PERSONAL DATA PROTECTION POLICY

Data controllers and contact details

Administrator “Haylan - Home for Medical-Social Care” JSC, ID: 207648560

Registered office and management address: Sofia, 1766, 251 E Okolovrasten Blvd., fl. 12

Tel.: +359898700007

Email: care@haelan.bg

Website: www.haelan.bg

Administrator “Haylan Care - Medical Center” Ltd., ID: 207312638

Headquarters and management address: Sofia, Ring Road No. 251 E, ground floor

Tel.: +359893020202

Email: haelan.care1@haelan.bg

Website: www.haelan.bg

Administrator “Haylan Care 2 — Medico-Dental Center” Ltd., ID: 201760855

Headquarters and management address: Sofia, Business Park Sofia № 1, building № 2, floor 1

Tel.: +359892202040

Email: haelan.care2@haelan.bg

Website: www.haelan.bg

Administrator “Haylan Care 3 — Medical Center” Ltd., ID: 206470233

Headquarters and management address: Sofia, Mihail Tenev № 6, building D, ground floor

Tel.: +359893020202

Email: haelan.care3@haelan.bg

Website: www.haelan.bg

Administrator “Pia Mater” Ltd., ID: 201409799

Headquarters and management address: Sofia, Racho Petkov Kazandzhiyata St. № 4-6, office № 2

Tel.: +359884588446

Email: office@piamater.org; classes@piamater.org

Website: www.haelan.bg

Administrator SAT Health AD, ID: 204705650

Headquarters and management address: Sofia, 1766, 251 E Okolovrasten Blvd., fl. 12

Tel.: +359 898 700 007

Email: office@sathealth.com

Website: www.sathealth.com

DATA PROTECTION OFFICER AND CONTACT DETAILS:

Mariya Georgieva Nestorova

Bulgaria, Sofia 1766, Ring Road 251E, floor 12

Telephone: +359882727270

E-mail: dpo@sathealth.com

Subject, purpose and scope

The companies Haylan/Haelan and Pia Mater (the administrators mentioned above) are owned by Haylan - Home for Medical and Social Care JSC, part of the SAT Health group.

Haelan is a group of medical centers led by “Haylan - Home for Medical-Social Care” AD, carrying out outpatient medical care activities within the meaning of the Medical Institutions Act and providing social services under the Social Services Act. Haelan companies are focused on providing on-site and in-home medical and social services, integrated medical-social care, telemedicine and training services as a registered Vocational Training Center (CPO).

We are personal data controllers under the Personal Data Protection Act (PDPA) and process personal data, either ourselves or through an assigned data processor, in accordance with our adopted internal rules for the operation and protection of personal data. We take strict care to protect the confidentiality of all categories of personal data that we receive, collect, process and store, ensuring full compliance with the requirements of the applicable national [1] and European [2] legislation in the field of personal data protection and the regulations applicable to our activity.

This Haelan Personal Data Protection Policy (the Policy) sets out the basic principles and rules relating to the processing of personal data, the rights of the subjects of such data, the duties and responsibilities of Haelan companies as data controllers and of their employees, the processors of personal data acting on their behalf, as well as the functions of the data protection officer.

The policy is subject to update and may be amended and supplemented from time to time.

The policy is part of a comprehensive system of internal documents and technical and organisational measures that Haelan companies implement in order to ensure that employees and all other natural and legal persons who process personal data on behalf of Haelan strictly comply with the requirements of applicable European and national legislation and internal rules, thereby ensuring respect for the rights of natural persons relating to their personal data.

We suggest that you familiarize yourself with this Policy in detail. By continuing to use this website and Haelan services, you confirm that you accept the terms and conditions for the processing and protection of personal data set out in the Policy.

[1] Personal Data Protection Act, promulgated in State Gazette (DV) No. 1 of 4.01.2002, subsequently amended and supplemented;

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR), in force from 25.05.2018.

Lawfulness of processing

We process personal data in accordance with the following principles:

Legality, good faith and transparency

We process personal data lawfully, in good faith and in a transparent and clear manner for the subjects.

Legality

Any processing of personal data by us (by our employees and other processors acting on our behalf) rests on a valid legal basis and is carried out in compliance with the regulations and our internal rules. The legal bases are alternative, i.e. processing is lawful if at least one of the following applies:

o the processing is necessary to comply with a legal obligation that applies to our business;

o the processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to the conclusion of such a contract (e.g. contracts for medical services, contracts for social services, contracts of employment, contracts with persons in non-employment relationships, etc.);

o the processing is necessary for the provision of outpatient medical care services, including consultations, medical-diagnostic activities, carrying out treatments, and performing preventive medical examinations and tests of a data subject in execution of a contract between us and other legal entities (for example, supplementary health insurance funds or employers);

o the processing is necessary to protect the vital interests of the data subject or of another natural person;

o the processing is necessary for the performance of a task in the public interest or for actions under a law or regulation (including processing related to the provision of information requested by a public authority);

o the data subject has given his consent to the processing of his personal data for one or more specific purposes, by providing the relevant written documents and/or by other actions and technical means (including electronically);

o the processing is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Lawfulness of processing in relation to persons using medical services

We process personal data of persons using medical services in compliance with legal and contractual obligations, on the basis of:

o The Health Act, the Medical Institutions Act, other applicable laws and regulations;

o A contract with a subject, his legal representative or applicant for a medical service or a contract for integrated medical-social care;

o A medical service, and/or examination, and/or on-site consultation, and/or online consultation, and/or home visit requested by a subject, his legal representative or an applicant, for himself or for his child, guardian or relative;

o A contract concluded between us and an employer for preventive medical examinations of its staff members;

o Contractual relations for the provision of specialized outpatient medical care services to a subject, including consultations, medical-diagnostic activities, carrying out treatment and performing preventive medical examinations, concluded between us and the supplementary health insurance fund chosen by the subject's employer;

o A contract concluded between us and other legal entities - our contractors for the provision of medical and telemedicine services, in which we work as a processor of personal data;

o Consent to the processing of the data of a subject for the purpose of providing services under patient programs, if he has provided such;

o To protect the vital interests of a data subject or other natural person;

o Consent to the processing of the data of a subject for marketing or other additional purposes, if he has provided such;

o Legitimate interests - for example, to analyze, develop and improve the quality of the medical services we provide to you, improve the systems, platforms and websites related to these services, protect property, physical and information security, etc.

Lawfulness of processing in relation to persons using social services

We process personal data of persons using social services, in compliance with legal and contractual obligations, on the basis of:

o Social Services Act and other applicable laws and regulations;

o A contract concluded by a subject or his legal representative, guardian or trustee (hereinafter, applicant) for the provision of a social service to the subject, or a contract for integrated medical-social care;

o A social service requested by a subject or applicant;

o To protect the vital interests of a subject using a social service;

o Consent to the processing of data for marketing or other additional purposes, if the subject has provided such;

o Legitimate interests - for example, to analyze, develop and improve the quality of the social services we provide to you, improve the systems, platforms and web pages related to these services, protect property, physical and information security, etc.

Lawfulness of processing in relation to persons using training services at the Center for Vocational Training (CPO)

We process personal data of persons using training services at the Center for Vocational Training - CPO in fulfillment of legal and contractual obligations, on the basis of:

o Law on Vocational Education and Training, Ordinance No. 2 of 22 June 2018 on Vocational Training Documents for Persons Over 16 Years of Age, Regulations of the National Agency for Vocational Education and Training (NAPOO) and other applicable laws and regulations;

o Consent provided by a subject in connection with the vocational training requested by him;

o Legitimate interests - for example, to analyze, develop and improve the quality of the training services we provide to you, improve the systems, platforms and websites related to these services, protect property, physical and information security, etc.

Lawfulness of processing in relation to persons who are patients' representatives (parents, guardians, trustees, proxies, applicants for medical and social services) and contact persons voluntarily designated by a Haelan client (“Representatives” for short)

We process personal data of the persons “Representatives” in compliance with legal and contractual obligations, on the basis of:

o The Health Act, the Social Services Act, the Medical Institutions Act, other applicable laws and regulations;

o A contract, or a medical and/or social service requested by the subject, and/or integrated medical-social care, and/or examination, and/or on-site consultation, and/or online consultation, and/or home visit for his/her child, guardian or relative;

o A contract or a medical and/or social service requested by the subject, and/or examination, and/or on-site consultation, and/or online consultation, and/or home visit, for which another data subject is indicated as the contact person;

o To protect the vital interests of data subjects;

o Consent to the processing of the data of a subject for marketing or other additional purposes, if he has provided such.

Lawfulness of processing in relation to persons participating in a recruitment procedure at Haelan

We process personal data of persons applying for work with us on legal or contractual grounds (including pre-contractual steps to conclude a contract), on the basis of explicit consent provided by you, or on the basis of our legitimate interest:

o Legal basis for processing may be the requirements of the Labor Code, the Social Security Code, the Personal Income Tax Act and other normative acts;

o A contractual (pre-contractual) basis is when processing is necessary to take steps at the request of a subject prior to the conclusion of a contract;

o Consent of a subject is a basis for the processing of his data where he has expressly expressed such consent (for example in the application procedure for a job with us);

In some cases and subject to applicable law, the basis may be our legitimate interest.

Lawfulness of processing in relation to persons working for Haelan in non-employment relationships

We process personal data of persons in non-employment relationships on the basis of the applicable civil, commercial and tax legislation, in our capacity as an employer (insurer) and in connection with the conclusion and performance of assignment contracts (civil contracts) and management contracts.

Lawfulness of processing in relation to Haelan's counterparties

We process personal data of natural persons who represent or are contact persons under a contract with our counterparty - a legal entity, on the basis of the applicable commercial and tax legislation, for the purposes of drafting, concluding and executing the contract and for making payments based on the contract.

Lawful processing in relation to persons visiting our medical centres and subject to video surveillance

The entrances, reception areas and corridors of Haelan medical centres are subject to video surveillance and video recording. When entering, leaving and staying in these areas, data subjects may be subject to video surveillance. Video surveillance is not carried out in sanitary and hygienic rooms, medical offices, treatment rooms and other premises. In addition to this Policy, data subjects are informed about the video surveillance by means of dedicated information signs located at the entrances of the medical centers.

Video surveillance is carried out for legitimate purposes: to protect the health and life of employees and visitors in Haelan Medical Centers and to protect and preserve the property of our centers. In the case of a crime committed, the information collected by means of video surveillance can be used within the framework of criminal proceedings (pre-trial and/or judicial) by the competent investigating authorities (Ministry of Interior, etc.), the prosecutor's office, the investigative services and the court.

Lawfulness of processing in relation to persons visiting our Websites and/or users of the services of the Websites

We process personal data of persons who visit our Websites and use the services of these sites (inquiry form, consultation request and newsletter subscription) for legitimate purposes: providing the services and/or information requested by the subjects, providing quality customer service and attracting new customers.

The processing of personal data of patients using the website for checking laboratory results is carried out on a contractual basis: performance of the contractual relationship with the patient (the medical examination agreed at the patient's request) or performance of contractual relations with the employer/supplementary health insurance fund.

Good faith and transparency

In compliance with the principle of transparency in the processing of personal data, we inform our employees, customers and other subjects whose data we process, in an appropriate, clear and understandable way, about our collection and processing of personal data and about their rights in relation to the protection of their personal data, including through information on our website (see “Privacy Notices”).

We assist data subjects in exercising their rights. Our employees and other persons working for Haelan, in their capacity as processors of personal data on our behalf, are informed of the rights of customers as data subjects and undertake to provide them with information and assistance in accordance with the section “Obligation to assist the subjects of personal data in exercising their rights”.

Purpose limitation

We process personal data for specific, legitimate purposes explicitly set out in the relevant legal acts, contracts and/or other documents, and do not further process them in a manner incompatible with those purposes.

Data minimization

We process personal data that are appropriate, related to and limited to what is necessary in view of the purposes for which they are processed.

Accuracy and timeliness

We collect and process accurate personal data and take all reasonable measures to ensure that inaccurate personal data are corrected or deleted in a timely manner, taking into account the purposes for which they are processed.

We make every effort to keep personal data up to date. In compliance with the principle of accuracy and timeliness of the collected data and in order to correctly fulfill our obligations to customers and other data subjects, we encourage them to inform us about changes to their personal data and assist them in updating their data.

Limitation of storage

We store personal data in a form that allows the identification of the data subject for a period not longer than defined by a legal act or internal regulatory document, and if there is no such, for a period not longer than necessary for the purposes for which the personal data are processed.

After achieving the purpose of processing personal data or after the expiration of the specified storage period, as controllers, we are obliged to destroy them.

We do not destroy personal data and documents if they are necessary for judicial, administrative or complaint proceedings before us.

The specific terms of storage of the data of the subjects are indicated in the information for the individual categories of subjects under Art. 13 and Art. 14 “Privacy Notices” published on our website.

We store audio recordings of telephone conversations for a period of 5 (five) years after the end of the year in which the calls were made, after which they are automatically deleted, unless we are required to keep them for a longer period in order to comply with a legal requirement or our legitimate interest.

Where the processing of your data is based on consent, we cease the processing of your data and store your data for a period of 5 (five) years after you withdraw your consent for the purposes for which you initially consented.

We store the data contained in CCTV recordings for a period of 30 (thirty) days, after which they are automatically overwritten.

We store documents and data for which no special storage period is provided for a period of five years from the cessation of their use.

We store the data of the subjects sent by them through services from our Websites (inquiry form, request for consultation and subscription to the newsletter), for the periods specified in the information for the individual categories of subjects under Art. 13 and Art. 14 “Privacy Notices” or for a period of 5 (five) years from their receipt with us.

We do not store any credit or debit card information. This information is maintained, and payments are processed, by a third-party payment service provider in accordance with the security standards of the payment card industry.

In the event of a legal dispute or proceedings requiring the retention of data and/or a request from a competent state authority, it is possible to retain data for longer than the specified periods until the final conclusion of the dispute or proceedings before all instances, as well as for a period of up to 5 (five) years from its conclusion.

Confidentiality, integrity and availability

We process personal data in a way that ensures an appropriate level of confidentiality, integrity and availability, including protection against unauthorized or unlawful processing and against loss, destruction or damage, applying appropriate technical and organizational measures and compliance with good practices enshrined in information security standards.

Accountability

We are responsible for compliance with the principles set out in this Policy and require compliance with them by our employees and by all natural and legal persons who process personal data on our behalf.

Registration of processing activities

For accountability purposes as a controller, we maintain, in electronic format, a register of processing activities, which contains information about:

o the name and contact details of us and the data protection officer;

o the purposes of the processing;

o a description of the categories of personal data subjects and the types of personal data that are processed;

o the categories of recipients to whom the personal data may be disclosed, including recipients in third countries or international organisations;

o the basis for processing;

o the time limits for deletion (if it is possible to specify them);

o a general description of the technical and organisational security measures.

Personal data that Haelan processes

Personal data depending on the source:

Personal data that are provided by the data subjects

We process personal data that are provided by the data subject by contract, on the initiative of the person, in order to perform a service or activity requested by the data subject or in connection with the exercise of his rights.

Personal data not provided by data subjects

When fulfilling our contractual obligations to carry out preventive medical examinations and tests, we process personal data of patients that are provided to us by employers or supplementary health insurance funds.

When fulfilling legal and contractual obligations, we process personal data of representatives or contact persons of our patients/users of medical or social services, which data are provided to us by their relatives or legal representatives.

Personal data depending on the data subject:

In compliance with the regulations and our contractual obligations, we process data on:

o natural persons to whom we provide assistance through the provision of medical, social and integrated medico-social services (“patients” or “users of social services”). These are also the persons whom we consult about the possibility of providing services and who have contacted us in connection with the provision of the services;

o natural persons — children under the age of 18, to whom we provide assistance through the provision of medical services requested/agreed upon by their legal representatives;

o individuals to whom we provide training services;

o persons — legal representatives of patients/users of social services, applicants for medical and social services, and/or contact persons voluntarily appointed by the patient/user of social services;

o our employees and candidates for employment, in our capacity as employer;

o persons in non-employment relationships — natural persons with whom there is a contract for the assignment of a specific activity;

o counterparties — natural persons who represent legal entities and/or are contact persons under contract with legal entities with whom we have relations;

o persons who have made an inquiry, requested a consultation or a newsletter subscription through our Websites;

o persons who have made inquiries, complaints, applications, requests, signals and other correspondence to us.

Personal data depending on the type of data

We process the following personal data for the performance of our regulatory or contractual obligations with natural or legal persons:

o for the users of medical and social services - names, personal identification number, age, gender, contact details — telephone, residential address, e-mail address; data on kinship with other persons; financial information — bank account;

o for the users of training services - names, personal identification number, date of birth, gender, nationality, address of residence, contact details — telephone and address; financial information — bank account; education data;

o for persons - representatives of patients and users of social services - names, contact details — telephone and e-mail address; data on kinship with our patients or users of social services; financial information — bank account;

o for natural persons who represent a counterparty — a legal person and/or are contact persons under a contract with legal persons — names and contact details — telephone and e-mail address;

o for persons applying for a job with us — names, personal identification number, age, gender, nationality, photo, contact details such as e-mail, telephone and address, data on education, professional experience, personal and professional qualities and skills, data on work and insurance experience, data from profiles on the social network LinkedIn; data from driving license (where required), health data relevant to the employment appointment, criminal record;

o for persons in employment relationships - names, personal identification number, address of residence, contact details — telephone and e-mail address; financial information — bank account; data on education and professional experience; data on work and insurance experience; data from profiles on the social network LinkedIn; data of employees' children and others;

o for persons in non-employment relationships - names, personal identification number, residential address, contact details — telephone and e-mail address; financial information — bank account; data on education and professional experience; data from profiles on the social network LinkedIn;

o for persons who have sent inquiries, complaints, applications, requests, alerts, newsletter subscriptions and other correspondence to us, including through the Websites — names, contact details — telephone and e-mail address;

o for persons who have made requests to us to exercise their rights as data subjects - names, contact details — telephone and e-mail address, personal identification number or date of birth (for identification purposes);

o for visitors to our websites — when using our Websites, certain data is recognized and collected automatically (through so-called “cookies”). More information in this regard is published in the “Cookie Policy” on our individual websites.

We process health data for the following purposes:

o for the provision of a medical service (including children) and/or a social service, and/or integrated medical-social care agreed/requested by a patient, social service applicant or employer/supplementary health insurance fund;

o for the provision of a training service requested by a natural person;

o in relation to the fulfillment of legal requirements for our employees and persons in non-employment relationships, including:

· when appointing employees;

· for the purposes of occupational medicine and health and safety at work;

· in connection with the exercise of their rights in the event of temporary incapacity for work;

· in relation to the exercise of their rights in the event of permanently reduced working capacity.

We process criminal records of employees and persons in non-employment relationships when a legal act requires the verification of a judicial record.

We process genetic data (to the extent that it is contained in the results of genetic tests commissioned from Haelan) of patients who have requested genetic testing.

We process video surveillance data for legitimate purposes, which may include the physical identification of Haelan employees and of visitors to the medical centers through video recordings of their image, movement and presence in the medical center.

Information provided by Haelan when processing personal data

In cases where we receive personal data from a data subject, we provide him with information about:

o data identifying the controller of personal data;

o contact details of the data protection officer;

o the purposes and legal basis for the processing of personal data, where applicable;

o the recipients or categories of recipients to whom the data may be disclosed;

o information on whether the provision of personal data is a statutory or contractual requirement or is necessary for the conclusion of a contract or the performance of an activity on our part requested by the data subject, as well as the possible consequences if these data are not provided;

o information on the rights of the data subject;

o the period for which the data are stored or the criteria determining the storage period;

o the right to complain to the Commission for Personal Data Protection (CPDP).

We provide the information described above for each category of data subject and give interested parties continuous access to its current version in the following ways:

o on our Website www.haelan.bg in the section “Privacy Notices”;

o in an internal shared directory for use by employees;

o on paper for familiarization at Haelan Medical Centers, as well as in person to data subjects or their representatives upon their explicit request.

Where personal data have not been obtained from the natural person to whom they relate, in addition to the information indicated above, we also provide him with information about the relevant categories of personal data that we process and about their source, unless the subject already has this information.

The above obligations do not apply where the personal data do not come from the data subject but their receipt or disclosure is expressly provided for by EU or Bulgarian law which lays down appropriate measures to protect the legitimate interests of the data subject.

Rights of the subjects of personal data

According to Regulation 2016/679 and the applicable Bulgarian legislation, the subjects of personal data have the following rights:

Right of access

The data subject has the right to obtain from us information whether we process his personal data and if we process them, he has the right to access them and information about:

o the purposes of the processing;

o the relevant categories of personal data that are processed;

o the recipients or categories of recipients to whom his personal data are or may be disclosed, in particular recipients in third countries or international organisations, if such data transfers take place;

o the envisaged period for which the personal data will be stored and, if this is not possible, the criteria used to determine that period;

o the existence of the right to require us to rectify, delete or restrict the processing of his personal data, or to object to such processing, unless the processing is in compliance with a legal or contractual obligation;

o the right to appeal to the CPDP;

o the source of the personal data processed by us, where they are not collected from the data subject;

o the existence of automated decision-making, including profiling, as well as the significance and intended consequences of such processing for the data subject, if any.

Right to rectification

The data subject has the right to ask us to correct, without undue delay, his personal data that are inaccurate or no longer up to date, as well as to supplement them when the data is incomplete.

Right to erasure (right to be “forgotten”)

The data subject has the right to ask us to delete his or her personal data, and we have the obligation to delete them without undue delay where any of the following grounds applies:

a) the personal data are no longer necessary for the purposes for which they were collected or processed;

b) the data subject withdraws his consent on the basis of which his data are processed and there is no other legal basis for the processing;

(c) the data subject objects to the processing pursuant to Article 21 (1) of Regulation 2016/679 and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2) of Regulation 2016/679;

d) the personal data have been processed unlawfully.

We are obliged to terminate the processing of personal data in the cases of point c):

o whenever we receive an objection for direct marketing purposes;

o in the event of an objection under (a), unless we prove that there are legal grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

Right to restriction of processing

The data subject has the right to require us to restrict the processing of his or her personal data if:

o the processing is unlawful, but the subject does not want his personal data to be completely deleted and instead requires that their use be restricted;

o we no longer need his personal data for the purposes for which they were processed, but the subject requires them for the establishment, exercise or defense of legal claims.

Data whose processing is restricted shall be processed only with the consent of their subject, except for their storage or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural person, or for important reasons of public interest.

Where a data subject has requested the restriction of processing, we inform him before the withdrawal of the restriction of processing.

When rectifying, deleting or restricting the processing of personal data, we report any action taken to each recipient to whom the personal data has been provided, unless this is impossible or requires disproportionate effort. We inform the data subject about these recipients if the data subject so requests.

Right to data portability

The data subject has the right to receive the personal data concerning him and which he has provided to us in a structured, widely used and machine-readable format and has the right to transfer this data to another controller without hindrance from us when the processing:

o is based on consent or a contractual obligation, and

o is carried out in an automated manner.

When exercising his right to data portability, the data subject has the right to obtain a direct transfer of his personal data from us to another controller, where this is technically feasible.

The exercise of the right to data portability shall not affect the right to erasure and shall not apply to processing necessary for the performance of a task in the public interest or in the exercise of official powers.

The right to data portability should not adversely affect the rights and freedoms of other persons.

Right to object

The data subject has the right to object to the processing of personal data concerning him or her if the processing is carried out on the basis of the performance of a task in the public interest or on the basis of the exercise of official powers conferred on us, or the processing was necessary for the purposes of our legitimate interests or of a third party. We are obliged to terminate the processing of personal data unless we prove that there are compelling legal grounds for the processing that override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

Where we process personal data for the purposes of direct marketing, the data subject has the right at any time to object to the processing of personal data for such marketing, including profiling, insofar as it is related to direct marketing. In the event of an objection, we are obliged to terminate the processing of personal data for the purposes of direct marketing directed to that data subject.

At the time of the first contact with the data subject, we expressly inform him of his right to object, and the notification is presented in a clear manner and separately from any other information.

Right to protection against automated processing

The data subject has the right not to be subject to a decision based solely on the automated processing of personal data concerning him, including profiling, which has legal consequences for him or affects him to a significant extent.

Haelan applies internal rules and procedures that regulate the terms and conditions for receiving, considering and responding to requests from natural persons — subjects of personal data relating to the exercise of their rights under this section.

In order to exercise any of the rights listed above, the subject must visit our head office or one of our medical centers, or request this by e-mail to care@haelan.bg with an attached free-text application signed with a qualified electronic signature (QES).

Obligations on Haelan to assist data subjects in exercising their rights

We are obliged to provide the subjects whose personal data we process with information about their rights in a transparent and accessible way, in written or oral form, or otherwise, upon their request and after they have identified themselves.

We assist in the exercise of the rights of the subjects whose personal data we process and cannot refuse to take action unless we are unable to establish the identity of the subject who made the request.

We provide the data subject with information on the actions taken at his request in relation to the exercise of his rights, without undue delay and in any case, within 1 (one) month of receipt of the request. If necessary, this period may be extended by a further 2 (two) months, taking into account the complexity and/or number of requests received. In these cases, we inform the data subject of any such extension within 1 (one) month of receipt of the request, indicating the reasons for the delay and the possibility of filing a complaint with the CPDP and seeking legal protection.

When the data subject submits a request by e-mail by means of an application signed with a qualified electronic signature (QES) under the procedure of the Electronic Signature and Electronic Certificate Services Act, the information is, where possible, provided in the same manner, unless the data subject has requested otherwise. The right of the data subject to obtain a copy of the information or to access his or her personal data by remote access to a secure system shall not adversely affect the rights and freedoms of other subjects whose data are processed by Haelan.

The information provided to data subjects at their request, as well as all our actions related to the exercise of the rights of the subjects, are free of charge to them. Where a data subject's requests are manifestly unfounded, excessive, or repeated too often, we may:

o charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the requested action; or

o refuse to take action on the request.

Where we have reasonable doubts as to the identity of the natural person making a request in order to exercise their rights, we may request the provision of additional information and/or documents necessary to confirm the identity of the data subject.

Disclosure of information to external parties

All data and information about the state of health that a patient/user of a social service shares with us in relation to their condition, as well as facts established in examinations and investigations carried out by medical professionals working in Haelan medical centers, and everything that these medical professionals have learned in the exercise of their profession regarding the patient/user of a social service, is subject to medical secrecy within the meaning of the Health Act and the Code of Professional Ethics of Doctors in Bulgaria. Medical secrecy also extends to all medical documentation and illustrative material, as well as to the data and conclusions of the consultations carried out.

The disclosure of personal data to third parties in the cases described below takes place only to the extent permitted by Haelan's obligation to protect medical confidentiality in the exercise of the medical profession within the meaning of the Health Act and the Code of Professional Ethics of Doctors in Bulgaria.

We undertake not to sell, exchange, rent, disclose, provide, publish, use or otherwise disseminate facts and circumstances that constitute personal data for use by third parties in any form. The collected personal data are used only for the purposes stated above, on the grounds stated above.

As an exception and subject to applicable legal requirements, we may provide access to personal data to subjects or share it with strictly defined third parties, such as:

o State and regulatory bodies in the Republic of Bulgaria (such as: Executive Agency “Medical Supervision”, Agency for Quality of Social Services, National Agency for Vocational Education and Training, NRA, CPDP, Ministry of Interior, Public Prosecutor's Office, Court, etc.) at their explicit request or when we are legally obliged to do so;

o legal persons acting as employers, supplementary health insurance funds or our contractors (when we act as a processor of personal data), where there is a contractual and/or regulatory obligation to share data of subjects with them;

o specialized companies with whom we work on the basis of a written agreement, whereby they undertake to comply with the legislation in the field of personal data and to ensure an adequate level of data protection, such as:

· specialized companies for the selection of personnel or for evaluating the performance of personnel;

· commercial banks and financial companies (for the purpose of payment of remuneration, payment of contracts or reimbursement of service expenses);

· insurance companies and pension insurance companies when we provide our employees with additional social benefits such as insurance and supplementary pension insurance;

· providers of services for sports activities and relaxation activities;

· travel agencies, hotels and other organizations organizing accommodation, travel and activities in connection with business trips, company events and team buildings in which our employees participate;

· operators providing postal and courier services in the exchange of correspondence with subjects;

· companies providing our technical and operational support (e.g. laboratories, platform support providers, websites, IT systems and resources, medical device and equipment maintenance, data centers, hosting companies, telemedicine service partners, home food delivery partners, payment services, etc.), companies carrying out consulting or other activities (e.g. audit), providers of accounting, legal, and health and safety at work services, medical and specialized insurers, providers of communication or logistics services, providers of technical solutions such as bulk e-mails or text messages, providers of archive management and others that may, exceptionally, have access to the data of subjects.

In some cases, these parties act as processors of personal data on our behalf and in others as independent or joint controllers with us.

In some cases, we act as a processor of personal data and exchange personal data of subjects with legal entities (e.g. for preventive medical examinations and tests or other activities) that act as controllers of the personal data of these subjects.

Following the principles of ensuring legality, transparency and security, we sign with personal data processors and joint controllers the relevant contracts or agreements as set out in section “Administrator and processor of personal data”.

In order to perform our duties qualitatively and provide our services, it is sometimes necessary to use the services of third parties that are beyond our control. Such are, for example: Microsoft, Google, LinkedIn, WhatsApp, Viber, Meta, Webflow, etc. These providers may at any time change the terms of their service and we cannot be held responsible for this.

Administrator and processor of personal data

Liability of Haelan

As controllers of personal data, we implement appropriate technical and organizational measures, including this Policy, with which we guarantee and are able to demonstrate that we process personal data in accordance with Regulation 2016/679 and the applicable national legislation, taking into account the nature, scope, context and purposes of the processing, as well as potential risks of varying probability and severity on the rights and freedoms of natural persons — subjects of personal data. The measures shall be reviewed and, where necessary, updated.

When assessing the appropriate level of security, we take into account the risks that may arise in the processing of personal data and in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data.

Data protection at the design stage and by default

Haelan Companies have implemented safeguards and processes in accordance with good practices and established security standards.

At the time of the development of new business models/business processes/products/operating systems, as well as at the time of the processing itself, the most appropriate technical and organizational measures for the protection of personal data are introduced, including pseudonymisation, where such an approach is permissible.

Assessment of the impact on the protection of personal data

Where a particular type of processing, in particular one involving the use of new technologies and/or having regard to the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of data subjects, we carry out, before the processing takes place, a data protection impact assessment of the envisaged processing operations.

Processor of personal data

Processors of personal data on our behalf are persons in a non-employment relationship with us who process personal data in, or in connection with, the performance of their contractual obligations.

Within the meaning of this Policy, personal data processors are also all legal entities that, on the basis of contracts concluded with us for the provision of services, perform any of the activities specified in the definition of processing of personal data.

When we commission the processing of personal data, we use only processors that provide sufficient guarantees for the application of appropriate technical and organizational measures, so that the processing takes place in accordance with the requirements of Regulation 2016/679 and the applicable national legislation and ensures the protection of the rights of data subjects.

The processing carried out by the personal data processor is governed by a contract or other legal act under EU law or the applicable Bulgarian legislation, which regulates the nature and purpose of the processing, the duration of the processing, the type of personal data and the categories of data subjects, as well as our obligations and rights and the obligations and rights of the processor; as regards the processor, it includes the obligations provided for in Regulation 2016/679.

Where a processor entrusted by a contract or other legal act with the processing of personal data on our behalf engages another personal data processor for the performance of specific processing activities, that other processor is subject to the same data protection obligations as those provided for in the contract or act between us and the personal data processor. The other processor of personal data undertakes to provide sufficient guarantees for the application of appropriate technical and organizational measures so that the processing carried out by him complies with the regulatory requirements. In any case, the initial data processor remains fully responsible to us for the performance of the obligations of the other personal data processor to whom he has assigned the performance of specific processing activities.

The processors of personal data on our behalf are presumed to be jointly and severally liable for the processes involved in this processing.

We reserve the right to carry out on-site audits of the data protection measures applied by processors to the personal data that we provide to them for processing. Processors of personal data are obliged not to impede the implementation of such audits and to assist us in carrying them out without undue delay.

Joint Administrators

We may process personal data jointly with other controller(s), jointly determining the purposes and means of the processing. In this case, we and the other controller inform the data subjects about the joint processing and regulate in a transparent way our responsibilities and obligations in an agreement that includes the obligations of the parties provided for in Regulation 2016/679.

Data transfer

Data transfer is any transfer of personal data by us to another controller or processor or to any third party. In any such case, we comply with the applicable requirements of national and European legislation, as well as our internal regulations.

Cooperation with the supervisory authority

At the request of the CPDP, our representatives and representatives of the organizations processing on our behalf cooperate with the CPDP in the exercise of its powers.

Security of personal data and breach of security

We implement appropriate technical and organisational measures to ensure a level of security appropriate to risks of varying probability and severity to the rights and freedoms of individuals and require this to be applied by processors on our behalf. We take steps to ensure that any natural person acting under our authority processes this data only at our direction, unless that person is required to do so under EU or Member State law.

In the event of a breach of the security of personal data, we apply an established internal procedure for action in the event of a personal data breach and for notification of the breach pursuant to Regulation 2016/679.

Data Protection Officer

We have appointed a personal data protection officer, publish their contact details on our Website and communicate them to the CPDP.

We ensure that the Data Protection Officer participates appropriately and in a timely manner in the resolution of all issues related to the protection of personal data.

Our employees assist the Data Protection Officer in the performance of his or her duties by providing the resources necessary for the performance of these functions and by providing him or her with access to relevant registers, personal data and processing operations. We provide the Data Protection Officer with opportunities, including financial opportunities, to develop and maintain their expertise.

We take steps to ensure that the Data Protection Officer does not receive any instructions in relation to the performance of his or her duties. The Data Protection Officer may not be dismissed or sanctioned by us for the performance of his or her duties. The Data Protection Officer shall report his activities to the Executive Director of Haelan.

Data subjects may contact the Data Protection Officer on all matters relating to the processing of their personal data and the exercise of their rights.

The Data Protection Officer shall be bound by secrecy and confidentiality in the performance of his or her duties, in accordance with EU or national law.

The Data Protection Officer may also perform other functions and duties. We do everything necessary to ensure that these additional functions and obligations do not lead to a conflict of interest with his or her data protection activities.

Due care

Unfortunately, as we all know, the transmission of information over the Internet is not entirely secure. We do everything possible to protect the personal data of the subjects, but we cannot guarantee their security at the stage of their transfer over the Internet to our site. Once received by our site, the personal information of the subjects will be protected through strict policies, procedures and security measures to try to prevent unauthorized access, modification or unauthorized deletion.

When using passwords to access user accounts created for the use of services provided through our Websites, the data subject is responsible for keeping this password and account secret. The data subject undertakes not to share it with other persons. If a subject's password and account are compromised by intentional or involuntary actions or omissions on his or her part, the subject must immediately notify us and take steps to change the password and/or username. If the password is used by other persons, the subject bears full responsibility for any action taken through his account.

Definitions

“Personal data” means any information relating to an identified natural person or an identifiable natural person (“data subject”).

An identifiable natural person is a person who can be identified, directly or indirectly, in particular by an identifier such as a name, identification number, location data or online identifier, or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Special categories of personal data” means data on racial or ethnic origin, political views, religious or philosophical beliefs or trade union membership, as well as genetic data and biometric data processed solely for the purpose of identifying a natural person, data on health status or data on sexual life or sexual orientation;

“Personal data relating to convictions and offences” means data on convictions and offences and related security measures;

“Processing of personal data” means any operation or set of operations performed on personal data or a set of personal data, by automated or other means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or other means by which the data become available, alignment or combination, restriction, erasure or destruction;

“Consent of the data subject” means any freely expressed, specific, informed and unambiguous indication of the data subject's will, by means of a statement or a clear affirmative action, which expresses his or her consent to the processing of personal data relating to him or her;

“Violation of the security of personal data” means a breach of security resulting in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that are transmitted, stored or otherwise processed;

“Administrator of personal data” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for its designation may be laid down in European Union (EU) law or in the law of a Member State;

“Processor of personal data” means a natural or legal person who processes personal data on behalf of the personal data controller;

“Recipient” means a natural or legal person, public authority, agency or other body to which personal data are disclosed, whether a third party or not. At the same time, public authorities which may receive personal data in the context of a specific investigation, in accordance with EU or Member State law, are not considered “recipients”; the processing of such data by those public authorities complies with the applicable data protection rules, in accordance with the purposes of the processing.

“Third Party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process such data.

This Policy may be updated from time to time, depending on changes in the regulations and/or the activities of Haelan. The current version is published on the website https://www.haelan.bg/

 

Date of last update: 01.2024
