods specified in the Accounting Act and the Tax and Social Security Procedure Code.

Article 11.
Periodic Archiving
Archiving of personal data is performed periodically by the company, with access to archived data further restricted.

Article 12.
(1). The Company is obliged, upon receiving a request from an individual whose personal data is processed by the Controller, to delete the personal data without undue delay when any of the following conditions apply:

  • The personal data is no longer necessary for the purposes for which it was collected or processed.

  • The individual withdraws their consent on which the processing was based and there is no other legal basis for processing.

  • The individual objects to the automated decision-making applied by the Controller to their personal data and there are no other legal grounds that override this, or the individual explicitly objects to processing.

  • The personal data has been processed unlawfully.

  • The personal data must be deleted to comply with a legal obligation under European or national law.

  • The personal data was collected in connection with providing information society services to children.

(2). The Company has the right to refuse the actions in paragraph 1 in cases provided by law; in such event, it must notify the requesting individual.

Article 13.
(1) Data Portability:
The data subject has the right to receive the personal data they have provided to the Controller in a structured, commonly used, and machine-readable format and to transmit those data to another controller without hindrance, when:
(a) Processing is based on the consent of the data subject or on a contractual obligation;
(b) Processing is carried out by automated means.

Article 14.
(1). In the event of a personal data security breach, the Controller shall notify the Personal Data Protection Commission ("PDPC") without undue delay, but no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
(2). If the breach is likely to result in a high risk to the rights and freedoms of individuals, the company shall notify the data subject without undue delay.

Article 15.
The Controller shall implement appropriate technical and organizational measures to ensure that, by default, only the personal data necessary for each specific processing purpose is processed, considering the volume of data collected, the extent of processing, the retention period, and accessibility.

Privacy Policy
