Name: H2MEDICAL Ltd.
EIC/BUSSTAT: 202179575
VAT No: BG202179575
Registered office and management address. Varna, ul. registered office and registered address: 2B Radost, 28 app.
Address for correspondence. Varna, address: Varna, Varna, Bulgaria, address: 3 Ivan Drasov Str.
Telephone: 0877 600 621
E-mail: info@h2medical.org
Website: www.h2medical.org
Information on the competent supervisory authority for personal data protection
Name: Commission for Personal Data Protection
Headquarters and registered office. Headquarters and registered office: 1592 Sofia Blvd. "1595 Prof. No 2 Tsvetan Lazarov
Address for correspondence. Address: 1. "Prof. No. 2 Tsvetan Lazarov
Phone: 02 915 3 518
Website: www.cpdp.bg
N2MEDICAL Ltd (hereinafter referred to as the "Administrator" or the "Company") carries out its activities in accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. This information is intended to inform you about all aspects of the processing of your personal data by the Company and the rights you have in relation to this processing.
Basis for collecting, processing and storing your personal data
Art. 1.The controller collects and processes your personal data in connection with the use of the N2MEDICAL e-shop and the conclusion of contracts with the company on the basis of Art. 6, para. 1, Regulation (EU) 2016/679 (GDPR), and in particular on the following grounds:
Your explicit consent as a customer;
Performance of the Controller's obligations under a contract with you;
Compliance with a legal obligation applicable to the Controller;
For the purposes of the legitimate interests of the Controller or a third party;
Purposes and principles of collecting, processing and storing your personal data
Art. 2. (1)We collect and process the personal data you provide to us in connection with your use of the e-shop and entering into a contract with the company, including for the following purposes:
creating an account and providing full functionality when using the online shop;
conclusion and performance of a distance contract;
individualisation of the contracting party;
accounting purposes;
statistical purposes;
information security protection;
securing the performance of the contract for the provision of the relevant service.
sending of a newsletter if you so request;
(2) We comply with the following principles when processing your personal data:
lawfulness, fairness and transparency;
limitation of the purposes of processing;
relevance to the purposes of the processing and minimisation of the data collected;
accuracy and timeliness of data;
limitation of storage to achieve the purposes;
integrity and confidentiality of processing and ensuring an appropriate level of security of personal data.
(3) In processing and storing personal data, the Controller may process and store personal data for the purpose of protecting its following legitimate interests:
Performance of its obligations to the National Revenue Agency, the Ministry of the Interior and other state and municipal authorities.
What types of personal data our company collects, processes and stores
Art. 3. (1) The Company shall carry out the following operations with the personal data provided by you for the following purposes:
Registration of a user in the e-shop and execution of a distance purchase contract - the purpose of this operation is to create a profile for using the e-shop to purchase goods and provide contact details for making delivery of purchased goods. The registration and creation of a profile for the use of the online shop is not a mandatory step of the provision of the service and it is available to a significant extent without the creation of a profile.
Conclusion of the impact assessment: Based on the impact assessment carried out, the operation 'registration of a user in the online shop and execution of a distance purchase contract' is acceptable to carry out and provides sufficient guarantees to protect the rights and legitimate interests of data subjects in line with the requirements of the GDPR.
Conclusion and execution of a commercial transaction with a customer or partner - the purpose of this operation is the conclusion and execution of a contract with a commercial partner or customer and its administration. Given the limited scope of the personal data collected and the fact that some of it is collected from publicly available sources, conducting an impact assessment is not necessary for this operation.
Newsletter Sending - the purpose of this operation is to administer the process of sending newsletters to customers who have indicated that they wish to receive them. Given the limited scope of the personal data collected, an impact assessment of the operation is not necessary.
Exercising the right to opt-out or make a complaint - the purpose of this operation is to administer the process of exercising the right to opt-out or make a complaint by the customer. Given the limited scope of the personal data collected, conducting an impact assessment is not necessary to carry out an impact assessment of the operation.
(2) The controller processes the following categories of personal data and information for the following purposes and on the following grounds:
Your personal data (e-mail, name, etc.)
Purpose for which the data is collected: 1) Contacting the user and sending information to the user, 2) for the purpose of registering a user in the online store, and 3) for sending a newsletter.
Basis for processing your personal data - By accepting the terms and conditions and registering in the online store or placing an order without registration, or by concluding a written contract, a contractual relationship is established between the Controller and you, on the basis of which we process your personal data - Art. 6, para. 1 (b) GDPR. Your data for sending a newsletter is processed on the basis of your explicit consent - Art. 6 para. 1 (a) GDPR.
Delivery data (names, telephone, address, etc.)
Purpose for which the data is collected.
Basis for processing your personal data - By accepting the general terms and conditions and registering in the e-shop or placing an order without registration, or by concluding a written contract, a contractual relationship is established between the Administrator and you, on which basis we process your personal data - Art. 1 (b) GDPR.
Additional data provided by you - If you wish to supplement your profile, you can fill in your name, surname, telephone number.
Purpose for which the data is collected.
Grounds for processing the data: You have provided your explicit consent to the processing of his personal data for one or more specific purposes - 6 para. (a) of the GDPR at the time of registration in the online shop. The provision of this data is not mandatory for registration in the online shop.
(3)The controller does not collect or process personal data relating to the following:
reveal racial or ethnic origin;
disclose political, religious or philosophical beliefs, or trade union membership;
genetic and biometric data, data concerning health or data concerning sex life or sexual orientation.
(4) Personal data are collected by the Controller from the individuals to whom they relate.
(5) The Company does not perform automated decision-making with data.
Art. 4. (1) The Company performs the following operations with the personal data provided by you, as legal representatives or proxies of legal entities - business partners, for the following purposes:
Conclusion and execution of a commercial transaction: for the conclusion and execution of a commercial transaction with a commercial company, we only process the full name of the legal representative or the person authorised by the company. Conclusion of the impact assessment.
(2) The personal data have been collected by the Controller from the individuals to whom they relate and from the Commercial Register at the Registry Agency.
(3) The Company does not carry out automated decision-making with data.
Art. 5. The Administrator may use so-called "cookies" for the purposes of providing full functionality of the website, improving the user experience, statistical purposes, facilitating access, etc., to which you agree by using our website. You can control and/or delete cookies at any time through the settings of the browser you are using. "Cookies do not constitute personal data and are not used to identify visitors and users of the e-shop.
Storage period of your personal data
Art. 6. (1) The controller stores your personal data for a period no longer than the existence of your online shop account. After the deletion of your account, the Administrator shall take the necessary care to delete and destroy all your data without undue delay or to anonymize them (i.e. to put them in a form that does not reveal your identity).
(2) The controller processes your personal data that you have provided when placing an order without registration in the e-shop until the order is completed, unless you have given your explicit consent when placing the order for your data to be processed for the purposes of improving the service, providing recommended content for you, individual conditions, promotions, as well as for statistical purposes.
(3) The Controller stores your personal data provided in connection with online orders for a period of 5 years for the purpose of protecting the legal interests of the Controller in legal or administrative disputes with users of the online store.
(4) The Controller shall notify you in the event that the data storage period needs to be extended in order to comply with a legal obligation or in view of the legitimate interests of the Controller or otherwise.
(5) The Controller shall store the personal data that it is required to keep under applicable law for the relevant period provided for, which may exceed the duration of your e-shop account or until the order is completed.
Art. 7. The Data Controller shall keep the personal data of the legal representatives of its business partners for the duration of the performance of the contract, in order to comply with the legitimate interests and legal obligations of the Data Controller, which period may exceed the duration of the concluded contract.
Transfer of your personal data for processing
Art. 8. (1) The Controller may, at its own discretion, transfer some or all of your personal data to processors for the fulfilment of the processing purposes to which you have consented, subject to the requirements of Regulation (EU) 2016/679 (GDPR).
(2) The controller shall notify you in the event of an intention to transfer some or all of your personal data to third countries or international organisations.
Your rights in the collection, processing and storage of your personal data
Withdrawal of consent to the processing of your personal data
Art. 9. (1) If you do not wish the personal data you have provided to be processed for marketing purposes and to receive the newsletter, you may withdraw your consent to processing at any time by completing the consent withdrawal form in Appendix 1 or by making a free text request and sending it to us by email.
(2) Once we receive your request, we will send you a letter with detailed instructions for your verification as a newsletter recipient and subject of the personal data for which withdrawal of consent has been requested, to the email address you have provided to receive newsletters and promotional communications.
(3) The withdrawal of consent shall not affect the lawfulness of the processing of personal data that the Controller has carried out up to that point.
Right of access
Art. 10. (1) You have the right to request and obtain confirmation from the Controller as to whether personal data relating to you is being processed by sending a request in free text by email.
(2) You have the right to obtain access to the data relating to you as well as to the information relating to the collection, processing and storage of your personal data.
(3) Once we have received your request, we will send you a letter with detailed instructions for your verification as the subject of the personal data to which access has been requested, to the email address you used to register or place orders in the e-shop.
(4) After verification has been carried out in accordance with par. 3, the Controller shall provide you, upon request, with a copy of the personal data processed relating to you in electronic or other appropriate form.
(5) Providing access to the data is free of charge, but the Controller reserves the right to charge an administrative fee in the event of repetitive or excessive requests.
Right to rectification or completion
Art. 11. (1) You may, at any time, correct or complete inaccurate or incomplete personal data relating to you through the "Edit Profile" option.
(2) You may rectify or complete inaccurate or incomplete personal data relating to you directly through your profile on the website or by making a request to the Controller by email using the form in Appendix 4 or by making a free text request.
Right to erasure ("being forgotten")
Art. 12. (1) You have the right to request the Administrator to erase some or all of the personal data relating to you, and the Administrator has the obligation to erase them without undue delay where any of the following grounds apply:
the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
You withdraw your consent on which the processing is based and there is no other legal basis for the processing;
You object to the processing of personal data relating to you, including for direct marketing purposes, and there are no lawful grounds for the processing which override;
the personal data have been unlawfully processed;
the personal data must be erased in order to comply with a legal obligation under EU or Member State law to which the Controller is subject;
the personal data have been collected in connection with the provision of information society services.
(2) The Controller is not obliged to erase personal data if it stores and processes them:
for the exercise of the right to freedom of expression and the right to information;
for compliance with a legal obligation requiring processing provided for in EU or Member State law applicable to the Controller or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
for reasons of public interest in the field of public health;
for archiving purposes in the public interest, scientific or historical research or statistical purposes;
for the establishment, exercise or defence of legal claims.
(3) In order to exercise your right to be forgotten, it is necessary to send by email a request for deletion of your personal data processed by the Controller, either by filling in the form in Appendix No. 2 or by means of a free text request, after which the Controller will send to the email address you used to register or place orders in the e-shop, a letter with detailed instructions for your verification as a user of the shop and subject of the personal data for which deletion is requested.
(4) Once we have verified the identity of the person who made the request and the data subject in accordance with the instructions sent to you, we will delete any data we process about you in accordance with par. 3.
(5) If there is an order placed by you which is in the process of being processed, the earliest point at which you can request to be "forgotten" is upon successful completion of the order.
Right of restriction
Art. 13. You have the right to request the Controller to restrict the processing of data relating to you by sending us a request in free text by email when:
you contest the accuracy of the personal data, for a period that allows the Controller to verify the accuracy of the personal data;
the processing is unlawful, but you do not wish the personal data to be erased, but only for its use to be restricted;
The Controller no longer needs the personal data for the purposes of the processing, but you require it for the establishment, exercise or defence of legal claims;
You have objected to the processing pending verification that the Controller's legitimate grounds override your interests.
(2) Once we receive your request, we will send you a letter to the email address you used to register or place orders on the e-shop with detailed instructions on how to verify you as a user of the shop and the subject of the personal data for which a request for restriction of processing has been made.
(3) After the verification pursuant to paragraph 2, the Company will cease processing your data, but will not remove the posts you have made in the online store, if any.
Right to portability
Art. 14. (1) If you have consented to the processing of your personal data or the processing is necessary for the performance of the contract with the Controller, or if your data is processed in an automated manner, you may:
request the Controller to provide you with your personal data in a readable format and transfer it to another Controller;
ask the Controller to transfer your personal data directly to a controller designated by you, where this is technically feasible.
(2) You may exercise the right of portability by emailing us the completed form in accordance with Appendix 3 or a free text request, after which the Controller will send to the email address you used to register or place orders in the e-shop a letter with detailed instructions for your verification as a user of the shop and subject of the personal data for which portability has been requested.
(3) After the verification pursuant to paragraph (2), the Company sends the data it processes for you in XML format to the email address you provided.
Right to receive information
Art. 15. You may request the Controller to inform you of any recipients to whom the personal data for which rectification, erasure or restriction of processing has been requested have been disclosed. The controller may refuse to provide this information if it would be impossible or would require a disproportionate effort.
Right to object
Art. 16. You may object at any time to the processing of personal data concerning you by the Controller, including if it is processed for profiling or direct marketing purposes.
Your rights in the event of a personal data breach
Art. 17. (1) If the Controller becomes aware of a breach of the security of your personal data which may pose a high risk to your rights and freedoms, he shall notify you without undue delay of the breach and of the measures which have been taken or are to be taken.
(2) The controller is not obliged to notify you if:
it has taken appropriate technical and organisational protection measures in respect of the data affected by the security breach;
has subsequently taken measures to ensure that the breach will not result in a high risk to your rights;
notification would require a disproportionate effort.
Persons to whom your personal data are disclosed
Art. 18. (1) For the purposes of processing your personal data and providing the service in its full functionality and in view of your interests, the Data Controller may provide the data to the following persons who are data processors:
Processor Purpose of the processing of personal data
............................................... .....................................................................
............................................... .....................................................................
............................................... .....................................................................
(2) Processors shall comply with all legality and security requirements in processing and storing your personal data.
Art. 19. The controller shall not transfer your data to third countries.
Art. 20. In the event of a violation of your rights under the above or applicable data protection legislation, you have the right to lodge a complaint with the Data Protection Commission as follows:
Personal Data Protection Commission.
Headquarters and registered office. Headquarters and registered office. "1592, Prof. No.: 2 Tsvetan Lazarov
Address for correspondence. Address: 1. "Prof. No. 2 Tsvetan Lazarov
Phone: 02 915 3 518
Website: www.cpdp.bg
Art. 21. You can exercise all your rights regarding the protection of your personal data by using the forms attached to this information. Of course, these forms are optional and you may make your requests in any form that contains a statement to that effect and identifies you as the data holder.
Art. 22. If the consent relates to a transfer, the Data Controller shall describe the possible risks for the transfer of the data to third countries in the absence of an adequate protection solution and appropriate means of protection.
Annex No. 1
Withdrawal of consent form for processing purposes
Your name*: .........................
Your email address that you used in the e-shop*: .........................
Feedback details (e-mail)*: .........................
To
Name: .........................
UIC/BULSTAT: .........................
Registered office and registered address: .........................
Address for correspondence: .........................
Telephone: .........................
E-mail: .........................
Website: .........................
I hereby withdraw my consent to the processing of the personal data provided by me for the purpose of receiving newsletters, promotional communications or other marketing materials, having read the conditions for withdrawal of consent in accordance with the Mandatory Information on the Rights of Individuals on the Protection of Personal Data of the e-shop.
In the event of a breach of your rights under the above or applicable data protection legislation, you have the right to lodge a complaint with the Data Protection Commission as follows:
Personal Data Protection Commission.
Headquarters and registered office. Headquarters and registered office. "1592, Prof. No.: 2 Tsvetan Lazarov
Address for correspondence. Address: 1. "Prof. No. 2 Tsvetan Lazarov
Phone: 02 915 3 518
Website: www.cpdp.bg
Appendix No. 2
Request "to be forgotten" - to delete personal data related to me
Your name*: .........................
Your email address you registered with or used to place orders in the e-shop*: .........................
Feedback details (e-mail)*: .........................
To
Name: .........................
UIC/BULSTAT: .........................
Registered office and registered address: .........................
Address for correspondence: .........................
Telephone: .........................
E-mail: .........................
Website: .........................
I request that all personal data that you collect, process and store, provided by me or by third parties who are related to me, according to the indicated identification, be deleted from your databases.
I declare that I am aware that some or all of my personal data may continue to be processed and stored by the controller for the purposes of fulfilling its legal obligations.
In the event of a breach of your rights under the above or applicable data protection legislation, you have the right to lodge a complaint with the Data Protection Commission as follows:
Name: Data Protection Commission.
Headquarters and registered office. Headquarters and registered office. "1592, Prof. No.: 2 Tsvetan Lazarov
Address for correspondence. Address: 1. "Prof. No. 2 Tsvetan Lazarov
Phone: 02 915 3 518
Website: www.cpdp.bg
Annex No. 3
Request for portability of personal data
Your name*: .........................
Your email address with which you registered or used to order from the e-shop*: .........................
Feedback details (e-mail)*: .........................
To
Name: .........................
UIC/BULSTAT: .........................
Registered office and registered address: .........................
Address for correspondence: .........................
Telephone: .........................
E-mail: .........................
Website: .........................
Please send all personal data related to me that is collected, processed and stored in your databases in XML format to:
e-mail: .........................
Data Receiving Administrator: .........................
Name: .........................
Identification number (UIC, BULSTAT, reg. number in the KPLD): .........................
E-mail: .........................
In case of violation of your rights under the above or applicable data protection legislation, you have the right to file a complaint with the Personal Data Protection Commission as follows:
Name: Data Protection Commission.
Headquarters and registered office. Headquarters and registered office. "1592, Prof. No.: 2 Tsvetan Lazarov
Address for correspondence. Address: 1. "Prof. No. 2 Tsvetan Lazarov
Phone: 02 915 3 518
Website: www.cpdp.bg
Annex No. 4
Request for correction of data
Your name*: .........................
Your email address that you registered with or used to order from the e-shop*: .........................
Feedback details (e-mail)*: .........................
To
Name: .........................
UIC/BULSTAT: .........................
Registered office and registered address: .........................
Address for correspondence: .........................
Telephone: .........................
E-mail: .........................
Website: .........................
I request that the following personal data that you collect, process and store, provided by me or by third parties who are related to me, be corrected as follows:
Data subject to correction:
..................................................
Please be corrected as follows:
..................................................
In the event of a breach of your rights under the above or applicable data protection legislation, you have the right to lodge a complaint with the Data Protection Commission as follows:
Name: Data Protection Commission.
Headquarters and registered office. Headquarters and registered office. "1592, Prof. No.: 2 Tsvetan Lazarov
Address for correspondence. Address: 1. "Prof. No. 2 Tsvetan Lazarov
Phone: 02 915 3 518
Website: www.cpdp.bg