INFORMATION FOR DATA SUBJECTS (persons working in each of the serviced enterprises)
1. Data controller: HEALTH & SAFETY OOD (H&S), UIC 200462197, head office: 72 Tsvetna Gradina Street, floor 3, Lozenets residential area, Sofia
2. Data protection officer: The data subjects can exercise their rights and receive additional information about the processing of personal data on behalf of the controller by contacting its data protection officer at the registered address, by email: firstname.lastname@example.org, or by phone: 0894 477 007.
3. Categories of collectable personal data:
3.1. Ordinary personal data: full name, address, e-mail, data about the position/occupation in the enterprise, about the workplace and the working conditions; factors of the working environment, physiological alternation of work and rest; General Practitioner (name, address of practice and telephone);
3.2. Personal ID number;
3.3. Special (sensitive) personal data concerning the health status, in particular: data about registered occupational diseases, accidents at work, rehabilitation and permanent or temporary disability; data from preliminary and regular medical examinations, in particular: copies of the card for preliminary medical examination, results from the mandatory medical examination, expert decisions of the Territorial Expert Medical Committees (TEMC) / the National Expert Medical Committee (NEMC), instruction by the territorial unit of the National Social Security Institute (NSSI) for acknowledgement of an accident at work, where such documents are available;
4. For what particular purposes the personal data are collected, stored and processed: the purposes defined by law in the Health and Safety at Work Act and Ordinance No. 3 of 25 January 2008 on the conditions and procedure for carrying out the activities of Occupational Health Offices, namely: preparation and maintenance of health records in electronic or paper format; preparation of a conclusion on the suitability of the employee to perform a certain type of work; monitoring, analysis and assessment of the health status in relation to the working conditions of all serviced employees, including those with higher sensitivity and reduced resistance; notification of the selected General Practitioner of a disease or of deviations in the physiological indicators of the employee that require diagnostic clarification or treatment; preparation of summarised analyses of the health status of the employees in each of the serviced enterprises in relation to the particular working conditions.
5. Categories of personal data recipients outside the company:
5.1. Personal data may be supplied to other processors assisting the controller for the achievement of the purposes under item 4 above, such as: hosting company, IT company supporting the information system, providers of legal or accounting services;
5.2. Under extraordinary circumstances, personal data may be supplied to a person who has acquired the economic activity of the controller, its assets, or respective parts of them; to the competent public authorities and in proceedings before them (the Labour Inspectorate, the Ministry of Health, the Regional Health Inspectorates, the National Social Security Institute (NSSI)); or to another person, when required by law;
5.3. Personal data shall not be transferred to or shared with any third parties outside the European Union or the European Economic Area;
6. Profiling: No profiling shall be carried out in personal data processing.
7. Storage period: The health records of the employees shall be kept for 50 years. This time limit is fixed by Ordinance No. 3 of 25 January 2008 on the conditions and procedure for carrying out the activities of Occupational Health Offices.
7.1. The health records of the employees shall be delivered and received ex officio between Occupational Health Offices, on paper or on an electronic medium, in the following cases:
- change of the place of employment, upon request by the office servicing the respective enterprise;
- termination of the contractual relations between the employer and the office, in which case the records are delivered to the new office servicing the enterprise.
7.2. If the enterprise terminates its activity, the health records of the employees shall be kept by the last office which has serviced the enterprise before such termination.
7.3. If the office servicing the enterprise terminates its activity, the health records of the employees shall be handed over to the employer, who shall keep them until a contract with a new office is concluded. The employer shall not have access to the data contained in the health records kept by it.
7.4. When the purposes and the time limit set out in the previous items have been fulfilled, the media carrying personal data shall be physically destroyed by shredding. The destruction shall be duly recorded in a protocol.
8. Security measures, undertaken for data protection:
8.1. The data are collected and processed in internet-based systems created especially for this purpose by the controller, hosted by "СУПЕРХОСТИНГ.БГ" and ICN.Bg and accessible over HTTPS.
8.2. The employees of the controller shall have a personal user name and password to log in to the system, which is designed with different levels of access. Access to personal data shall be permitted only to those persons who need the personal data for their work. Passwords shall be changed every month.
8.3. Logs are kept of the data processing operations carried out by each user in the automated processing system;
8.4. The employees of the controller shall receive refresher instruction on the rules governing work with the data on a quarterly basis;
8.5. The rooms where personal data are stored shall be protected by means of access control with smart cards, coded alarm signalling equipment and lockable cabinets; work with and storage of data on computer systems shall be secured with antivirus software and access passwords.
9. Rights of the subjects:
9.1. Right to information. The data subjects can exercise their rights and receive additional information about the processing of personal data on behalf of the controller by contacting its data protection officer at the registered address;
9.2. Right to access his/her health record and to have incorrect or incomplete data corrected or completed;
9.3. Right to erasure of data where the processing is unlawful or its legal basis has lapsed, for example: termination of the employment contract between the subject and the employer (a customer of the controller) and the start of a freelance business. Right to be notified of the correction or erasure of data.
9.4. Right to limit the data processing – in case of a legal dispute;
9.5. Right of objection – at any time, under the condition that there are no compelling legal grounds for processing the data;
9.6. Right to data portability;
9.7. Right to lodge a complaint with the Commission for Personal Data Protection and with the court;