Privacy policy

PRIVACY POLICY
OF MEDICAL TECHNICS ENGINEERING Ltd.

Effective as of 25 May 2018, last updated on 08 June 2021.

I. GENERAL INFORMATION ON THE CONTROLLER AND THE PROCESSING

This Privacy Policy regulates the protection of individuals with regard to the processing of their personal data by MEDICAL TECHNICS ENGINEERING Ltd. in relation to the services provided by the website https://www.mte-bg.com. With this Privacy Policy, we are seeking to provide you with comprehensive information on the processing of your personal data in accordance with Articles 13 and 14 of the Regulation in a transparent, accessible and easily understandable way.

Medical Technics Engineering Ltd. (referred to herein as “the Controller” or “MTE Ltd.”) processes personal data of individuals as required by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, known as GDPR), referred to as “the Regulation”, the Data Protection Act, and all other regulations relating to the processing and protection of personal data of natural persons. Medical Technics Engineering Ltd. is a data controller within the meaning of Article 4, § 7 of the Regulation, as it determines the purposes and means of processing personal data of natural persons.

DATA ON THE DATA CONTROLLER  
Name MEDICAL TECHNICS ENGINEERING Ltd. (abbreviated as MTE Ltd.)
UIC 831641528
Seat and registered address zh.k. Mladost 1, 28B, Dimitar Mollov Str.; 1750 Sofia
Manager Yonka Hristova Getova-Hristanova,
Contact person Simona Slavcheva
Telephone 02/4627120
Email info@mte-online.com

If you have any questions, need additional information or have suggestions regarding the processing of personal data or their protection, you can contact us using the contact details indicated above.

II. TERMS USED AND THEIR MEANING

For the purposes of this Policy, the terms used therein shall have the following meaning:

  • “controller” means a natural or legal person, a public authority, an agency or any other body or structure that alone or jointly with others determines the purposes and means of processing personal data;
  • “personal data” means any information relating to an identified or identifiable natural person, including identifiers such as name, identification number (personal ID number, personal number of a foreigner, etc.), location data (geolocalisation), online identifier (e.g. IP) or one or more factors specific to the physical, physiological, genetic, psychological, mental, economic, cultural or social identity of that natural person;
    Processing of special categories of personal data is prohibited, except in several explicit assumptions described in Article 9, § 2 of the Regulation. Such data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the sole purpose of identifying a natural person, data on the health status or data on the sex life or sexual orientation of the natural person.
  • “supervisory authority” means an independent public body responsible for monitoring the application of the Regulation in order to protect the fundamental rights and freedoms of natural persons with regard to processing and to facilitate the free movement of personal data within the Union;
  • “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  • “processing” means any operation or a set of operations carried out on personal data or on a set of personal data by automated (electronic) means or by other means (paper) such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making the data available, arranging or combining, limitation, deletion or destruction;
  • “processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • “risk” means the possibility of material or non-material damage to the data subject under certain conditions, assessed in terms of severity and probability.
  • “data subject’s consent” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes, by means of a statement or a clear affirmative action, stating the data subject’s consent to the processing of personal data relating to him or her;
  • “data subject” means, for the purposes of this Privacy Policy, a natural person whose personal data are the subject of processing by the controller in the framework of the activities of MTE Ltd.;
  • “destruction” is the irreversible physical destruction of the data carrier.

Terms not defined in the text above shall have the meaning given to them in Regulation (EU) 2016/679 (the full text of the Regulation is available at: https://eur-lex.europa.eu/legal-content/BG/TXT/?uri=celex%3A32016R0679).

III. CATEGORIES OF DATA, PURPOSES, LEGAL GROUNDS AND RETENTION PERIODS

The processing of personal data for the purposes of human resource management, including carrying out the selection of staff and processing of personal data of current and former employees of MTE Ltd. is detailed in the company’s Internal Rules on the Protection of Personal Data with which the persons concerned are familiar, therefore this category of data subjects will not be covered by this Policy.

In addition to its employees on the basis of a statutory obligation, Medical Technics Engineering Ltd. does not process personal data falling within the scope of the special categories of personal data, namely: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the sole purpose of identifying a natural person, data on the health status or data on the sex life or sexual orientation of the natural person.

(A) Personal data received from the subject (described in the table below)

Category of subjects Categories and types of personal data Purpose of processing Grounds and retention period
  • Customers
  • Suppliers
  • Data on your physical identity (for the conclusion of contracts with natural persons): Full name, personal ID number/personal number of a foreigner, passport data, address, telephone, e-mail;
  • In the case of counterparties – legal entities: full name of the legal representative of the company, two names of the contact person under the contract, e-mail and telephone, or data on his/her social identity: place of work and position;

 

Individualization of the legal relationship with the persons concerned;

2. Information provision for activities relating to the existence, modification and termination of the legal relationship and the preparation of all relevant documents (contracts, records of handover, invoices, etc.);

3. The exchange of correspondence relating to the performance of contractual obligations;

4. Compliance with the legal requirements of the Commerce Act, the Accountancy Act, the Corporate Income Tax Act, etc

  • Under points 1– 3: Conclusion or performance of a contract pursuant to Article 6, § 1 (b) of the Regulation; Period: up to 5 years from the termination of the contract basis;

 

 

 

 

 

  • Under point 4: Statutory obligation under Article 6, § 1 (c) of the Regulation; Period: depending on the relevant obligation: e.g. Article 12, Para 1 of the Accountancy Act;.
  • Visitors;

 

  • Customers and suppliers;
  • Video-surveillance records (video image)

 

Ensuring the physical integrity of the company’s property as well as of the staff and the visitors; Legitimate interest pursuant to Article 6, § 1 (f) of the Regulation1; Period: 1 month.
  • Visitors to the website using the contact form or making direct inquiries to the company’s e-mail;

 

  • Other persons making inquiries and initiating correspondence;
  • Data on your physical identity: two or three names;
  • Contact details: telephone or e-mail address.
  • Other information that you have provided in your inquiry (which cannot be identified in advance).
Processing of the inquiry and providing a response and assistance in relation to the subject of the correspondence; in certain cases, specifying a contractual relationship;

Pre-contractual relationship – Article 6, § 1 (b) of the Regulation

or

Legitimate interest – Article 6, § 1 (f) of the Regulation2

 

Period: Up to 1 year, unless the correspondence relates to a pre-contractual relationship;

  • Persons exercising the rights provided for in the Regulation as well as persons affected by a breach of security
  • Data on your physical identity: Full name, personal ID number/personal number of a foreigner, or any other similar identifier;
The implementation of statutory obligations pursuant to Regulation (EU) 2016/679 and the Personal Data Protection Act.

Statutory obligation under Article 6, § 1 (b) of the Regulation;

Period: 5 years since the last action.

  • Log files/system records

Technical information: IP address, browser type, internet service provider

 

Website administration, analysis of visits and user activity.

Legitimate interest – Article 6, § 1 (f) of the Regulation

Period: ………..

1 При поискване можем да Ви предоставим балансиращ тест, свързан с обработването на тези данни въз основа на легитимния интерес на “МТИ” ООД.

2 При поискване можем да Ви предоставим балансиращ тест, свързан с обработването на тези данни въз основа на легитимния интерес на “МТИ” ООД.

 

Where, for a particular type of document, the prescribed legal period is longer than that indicated in the table above, the controller shall apply the legal period. In case you wish to receive information about a period of retention of a particular document, do not hesitate to contact us using the contact details indicated in this Policy.

The company does not carry out or use technologies for automated decision making or profiling..

fter the expiry of the time limits for processing personal data, they shall be anonymised or deleted/destroyed, unless:

  • they are necessary for a pending judicial, arbitral, administrative or enforcement proceeding, or
  • the relevant subject has exercised his/her right to request restriction of the processing of personal data concerning him or her.

(B) Personal data obtained through the use of cookies

For more information on the cookies used on https://mte-bg.com/, see https://mte-bg.com/en/cookie-policy/.

IV. WHAT RIGHTS DO YOU HAVE AND HOW TO EXERCISE THEM?

In case of MTE Ltd. processing your data, you have the following rights:

1. Right of access
You have the right to obtain confirmation as to whether we are processing personal data relating to you. In case we process such data, we will provide you with a copy of the data as well as the following information:

  • purposes of processing;
  • relevant categories of personal data;
  • the recipients or categories of recipients to whom the personal data are or will be disclosed;
  • where possible, the envisaged period for which the personal data will be stored and, where not possible, the criteria for its determination;
  • the existence of the right to request from the controller to rectify or delete personal data or restrict the processing of personal data relating to the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information on their source;
  • the existence of automated decision-making, including profiling (with relevant information on the logic used and the meaning and consequences of such processing).

In case the documents containing personal data on the subject contain personal data of other persons, they will be deleted in an appropriate manner.

2. Right to rectification
You have the right to ask us to rectify the personal data we process relating to you if they are inaccurate. If you wish us to supplement your personal data, you will need to provide a declaration/application containing the relevant information.

Once we have received your request, we will rectify/supplement the data as soon as possible.

3. The right to erasure (the so-called right to be forgotten)

You have the right to request the deletion of personal data relating to you which will be deleted, where any of the following grounds apply:

  • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • you withdraw your consent on which the processing of the data is based and we do not have any other legal basis for processing them;
  • you object to the processing and there are no overriding legitimate grounds for the processing;
    Where you have objected to processing carried out for marketing purposes, the reasons shall not be analysed and the data shall be deleted.
  • your personal data have been unlawfully processed;
  • personal data must be deleted in order to comply with a legal obligation under the EU or Bulgarian law;
  • personal data have been collected in connection with the provision of information society services.
    An information society service is any service normally provided for remuneration, at a distance, by electronic means and at the individual request of the recipient of services.

Even if any of the situations described above is present, we will not delete your personal data when processing is necessary for:

  • the exercise of the right to freedom of expression and the right to information;
  • compliance with a legal obligation requiring processing provided for in the EU or Bulgarian law, or for the performance of a task carried out in the public interest or in the exercise of official powers of the controller;
  • the establishment, exercise or defence of legal claims;
  • two other specific assumptions set out in Article 17, § 3 (c) and (d) of the Regulation.

4. Right to restriction of processing
You have the right to ask us to restrict processing when one of the following applies:

  • you contest the accuracy of the personal data. In this case, the restriction is carried out for the period necessary for MTE Ltd. to check the accuracy of the data;
  • The processing is unlawful, but you want the use of the personal data to be restricted instead of deleted;
  • MTE Ltd. no longer needs the personal data for the purposes of processing, but they are required by you for the establishment, exercise or defence of legal claims;
  • You have objected to the processing pending the verification whether the legitimate interests of MTE Ltd. override your interests;

The controller will inform any person to whom data have been disclosed that have been corrected, deleted or restricted, except where this is impossible or requires a disproportionate effort. If you wish, we will inform you about who these persons are.

5. Right to data portability
You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and to ask to transmit them to another controller of your choice. In order to take such action, the following two prerequisites must be in place:

  • the processing is based on consent or contractual obligation; and
  • data are to be processed in an automated manner.

6. Right to object

You have the right to object to the processing of your personal data when it is based on:

  • performance of a task carried out for reasons of public interest or exercising official powers vested in the controller, or
  • a legitimate interest.

We will stop processing your data immediately if we are not able to prove that there are compelling legitimate grounds for processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

When processing is carried out for marketing purposes, we will stop processing your data as soon as we process your request.

7. Right to withdraw the consent

Where your data processing is based on consent, you have the right to withdraw consent at any time by informing us using the contact details specified.

How to exercise the rights described above?

1. If you wish to exercise any of your rights, please download the application from HERE and fill in the required information. The application was created for your convenience, but is not mandatory.

If you prefer, you can also send us a request in a free form, which must contain the following information:

  • your full name;
  • personal ID number/personal number of a foreigner or other equivalent identifier (only if you have provided us with such information so far);
  • address:
  • mailing address;
  • description of the request;
  • preferred form for response and information;
  • signature;
  • date of submission.

2. Please send your application in one of the following ways:

  • by e-mail to info@mte–online.com under the terms of the Electronic Document and Electronic Trust Services Act (EDETSA), the Electronic Government Act (EGA) or the Electronic Identification Act (eID).
  • by post or in person at: zh.k. Mladost 1, 28B, Dimitar Mollov Str.; 1750 Sofia

Where the application is filed by an authorized person, a power of attorney must be attached to the application.

3. Once we have examined your application, we will analyse its content and, if necessary, ask for further information. You will receive information about its processing within one month of being sent in the way you have indicated as the preferred manner of communication.

4. In case you need assistance in filling in the form provided by us, you may contact us using the contact details indicated in this Policy. We have prepared instructions for your convenience: (hyperlink)

You should bear in mind that MTE Ltd. can refuse to satisfy all or part of the rights described above where satisfying them would create a risk to public order and security, the prevention, investigation, detection or prosecution of criminal offences or the execution of the penalties imposed, including the protection from and the prevention of threats to public order and security, other important objectives of general public interest and in particular important economic or financial interest, including monetary, budgetary and fiscal matters, public health and social security, the protection of the data subject or of the rights and freedoms of others or the enforcement in civil actions.

In addition to the rights described above, you have the option to:

1. Lodge a complaint with a supervisory authority

Each data subject shall have the right to lodge a complaint with a supervisory authority where he or she considers that the processing of personal data concerning him or her infringes the provisions of the Regulation or the Personal Data Protection Act. In case the subject has his/her place of work or usual residence in the Republic of Bulgaria, as well as where the offence has been committed in the Republic of Bulgaria, the latter should refer the matter to the Commission for Personal Data Protection (CPDP) within 6 months of becoming aware of the offence, but no later than 2 years after its commitment, by lodging a complaint by letter, fax or electronic means under the EDETSA procedure.

Following the entry into force of the Regulation, data subjects may also lodge complaints with other supervisory authorities within the European Union, where provided for in the Regulation.

2. Lodge a complaint with the competent administrative court

Without prejudice to your right to lodge a complaint with the CPDP, as described in point 1, you have the option to lodge a complaint with the competent administrative court when you believe that your rights under the Regulation/PDPA have been infringed as a result of the processing of your personal data.

3. Right to compensation and liability for damage caused

If you have suffered material or non-material damage as a result of a breach of the Regulation, you have the right to obtain compensation from the controller for the damage suffered.

V. INFORMATION ON THE SUPERVISORY AUTHORITY

The supervisory authority competent in the territory of the Republic of Bulgaria is the Commission for Personal Data Protection (CPDP).

Contact details of CPDP:
Address:2, Prof. Tsvetan Lazarov Blvd., 1592 Sofia
E-mail: kzld@cpdp.bg
Website: www.cpdp.bg
Information and Contact Centre – тел. 02/91-53-518

VI. TO WHOM DO WE PROVIDE THE PERSONAL DATA RELATING TO YOU?

Your personal data shall be provided to:

  • competent public authorities, in compliance with legal provisions or other statutory obligations, including the National Revenue Agency, the National Council on Prices and Reimbursement of Medicinal Products, etc.;
  • our partners with whom we have concluded contracts for the provision of various services, including lawyers, IT support companies, licensed postal operators, etc. (all of whom are established on the territory of the Republic of Bulgaria).

All our partners comply with the requirements of Regulation (EU) 2016/679, and those who perform as processors on behalf of MTE Ltd. have made such commitments through the agreements on the protection of personal data concluded with us (in accordance with Article 28, §3 of the Regulation).

Your personal data shall not be made available to any other person within the EU or to third countries or international organisations.

VII. SECURITY MEASURES

In order to ensure the security of your personal data, many protection measures have been taken, including:

  • integrated SSL certificate;
  • re-routing all links in the website from http:/ to https://; setting up the loading of all .html, .css, .js files through https:///; forcing the site to load via an encrypted connection and https:/; secure identification and authentication of the persons processing personal data on behalf of the company;
  • keeping operational systems up-to-date;
  • maintenance of anti-virus programmes in an up-to-date state;
  • other measures to protect buildings, premises and facilities where personal data are processed and stored, as detailed in the company’s Internal Rules;
  • limited access of employees to information resources according to the need-to-know principle;
    documented procedures for the processing of personal data of natural persons, etc.

CLOSING INFORMATION

§1. Medical Technics Engineering Ltd. makes efforts to ensure that personal data processed concerning all individuals are kept up to date (and, where necessary, corrected) and that no data is stored that is not necessary to achieve the objectives described in this Policy.

§2. All amendments and supplements to the Privacy Policy will be implemented after publication of its updated content available on our website. If the amendments are substantial and/or substantive, in accordance with the Guidelines on Transparency under Regulation 2016/679 of the Article 29 Working Party (now the European Data Protection Board) adopted on 29.11.2017, last revised on 11.04.2018, we will inform you about them via a pop-up message on our website, or by e-mail to your e-mail address, where available.