Privacy and Personal Data Protection Policy
INTRODUCTION
The mobile application "eZdrave" is developed as a free application provided by the Ministry of Health of the Republic of Bulgaria (MoH), which is used to provide your health information only to you. This privacy policy is designed to inform users of the application how the MoH, as a data controller, collects and processes personal data when using the application.
For the normal functioning of the "eZdrave" application, we collect and process certain personal data, specified below in the section "What data we collect," including data related to account registration (your names and email), data from your access requests, information from usage surveys you participate in voluntarily, identification and verification (authentication) data, and information about the use of our application and services by each user.
We collect and process your personal data only for the purposes specified below in the section "Purposes for collecting and processing personal data," related to providing our services to you, ensuring the normal functioning of the Application and information security within it, conducting surveys and research related to user demand, and restricting access to information for persons who do not have the right to access it.
In connection with the provided personal data, you have rights that you can exercise as described below in the section "Your Rights."
Each section of this policy contains information about us and how we collect, process, and store personal data.
If you use the application, you agree to the collection and use of information in connection with this policy. The personal information we collect is used to provide and improve the service. We will not share your information with anyone except as described in this policy.
CONTROLLER
"eZdrave" is an application program, designated as a functional subsystem of the National Health Information System (NHIS), hereinafter referred to as "the Application."
The Application is owned by the Ministry of Health of the Republic of Bulgaria and is managed by it as the owner of the National Health Information System, the Application, and as the controller of your personal data (hereinafter referred to as "Controller").
WHAT DATA WE COLLECT
This Policy covers information we collect from you through the Application, defined as personal data or personal information.
"Personal information" is information that can be used to identify you, also defined as "personal data." Specific information that can be defined as personal data may include your name, email address, IP address, and device identifier from which you access the Application, among other data. The accuracy and reliability of the personal information and personal data you provide to the Application are your responsibility. Inaccurate information may affect your ability to use the Application, the information you receive when using the Application, and our ability to contact you. The email address you provide as the primary means of communication with us must be kept up to date.
The MoH, as the Administrator of the Application, collects the following categories of information about you and personal data:
- (1) Personal data related to your physical identity, provided directly by you or through third parties - healthcare institutions: full name; personal identification number, gender, permanent or current address, and for foreign citizens - personal number of a foreigner (PNF), if available, or date and place of birth, citizenship, and gender; as well as phone and/or email for contact (feedback). We collect such data when provided to us by the NHIS based on your informed consent, given explicitly and in writing at a healthcare institution, or when you provide them to us in any of the following cases: registering your account; updating or changing your account data; placing orders for our services; filling out survey questionnaires; subscribing to email updates; participating in our public forums or sending us emails. We may use the personal data provided to us, related to your physical identity, to provide the services you have requested, respond to your inquiries, inform you about events or updates, and send you messages to your registered email regarding site maintenance, issues, or updates.
- (2) Personal data constituting health information. According to Article 27, paragraph 1 of the Health Act, health information is personal data related to the health status, physical and mental development of individuals, as well as any other information contained in medical prescriptions, protocols, certificates, and other medical documentation. We store your health information only to the extent that it is received in the NHIS from healthcare institutions on the grounds provided by law.
- (3) We do not collect personalized information about your use of the Application as a user. All information about how you use the Application is anonymized immediately. When each user logs in, we may receive, collect, and analyze information about the specific pages of the electronic health record that are visited, the order in which this occurs, and the hyperlinks that were clicked, but without any connection to data identifying the user. In the same anonymized manner, we collect information about the URLs from which users connect to the Application. Collecting such information may include logging the IP address, operating system, and browser software used by each user of our site. Based on the IP address used, we may be able to determine the user's internet service provider and geolocate the corresponding connection point. We use or may use cookies and pixel markers (web-beacons) when you access the Application. More information about this can be found in the "Cookie Policy" section.
All personal data we process is visible to you in the Application. All other data we use and that is not visualized for you is anonymized.
BASIC PROVISIONS
Account Registration. To provide better service when using the Application, you need to provide us with your personal data. Registration can be done through electronic identification in the NHIS. This is done by logging into your web-based electronic health record in the NHIS Portal www.his.bg, where a QR code is generated to complete the identification procedure. Registration can also be provided through a special mobile application for electronic identification when available. If you are unable to register through the NHIS Portal, account registration may require data related to your physical identity, such as your name and phone and/or email. Additionally, the Application will need your permission to access the camera and flash of your device through which you access it. The information we have requested will be used only for the purposes of the application and as described in this privacy policy.
Updates. We may offer you the opportunity to receive updates through the Application itself (push notifications), available only to registered users. No personal data will be required to use these services.
Identification upon Access. Your identification upon access will be done with your biometric data (face ID) contained in the phone itself. All these data, including your identifying photo, will be deleted immediately after your successful identification to create your profile.
Communications with the Application. Your personal data may be sent by you and received by us via electronic message (email) or other means by which you can contact us, but only when pairing the Application with the NHIS Portal www.his.bg. After this point, our connection with the Portal is one-way. Links to other applications will not be made.
Third-Party Sites. The Application does not provide access to third-party sites, such as Facebook, so your personal data is not accessible to third-party sites, nor does it give you access to such sites.
Partner Sites. The Application has no connection with other sites outside the NHIS Portal www.his.bg, from which only the health information you are interested in is extracted.
PURPOSES FOR COLLECTING AND PROCESSING PERSONAL DATA
The purpose of this policy is to describe how the Application collects, uses, and shares information about you through our online interfaces (the NHIS Portal www.his.bg and the Application itself). Please read this privacy policy carefully to understand what we do. If you do not understand any aspects of our privacy policy, you can request clarifications at support@his.bg. Your use of the NHIS Portal www.his.bg is governed by the Health Act, the Ordinance on the Structure and Functioning of the NHIS, and the terms of use of the NHIS, which you can find at www.his.bg.
LEGAL GROUNDS FOR USING YOUR PERSONAL DATA
The legal grounds for using your personal data, as stated in this Policy, are specified in Article 6, paragraph 1, letters "b" and "c" of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, or GDPR), and are one or more of the following:
- (1) Processing is necessary to fulfill our obligations to provide access to the NHIS and your electronic patient record, including the terms of their use, which you accept by accessing them.
- (2) Processing is necessary to take steps at your request before providing access to you, which requires the use of your personal data.
- (3) Processing of your personal data is necessary to comply with our legal obligations to restrict access to health information for individuals and their identification when providing personal access to their electronic patient record.
- (4) Processing is carried out based on your explicit prior consent in the cases provided for in this Policy, or with your consent to send you certain messages or where you provide us with certain information.
Which legal basis applies to a specific processing activity depends on the type of personal data processed and the context in which it is processed.
When processing your personal data is necessary to protect our legitimate interests or the legitimate interests of others in using them, we will conduct a balancing test to ensure that we unconditionally protect your personal data when our legitimate interests (or those of others) do not outweigh your interests or fundamental rights and freedoms.
If you have given consent to use your personal data in a certain way but later change your mind, you can withdraw your consent by visiting your user profile page and clicking on the consent withdrawal field, or by deleting your account, and we will immediately stop processing your personal data. Please note that if you withdraw your consent, it may affect our ability to provide you with our services or completely prevent us from doing so. You can withdraw your consent through the Application settings. In this case, your profile will be deactivated, the pairing will be terminated immediately, and all your personal data collected up to that point will be deleted.
AGE RESTRICTIONS
Driven by the awareness of special protection for minors, we do not collect or process personal data of minors. For this reason, the Application does not allow account registration by persons under the age of 14. If you are under this age, please do not access this Site in any way. If you have done so, we will take appropriate measures to delete the received personal data without the validated consent of your parent, guardian, or custodian immediately upon establishing the presence of such data. If you are a minor, your parents have the right to access your electronic health record as your legal representatives. They also have the right to do so through the Application.
HOW PERSONAL DATA IS USED
Information related to the use of our site. We use information related to your use of the Application to build better, more useful services by performing statistical analyses of the collective characteristics and behavior of our users, as well as measuring demographic data and interests regarding specific areas of the Application. We may also use this information to ensure the security of our services and the Application as a whole. In this case, the data is completely anonymized, and your personal data is not collected and therefore not accessible.
Technical support and security. We may use your personal data to provide technical support when necessary and to ensure the security of the NHIS and the Application.
Updates. We may use some of your personal data collected during the registration process to send you messages related to the Application and its updates. We may also archive this information and/or use it for future communication with you, but only when we have a legal right to do so.
Communications with or from the Application. When you send us a message or otherwise contact us, we may use the information you provide to respond to your message and/or for other purposes described in this Privacy Policy. We may also archive this information and/or use it for future communication with you when we have a legal right to do so. When we send you emails, we may track how you interact with these emails (e.g., when you open an email or click on a link in an email). We use this information only for the purposes of securing our communications with you and tailoring and optimizing them to your needs.
Communications with partners and suppliers. We do not share and will not share your personal data with content providers or potential partners in any way, so they cannot and will not be able to share information about their products and services, regardless of whether they have a legal right to do so.
Research. We may share only aggregated data about access to the Application, information about your activity in the NHIS Portal www.his.bg, and demographic data from surveys conducted by us for the needs of the Ministry of Health, which may use the data for health-related research. In none of these cases do we provide or will we provide your personal data in any way, and all provided and processed data will be anonymized.
Government Authorities and Legal Obligations: The Application may share your personal data with various government authorities in the following circumstances:
- In response to subpoenas, court orders, or similar orders issued within due process.
- When establishing or exercising the rights of the Controller in a legal process, including intellectual and industrial property rights.
- When exercising the rights of the Controller to defend against legal claims.
- In other cases established by statute.
In the above cases, the Administrator has the right to assert, exercise or waive any legal claim, objection or right granted to it by law. The Administrator may also share your personal data when it deems it appropriate to investigate, prevent or take action regarding illegal activities or serious suspicions of such activities; to protect data security, the Application, and the NHIS, as well as you as users of the Application. In all such cases, we will provide your personal data only to government authorities for whom there is a legal requirement to provide certain categories of personal data.
Disclosure of information to acquirers. The Application may disclose and/or transfer your personal data to an acquirer, universal or private successor in the event of a sale, transfer, transformation, liquidation, distribution of assets, enforcement, or other form of reorganization of the entire equity, business (enterprise), or assets of the Data Processor of the Application, or part of this equity, business (enterprise), or assets.
Electronic readers. If we receive any personal information related to the extent to which you use the specified electronic readers to access the materials of the Application, we may archive it by deleting the link to your personal data and use it for research, business, or other purposes. In this case, only anonymized data will be processed.
COOKIE POLICY
For the proper functioning of the Application as a whole, we sometimes place small data files called "cookies" on your device.
What are cookies? Cookies are small text files that are stored on your mobile device or computer when you visit a website. They allow the website to remember your actions and preferences (such as username, language, font size, and other display settings) for a certain period, so you do not have to enter them every time you visit the site or move from one page to another.
How do we use cookies? Some components of the Application use cookies that are not absolutely necessary for it to work but make it more convenient to use. You can delete or block cookies, but if you do, some features of the Application may not work properly. Cookies are used to remember:
- (1) your display settings, such as navigation language, contrast, font size, used device, search results preferences, and notifications.
- (2) your last visit to the website (for statistical purposes) and the last three pages you visited (to facilitate our help desk in case you submit a request).
- (3) information on whether you have accepted or not the use of cookies on this site.
Additionally, embedded videos on our pages may also use cookies to collect anonymous statistics on how you reached the respective page and which videos you watched.
Cookies and personal data. The information related to cookies is not used to establish your identity, and the data patterns are entirely under our control. Cookies are not used for purposes other than those stated here.
Third-party cookies. We do not allow third-party services to send cookies to users.
How to control cookies? You can control and/or delete cookies as you wish. You can delete all cookies that are already stored on your device, and you can also set most browsers to block them. However, if you do this, you may need to manually adjust some parameters each time you visit the site, and some services and features may not work.
Opting out of cookies. You can freely accept or refuse the use of cookies on this site with a single click on one of the following links:
- Accept cookies.
- Refuse cookies. In this case, you refuse all cookies except the one that remembers the current choice.
- Refuse cookies entirely. In this case, you will see our cookie banner every time you visit the Application.
You can refuse the use of only non-essential cookies. Some cookies are absolutely necessary for you to use the Application and the NHIS Portal www.his.bg, as without them we will not be able to provide you with certain features, such as automatic login to the Application.
PERSONAL DATA RETENTION PERIOD
We store your personal data for a period not longer than necessary for the purposes for which they are collected and processed. The time we store your personal data depends on the purposes for which we collect and use it and/or according to the requirements to comply with applicable laws and to establish, exercise, or defend our legal rights. The maximum retention period for your personal data is 10 years.
SECURITY OF PERSONAL DATA STORAGE
We value your trust in providing us with personal information, and we use all possible means to protect it. Please note that no method of transferring information over the Internet is 100% secure and reliable.
For us, the confidentiality and security of your personal data are of utmost importance. We will use standard physical, technical, and administrative security measures to keep your personal data confidential and secure, and we will not share it with third parties unless otherwise provided in this Privacy Policy or if such disclosure is necessary in special cases, such as a physical threat to you or others, as permitted by applicable law. Since the Internet is not a completely secure environment, we cannot guarantee the absolute security of the personal information provided to us; there is still some risk that an unauthorized third party may find a way to circumvent our security systems or that your information may be intercepted during its transmission over the Internet. Therefore, it is your responsibility to protect the security of your login data. Please note that email communications are generally not encrypted and should not be considered secure.
SERVICE PROVIDERS
The data processor does not use service providers for the Application and does not hire other persons for this, except for its employees working under employment contracts, who are assigned to perform activities on its behalf. Employees are obliged not to disclose or use the information for any other reasons than those described in this policy. These obligations are assumed with their employment contracts and the confidentiality documents they have signed.
OBJECTIONS, QUESTIONS, AND SUGGESTIONS
If you have any questions, suggestions, unresolved issues, or complaints related to the privacy and protection of your personal data, you can contact us through the functionalities of the Application or at the email addresses provided below. If you reside or are located in the European Economic Area, our data protection officer and the Application management team can assist you with any questions related to the processing of your personal data. If you reside or are located in a country in the European Economic Area, you can also file a complaint with the Data Protection Commission or bring a claim before the competent Bulgarian court if you believe your rights have been violated.
To contact the data protection officer appointed by the controller - the Ministry of Health, please use the following contact information:
Alexander Maslarski
Address: 5 "Sveta Nedelya" Square, Sofia 1000
Email: dpo@mh.government.bg
YOUR RIGHTS
You have the right to request access to your personal data, correction or deletion of your personal data, or restriction of the processing of your personal data, or the right to object to the processing, as well as the right to data portability.
- (1) You have the right to access your personal data and confirm that it remains accurate and up-to-date, choose whether you want to receive feedback from the Controller and the Data Processor, and request that we delete or provide you with a copy of your personal data by logging into the Application and visiting your user account page. You have the right to update any personal information that is outdated or inaccurate.
- (2) You have the right to delete all personal data we process, as well as the right to restrict the way we process your personal data.
- (3) You have the right to annual information about the categories of user data provided to third parties - processors, the names and addresses of the processors to whom this data is provided or has been provided in the immediately preceding calendar year. For this purpose, if the information is not published on the NHIS Portal www.his.bg, you should send us an email to support@his.bg with the text or just the title (subject) "Request for Privacy Information." In response, we will send you the requested information to the same email address.
- (4) You have the right to file a complaint with the Data Protection Commission regarding the processing of your personal data by us as the Controller or by the data processors to whom we have provided this data.
If you need additional information regarding your rights or if you want to exercise any of them, you can also contact us following the procedure for submitting objections, questions, and suggestions (see above "Objections, Questions, and Suggestions").
DATA PROCESSORS
The data processor is the company "Information Services" JSC, UIC 831641791, which is the national system integrator of the state's information systems by government decision. The processor receives the personal data in its capacity as an operator of services in the field of information and communication technologies and the maintenance of the systems of the NHIS Portal www.his.bg and this Application.
CHANGES TO THIS POLICY
We periodically review our privacy policy for compliance with applicable legal requirements and safety standards, as a result of which it is subject to change. We advise you to regularly check its content for changes. Any subsequent amendment, update, or addition to the Privacy Policy will take effect immediately after its publication. We will notify you of any significant changes to this policy by posting on the NHIS Portal www.his.bg within a reasonable period after such an update or by sending an email to the address associated with your user account. The effective date of the publication of the change is indicated below at the end of this policy. We recommend periodically checking this page to be promptly informed of the most current version of this Privacy Policy.
This privacy policy is effective from 1.02.2025.