
GDPR policy

POLICY FOR PERSONAL DATA PROTECTION OF „SPECTRO GROUP” OOD

For the purposes of its activity, SPECTRO GROUP OOD (hereinafter referred to as the “Administrator”) processes personal data of natural persons (“data subjects”) in strict compliance with Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR), the Personal Data Protection Act and the Privacy Policy of the Company.

According to the General Regulation, "personal data" means any information relating to a natural person through which he or she can be directly or indirectly identified.

"Health status details" means personal data relating to the physical or mental health of a natural person. These data are subject to special protection, given their sensitive nature, and are handled by medical specialists bound by the obligation of professional secrecy.
 
The processing of personal data is any operation or set of operations that may be performed on personal data by automatic or other means.
 
This information is intended to inform you of all aspects of the processing of your personal data by the Administrator and the rights you have in connection with this processing.

Who is the data administrator?
Which natural persons' personal data are processed by the company?
For what purposes and on what basis is personal data processed?
To whom are the personal data transmitted or disclosed?
The deadlines for storing personal data.
Measures to ensure data security.
The rights of individuals and the way they are exercised.

Personal Data Administrator

The personal data Administrator is „SPECTRO GROUP” OOD, with address: city of Sofia, “Vitosha” r.d., 6 “Asen Raztsvetnikov” Str., tel: +359 2 971 36 98, mobile: +359 882 74 37 38.

The company has a specially appointed data protection officer, whom you can contact by e-mail: snejana.mincheva@spectro-group.com and by tel.: +359 887 562 164.
 
Natural persons whose personal data are processed by the company
 
„SPECTRO GROUP” OOD processes personal data about the following natural persons:
(a) Customers;
(b) Staff - current and former employees of the company, job applicants, as well as persons in training;
(c) Contractors or potential contractors of the company and their employees.

Reason for collecting, processing and storing personal data

Art.1. The Administrator collects and processes the data you have provided pursuant to Article 6, para. 1, letter „a“ of Regulation (EU) 2016/679 (GDPR), namely: on the basis of consent to the processing of personal data for one or more specific purposes, or where processing is necessary in order to protect the vital interests of the data subject or of another natural person, or on the basis of a statutory duty of the Administrator, or on the legitimate interests of the Administrator or of a third party, and if one of the grounds of Article 9, paragraph 2 of Regulation (EU) 2016/679 (GDPR) exists.

Objectives and principles of collecting, processing and storing personal data

Art.2. (1) We collect and process the personal data you provide us for:
• identifying you as our customer / patient;
• accepting, processing and executing requests for reviews, procedures and interventions, including those requested through the “Spectro aesthetics Beauty Studio” website and / or through registration in specialized client software;
• issuing medical documents, forms and certificates;
• creating and storing a client / patient file;
• providing tax information to the competent state authorities;
• accounting purposes;
• making contact with you;
• informing you about newly introduced procedures, promotions, packages and services.

(2) We comply with the following principles when processing your personal data:
• lawfulness, good faith and transparency;
• limitation of the processing objectives;
• relevance to the processing objectives and minimizing data collected;
• accuracy and timeliness of the data;
• limitation of storage in order to achieve the objectives;
• integrity and confidentiality of the processing, and ensuring an adequate level of security of personal data.
(3) When processing and storing personal data, the Administrator may process and store personal data to protect the following legitimate interests:
• fulfilling its obligations to the Ministry of Health, the National Center for Health Information, the National Statistical Institute, regional health inspections and other state and municipal authorities;
• the protection of its property and of the property for which it is responsible on the basis of a concluded contract.

What kind of personal data the medical center collects, processes and stores

Art.3. (1) The Administrator processes the following categories of personal data and information:
• Names;
• Personal ID Number;
• Email;
• Telephone;
• Health status data;
• Other sensitive personal data.

Term for storing your personal data

Art.4. (1) The Administrator has an internal policy that determines how long your personal data is stored. It is based primarily on the type of information it collects and the purposes for which it is collected. Your personal data is stored for as long as necessary for the purposes of the processing for which the data were collected and for any other permissible and related purpose, or until the expiry of a legally prescribed period. The Administrator has a legitimate interest in retaining certain of your personal information until the expiry of the limitation period for bringing claims. The Administrator will not delete or anonymize your personal data if it is necessary for pending court or administrative proceedings or proceedings to examine your complaint before the company.
(2) The Administrator notifies you if the storage period of the data needs to be extended in order to comply with a statutory obligation or with respect to the legitimate interests of the Administrator or otherwise.

Transmission of your personal data for processing

Art.5. (1) The Administrator may, at his own discretion, transmit all or part of your personal data to processors for the fulfillment of the processing objectives you have agreed to, subject to the requirements of applicable legislation.
(2) The Administrator may provide personal data to the following third parties:
• competent public authorities implementing statutory regulations, including the National Health Insurance Fund, the Ministry of Health, the National Revenue Agency, the National Social Security Institute, etc.;
• commercial companies providing services to the company, including information maintenance and security of the IT systems.

(3) The Administrator notifies you in case of intent to transfer some or all of your personal data to third countries or international organizations.

Your rights in collecting, processing and storing your personal data.

Withdrawal of consent to process your personal data

Art.6. The collection, processing and storage of personal data is voluntary. The data subject may withdraw his or her consent to processing for a particular purpose or for any purpose at any time. Consent is withdrawn by a written request to the Administrator, submitted to the specified email or to the address of the beauty studio.

Right of access

Art.7. (1) You have the right to request and obtain from the Administrator a confirmation that personal data relating to you is being processed.
(2) You have the right to access the data relating to you as well as information relating to the collection, processing and storage of your personal data.
(3) The Administrator provides you, on request, with a copy of the processed personal data relating to you, in electronic or other appropriate form.
(4) Providing access to the data is free of charge, but the Administrator reserves the right to impose an administrative fee in the event of repeated or excessive requests.

Right to rectification or completion

Art.8. You have the right to ask the Administrator to:
• correct inaccurate personal data relating to you;
• complete incomplete personal data relating to you.

Right to erasure ("to be forgotten")

Art.9. (1) You have the right to ask the Administrator to delete the personal data relating to you and the Administrator has the obligation to delete them without undue delay when any of the following reasons exists:
• personal data is no longer needed for the purposes for which it was collected or otherwise processed;
• You withdraw your consent on which the processing of the data is based and there is no other legal basis for the processing;
• You object to the processing of personal data related to you, including for the purposes of direct marketing, and there are no overriding legitimate grounds for the processing;
• personal data has been processed unlawfully;
• Personal data must be deleted to comply with a legal obligation under EU law or the law of a Member State that applies to the Administrator;
• personal data have been collected in connection with the provision of information society services.
(2) The Administrator is not obliged to delete the personal data if it stores and processes them:
• in exercising the right to freedom of expression and the right to information;
• in order to comply with a legal obligation that requires processing provided for under EU law or the law of the Member State that applies to the Administrator or for the performance of a public interest task or the exercise of official rights;
• for reasons of public interest in the field of public health;
• for purposes of archiving in the public interest, for scientific or historical research or for statistical purposes;
• for the establishment, exercise or protection of legal claims.
(3) In the event that you exercise your right to be forgotten, the Administrator will delete all your data, except the information that is required to verify that your right to be forgotten is fulfilled.
(4) The right of deletion is exercised by the data subject submitting a request to the Administrator. In order to execute the request, the Administrator shall draw up a record.

Right to restriction

Art.10. You may require the Administrator to restrict the processing of data relating to you when:
• You contest the accuracy of the personal data, for a period that allows the Administrator to verify the accuracy of the personal data;
• processing is illegal, but you do not want the personal data to be deleted, only to be restricted;
• The Administrator no longer requires the personal data for the purposes of processing, but you require them to establish, exercise or protect your legal claims;
• You have objected to the processing, pending verification of whether the Administrator's legal grounds have an advantage over your interests.

Right of portability

Art.11. If you have consented to the processing of your personal data or the processing is necessary for the execution of the agreement with the Administrator, or if your data is processed in an automated manner, you may, after you have identified yourself to the Administrator:
• ask the Administrator to provide you with your personal data in a readable format and transfer it to another Administrator;
• ask the Administrator to transfer your personal data directly to an administrator you designate, when this is technically feasible.

Right to receive information

Art.12. You may ask the Administrator to inform you of all recipients to whom the personal data for which correction, deletion, or limitation of the processing was requested has been disclosed. The administrator may refuse to provide this information if this would not be possible or would require disproportionate efforts.

Right of objection

Art.13. You may object at any time to the processing by the Administrator of personal data that relates to you, including if it is being processed for profiling or direct marketing purposes.

Your rights in the event of a breach of the security of your personal data

Art.14. (1) If the Administrator finds a breach of the security of your personal data which may pose a high risk to your rights and freedoms, it notifies you without undue delay of the breach and of the measures taken or to be taken.
(2) The Administrator is not required to notify you if:
• it has taken appropriate technical and organizational protection measures with respect to the data affected by the security breach;
• it has subsequently taken measures to ensure that the breach will not lead to a high risk for your rights;
• notification would require disproportionate efforts.

Right to appeal

Art.15. Everyone can make a complaint to the supervisory authority. The competent supervisory authority is the Commission for Personal Data Protection, address: Sofia 1592, 2 “Prof. Tsvetan Lazarov” Str., phone: 02 915 3 518, website: www.cpdp.bg.

Requests, inquiries and objections may be filed in writing at the address of „Spectro Group” OOD in the city of Sofia, region Vitosha, 6 “Asen Raztsvetnikov” Str., or by email: office@spectro-group.com.

Protection of personal data

Art.16. „SPECTRO GROUP” OOD has adopted policies and instructions to ensure confidentiality and protection of personal data, including the explicit commitment of employees to professional secrecy and confidentiality. The Administrator shall take the necessary technical and organizational measures to protect the data from accidental or unlawful destruction, accidental loss, unauthorized access, alteration or dissemination, as well as other illegal forms of processing.

This policy is current as of 22.05.2018. It may be amended on the initiative of “SPECTRO GROUP” OOD or a competent authority due to an amendment of the current legislation. Persons are notified of changes to the personal data protection policy by its publication on the company's website www.spectroaesthetics.com.