DATA PROTECTION POLICY of RAMCOPHARM LTD
pursuant to Regulation (ЕU) 2016/679 on the protection of natural persons with regard to the processing of personal data

 

DEFINITIONS

For the purposes of the present Data Protection Policy pursuant to Regulation (EU) 2016/679 on  the protection of natural persons with regard to the processing of personal data, hereinafter referred to as “Data Protection Policy” or just “Policy”, the following definitions shall be used:

Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in  particular by reference to identifier such as name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or other methods of making the data available, alignment or combination restriction, erasure or destruction;

Restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future;

Controller” means the natural or legal person, public authority, agency or other body, who/which alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Processor” means a natural or legal person, public authority, agency or other body who/which processes personal data on behalf of the controller;

Recipient” means a natural or legal person, public authority, agency or another body to whom/which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law, shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.

Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons which/who, under the direct authority of the controller or processor, are authorized to process personal data;

Consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Personal data breach” means a breach of security leading to the accidental or unlawful destruction, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Supervisory authority” means an independent public authority which is established by a Member State pursuant to Article 51 of the Regulation.

Special categories of personal data” include the following: “Sensitive personal data” include personal data revealing a racial or ethnic origin; “genetic data” means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health status of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;   “biometric data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data; “data concerning health” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

 

NECESSARY INFORMATION

RAMCOPHARM LTD was established in 1993 and is a 100% private Bulgarian business company. Its main activity is development, production and distribution of herbal food supplements – products from standardized dry extracts, essential oils and a combinations of vitamins in capsule and tablet form. RAMCOPHARM LTD has registrations and exports its products to Greece, Republic of Macedonia, Republic of Iraq (Erbil), working on new opportunities for positioning on third markets. The company has its own production base established in compliance with the GMP /Good Manufacturing Practice/ and is licensed for the production of medicines by the Bulgarian Executive Drug Agency /EDA/.

The company was entered into the Trade register at the Registry agency under UIC:  831134861 and its seat and registered address is 5A, Plachkovitsa Str., Sofia, Lozenets district.

Contact telephone: (+359 2) 868 90 58;(+359 2) 868 80 52, (+359 2) 868 52 36

E-mail: ogi@mail.techno-link.com

The independent public body established by a Member State pursuant to Art. 51 of the Regulation in the Republic of Bulgaria is the Commission for Personal Data Protection. It is an independent state authority which provides protection of individuals during the processing of their personal data and the access to such data, as well as the control over the observation of applicable law.

Contact information: www.cpdp.bg ; kzld@cpdp.bg; (+359 2) 915 35 18; (+359 2) 915 35 15; (+359 2) 915 35 19

Address: 2, Prof. Tsvetan Lazarov Blvd., Sofia 1592

By virtue of Ordinance № ……. of 24 May 2018, the company manager, in item 2 appointed ………………, and ……………. as persons in charge of personal data processing at the office, and ………….. as a data processing officer at the production base. Pursuant to items 2.2 and 2.4 of the same ordinance, these are natural persons having the necessary competence, whose job descriptions include the obligation to process and store personal data and these individuals shall procure the necessary technical and organizational data protection measures in compliance with the Data Protection Policy and the applicable law.

With the present Policy and in pursuance of the applicable law, RAMCOPHARM LTD provides information regarding:

 

SECTION 1: OBJECTIVES AND SCOPE OF THE DATA PROTECTION POLICY

The present Data Protection Policy is intended to govern in the most comprehensive and unambiguous way the protection of the rights of natural persons in the processing of their personal data by RAMCOPHARM LTD pursuant to Regulation (EU) 2016/679 of the European Union and of the Council of 26 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. With the present Policy, RAMCOPHARM LTD, in its capacity of controller, respects the privacy of the natural persons and does its best to protect the personal data, applying all measures required by the law and the European legislation and ensuring a level of protection corresponding to the processing and nature of the data that needs protection.

 

SECTION 2: PRINCIPLES OF PERSONAL DATA PROCESSING

RAMCOPHARM LTD observes the following principles while processing the data of natural persons, namely:

 

SECTION 3: PURPOSES OF PROCESSING

RAMCOPHARM LTD processes personal data of natural persons in the following cases:

 

SECTION 4: LEGAL GROUNDS FOR PERSONAL DATA PROCESSING

Personal data processing by RAMCOPHARM LTD is lawful and is only performed on any of the following legal grounds:

 

SECTION 5: DATA COLLECTED AND PROCESSED FOR SPECIFIC PURPOSES

  1. Full name – employment contracts, part-time contracts, certificates, income certificates, certificates UP-2 and UP-3, notifications under Art. 62 of the Labour Code, declaration form 1, declaration under Art. 73 of the Natural Persons Income Tax Act (NPITA), declaration under Art. 50 of NPITA, declaration under Art. 92 of the Corporate Income Tax Act, References for the Annual financial statements, declaration form 6 – for self-employed persons, CVs, medical certificates for employment, patients’ charts, appendix 9 to patients’ charts, records of service, Occupational Accident Insurance, register of patients’ charts, documents for Occupational Medicine, passes, register of records of service, a book rendering account of overtime, payrolls, instruction books, orders for termination of employment contracts.
  1. Personal ID – employment contracts, part-time contracts, certificates, income certificates, certificates UP-2 and UP-3, notifications under Art. 62 of the Labour Code, declaration form 1, declaration under Art. 73 of the Natural Persons Income Tax Act, declaration under Art. 50 of NPITA, declaration ujnder Art. 92 of the Corporate Income Tax Act, References for the Annual financial statements, declaration form 6 – for self-employed persons, medical certificates for employment, patients’ charts, records of service, documents for Occupational Accident Insurance, register of records of service, documents for Occupational Medicine, register of records of service, payrolls, orders for termination of employment contracts.
  1. Address – employment contracts, part-time contracts, certificates, certificates of income, declaration form 1, declaration under Art. 73 of NPITA, declaration under Art. 50 of NPITA, patients’ charts
  1. Personal ID /Number, date and issuer/ – employment contracts, part-time contracts, certificates, certificates of income, records of service
  1. Place of birth – certificates UP-2 and UP-3, records of service, register of the records of service
  1. Position – employment contracts, records of service, notifications under Art. 62 of the Labour Code, patients’ charts, documents for Occupational Medicine, payrolls, instruction books, orders for termination of employment contracts.
  1. Income – employment contracts, part-time contracts, certificates, certificates of income, certificates UP-2 and UP-3, notification under Art. 62 of the Social Security Code, declaration form 1, declaration under Art. 73 of NPITA, declaration under Art. 50 of NPITA, records of service, Occupational Accident Insurance, payrolls.
  1. Education /Diploma, specialty/ – employment contracts, CVs.
  1. Legal status – notices of distraint
  1. Health status – medical certificates for employment, patients’ charts, register of patients’ charts
  1. Employment – records of service, CVs, employment contracts, certificates UP-2 and 3
  1. Bank accounts – appendix № 9 to patients’ charts
  1. Personal data related to convictions and violations – during work interviews in cases envisaged by the law
  1. Telephone numbers of the employees and clients using the order form on the website of RAMCOPHARM LTD – for connection with the employees and clients with respect to an order placed by them.

 

SECTION 6: STORAGE PERIODS

For the purposes of collection and processing of personal data of natural persons, RAMCOPHARM LTD determined the following personal data storage periods:

 

SECTION 9: DATA PROTECTION MEASURES

RAMCOPHARM LTD undertakes the necessary technical and organizational measures in order to protect any personal data against accidental or unlawful /illegal destruction, accidental loss, unauthorized access, amendment or dissemination, as well as other unlawful forms of processing, namely:

 

SECTION 10: SPECIAL CATEGORIES OF PERSONAL DATA

RAMCOPHARM LTD has its own production base, constructed in compliance with the conditions for GMP /Good Manufacturing Practice/ and licensed for the production of medicinal products by the Executive Drug Agency /EDA/. The company has registered and produces two medicinal products: Potassium iodide Ramcopharm – 65 mg; Nurulin Duo 500 mg Paracetamol / 200 mg Ibuprofen tablets.

In this connection and on the grounds of the legal requirements in the Foods Act, the data controller requires access to and regular verification of special categories of personal data connected with the health status of its employees at the production base, namely: health books and the information therein. The data controller is obliged, upon request from the Bulgarian Food Safety Agency, to provide the information contained in the health books. In order to ensure maximum protection and control of the storage and processing of such sensitive personal data, the data subjects provide their health books with a special Record of handover for voluntary delivery and attendance. The data controller is obliged to provide a high level of protection of the so delivered health books. With a view to the regular maintenance of updated information, a Register of validity of the health books is established and kept. Information about the Register and access thereto is only available to the person appointed as data protection officer at the production base, as well as the manager.

 

SECTION 11: RECIPIENTS TO WHOM PERSONAL DATA MAY BE DISCLOSED

All of the above listed individuals are bound by a non-disclosure obligation. Furthermore, those individuals have provided enough guarantees for the application of suitable technical and organizational measures in a manner ensuring that their processing is in full compliance with the legal requirements.

 

SECTION 12: PERSONAL DATA REGISTERS

The data controller maintains the following registers:

  1. The general register where the following data are kept:
    • Full name;
    • Personal ID;
    • Address of residence, current address, electronic address;
    • Copy of the ID card;
    • Record of service;
    • Education, etc.
  1. The following data are kept in the special register:
  1. The following special registers shall be maintained, in addition to the ones listed in item 2:

 

SECTION 13: RIGHTS OF THE DATA SUBJECTS AND PROCEDURE OF EXERCISING THEREOF

  1. Data subjects have the following rights:

1.1. Right of access

The natural person shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and where that is the case, to get access to the personal data and information about the purposes of the processing; the relevant categories of personal data; the recipients or categories of recipients to whom the personal data have been or will be disclosed; where possible, the envisaged period for which the  personal data will be stored; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source.

1.2. Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

1.3. Right to erasure (“right to be forgotten”)

The data subject shall have the right to request from the controller erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  1. a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. b) the data subject withdraws consent on which the processing is based or objects to the processing and there are no overriding legitimate grounds for the processing;
  3. c) the personal data have been unlawfully processed;
  4. d) the personal data have to be erased for compliance with a legal obligation of EU or Bulgarian law.

1.4. Right to data portability

The data subject shall have the right to receive the personal data concerning him or her which he or she has provided to a controller in a structured, commonly used and machine-readable format when the processing is based on consent or on a contractual obligation and the processing is carried out by automated means.

1.5. Right to restriction of processing

1.5.1. The data subject shall have the right to request from the controller restriction of processing where one of the following applies:

  1. a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  2. b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. c) the controller no longer needs the personal data for the purposes of the processing but they are required by the data subject for the establishment, exercise or defense of legal claims;

1.5.2. Where processing has been restricted under paragraph 1.5.1. herein above, such data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of the Republic of Bulgaria.

1.6. Right to profiling

The data subject has the right not to be subject to a decision which is based solely on automated processing including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her.

1.7. Right to object

1.7.1. A natural person has the right at any time and on grounds related to his or her particular situation, to object processing of personal data concerning him or her. Pursuant to Art. 21, Par. 4 of Regulation 679/2016, the natural person shall be explicitly notified of the existence of the right to object, which shall be presented clearly and separately from any other information. For the execution of this obligation, more information regarding the right to object shall be provided in this section of the present Privacy Policy.

1.7.2. The data subject shall have the right to object, at any time and on grounds relating to his or her particular situation, to the processing of personal data concerning him or her in cases where the processing is necessary for the performance of a task for reasons of public interest or in the exercise of official authorities provided to the controller or if the processing is necessary for the legitimate interests of the controller or a third party unless such interests are overridden by the interests or fundamental rights and freedoms of a natural persons requiring data protection and more specifically when the natural person is a child.

1.7.4. The controller undertakes to terminate personal data processing, unless it is proven that there are convincing legal grounds for the processing which override the interests, rights and freedoms of the natural person or for the establishment, exercise or defense of legal claims. The natural persons shall exercise their right to object by submitting a written request to a controller by post to an address indicated in the controller’s identification herein above.

1.8. Right of notification of a personal data breach

In case a personal data breach is likely to cause a risk for the rights and freedoms of the natural persons, the natural person must be notified without undue delay of the security breach.

1.9. Right to legal and administrative defense – submission of complaint to the supervisory authority; effective legal defense.

1.10. Right to damage compensation

  1. Procedure for exercising of the rights

2.1. The natural persons shall exercise the above rights by submitting a written request to the Controller (or website operator) by mail, e-mail or using the contact form on the website, using the contact information indicated at the beginning of this Data Policy, which request should contain the following information:

2.2. The written request must be lodged in person. The controller files the requests submitted by natural persons in a separate register.

2.3. After the natural person has exercised his or her right to access personal data relating to him or her, the Controller shall verify his or her identity before responding to the request. This is necessary for the purpose of minimizing the risk of unauthorized access to the data and identity theft. In case the provided data are insufficient for identification of the person who has exercised his or her rights, the Controller has the right to request a copy of documents identifying the person to a sufficient degree (e.g. identity card, driving license, etc.).

2.4. The controller reviews the request and provides to the natural person information regarding the activities undertaken in this connection, without undue delay and in all cases – within one month as of receipt of the identification data of the person who has submitted the request. If necessary, the period of execution may be extended, taking into consideration the complexity and number of requests, of which the natural persons shall be informed in due time.

2.5. The administrator undertakes to communicate any rectification, erasure or restriction of processing to any natural person requesting that, unless it proves impossible or requires disproportionate efforts.

  1. Right to object

3.1. The natural person is entitled at any time and on grounds relating to his or her particular situation, to object the processing of his or her personal data. Pursuant to Art. 21, Par. 4 of Regulation 2016/679, this right shall be explicitly brought to the attention of the data subject clearly and separately from any other information.

3.2. The natural person shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her in cases where the processing is necessary for the performance of a task for reasons of public interest or in the exercise of official authorities provided to the controller or if the processing is necessary for the legitimate interests of the controller or a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the natural persons. The controller undertakes to terminate personal data processing unless it is proven that there are convincing legal grounds for the processing which override the interests, rights and freedoms of the natural person or for the establishment, exercise or defense of legal claims. The natural persons shall exercise their right to object by submitting a written request to a controller in the manner indicated in the present privacy policy.

3.3. The controller has envisaged a procedure for approaching the supervisory authority, namely the Personal Data Protection Commission, by means of record of notification.

3.4. The controller undertakes to provide with all means the possibility for the natural person to submit notification or complaint.

 

SECTION 14: PROVISION OF PERSONAL DATA AND THEIR PROCESSING USING THE WEBSITE OF RAMCOPHARM LTD

  1. Automated data collection:

1.1. During each visit of the website, the controller automatically collects the following data, namely:

1.2. While using the collected information, the controller does not perform profiling and does not provide the collected data to third parties.

1.3. The controller collects and processes personal data of natural persons which are automatically collected for the following purposes, namely:

 

SECTION 15: COOKIES, LINKS AND FORWARDING

  1. COOKIES

The website of RAMCOPHARM LTD uses cookies. These are small text files placed on your device in order to help the website provide better practical experience to the users. Basically the cookies are used in order to save user preferences, to save information about things such as shopping carts and to provide anonymous data for tracing of applications of third parties such as Google Analytics. Generally cookies improve your practical experience. However, you can disable the cookies on this website and on other sites. The most efficient way to do so is to disable the cookies in your browser.

During your first visit of the website of RAMCOPHARM LTD you will be given the opportunity to refuse using cookies. In this case the relevant website or certain functionalities may not work properly. By pressing the button “I understand”, with the closing of the banner/ message or continuation of the use of the website, you agree to the present cookie policy.

Types of cookies that we use:

You can adjust the settings relating to the cookies which you receive from our website in the browser you use. Please have in mind that if you restrict some types of cookies the website may not be fully functional and you may not be able to enjoy all of its features.

  1. Social Plug-in – Facebook

We have included in our website a button of the social network Facebook. You can recognize this button by the Facebook logo or the button “Like the page”. As a website operator we do not have information about the content of the transmitted data or their use by Facebook. We do not know when you have clicked on any of the buttons. For more information regarding the manner in which Facebook uses your information, please see the Privacy Statement of Facebook https://www.facebook.com/policy.php# .

The present Data Policy of RAMCOPHARM LTD pursuant to Regulation (EU) 2016/679 on the protection of the natural persons relating to the processing of personal data becomes effective on 25 May 2018 and is valid until updated by a newer version. In order to apply the most topical security measures and to observe the effective legislation, we preserve the right to update the present policy, if necessary, therefore we invite you to regularly review the current version of this Policy in order to be constantly informed about the way in which we take care of the protection of your personal data.