Privacy Policy

 

PRIVACY POLICY AND DATA PROTECTION OF THE MOBILE APPLICATION eRx

 

Introduction

The "eRx" application is a free mobile application provided by the Ministry of Health of the Republic of Bulgaria (MH). The application has a securely protected mobile interface to the National Health Information System (NHIS) and program functionality through which you, as a licensed medical professional, will be able to issue electronic prescriptions (recipes) to your patients. This privacy policy is designed to inform users of the application how the MH, as a data controller, collects and processes personal data when using the application.

For the normal functioning of the "eRx" application, we collect and process certain data, including personal data, as specified below in the section "What data we collect". This may include data related to the registration of a user profile (your names and email), data from your access requests, information from usage surveys you participate in voluntarily, identification and verification (authentication) data, and information about the use of our application and services by each user.

We collect and process your personal data only for the purposes specified below in the section "Purposes of collecting and processing personal data", related to providing our services to you, ensuring the normal functioning of the Application and its information security, conducting surveys and research related to user demand, and restricting access to information for persons who do not have the right to access it.

In connection with the provided personal data, you have rights that you can exercise as described below in the section "Your rights".

Each section of this policy contains information about us and how we collect, process, and store personal data.

Before using the application, you must check the box that you have read this policy. We will not share your personal data with anyone except as described in this policy.

Administrator

"eRx" is a mobile application that provides a connection to the NHIS and functionality allowing the issuance of electronic prescriptions (recipes), hereinafter referred to as "the Application".

The application is owned by the Ministry of Health of the Republic of Bulgaria and is managed by it as the owner of the NHIS, the Application, and the controller of your personal data (hereinafter referred to as "Administrator").

What data we collect

This Policy covers information we collect from you through the Application, defined as personal data or personal information.

"Personal information" is information that can be used to identify you, also defined as "personal data". Specific information that can be defined as personal data may include your name, email address, IP address, and device identifier from which you access the Application, among other data. The accuracy and reliability of the personal information and personal data you provide to the Application are your responsibility. Inaccurate information may affect your ability to use the Application, the information you receive when using the Application, and our ability to contact you. The email address you provide as the primary means of communication with us must be kept up to date.

The MH, as the Administrator of the Application, collects the following categories of information about you and personal data:

Personal data related to your physical identity: full name; personal identification number (PIN), your personal identification code as a licensed medical professional, and for feedback purposes - phone and/or email for contact.

We may use the personal data provided to us related to your physical identity to respond to your questions, inform you about events or updates, and/or send you messages to your registered email regarding the maintenance of the Application, issues that have arisen, or possible updates.

We do not collect personalized information about your use of the Application as a user. All information about how you use the Application is immediately anonymized. When each user logs in, we may receive, collect, and analyse information about specific pages of the electronic health record that are visited, the order in which this happens, and the hyperlinks that were clicked, but without any connection to data that individualizes the user. In the same anonymized way, we collect information about the URLs from which users connect to the Application. Collecting such information may include logging the IP address, operating system, and browser software used by each user of our site. Based on the IP address used, we may be able to determine the user's internet service provider and geolocate the corresponding connection point. We use or may use cookies and pixel markers (web-beacons) when you access the Application. More information about this can be found in the "Cookie Policy" section.

All personal data we process is visible to you in the Application. All other data we use and that is not visualized for you is anonymized.

Special rules

Account registration: To provide better service when using the Application, you need to provide us with your personal data. Registration can only be done through your electronic identification. This is done through access provided to you via your computer at doc.his.bg where you identify yourself with your qualified electronic signature (QES) and a unique QR code for security is generated, which completes the identification procedure.

Updates: We may offer you the opportunity to receive updates through the Application itself (push notifications), available only to registered users. No personal data will be required to use these services.

Identification upon access: Your identification upon access will only be done through your QES.

Communications with the Application: Your personal data can only be received by us upon your identification upon access as described above. This does not affect your personal data administered in the NHIS. After this point, your connection with the NHIS Portal www.his.bg is one-way for data transfer from the Application to the NHIS. Links to other sites, portals, or applications will not be made or available.

Third-party sites: The Application does not provide access to third-party sites, such as social networks, so your personal data is not accessible to third-party sites, nor does it give you access to such sites.

Partner sites: The Application has no connection with other sites except for the described one-way connection to the NHIS Portal www.his.bg.

Purposes for collecting and processing personal data

The purpose of this policy is to describe how the Application collects, uses, and shares information about you through our online interface. Please read this privacy policy carefully to understand what we do. If you do not understand any aspects of our privacy policy, you can request clarifications at support@his.bg. The purposes for collecting and processing the different types of personal data are described separately in the section "What data we collect" above.

Legal grounds for using your personal data

The legal grounds for using your personal data, as stated in this Policy, are specified in Article 6, paragraph 1, letters "c" and "f" of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, or GDPR) and are one or more of the following:

(1) Processing is necessary for compliance with our legal obligation to establish your identity as a licensed medical professional, which gives you the right to use the NHIS through the Application.

(2) Processing is necessary to ensure the security and functionality of the Application, as well as feedback with its users for maintenance and further development purposes.

Which legal ground applies to a specific processing activity depends on the type of personal data processed and the context in which it is processed.

When the processing of your personal data is necessary to protect our legitimate interests or the legitimate interests of others for their use, we will perform a balancing test of these interests to ensure that we will protect your personal data unconditionally when our legitimate interests (or those of a third party) do not override your interests or fundamental rights and freedoms.

Age Restrictions

The application can only be used by individuals with full professional qualifications as medical specialists, therefore users can only be fully capable individuals.

How Personal Data is Used

Information related to the use of the Application: We use information related to your use of the Application to build higher quality, more useful services by performing statistical analyses of the collective characteristics and behaviour of our users, as well as measuring demographic data and interests regarding specific areas of the Application. We may also use this information to ensure the security of our services and the Application as a whole. In these cases, the data is completely anonymized, and your personal data is not collected and therefore not accessible.

Technical Support and Security: We may use your personal data to provide technical support when necessary and to ensure the security of the NHIS and the Application.

Updates: We may use some of your personal data collected during registration to send you messages regarding the Application and its updates. We may also archive this information and/or use it for future communication with you, but only when we have a legal right to do so.

Communications with or from the Application: When you send us a message or otherwise contact us, we may use the information you provide to respond to your message and/or for other purposes described in this Privacy Policy. We may also archive this information and/or use it for future communication with you when we have a legal right to do so. When we send you emails, we may track how you interact with those emails (e.g., when you open an email or click on a link in an email). We use this information only for the purposes of securing our communications with you and tailoring and optimizing them to your needs.

Communications with Partners and Suppliers: We do not share and will not share your personal data with content providers or potential partners, so they cannot and will not be able to share information about their products and services, regardless of whether they have a legal right to do so.

Research: We may share only aggregated data about access to the Application, information about your activity in it and through it - in the NHIS Portal www.his.bg and demographic data from surveys conducted by us for the needs of the Ministry of Health, which may use the data for health-related research. In none of these cases do we provide, or will we provide your personal data in any way, and all provided and processed data will be anonymized.

Government Authorities and Legal Obligations: The Application may share your personal data with various government authorities in the following circumstances:

  • In response to subpoenas, court orders, or other similar instruments issued within due process.
  • When establishing or exercising the rights of the Controller in a legal process, including intellectual and industrial property rights.
  • When exercising the rights of the Controller to defend against legal claims.
  • In other cases established by statute.

In the above cases, the Administrator has the right to assert, exercise or waive any legal claim, objection or right granted to it by law. The Administrator may also share your personal data when it deems it appropriate to investigate, prevent or take action regarding illegal activities or serious suspicions of such activities; to protect data security, the Application, and the NHIS, as well as you as users of the Application. In all such cases, we will provide your personal data only to government authorities for whom there is a legal requirement to provide certain categories of personal data.

 

E-readers: If we receive any personal information related to the extent to which you use different types of e-readers to access the materials of the Application, we may archive it by deleting the link to your personal data and use it for research, business, or other purposes. In this case, only anonymized data will be processed.

Cookie Policy

For the proper functioning of the Application as a whole, we sometimes place small data files called "cookies" on your device.

What are cookies? Cookies are small text files that are stored on your mobile device or computer when you visit a website. They allow the website to remember your actions and preferences (such as username, language, font size, and other display settings) for a certain period of time, so you don't have to enter them every time you visit the site or move from one page to another.

How do we use cookies? Some components of the Application use cookies that are not absolutely necessary for it to work but make it more convenient to use. You can delete or block cookies, but if you do, some features of the Application may not work properly. Cookies are used to remember:

  • Your display settings, such as navigation language, contrast, font size, used device, search result preferences, and notifications.
  • Your last visit to the Application (for statistical purposes) and the last three pages you visited (to facilitate our help desk in case you submit a request).
  • Information on whether you have accepted or not the use of cookies on this site.

Additionally, embedded videos in the Application may also use cookies to collect anonymous statistics on how you reached the respective page and which videos you watched.

Cookies and Personal Data: The information related to cookies is not used to identify you, and the data patterns are entirely under our control. Cookies are not used for purposes other than those stated here.

Third-party Cookies: We do not allow third-party services to send cookies to users.

How to Control Cookies: You can control and/or delete cookies as you wish. You can delete all cookies that are already stored on your device, and you can also set most browsers to block them. However, if you do this, you may need to manually adjust some parameters each time you visit the site, and some services and features may not work.

Opt-out of Cookies: You can freely accept or decline the use of cookies on this site with a single click on one of the following links:

Accept cookies

Decline cookies

In this case, you decline all cookies except the one that remembers this choice.

Decline cookies entirely

In this case, you will see our cookie banner every time you visit the Application. You can decline the use of only non-essential cookies. Some cookies are absolutely necessary for you to use the Application and the data transfer to the NHIS Portal www.his.bg, as without them we will not be able to provide you with certain features, such as automatic login to the Application.

Personal Data Retention Period

We retain your personal data for a period not longer than necessary for the purposes for which it is collected and processed. The time we retain your personal data depends on the purposes for which we collect and use it and/or according to the requirements to comply with applicable laws and to establish, exercise, or defend our legal rights. The maximum retention period for your personal data is 10 years.

Security in Processing and Storing Personal Data

We value your trust in providing us with your personal data and use all possible means to protect it. Please note that no method of transferring information over the Internet is 100% secure and reliable.

For us, the confidentiality and security of your personal data are of utmost importance. We will use standard physical, technical, and administrative security measures to keep your personal data confidential and secure and will not share it with third parties unless otherwise provided in this Privacy Policy or if such disclosure is necessary in special cases, such as a physical threat to you or others, as permitted by applicable law. Since the Internet is not a completely secure environment, we cannot guarantee the absolute security of the personal information provided to us, and there is still some risk that an unauthorized third party may find a way to circumvent our security systems or that your information may be intercepted during its transmission over the Internet. Therefore, it is your responsibility to protect the security of your login data. Please note that email communications are generally not encrypted and should not be considered secure.

Service Providers

The data processor does not use service providers for the Application and does not hire other persons for this, except for its employees working under an employment contract, who are assigned to perform activities on its behalf. Employees are required not to disclose or use the information for any other reasons than those described in this policy. These obligations are assumed with their employment contracts and the confidentiality documents they have signed.

Objections, Questions, and Suggestions

If you have questions, suggestions, unresolved issues, or complaints related to the privacy and protection of your personal data, you can contact us through the functionalities of the Application or at the email addresses listed below. If you reside or are located in the European Economic Area, our data protection officer and the Application management team can assist you with any questions related to the processing of your personal data. If you reside or are located in a country in the European Economic Area, you can also file a complaint with the Data Protection Commission or file a claim with the competent Bulgarian court if you believe your rights have been violated.

To contact the data protection officer appointed by the controller - the Ministry of Health, please use the following contact information:

Subject: Privacy Request

Alexander Maslarski

Address: Pl. "Sveta Nedelya" No. 5, Sofia 1000

email: dpo@mh.government.bg

Your Rights

You have the right to request access to your personal data, correction or deletion of your personal data, or restriction of the processing of your personal data, or the right to object to the processing, as well as the right to data portability.

  • You have the right to access your personal data and confirm that it remains accurate and up-to-date, choose whether you want to receive feedback from the Controller and the Data Processor, and request that we delete or provide you with a copy of your personal data by logging into the Application and visiting your account page. You have the right to update any personal information that is outdated or inaccurate.
  • You have the right to delete all personal data we process, as well as the right to restrict the way we process your personal data.
  • You have the right to annual information about the categories of user data provided to third parties - processors, the names and addresses of the processors to whom this data is provided or has been provided in the immediately preceding calendar year. For this purpose, if the information is not published on the NHIS Portal www.his.bg, you should send us an email at support@his.bg with the text or just the title (subject) "Request for Privacy Information". In response, we will send you the requested information to the same email address.
  • You have the right to file a complaint with the Data Protection Commission regarding the processing of your personal data by us as the Controller, or by the data processors to whom we have provided this data.

If you need additional information regarding your rights or if you want to exercise any of them, you can also contact us through the procedure for submitting objections, questions, and suggestions (see above "Objections, Questions, and Suggestions").

Data Processor

The data processor of your personal data is the company "Information Services" JSC, UIC 831641791, which is the national system integrator of the state's information systems by government decision. The processor receives the data as an established service operator in the field of information and communication technologies and the maintenance of the NHIS Portal www.his.bg and this Application.

Changes to this Policy

We periodically review our privacy policy for compliance with applicable legal requirements and safety standards, as a result of which it is subject to change. We advise you to regularly check its content for changes. Any subsequent amendment, update, or addition to the Privacy Policy will take effect immediately upon publication. We will notify you of any significant changes to this policy by posting on the NHIS Portal www.his.bg within a reasonable period before such an update, or by sending an email to the address associated with your user account. The effective date of the publication of the change is indicated at the end of this policy. We recommend periodically checking this page to be promptly informed of the current version of this Privacy Policy.

 

This privacy policy is effective from 01.02.2025.

 
