Privacy policy

Introduction

SAT Health is a joint-stock company, established in Sofia in 2017. The current registration number is UIC 204705650. The company specializes in gathering, processing and analyzing data, delivering Patient Support Programs, and providing consulting services and solutions for the healthcare sector. Our registered office address is: 4-6 Racho Petkov-Kazandzhiata str., Business Center Matrix Tower, Floor 2, Office 2, Sofia 1766, Bulgaria; e-mail: office@sathealth.com.

As a controller of personal data, we at SAT Health take due care to protect the confidentiality of all categories of personal data that we receive, collect, process and store, in accordance with the applicable legal requirements.

With this privacy policy (the Policy) we inform you about the internal rules established in SAT Health for processing the personal information we receive or collect, and about your rights regarding the protection of your personal data.

We urge you to read this document carefully. When you provide us with your personal data by logging onto our website or through other channels, you agree to and accept the internal rules for processing and protecting your personal information defined here.


Personal Data Processing

Personal data covers any information relating to an identified or identifiable individual, such as (but not limited to) a name, address, e-mail address or phone number. Information that is not directly related to your identity is outside the scope of this Policy.

At SAT Health we process personal data in compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), referred to below as "Regulation (EU) 2016/679".

We strictly follow the Article 5 principles relating to the processing of personal data: lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality. We collect personal data for legitimate purposes only. Data is processed and used solely for the purposes initially declared and/or as required by the applicable law.

SAT Health has implemented an Information Security Management System (ISMS), certified to ISO/IEC 27001. We strive to ensure that all personal data is processed in a manner that provides appropriate protection against unauthorized or unlawful processing. Appropriate organizational and technical security measures, selected on the basis of risk assessment, are implemented and maintained to safeguard against unauthorized or unlawful processing and against accidental loss, destruction or damage of data. We have processes in place to make sure that only those people in our organization who need to access your data can do so.

Our ISMS is subject to regular information security audits by an internationally recognized certification body and is maintained in compliance with the standard. You can see our ISO/IEC 27001 ISMS certificate on our website.

We gather and process the following types of personal data:

names;

contact information (address, telephone number, mobile number, e-mail address, etc.);

medical information;

other information relevant to your participation in specialized patient support programmes.

This personal data is needed to provide you with the desired services and products. Whether you are comfortable with your personal data being processed as described above is your free personal choice. If you choose not to provide us with your personal data, we may not be able to offer you some or all of the services and products provided by SAT Health.

Use of Cookies

As is common practice for websites, our website uses so-called cookies. These are small text files which your browser stores on your device. Cookies cause no damage to your device: they do not execute code and cannot read other files or data on your device. We use cookies to analyze traffic, to personalize the services and products we offer, and to optimize the functions of our website.

As with most other commercial websites, we also automatically collect certain information, which is stored in log files. This information includes internet protocol addresses (IP addresses), the type of browser used, the internet service provider (ISP), referring and exit pages, operating system, date and time, the volume of data transferred, and clickstream data. Additionally, we use pixel tags (small image files) that tell us which areas of the website customers have visited and/or measure the effectiveness of customer search requests on our website.

Some cookies are stored on your device until you delete them. They enable us to recognize your browser automatically the next time it accesses our website.

If you wish, you can adjust your browser's settings so that it informs you when a cookie is about to be placed, allowing you to accept cookies case by case.

Whilst the deactivation or rejection of cookies may restrict the functionality of our website, it will not prevent the website from working.


Data Processing

We collect personal data from you for one or more of the following purposes:

to identify you as a user and to provide you with information that you have requested;

to provide you with information that we believe may be relevant to a subject in which you have demonstrated an interest;

to manage any communication between you and our company;

to fulfil a contract with you or with a company/entity that you represent;

to provide access to a service and/or a product on request;

to ensure the protection and safe operation of our website (and the underlying business infrastructure);

to meet the applicable legal and fiscal compliance requirements related to the services we provide for you (e.g. statistics, taxation, insurance, income management, etc.);

for our legitimate interests.

Where we collect personal data from you on the basis of our legitimate interest, we first carry out a preliminary assessment of whether the processing of that data is appropriate. The assessment has three steps: a) a purpose test, to verify that there is a solid legitimate interest behind the planned processing; b) a necessity test, to confirm that the processing is necessary for that purpose; and c) a balancing test, to assess whether the legitimate interest is overridden by the individual's interests, rights or freedoms.

Communication

We may communicate with you by electronic means (SMS or e-mail) to provide you with relevant information about products and services in which you have expressed interest, or which are similar to those we have provided for you in the past.

If you wish us to discontinue the use of your personal data for this purpose, please send an e-mail to compliance@sathealth.com.

Information Disclosure

We undertake not to sell, exchange or rent out your personal data to third parties in any form. The personal data collected is used only for the purposes stated above. We may provide access to your personal information, and allow its processing for strictly defined purposes, to strictly defined third parties, which in these cases act as processors of personal data on behalf of the controller of your personal data, SAT Health.

These third parties may be:

•providers and subcontractors engaged for the performance of a contract concluded with you or for the provision of services requested by you, such as providers of IT, communication or logistics services, or providers of assistance to patients before the competent government organizations;

•providers of logistics in connection with specialized trainings offered by SAT Health, including transport, accommodation and similar;

•providers of technical solutions, such as bulk e-mail or text messaging, that allow us to send you information, including product information or customer satisfaction surveys, if you have consented to receive such information.

SAT Health signs contracts (or annexes to existing contracts) with the processors of personal data, binding them to abide by the principles of legality, transparency and security while processing personal data.

We reserve the right to conduct on-site audits of the methods used by the processors to protect the personal data we provide to them for processing. The processors of personal data are obliged not to obstruct the performance of such audits and to assist in their conduct without undue delay.

If you do not wish us to share your personal information with the above categories of third parties for the purposes described above, please contact us by e-mail at compliance@sathealth.com, by SMS, or by calling +359 882 727 270.

Your personal information may be shared with the competent authorities if we are obliged to fulfil a legal obligation, to protect our rights or property, or to ensure the safety of our users or others.

Data storage and retention period

All personal data provided by you or gathered about you is stored in a dedicated protected environment in a specialized data centre in Bulgaria. Only our employees have access to the data, on a need-to-know basis. All our staff are ISMS trained. The company operating the data centre has independently implemented an ISO/IEC 27001 certified ISMS.

We will take all steps that are reasonably necessary to ensure that the personal data provided by you is stored and processed safely, in accordance with the conditions set out in this Privacy Policy and in accordance with the applicable regulations.

If a need arises to transfer your personal data to a third party for processing within the scope of the purposes predefined and agreed with you, we shall request your approval accordingly. No transfer takes place before we have obtained your explicit confirmation.

We store personal data for as long as it is necessary for the business relationship or required under law. Access to our website, and to files found on the website, is logged. The storage of data in our internal system is strictly business-related; it may also be done for statistical purposes and follows internal retention periods. The following information is logged: the name of the accessed file, the date and time of access, the amount of data transferred, notice of successful access, the web browser, and the IP address of the requesting computer. The activities of all persons that access the site are also logged. This information may be accessible to our partners. The data may also be used to improve the website and to target communication with clients in order to improve their satisfaction with the products and services we provide.

By providing your personal data, you agree to the conditions described in this Policy for its storage, processing and transfer to third parties.

Due Care

A password is required to access the user account you create to use the services and products provided through our site. You must keep it secret and not share it with anyone. We strongly urge you to inform us and change your password immediately if it is compromised for any reason. If your password is used by others, you are responsible for any action taken through your account.

Unfortunately, as we all know, the transmission of information over the Internet is not completely secure. While we do our best to protect your personal information, we cannot guarantee its security while it is in transit over the Internet to our site. Once received on our site, your personal information is protected through strict policies, procedures and security controls intended to prevent unauthorized access, modification or deletion.

If you wish to use our products and services for an extended period of time, and with your explicit consent, we undertake to store your personal data (names, contact details and other personal information provided by you) in a secure environment until you withdraw your consent. However, if you stop using our products and services for more than 48 months, we will permanently delete your personal data. If after this period you decide to use our products and services again, you will need to register anew with your current personal data.

Protection of your rights

You have the right to access the information that relates to you. You may request to be informed whether and how your personal data is being processed. We will perform a thorough check and inform you in writing via your preferred contact channel.

You may also request that the personal data we process be corrected to keep it up to date. When updating your personal data, you should send us verified information. We undertake to enter it in the relevant registers without changes. It will be your responsibility if the data processed after the change turns out to be inaccurate.

You have the right at any time to ask us to suspend, for a period of time or permanently, the processing of your personal data for one or more of the purposes stated in this Policy. You also have the right to request that your personal data processed by SAT Health be deleted.

Requests to exercise the rights listed above should be sent to us by e-mail at compliance@sathealth.com, by SMS, or by calling +359 882 727 270.

Upon receipt of a request for deletion of your personal data, we undertake, within the statutory deadlines, to make a thorough check and delete all available personal data, except any data which we are obliged to keep by virtue of a regulatory requirement. In some cases, we may need to temporarily retain as much of your personal information as is necessary to protect our interests in resolving disputes and issues, and to take other actions permitted by law.

Should such a situation arise, as in all other cases related to the management of your personal data processed by us, you will be promptly notified in writing via your preferred contact channel.

Objections and complaints

We readily accept any questions, comments, objections, complaints and requests for clarification regarding the management of personal data of data subjects in SAT Health. The same applies to this Privacy Policy. You may contact us on these issues by e-mail at office@sathealth.com or compliance@sathealth.com, or by calling or sending an SMS to +359 889 355 725.

The Commission for Personal Data Protection (CPDP) is the authorized body for monitoring the application of the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. It can be contacted at: Blvd. "Prof. Tsvetan Lazarov" 2, 1592 Sofia, by fax on 029153525, and electronically at the CPDP's e-mail address (kzld@cpdp.bg) with an electronic document signed with a qualified electronic signature.

This Policy is subject to update in the event of changes in the applicable legislation or changes in the processes managed in SAT Health. Updated versions of the Policy will be made available on the Company's website.

Note:

For the purposes of this Policy, the terms "personal data" and "personal information" are used interchangeably to avoid repetitiveness in several passages.

Definitions

(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Date of last update: 25.11.2020

Additional Definitions

(3) ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future.

(4) ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

(5) ‘pseudonymization’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

(6) ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.

(7) ‘controller’ means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

(8) ‘processor’ means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

(9) ‘recipient’ means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

(10) ‘third party’ means a natural or legal person, public authority, agency, or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

(11) ‘consent’ of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

(12) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

(13) ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

(14) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data.

(15) ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.