Privacy and Personal Data Protection Policy

Introduction

This Privacy and Personal Data Protection Policy (“the Policy”) is adopted and approved by the Managing Director of MEDEX Ltd. (“the Company”) and governs the manner in which the Company collects, processes, and stores your personal data in accordance with the General Data Protection Regulation (EU) 2016/679, the Bulgarian Personal Data Protection Act, and other applicable national or international legislation.

The confidentiality of information related to the personal data of our employees, counterparties, and users of our services is a key priority for us. As a Data Controller, MEDEX Ltd. applies the required technical and organizational measures to ensure the protection of personal data in compliance with applicable legislation and Good Distribution Practices (GDP). The Company collects only the data necessary for carrying out its core activities—wholesale trade of medicinal products and medical devices; for providing our services; for operating our websites; and for marketing purposes.

This Policy provides information on how and what categories of personal data we collect, the purposes for which they are used, the parties to whom they may be disclosed, how they are protected, and the rights you have with respect to your data.

 

Definitions:

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.

“Processing” means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, distribution, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Regulation” refers to the General Data Protection Regulation (EU) 2016/679.

 

Please read this Policy carefully. By providing your personal data to MEDEX Ltd., whether electronically or in paper form, you acknowledge and agree to the practices described herein.

 

If you have any questions related to this Policy, please contact us. If you do not agree with any of its terms, we advise you not to use the products or services offered by MEDEX Ltd. that require the provision of personal data.

 

CONTACTS AND COMMUNICATION

Information regarding MEDEX Ltd. as a Data Controller:

 

Name: MEDEX Ltd.

UIC: 131268894

Registered address: 48 Chavdar Voyvoda St., Svetovrachene, Sofia, Bulgaria, 1252

Tel.: +359 (2) 405 1900

Fax: +359 (2) 405 1899

E-mail: office@medex.bg

Website: www.medex.bg

 

Supervisory authority:

Commission for Personal Data Protection 

Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592 

Tel.: +359 2 915 3518 

E-mail: kzld@government.bg; kzld@cpdp.bg 

Website: www.cpdp.bg

 

Right to lodge a complaint:

If you believe your rights have been violated, you may file a complaint with the Data Protection Officer (if applicable) or with the Commission for Personal Data Protection, or seek judicial remedy.

 

PRINCIPLES AND LEGAL GROUNDS FOR PROCESSING PERSONAL DATA

MEDEX Ltd. processes personal data lawfully, fairly, and transparently; for specified and legitimate purposes; limited to what is necessary; accurate and up‑to‑date; stored for no longer than necessary; and secured against unauthorized access, unlawful processing, accidental loss, destruction, or damage.

 

LEGAL GROUNDS FOR DATA COLLECTION:

  • Based on explicit consent (e.g., through website inquiry forms or marketing subscriptions)
  • For performance of contracts or pre-contractual arrangements
  • For compliance with legal obligations (e.g., tax, employment, regulatory requirements)
  • For legitimate interests of the Company, except where overridden by data subject rights
  • For recruitment purposes

 

PURPOSES OF PROCESSING:

  • Employment and HR management
  • Contractual relations with counterparties
  • Compliance with regulatory requirements in wholesale trade of medicinal products
  • Marketing activities
  • Legal claims and dispute resolution
  • Video surveillance for security and operational control

 

CATEGORIES OF DATA PROCESSED

MEDEX Ltd. collects and processes:

  • Identification data (name, middle name, surname)
  • Contact information (address, phone, email, position)
  • IP address (when using the website)
  • Data required for employment or regulatory compliance
  • Other data depending on the nature of the relationship

 

The Company does NOT collect: 

  • Data revealing racial or ethnic origin
  • Political, religious, or philosophical beliefs
  • Genetic or biometric data

 

DATA RETENTION

Personal data is retained only as long as necessary to fulfill the purposes described in this Policy or as legally mandated. Upon expiry of retention periods, data is deleted or destroyed according to internal procedures.

 

YOUR RIGHTS

You have the right to:

  • Access your data
  • Request correction of inaccurate or incomplete data
  • Request erasure (“right to be forgotten”)
  • Restrict processing
  • Data portability
  • Be informed about any actions related to your data
  • Object to processing
  • Not be subject to automated decision‑making
  • Lodge a complaint with the supervisory authority
  • Seek compensation for damages arising from GDPR violations

 

TRANSFER OF DATA TO THIRD COUNTRIES

MEDEX Ltd. transfers personal data outside the EU only under the conditions of Chapter V of GDPR and after ensuring adequate safeguards.

 

DATA BREACH NOTIFICATION

In the event of a personal data breach posing a risk to data subjects, MEDEX Ltd. will notify the supervisory authority within 72 hours and, where a high risk exists, will inform the affected individuals unless exceptions apply.

 

AMENDMENTS TO THE POLICY

MEDEX Ltd. may update this Policy whenever necessary. Updates will be published on the Company’s website or communicated through other appropriate channels.

 

This notice is under active revision as of July 2025.