PERSONAL DATA PROTECTION
NOTICE ON CONFIDENTIAL PROCESSING OF PERSONAL DATA
The website you are visiting, medspacebg.com, is operated by MedSpace Medical Center Ltd., UIC: 20772907, with registered address: Sofia, Izgrev District, 8 Gen. Shteryu Atanasov St., Entrance B, 2nd floor, Apt. 8, hereinafter referred to simply as MedSpace.
This privacy notice aims to provide information in a clear and accessible manner regarding the processing of your personal data, the purposes for which the data are processed, the measures and safeguards for the protection of the processed data, your rights, and how you can exercise them, ensuring your confidence that the processing is lawful, fair, and transparent.
I. PERSONAL DATA CONTROLLER
The controller of your personal data is MedSpace Medical Center Ltd., UIC: 20772907, with registered address: Sofia, Izgrev District, 8 Gen. Shteryu Atanasov St., Entrance B, 2nd floor, Apt. 8.
If you have questions regarding the privacy of your personal data, you can contact us by sending an email to medspace@medspacebg.com or by phone at +359 882 12 12 15.
In conducting its activities as a commercial entity, MedSpace processes personal data of individuals (“data subjects”) strictly in compliance with the requirements of Regulation (EU) 2016/679, the Personal Data Protection Act, healthcare regulations, and the company’s internal data protection policies.
The team at the medical center recognizes the importance of the privacy of patients’ and counterparties’ personal data and respects it, taking all necessary measures to ensure their protection and processing in full compliance with national and European legislation. Special care is taken regarding children’s data.
II. KEY TERMS YOU SHOULD KNOW
“Personal data” means any information relating to an identified or identifiable natural person (such as name, identification number, location data, online identifier) (“data subject”).
“Processing” means any operation or set of operations performed on personal data, whether by automated or other means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Controller” means a natural or legal person, public authority, agency, or other body that alone or jointly determines the purposes and means of processing personal data.
“Health data” means personal data relating to the physical or mental health of an individual, including the provision of health services, which reveal information about their health status, as well as any other information contained in medical prescriptions, protocols, certificates, and other medical documentation.
“Recipient” means a natural or legal person, public authority, agency, or other body to whom personal data are disclosed in cases explicitly provided for, regardless of whether they are third parties.
III. PURPOSES OF PERSONAL DATA PROCESSING BY MEDSPACE
Your personal data are processed by MedSpace for one or more of the following purposes in accordance with legal provisions:
Providing services and/or information about our products and/or services upon your request.
Complying with our legal obligations as an outpatient medical institution, particularly under the Health Act, the Medical Institutions Act, and related regulations.
Complying with legal obligations related to accounting and tax reporting under the Accounting Act, the Corporate Income Tax Act, the Tax and Social Insurance Procedural Code, and other applicable regulations.
Conclusion and execution of a contract, including pre-contractual relations and correspondence.
Other lawful purposes, such as accounting, maintenance, improvement, and security of the website and software systems, and protection of the company’s legitimate interests, including judicial protection.
Protection of our legitimate interests, such as product and service sales via our website, provision of marketing and/or advertising information, remarketing, registration of user profiles on the website, quality administrative services, and other interests, provided they do not override the rights and freedoms of data subjects.
IV. LEGAL BASIS FOR PROCESSING PERSONAL DATA
Personal data are processed based on one or more of the following:
Your explicit, freely given, specific, informed, and unambiguous consent.
The necessity of processing for the performance of a contract between you and us or in connection with our intention to conclude such a contract, or based on legal obligations.
Processing necessary to comply with a legal obligation or to protect your or another person’s vital interests, and/or to safeguard our legitimate interests.
For health-related data, additional bases include:
Processing necessary to protect vital interests of the data subject or another individual where the data subject cannot give consent.
Processing necessary for preventive medicine, diagnosis, provision of health or social care, treatment, or pursuant to a contract with a healthcare professional.
Processing necessary to protect public health interests, e.g., against serious cross-border threats or ensuring high standards of healthcare and medical products.
MedSpace ensures that special categories of personal data are collected and processed under the supervision of medical professionals bound by professional secrecy.
Consent may be withdrawn at any time by the data subject in the same manner it was given, without affecting the lawfulness of prior processing based on that consent.
V. DATA SUBJECT GROUPS
MedSpace processes data of the following data subjects:
Individuals using the website.
Individuals submitting inquiries (including via phone), requests, complaints, or other correspondence.
Individuals whose information is included in inquiries, requests, complaints, or other correspondence submitted to MedSpace.
VI. CATEGORIES OF PERSONAL DATA PROCESSED
You decide how to use the services provided through the website. Mandatory and voluntary data fields are clearly indicated. Mandatory data are required to provide the requested services.
Basic personal information collected via contact forms or service requests: name, address, phone number, email.
For personalized advertising, remarketing, and website optimization: IP address.
For provision of requested health services: personal ID number, date of birth, ID document data, health data, medical conditions and treatments, test results (blood tests, X-rays, etc.).
Special categories of personal data, if necessary, including racial or ethnic origin, genetic data, gender, sexual life, social and family identity, to ensure proper diagnosis and treatment.
Video surveillance in public areas of the MedSpace facility for security purposes, with appropriate signage.
The website uses first-party and third-party cookies for site management, personalized advertising, performance measurement, and traffic analysis.
VII. PERSONAL DATA RECIPIENTS
MedSpace may disclose your data to:
Competent public authorities, including the Ministry of Health, regional health inspections, National Revenue Agency, National Social Security Institute, National Statistical Institute, or other government bodies.
Medical professionals in other healthcare facilities.
Subcontractors providing IT maintenance and system security.
Service providers, including courier, payment/banking, marketing/telemarketing, market research, and insurance companies.
Other entities as required by law.
Data transfer outside the EU is allowed only to entities that have signed standard contractual clauses approved by the European Commission or a supervisory authority.
For social media, access to platforms like Facebook, Instagram, TikTok, Google, YouTube, Twitter, etc., requires separate registration and acceptance of those platforms’ terms. MedSpace is not responsible for personal data protection under these terms.
VIII. DATA RETENTION PERIODS
MedSpace stores data according to the purpose of processing and legal retention periods:
User data: during the service and for 5 years afterward.
Inquiries and messages via forms, WhatsApp, Viber, email, or SMS: up to 2 months.
Accounting records: per legal requirements.
Medical treatment records: as required by law.
Security camera footage: up to 30 days.
Data access is restricted to staff involved in processing. Appropriate security measures prevent unauthorized access, alteration, disclosure, or loss. Procedures exist to address any suspected data breaches, with notifications to authorities and data subjects as legally required.
IX. YOUR RIGHTS AS A DATA SUBJECT
Access and obtain a copy of your personal data.
Request transfer of your data to another controller.
Correct inaccurate or outdated data.
Request deletion when: data are no longer needed, consent is withdrawn, processing is objected to, processing is unlawful, legal obligations require deletion, or data were collected for online services.
Restrict processing, in which case data will only be stored.
Withdraw consent at any time.
Object to certain processing, including direct marketing.
Not be subject to decisions based solely on automated processing, including profiling.
Submit a complaint to the supervisory authority: Commission for Personal Data Protection, Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd., www.cpdp.bg
Requests may be sent to medspace@medspacebg.com or +359 882 12 12 15.
X. VOLUNTARY DISPUTE RESOLUTION POLICY
MedSpace aims to voluntarily resolve any disputes regarding personal data processing. We encourage contacting our Data Protection Officer before filing a complaint with the supervisory authority.
This privacy notice was last updated on September 9, 2025, and complies with Regulation (EU) 2016/679 and the Bulgarian Personal Data Protection Act. Internal procedures ensure proper implementation and compliance with applicable law.
