Privacy Policy

  1. Introduction
    This Privacy and Personal Data Protection Policy (“the Policy”) is adopted and approved by the Managing Director of MEDEX Ltd. (the “Company”) and governs the manner in which the Company collects, processes and stores your personal data in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Bulgarian Personal Data Protection Act and any other applicable Bulgarian or international legal acts.

    The confidentiality of information relating to the personal data of our employees, counterparties and users of our services is a primary priority for us. In its capacity as a personal data controller and in compliance with the legislation and Good Distribution Practice (GDP), MEDEX Ltd. implements the required technical and organisational measures to protect the personal data of natural persons. MEDEX Ltd. complies with all requirements of the new European and national regulatory framework and collects data only to the extent necessary for: carrying out the Company’s core activity of wholesale trade in medicinal products and medical devices; providing our services; enabling the use of our websites; and for marketing purposes.

    This Policy provides information on how and what types of personal data we collect from and about you, the purposes for which such data are required, to whom they may be disclosed or made available, how they are protected, and what your rights are in relation to those data.

    Definitions:
    “Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

    “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    “Regulation” means the General Data Protection Regulation (EU) 2016/679.

    Please read this Policy carefully. By providing your personal data to MEDEX Ltd., whether electronically or on paper, you acknowledge and agree to the practices described in this Privacy and Personal Data Protection Policy.

    If you have any questions regarding this Policy, please contact us. If you do not agree with any of the terms contained in this Privacy Policy, we do not recommend that you use the products and services provided by MEDEX Ltd. for which it is mandatory to provide your personal data.

    Contacts and communication
    Information regarding MEDEX Ltd. in its capacity as Personal Data Controller

    In connection with the processing of your personal data, you may contact us using the following details:

    Name: MEDEX Ltd.
    UIC: 131268894

    Registered office and address of management:
    District: Sofia (capital), Municipality: Stolichna, Locality: village of Svetovrachene, post code 1252, 48 “Chavdar Voyvoda” Street
    Telephone: +359 (2) 405 1900
    Fax: +359 (2) 405 1899

    Correspondence address:
    District: Sofia (capital), Municipality: Stolichna, Locality: village of Svetovrachene, post code 1252, 48 “Chavdar Voyvoda” Street
    Telephone: +359 (2) 405 1900
    Fax: +359 (2) 405 1899

    E-mail: office@medex.bg
    Website: www.medex.bg

    Information regarding the competent supervisory authority:

    Name: Commission for Personal Data Protection
    Registered office and address: 2 “Prof. Tsvetan Lazarov” Blvd., Sofia 1592, Bulgaria
    Correspondence address: Bulgaria, Sofia 1592, 2 “Prof. Tsvetan Lazarov” Blvd.
    Telephone: +359 2 915 3518
    E-mail: kzld@government.bg; kzld@cpdp.bg
    Website: www.cpdp.bg

    If you believe that we are infringing your rights in relation to the processing of your personal data and in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679, you have the right to lodge a complaint with the Data Protection Officer (if appointed), to lodge a complaint with a supervisory authority and to seek judicial protection, as follows:

    Right to lodge a complaint with a supervisory authority

    If you wish to lodge a complaint concerning the processing of your personal data carried out by us, or concerning the way in which we have handled your complaint, you have the right to lodge a complaint with the Commission for Personal Data Protection and, where applicable, with the Data Protection Officer.

    You may lodge a complaint in one of the following ways:

    • In person, on paper, at the Registry Office of the CPDP at: Sofia 1592, 2 “Prof. Tsvetan Lazarov” Blvd.
    • By post, at: Sofia 1592, 2 “Prof. Tsvetan Lazarov” Blvd., Commission for Personal Data Protection.
    • By fax at: 02 915 35 25.
    • Electronically, to the CPDP e-mail address (kzld@cpdp.bg). In this case, your complaint must be formatted as an electronic document signed with an electronic signature (not a scanned copy).
    • Through the CPDP website at https://cpdp.bg/?p=pages&aid=6 in the manner described on that page. In this case as well, your complaint must be formatted as an electronic document signed with an electronic signature.

    In all of the above cases, the complaint must contain:

    • Details of the complainant – full name, address, contact telephone number, e-mail address (if any);
    • The nature of the complaint;
    • Any other information and documents that you consider relevant to the complaint;
    • Date and signature (for electronic documents – electronic signature; for paper documents – handwritten signature).

    The CPDP provides a complaint form (to assist and guide citizens) in connection with misuse of personal data processing in electoral rolls supporting the registration of political entities. The form can be downloaded from the following page:

    https://cpdp.bg/userfiles/file/Documents_2017/Forma_jalba_politicheski subekti.doc

    Principles and legal grounds for the collection, processing and storage of personal data

    In order for the processing of personal data to be compliant with legal requirements, personal data must be collected and used lawfully, the security of processing operations must be ensured and MEDEX Ltd. must take the necessary measures to prevent personal data being processed from becoming subject to unauthorised disclosure. In accordance with the core principles observed by MEDEX Ltd., your personal data are:

    • processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
    • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“purpose limitation”);
    • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
    • accurate and, where necessary, kept up to date; MEDEX Ltd. has taken all reasonable measures to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
    • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”);
    • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”);
    • MEDEX Ltd. is responsible for, and able to demonstrate compliance with, the fundamental principles relating to the processing of personal data (“accountability”).

    Legal grounds for collecting personal data:

    MEDEX Ltd. collects and processes your personal data in connection with the use of the Company’s website and the subsequent provision of information on the basis of Article 6(1) of Regulation (EU) 2016/679, and in particular on the basis of your explicit consent as a client/potential client. You are not obliged, and we do not require you, to register or to provide personal data in order to browse our website or to access most of its content. Personal data are provided through our website via the enquiry form. By submitting your personal data in the enquiry form, you must give your consent to their provision, which automatically means consent for us to process them for the purpose of responding to your enquiry;

    MEDEX Ltd. collects and processes your personal data where you have given your consent to receive communications from us relating to our projects, events, campaigns, offers, proposals related to our activities and news about the Company;

    MEDEX Ltd. collects and processes your personal data in connection with the conclusion (including negotiations that have not resulted in a contract) and/or performance of a contract – contracts for the use of our services; contracts of sale; contracts under which we assign the performance of specific work or the provision of services and/or orders, etc.;

    MEDEX Ltd. collects and processes personal data in connection with compliance with legal obligations applicable to the controller – in fulfilment of our obligations towards the National Revenue Agency, the National Social Security Institute and other state and municipal authorities;

    MEDEX Ltd. administers personal data for the purposes of the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data;

    MEDEX Ltd. collects and processes personal data in connection with staff recruitment for various positions announced by the Company. Vacant positions may be advertised in the “Careers” section of our website, with the possibility to apply for a given position via a special contact form or by sending us a message and the necessary documents to the e-mail address indicated;

    as well as in other cases established by law.

    Purposes of personal data processing

    In accordance with the requirements of Section I – Transparency and conditions of Regulation (EU) 2016/679, MEDEX Ltd. provides transparent information, communication and conditions for the exercise of the rights of data subjects under Article 12 of the Regulation.
    MEDEX Ltd. collects, processes and stores personal data for the following purposes:

    4.2.1. For the performance of employment and social security relations, including for staff recruitment purposes (human resources management activities):

    MEDEX Ltd. processes personal data of job applicants, current and former employees of the Company.

    In the course of human resources management activities, data are processed relating to the identification of natural persons, education and professional qualifications, criminal record data in cases required by law (for the responsible master pharmacists of the wholesale warehouses), contact details (telephone, e-mail, correspondence address), as well as other data required under special laws governing employment and official relationships, tax and social security relationships, accounting of activities, health and safety at work, as well as data required by regulatory authorities in the course of registration and licensing procedures mandatory for wholesalers of medicinal products and medical devices under the applicable legislation.

    The data collected are used solely for the above purposes and are disclosed to third parties only in cases where this is provided for by law. In such cases, data may be provided to the National Revenue Agency, the Executive Agency “General Labour Inspectorate”, the Ministry of Health, the Executive Agency for Medicines and other public authorities, in view of their powers and competence. The information is not stored outside the EU and the European Economic Area. MEDEX Ltd. ensures appropriate technical and organisational measures to protect your personal data.

    In connection with the performance of employment relationships, only the personal data required by law are processed and these are stored for the statutory retention periods.

    Activities related to the provision of healthy and safe working conditions are regulated by a contract with an occupational health service pursuant to Ordinance No. 3 of 25 January 2008 on the terms and procedure for the operation of occupational health services, under which the provider also guarantees that it applies privacy and personal data protection policies to the employees’ data to which it has access.

    4.2.2. Contractual relations with counterparties:

    In carrying out its main activity of wholesale trade in medicinal products and medical devices, MEDEX Ltd. processes personal data of natural persons for the performance of contracts concluded under the Obligations and Contracts Act, the Commerce Act, the Medicinal Products in Human Medicine Act, the Medical Devices Act, etc. MEDEX Ltd. processes the names, telephone numbers and e-mail addresses of the legal representatives, attorneys or employees (contact persons) of manufacturers; marketing authorisation holders valid for the territory of the Republic of Bulgaria and representatives in the Republic of Bulgaria of marketing authorisation holders valid for the territory of the Republic of Bulgaria; parallel importers of medicinal products in the Republic of Bulgaria; healthcare establishments within the meaning of the Health Establishments Act; other wholesalers of medicinal products and medical devices; retailers of medicinal products (pharmacies and drugstores); healthcare professionals; doctors and dentists who have obtained an authorisation for storage and sale of medicinal products issued by the director of the Regional Health Inspectorate (RHI) under Ordinance No. 5 of 6 July 2011 on the terms and procedure for obtaining an authorisation for storage and sale of medicinal products by doctors and dentists and their supply with medicinal products.

    The purpose is to identify the respective persons as representatives, attorneys or employees (contact persons) of the relevant counterparty.

    Insofar as, in connection with the performance of contractual relations with counterparties, personal data of individual natural persons are processed, only information in a minimal volume is processed for them, sufficient only for the exact performance of the obligations under the relevant contract and compliance with the specific regulatory requirements in the field of wholesale trade in medicinal products and medical devices. Access to such information is provided to third parties only where there is a legal requirement to do so. The legal basis for processing the data is the performance of the concluded contract.

    4.2.4. For the fulfilment of legal obligations under the specific regulatory framework governing wholesale trade in medicinal products, tax and social security legislation, legislation on measures against money laundering, as well as for the fulfilment of legal obligations under the remaining applicable European and national legislation at the time when the respective data are processed. This also includes processing in connection with the provision of certain information to regulatory authorities in the course of licensing and registration regimes related to wholesale trade in medicinal products and medical devices.

    4.2.5. For marketing purposes – related to our projects, events, campaigns, offers and proposals relating to our activity and news about the Company (where there is an explicit wish to receive such information), etc.

    4.2.6. For legal purposes – for the resolution of legal disputes and the protection of the rights and legitimate interests of the Company;

    4.2.7. For video surveillance:

    Video surveillance is carried out at the warehouse facilities of MEDEX Ltd. for security purposes. Video recordings are kept for a period of 30 days. Access to the recordings is granted only to specific employees within the scope of their official duties. In relation to the use of video systems, MEDEX Ltd. has carried out a legitimate interest assessment to determine the extent to which the privacy of visitors, employees and counterparties of the Company is affected in connection with the preservation of its legitimate interest. Cameras are installed at various locations in the Company’s warehouses, including the surrounding perimeter. The location of the cameras is regularly reviewed to ensure that areas which are not relevant to the purposes pursued are covered to the minimum extent possible. No monitoring is carried out in areas associated with heightened expectations of privacy, such as rest rooms and sanitary facilities. MEDEX Ltd. uses video surveillance solely for the purposes of security and safety; protection of inventory and assets; optimisation of business processes; and protection of its employees. The legal basis for video surveillance is the legitimate interest of the Company, including in its capacity as employer. The video system is not intended to capture (e.g. by zooming in or targeted tracking) or otherwise process (e.g. indexing, profiling) images revealing “special categories of data”. Where necessary for the purposes of investigating or prosecuting a criminal offence, access may be granted to law enforcement authorities in accordance with the statutory procedure.

    For communication with you – concerning contractual and non-contractual relationships

    Where the processing of personal data is based on your consent, you may withdraw that consent at any time. In such a case MEDEX Ltd. will immediately cease processing the data for the relevant purpose; this will not affect processing based on another legal ground – for example, where we have a contractual or legal obligation to process the data. You may always object to the processing of your personal data for the purposes of providing information on our part; in such cases we will immediately stop the respective provision of information, unless we have a legal obligation to continue it.

    In specific cases, additional purposes for processing your personal data may also apply; in such cases you will be expressly informed.

    Types of data collected, processed and stored by MEDEX Ltd.

    In order to achieve the purposes set out in Section 4 of this Policy, MEDEX Ltd. collects, processes and stores the following categories of data:

    • Identification data: first name, middle name, surname;
    • Contact data: address, telephone number, e-mail, position, etc.;
    • Data regarding the IP address used (when accessing the website);
    • Data necessary for employment relations (in accordance with internal Company procedures and statutory requirements in the field of wholesale trade in medicinal products and medical devices), etc.;
    • Data depending on the specific services used and the type of legal relationship in which you participate.

    MEDEX Ltd. does not collect personal data relating to racial or ethnic origin; data revealing political, religious or philosophical beliefs; genetic and biometric data.

    Retention period for personal data

    MEDEX Ltd. retains your personal data for the period necessary to achieve the purposes described in this Policy, unless a longer retention period is required or permitted by applicable law. Retention is carried out in compliance with the statutory retention periods for certain categories of documents (payroll records, financial statements, accounting registers, etc.), as well as the statutory limitation periods under the Tax and Social Security Procedure Code, the Accountancy Act, the Social Security Code, the Obligations and Contracts Act, the Medicinal Products in Human Medicine Act, the Medical Devices Act and the relevant secondary legislation. After the expiry of the retention period, MEDEX Ltd. takes the necessary steps to erase and destroy all data without undue delay, in accordance with the adopted internal Company procedure for the destruction of personal data.

    MEDEX Ltd. will inform you if it is necessary to extend the retention period of the data in order to fulfil the purposes, to perform the contract, in view of the legitimate interests of MEDEX Ltd. or for other reasons.

    Destruction

    MEDEX Ltd. will destroy your personal data as soon as reasonably possible and in a manner that does not allow them to be reproduced or recovered. MEDEX Ltd. has adopted a Company procedure for the destruction of personal data.

    Sources of personal data

    The personal data collected by MEDEX Ltd. are collected from the data subjects themselves; through the contact forms on the Company’s websites; from third parties – our counterparties and/or intermediaries, in compliance with the requirements of the Regulation; as well as from publicly accessible sources – registers maintained by the Ministry of Health, the Executive Agency for Medicines and other public institutions.

    Rights of data subjects whose data are processed by MEDEX Ltd.

    Right of access: You have the right to request and obtain from MEDEX Ltd. confirmation as to whether or not personal data concerning you are being processed; to obtain access to the data concerning you, as well as to the information relating to the collection, processing and storage of your personal data. MEDEX Ltd. will provide you, upon request, with a copy of the personal data undergoing processing concerning you, in electronic or other appropriate form. The provision of access to data is free of charge, but MEDEX Ltd. reserves the right to charge an administrative fee in the event of repetitive or excessive requests.

    Right to rectification: You may request the rectification or completion of inaccurate or incomplete personal data concerning you by submitting a request to MEDEX Ltd.

    Right to erasure (“right to be forgotten”): You have the right to request from MEDEX Ltd. the erasure of personal data concerning you, and MEDEX Ltd. is obliged to erase them without undue delay where the legal grounds provided for by law are present and no other lawful basis for processing or lawful ground for refusal to erase the data exists. MEDEX Ltd. does not erase data which it is legally obliged to store, including for the purposes of defence in relation to claims brought against it or for proving its own rights.

    Right to restriction of processing: You have the right to request that MEDEX Ltd. restrict the processing of personal data concerning you where: you contest the accuracy of the personal data, for a period enabling MEDEX Ltd. to verify the accuracy of the personal data; the processing is unlawful but you oppose the erasure of the personal data and request the restriction of their use instead; MEDEX Ltd. no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; you have objected to processing pending the verification whether the legitimate grounds of MEDEX Ltd. override your interests.

    Right to data portability: You may at any time download the data stored and processed concerning you in relation to your relationship with MEDEX Ltd. by submitting a written request to the controller. Where technically feasible, you may request that the personal data be transmitted directly to another controller indicated by you.

    Right to information: You have the right to request to be informed of any action related to the rectification, erasure or restriction of processing.

    Right to object: You may at any time object to the processing by MEDEX Ltd. of personal data relating to you where the processing is based on: the performance of a task carried out in the public interest or in the exercise of official authority; the purposes of the legitimate interests pursued by the controller; the purposes of scientific or historical research or statistical purposes, including profiling or processing for the purposes of direct marketing.

    You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. MEDEX Ltd. does not engage in automated decision-making using data.

    Right to lodge a complaint: You have the right to lodge a complaint with the Commission for Personal Data Protection in the event of breaches of Regulation (EU) 2016/679 of 27 April 2016 and the right to effective judicial protection against the CPDP, a controller or a processor of your personal data.

    Right to compensation: You have the right to compensation for material or non-material damage suffered as a result of an infringement of Regulation (EU) 2016/679.

    To exercise the above rights, you must submit a request to MEDEX Ltd. and prove your identity and your status as the data subject. A template request form may be downloaded from here:

    You may exercise your rights in the following ways:

    At the office of MEDEX Ltd. at the address:
    District: Sofia (capital), Municipality: Stolichna, Locality: village of Svetovrachene, post code 1252, 48 “Chavdar Voyvoda” Street
    Telephone: +359 (2) 405 1900
    Fax: +359 (2) 405 1899

    E-mail: office@medex.bg
    Website: www.medex.bg

    Withdrawal of consent to the processing of your personal data

    Where you have given your consent to the processing of your personal data for one or more specific purposes, and you no longer wish all or part of the data to continue to be processed by MEDEX Ltd. for a particular or for all processing purposes, you may withdraw your consent to processing at any time by submitting a free-form request to MEDEX Ltd.

    Transfer of personal data to third countries or international organisations

    The transfer of personal data which are processed or are intended for processing after transfer to a third country or to an international organisation outside the EU is carried out by MEDEX Ltd. only under the conditions of the General Data Protection Regulation (EU) 2016/679 and in compliance with the conditions laid down in Chapter V of the Regulation. MEDEX Ltd. applies all provisions of the Regulation so as not to jeopardise the required level of protection of natural persons ensured by the Regulation.

    Where MEDEX Ltd. intends to transfer personal data to a third country or to an international organisation outside the EU, such transfer shall be carried out in accordance with the Company’s Procedure for Transfers of Data outside the EU, and data subjects shall be informed in advance and their consent to the transfer of personal data shall be obtained.

    Recipients of your personal data

    The employees of MEDEX Ltd. who have access to your personal data are strictly defined in the Company’s internal rules and in the procedures for data processing, and levels of access to different personal data registers are determined.

    It is possible that MEDEX Ltd. may transfer your personal data to third parties involved in the processing or acting as processors, to public administration bodies exercising control and regulatory functions over the Company’s activities and others. In all cases, the transfer of personal data by MEDEX Ltd. is carried out for the fulfilment of the purposes of processing and in strict compliance with the requirements of Regulation (EU) 2016/679.

    Breaches and notification of breaches

    “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed by MEDEX Ltd.

    In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, MEDEX Ltd. shall notify the Commission for Personal Data Protection of the breach without undue delay and, where feasible, not later than 72 hours after having become aware of it.

    If MEDEX Ltd. establishes a personal data breach which is likely to result in a high risk to your rights and freedoms, we will notify you of the breach without undue delay, as well as of the measures that have been taken or are to be taken.

    MEDEX Ltd. may refrain from notifying you if:

    • it has implemented appropriate technical and organisational protection measures with respect to the data affected by the security breach;
    • it has subsequently taken measures which ensure that the high risk to your rights is no longer likely to materialise;
    • notification would involve disproportionate effort.

    Amendments to the Privacy Policy

    MEDEX Ltd. is entitled to update, amend and supplement this Privacy Policy at any time in the future where circumstances so require. Any update made by MEDEX Ltd. will be announced in an appropriate manner on the Company’s website or through other information channels.

    This notice is under active revision as of July 2025.