These Rules (“Rules“) shall regulate the conditions and the procedure in accordance with which the natural persons whose personal data are processed by Sopharma AD, UIC (Unified Identification Code) 831902088 (“Sopharma“, the “Company“), may exercise their rights in conformity with the legislation for personal data protection.
Part 1: General Principles
- Sopharma processes and protects the personal data collected at the implementation of the activities of the Company, honestly, in conformity with the law and in accordance with the objectives, which the data are collected for.
- The employees who as a part of their labor obligations process personal data for the purposes of the production and sale of medicinal products or servicing customers – natural persons, as well as the employees who process personal data related to the human resources, counteragents and natural persons – shareholders of Sopharma, shall observe the following principles at the processing of personal data:
- i)The personal data shall be processed in conformity with the law and bona fide.
- ii) The personal data shall be collected for specific, exactly determined and in conformity with the law objectives and shall not be processed additionally in a manner incompatible with these purposes.
- iii)The personal data, which are collected and processed at the management of the human resources are commensurate, related to and not exceeding the objectives they are processed for.
- iv)The personal data are accurate and they shall be updated in events of need.
- v) The personal data shall be erased or rectified when it is established that they are inaccurate or disproportionate with regard to the purposes they are processed for.
- vi)The personal data shall be maintained in a kind which shall allow the identification of the relevant natural persons for a period not longer than the needed for the purposes these data were collected for.
- The employees, who process personal data, pass through initial and periodic training for confidentiality of the data and get acquainted with the applicable legislation.
Part 2: Definitions
The definitions enumerated herein below shall have the following meaning:
- ”Personal data“ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Applicable legislation“ means the legislation of the European Union and of the Republic of Bulgaria which is relevant for the personal data protection;
”Profiling“ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
“Data subject“ means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
”Regulation (EU) 2016/679“ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), promulgated in the Official Journal of the European Union on 4 May 2016.
Part 3: Rights of data subjects
The data subjects shall have the following rights with regard to their personal data:
- i) Right of access;
- ii) Right to rectification;
- iii) Right to data portability;
- iv) Right to erasure (right “to be forgotten“);
- v) Right to request restriction of processing;
- vi) Right to object to personal data processing;
- vii) Right of the personal data subject not to be subject to a decision based solely on automated processing, whether profiling is included or not.
Right of access
- At request, Sopharma shall present the following information to the personal data subject:
- i) Information whether Sopharma processes or does not process the personal data of the subject;
- ii) A copy of the personal data of the subject which are processed by Sopharma, and
- iii) Explanation about the data processed
- The explanation pursuant to Art. 2.1. (iii) shall include the following information about the personal data processed by Sopharma:
- i) the purposes of the processing;
- ii) the categories of personal data concerned;
- iii) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
- iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- v) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- vi) the right to lodge a complaint with a supervisory authority;
- vii) where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling or not, and information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- ix) Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
- The explanation about the processed data contains the information which Sopharma presents to the data subjects through privacy notifications.
- At request by the personal data subject, Sopharma may present a copy of the personal data, which are being processed.
- At the provision of a copy of personal data, Sopharma shall not disclose the following categories of data:
- i) Personal data of third persons unless the same have expressed their explicit consent for the purpose;
- ii) Data which constitute trade secrecy, intellectual property or confidential information;
- iii) Other information which is protected in conformity with the applicable legislation
- The provision of access of personal data subject may not exert adverse impact over the rights and freedoms of third persons or result in breach of a legislative obligation of Sopharma.
Right to rectification
4.1. Data subjects may request that their personal data processed by Sopharma should be rectified in event that the latter are inaccurate or incomplete.
4.2. With a satisfied request for rectification of personal data, Sopharma shall notify the other recipients, whom the data were disclosed to (for instance state authorities, providers of services), so that they may reflect the alterations.
Right to erasure (right “to be forgotten“)
- At request, Sopharma shall be obligated to erase personal data, if any of the following grounds are available at hand:
- i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- ii) the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
- iii) the data subject objects to the processing and there are no overriding legitimate grounds for the processing
- iv) the data subject objects to the processing of personal data for the purposes of the direct marketing;
- v) the personal data have been unlawfully processed;
- vi) the personal data have to be erased for compliance with a legal obligation of Sopharma;
- vii) the personal data have been collected in relation to the offer of information society services referred to in Article 8, Paragraph 1 of Regulation (EU) 2016/679
- Sopharma shall not be obligated to erase the personal data, in so far as the processing is needed:
- i) For exercising the right of freedom of expression and information;
- ii) For observation of a legal obligation of Sopharma;
- iii) For reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9, Paragraph 2 as well as Article 9, Paragraph 3 of Regulation (EU) 2016/679;
- iv) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89, Paragraph 1 of Regulation (EU) 2016/679 in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- v) for the establishment, exercise or defense of legal claims.
Right of restriction of the processing
6.1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- i) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- Sopharma no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
- iv) the data subject has objected to processing on the grounds of the legitimate interest of Sopharma pending the verification whether the legitimate grounds of the controller override those of the data subject.
- Sopharma may process personal data, whose processing is restricted solely for the following objectives:
- i) For storage of the data
- ii) With the consent of the data subject;
- iii) For the establishment, the exercise or defense of legal claims;
- iv) For protection of the rights of another natural person; or
- v) Due to important grounds of public interest
6.3. When a data subject who has requested restriction of processing and there are any of the grounds pursuant to Art. 6.1. hereinabove available at hand, Sopharma shall inform him before the restriction of processing is lifted.
Right to data portability
7.1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to Sopharma in a structured, commonly used and machine-readable format.
7.2. At request these data may be transmitted to another controller indicated by the data subject where this is technically feasible.
7.3. The data subject may exercise the right to portability in the following events:
| i) Where the processing is made on the grounds of the consent of the data subject;
ii) Where processing is made on the grounds of a contractual obligation;
iii) the processing is carried out by automated means
7.4. The right to portability shall not adversely affect the rights and freedoms of others.
Right to object
- The data subject shall have the right to object to the processing of his or her personal data by Sopharma, if the data are processed on the basis of one of the following grounds:
- i) The processing is necessary for the performance of a task carried out for reasons of public interest or at the exercise of official powers granted to the controller;
- ii) The processing is needed for objectives related to the legitimate interests of Sopharma or of a third party;
- iii) The data processing includes profiling
- Sopharma shall terminate the processing of the personal data, unless it proves that there are convincing legal grounds for its continuation overriding the interests, the rights and the freedoms of the data subject or for the establishment, exercise or defense of legal claims.
Right to object to personal data processing for the purposes of the direct marketing
9.1. Where personal data are processed for the purposes of the direct marketing, the data subject shall be entitled at any time to make an objection to the processing of personal data for the purpose, inclusive of with regard to profiling related to direct marketing.
9.2. Where the data subject objects to processing for the purposes of the direct marketing, the processing of personal data for these purposes shall be terminated.
Right of human interference at automated decision-making
10.1. In the events when Sopharma makes automated individual decisions, whether with the help of profiling or not, which generate legal consequences for natural persons or concern them to a significant degree in a similar manner, these persons may request reconsideration of the decision with human interference as well as express their point of view.
10.2. Sopharma shall present to natural persons-subject to automated decision-making substantial information about the logic used as well as with regard to the significance and the anticipated consequences of this processing for the person.
Part 4: Procedure for exercise of the rights of the data subjects
11.1. The data subjects may exercise the rights in conformity with these Rules submitting a request for the exercise of the relevant right.
11.2. Requests for exercise of the rights of the data subjects may be submitted in the following manner:
- i) In an electronic manner at the following e-mail address: email@example.com
- ii) On the spot in an office of Sopharma
iii) By mail – at the address of the Head Office of Sopharma: city of Sofia, zip code 1220, district of Nadezhda, 16, Iliensko Shose Street.
11.3. The request for exercise of rights related to the protection of the personal data shall contain the following information:
- i) Identification of the person – name and PIN (when applicable)
- ii) Feedback contacts – address, telephone, electronic mail
- iii) Request – description of the request and indication of the manner of receipt of an answer / correspondence related to the request.
11.4. Sopharma provides information about the actions undertaken in connection with a request for exercise of the rights of the subjects, within a term of one month from the receipt of the request.
11.5. In events of need this term may be extended by another two months taking into consideration the complexity and the number of the requests from a certain person. Sopharma shall notify the person about each such extension within a term of one month from the receipt of the request indicating also the reasons for the delay.
11.6. Sopharma shall not owe answers to requests in the events when the Company is not in a position to identify the data subject.
11.7. Sopharma may request the provision of additional information needed for the confirmation of the identity of the data subject when there are well-grounded apprehensions in connection with the identity of the natural person who submits such a request.
11.8. When the requests for exercise of rights of the subjects are evidently groundless or excessive, in particular due to their repeatability, Sopharma may charge a reasonable fee on the grounds of the administrative costs for the provision of the information or refuse to answer the request for exercise of rights. Sopharma shall assess for each individual event whether a certain request is evidently groundless or excessive.
11.9. All the requests of the data subjects for exercise of rights which were already fully satisfied or which to a great degree overlap with already satisfied requests regardless of the periods and time intervals which elapsed between the individual requests, unless a change occurred in the data or other parameters of the processing after the first request was satisfied, shall be reported as excessive. For instance, in event that a certain request was satisfied and a new request follows up for the exercise of the same right, and no new information was received in the meantime and no additional personal data of the subject are processed, the request in question shall be reported as excessive due to its repeatability. In such events it is possible that Sopharma should refuse to answer the request or should charge a reasonable fee based on the administrative costs for its being taken into consideration.
11.10. In event of refusal for provision of access to personal data, Sopharma shall back up its refusal with arguments and shall inform the data subject about his/her right to lodge a complaint to the Commission for Personal Data Protection (CPDP).
11.11. When the request was submitted by electronic means, if possible, the information shall be provided by electronic means unless the data subject requested otherwise.
11.12. These Rules may be periodically updated to reflect the alterations in the practices for protection of the personal data of persons whose data are processed by Sopharma.
11.12. These Rules shall enter into force from 25.05.2018.