1. In this Privacy Policy, "Regulation" shall mean Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

2. "Personal data" shall mean any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as well as health information about the natural person, covering any data related to the health status, physical and mental development of the natural person, as well as any other information contained in medical prescriptions, orders, protocols, certificates and other medical documentation.

3. "Processing" includes any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, or in any other way provided for in the Regulation.

4. "Administrator" or "the Clinic" is "SMILE DENTAL SERVICES – Outpatient Clinic for Primary Medical Care – Individual Practice for Primary Care – Dental" EOOD, registered in the Commercial Register and the Register of Non-Profit Legal Entities at the Registry Agency with EIK 202293778, with registered office and address of management in Sofia, Sredets District, 23 San Stefano St., floor 1.

5. "Website" means https://implants.bg/

6. "Informed consent" is consent given by the Patient voluntarily to the Clinic in relation to specific medico-dental services, after being informed of at least the following information:

- the diagnosis and nature of the disease;

- a description of the objectives and nature of the treatment, reasonable alternatives, expected results and prognosis;

- potential risks associated with the proposed diagnostic and therapeutic methods, including side effects and adverse drug reactions, pain and other discomforts;

- the likelihood of a favourable outcome, the health risk when applying other methods of treatment or in case of refusal of treatment.

7. "Contract for medico-dental services" means a contract between a patient and the Clinic in written or oral form for the provision of medico-dental services in the field of dental medicine provided by the Clinic, with the informed consent and the treatment plan being an integral part thereof.

8. "User" or "Patient" is any person who accesses the Website or provides personal data to make contact with the Administrator, as well as any person who has sought or is being provided medico-dental services by the Clinic, including on the basis of a concluded Contract for medico-dental services with the Clinic.

1. This Policy regulates the processing of personal data by the Administrator in accordance with the Regulation in relation to, for and when accessing the Website and using its functionalities by Users, as well as in cases of communication by Users with the Administrator by telephone, on site or by email, or in relation to the processing of health information and the conclusion and performance of a contract for the provision of medico-dental services.

2. The Administrator collects Personal Data to the extent specified in this Policy for the purposes of identifying and communicating with Users, ensuring the operation of the Website and Users’ use of its functionalities, ensuring the security of the Website, registering a Patient, preparing for and carrying out medical activities, performing the Administrator’s contractual obligations and exercising the Administrator’s statutory obligations.

3. This Privacy Policy contains the main principles and procedures for the collection, processing and storage of Users’ personal data and the basic rights of Users in accordance with the requirements of the Regulation. Before accessing the Website, each User should read this Policy, and upon registration as a Patient or when using medico-dental services provided by the Clinic, respectively upon entering into a contract for medico-dental services, should expressly give their consent to the processing of Personal Data by the Administrator. Providing such consent is a condition and necessary requirement for sending a communication message, accessing certain information, registering as a Patient, using medico-dental services provided by the Clinic, or concluding a contract for medico-dental services.

1. The Administrator provides Users with free access to the Website and encourages every User to read the detailed information on the medico-dental services provided by the Clinic published on the Website.

1.1. The Administrator automatically collects certain information when Users visit, use or navigate the functionalities of the Website. This information does not reveal the user’s specific identity (such as name or contact information) but may include device and usage information, such as IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when the Website is used, and other technical information. This information is primarily needed to maintain the security and operation of the Website, as well as for internal analytics and reporting purposes.

Information collected automatically:

Log & Usage data – This is information related to access to and use of the Website, which is collected automatically when accessing and using the Website. The information is stored in log files. Depending on how you interact with the Website, these log data may include IP address, device information, browser type and settings, and information about the user’s activity on the Website (such as date/time of use, pages opened and files viewed, searches, and other actions taken on the Website, such as functionalities used), device event information (such as system activity, error reports (sometimes called “crash dumps”), and hardware settings).

Device data – data about the device, including information about the computer, phone, tablet or other device used to access the Website. Depending on the device used, these device data may include information such as IP address (or proxy server), device identifiers, location, browser type, hardware model, internet service provider and/or mobile carrier, operating system and system configuration information.

1.2. To enable sending a message/establishing contact with the Administrator, the Administrator processes the following Personal Data provided by the User:

- email, name, phone number, communication data (data contained in the message provided by the User, which may contain personal data), the provision of which is a prerequisite for establishing contact with the Administrator, respectively registering to receive informational materials, booking an appointment or accessing a wider range of information located on the Website.

The data specified in this point are provided directly by the User. In the event that a User provides the Administrator with data of third parties, the User is obliged to inform the respective third parties about the data provided to the Administrator and to obtain their consent, as well as to acquaint them with this Privacy Policy.

2. For the purposes of registration as a Patient, drawing up a treatment plan, concluding and performing a contract for medico-dental services or the provision of medico-dental services by the Clinic, the Administrator collects and processes the following Personal Data provided by the User:

- full name, phone number, permanent address, EGN (and if the person is a foreign citizen – date of birth, personal number of a foreigner, identity document number, citizenship), health information covering any data related to the health status, physical and mental development of the natural person, as well as any other information contained in medical prescriptions, orders, protocols, certificates and other medical documentation;

- In performing its functions as a primary outpatient healthcare provider, the Administrator has the right to unrestricted access to all health records in the Patient’s electronic health record, for which the Patient must provide their explicit consent pursuant to Art. 25, para. 1 of Ordinance No. H-6 of 21.12.2022 on the functioning of the National Health Information System.

2.1. Where it is necessary to provide medical assistance to a Patient in an emergency condition, the medical professionals from the Clinic have the right to access the following information from the Patient’s electronic health record even without consent, where such consent is absent in the electronic health record and it is not possible to obtain it in a timely manner:

- full name and EGN;

- blood group;

- allergies;

- mandatory and other immunizations administered;

- past acute infectious diseases;

- established chronic diseases or disabilities;

- ongoing or administered medication or other treatment;

- implanted medical devices;

- contact details for relatives (names, phone number, etc.).

3. The legal grounds for processing personal data are:

- Art. 6(1)(a) of the Regulation (the User’s consent to the processing of personal data for one or more specific purposes such as accessing the Website, accessing information, registering as a Patient, using medico-dental services, etc.);

- Art. 6(1)(b) of the Regulation (processing necessary for the performance of a contract);

- Art. 6(1)(f) of the Regulation (necessary for the purposes of the legitimate interests pursued by the controller, the Patient or a third party).

4. The Administrator processes Users’ personal data for the following purposes:
4.1. identification of Users;
4.2. ensuring the normal functioning and use of the Website by each User;
4.3. maintenance and administration of the Website and its functionalities, including detecting and resolving technical or functional issues, developing and improving the operation of the Website;
4.4. compliance with the Administrator’s legal obligations under Bulgarian law;
4.5. provision of medical assistance, delivery of medico-dental services and performance of contracts for medico-dental services.

1. The Administrator creates an electronic health record for each activity performed. The electronic health record is an electronic document or a set of electronic documents for each of the activities carried out, including activities performed remotely, which create or use health information about the Patient or are relevant to their health status, regardless of their health insurance status and the source of funding for the respective activity. The prepared health documentation is sent to the National Health Information System, which is administered and maintained by the Ministry of Health.

2. On the basis of Art. 28, para. 1 of the Health Act, health information may be provided to third parties when:
- the Patient’s treatment continues in another medical facility;
there is a threat to the health or life of other persons (after notifying the Patient);
- it is necessary for the identification of a human corpse or to establish the causes of death;
- it is necessary for the purposes of state health control to prevent epidemics and the spread of communicable diseases;
- it is necessary for the purposes of medical expertise and social security;
- it is necessary for the purposes of medical statistics or for medical scientific research, after the data identifying the Patient have been erased;
- it is necessary for the purposes of the Ministry of Health, the National Center for Health Information, the NHIF, the regional health inspectorates and the National Statistical Institute;
- it is necessary for the purposes of an insurer licensed under Section I of Annex No. 1 or item 2 or under items 1 and 2 of Section II, letter “A” of Annex No. 1 to the Insurance Code.

3. In performing its activities and in order to fulfil its legal obligations, the Administrator uses or may use subcontractors or service providers to whom it is necessary to provide personal data received. Such subcontractors may include accounting consultants, legal consultants, IT specialists, information storage platforms, etc.

4. The Administrator ensures that the persons under para. 3 comply with the requirements of the Regulation when processing the personal data provided, and, where possible, enters into confidentiality agreements and ensures the required level of data protection in accordance with the Regulation.

5. The Administrator undertakes not to transfer personal data outside the European Union or to countries in respect of which the Commission has not adopted a decision ensuring an adequate level of protection.

1. The Administrator stores Users’ personal data provided directly by them until they withdraw their consent, unless under the law or for the protection of its legitimate interests it is required to store them for a longer period, in which case the data are stored up to 3 months after the expiry of the respective statutory retention period (e.g. pursuant to Art. 29, para. 1 of Ordinance No. 8 of 03.11.2016 on preventive examinations and dispensary observation, medical establishments store the medical documentation for the examinations and tests performed by them for three years after their performance; pursuant to Art. 12, para. 1, item 2 of the Accounting Act, documents for tax control, audit and subsequent financial inspections are stored for a period of ten years, as from 1 January of the reporting period following the reporting period to which they relate)

2. The Administrator stores Users’ personal data collected automatically when using the Website for a period of up to 6 months after the use of the Website has ceased.

3. After the expiry of the described periods, the personal data are destroyed by the Administrator in a way that does not allow their recovery and/or reproduction.

1. Every User has the right to exercise the following rights under the Regulation:
1.1. Right to be informed – to receive information about what data relating to them are processed by the Administrator, for what purpose, for what period they are stored and to whom they are provided;
1.2. Right of access – to receive a copy of the personal data relating to them processed by the Administrator;
1.3. Right to erasure, where one of the conditions of the Regulation is present;
1.4. Right to rectification – to request the Administrator to rectify without undue delay inaccurate personal data relating to them;
1.5. Right to restriction of processing, in the cases described in the Regulation;
1.6. Right to data portability – to receive the personal data concerning them which they have provided to the Administrator in a structured, commonly used and machine-readable format and to transmit those data to another controller;
1.7. Right to object to the processing of personal data;
1.8. Right not to be subject to a decision based solely on automated processing.
1.9. Right to lodge a complaint with the Commission for Personal Data Protection if they consider that there has been a violation of the legislation regarding the protection of personal data.

2. Requests for the exercise of Users’ rights under the Regulation shall be submitted to the correspondence contacts specified in this Policy.

3. Except in the cases under para. 4, Patients may exercise their rights under the General Data Protection Regulation for their data entered in the National Health Information System (NHIS) by submitting an application to the Administrator, respectively to the Ministry of Health. The application is examined by the person to whom it is submitted. Erasure of health data and records in the NHIS is permissible only if it is established that they have been collected and processed unlawfully or are no longer necessary for the purposes for which they were collected and processed.

4. Rectification of health records in the NHIS is a change of one or more health records in the Patient’s electronic health record due to inaccuracy or incompleteness of the data contained therein.

Depending on the nature of the electronic health record and whether it is functionally linked to other electronic health records, rectification is carried out in one of the following ways: by amending data in the health records, cancelling entire health records or cancelling records and creating new records.

Within 7 days of the generation of the health record by the Clinic, at the initiative of the Clinic or at the request of the Patient, the Clinic has the right to rectify the record independently, without the need for notification or intervention by the NHIS administrator.

After the expiry of the specified period, rectification is carried out according to a rectification procedure approved by order of the Minister of Health. The order is published on the health information web portal of the system www.his.bg and on the website of the Ministry of Health. The rectification procedure is initiated at the request of the Clinic, if it has made the record, or at the request of the Patient to whom the record relates.

1. The Administrator takes appropriate technical and organizational measures to ensure the security and protection of personal data, e.g. measures that make personal data unintelligible to any person who does not have authorization to access them, such as encryption.

2. Despite the Administrator’s safeguards and efforts to protect the personal data collected, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so the Administrator provides no guarantees that hackers, cybercriminals or other unauthorized third parties will not be able to breach security and unlawfully collect, access or alter collected information.

1. For more information regarding the personal data processed by the Administrator, about this Policy, as well as for exercising Users’ rights under the Regulation, the Administrator designates the following contact person: and contact details: info@implants.bg

2. For contact with the Commission for Personal Data Protection: Address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd., Email: kzld@cpdp.bg, Website: www.cpdp.bg

1. The Policy may be amended by the Administrator in case of changes in the scope of the data processed, the purposes and ways of their processing, changes in the regulatory acts governing the processing of personal data, or for other reasons.

2. The Policy and amendments thereto shall enter into force on the date of their adoption and publication in a manner that makes them accessible to the users.

3. The Administrator shall notify Users of any amendment to the Policy. Where the amendment to the Policy is related to a change in the scope of the data processed, the purposes or ways of their processing, the Administrator shall obtain Users’ prior consent for this.