Privacy Policy of Convex LTD

Taking care of your personal data is fundamental to us. We respect the right to privacy.

This Privacy Policy is intended to summarise the key points in relation to the protection of your personal data and how Convex Ltd processes that personal data. If you need more information about specific processes, you can contact us via the contacts below. 

Who are we?

 Convex Ltd (hereinafter referred to as ‘Convex’) is a commercial company registered in the Commercial Register of the Registry Agency with UIC 130441400, with registered office and registered address: Sofia, postal code 1000 Triaditsa District, 6 Tri ushi St., floor 2, ap. 2, represented by Dimitar Zhelyazkov Mirchev, in his capacity as Manager, tel.: + 359 2 986 3109, e-mail: info@convex.bg.

Convex is a Contractual Research Organisation (CRO) and Data Controller and processes your personal data in full compliance with the requirements and provisions of European and national legislation, including — the General Data Protection Regulation (‘GDPR’), the Personal Data Protection Act (‘PDPA’) and other relevant European and national regulations and guidelines of competent authorities.

How to contact us?

Address: Sofia, postal code 1000 Triaditsa District, 6 Tri ushi St., tel.: + 359 2 986 3109, e-mail: info@convex.bg.

Convex is the owner and administrator of the following web pages representing its business:

Convex respects your personal data privacy.

The protection of your personal information throughout the entire data processing process, as well as the security of all business data is an important issue for us. We process the personal data collected during your visit to our web pages confidentially and in accordance with legal provisions at European and national level.

What is the Privacy Policy and what is the purpose of this document?

This Privacy Policy is designed to provide you with key points and information in easily accessible, understandable and clear language about what is done with the personal data you provide to Convex, including:

• What personal data do we collect about you?
• What is the purpose of its collection?
• For how long do we keep the personal data provided?
• Who do we share your personal data with?
• How do we notify you of changes to our Privacy Policy?
• Do we use cookies? Where and how to learn more about their use?
• What are your rights regarding the personal data provided?

With this Privacy Policy, Convex declares that it applies all technical and organizational measures for the protection of the personal data of individuals that are prescribed by law or other regulatory act at national and European level.

What is personal data? 

Any information by which an individual can be identified, directly or indirectly, constitutes personal data.

What personal data does Convex collect about you?

In order to provide you with effective access to its products and services, Convex collects the following information about you:

• Technical data that is automatically sent to us when you use our web pages — IP address, GPS location, information about the device from which you visit the web pages;
• ‘Cookies’ — to identify your browser or device. More information about Convex‘ Cookie Policy can be found at the following Internet address – …………..;
• First and last name, e-mail address, telephone number, subject of the message and the content of the message when filling in the various forms on our web pages, including the forms for contacting us and sending comments and/or comments;

In all cases of processing special categories of personal data, Convex declares that it complies with all requirements of European and national legislation, including but not limited to Article 9 of the GDPR.

On what basis does Convex process your personal data ?

The processing of personal data includes the collection, storage, transmission, correction, updating, erasure, destruction and any other action that is carried out with your personal data. 

• Convex processes your personal data on a contractual basis in order to provide information in connection with pre-contractual relations and/or to fulfil its contractual obligations under service contracts concluded with you — Art. 6(1), Regulation (EU) 2016/679. 
• Convex processes your personal data in fulfilment of legal obligations under the applicable Bulgarian and European legislation in the field of provision of medical care, including in fulfilment of obligations arising from the Health Act, the Medical Institutions Act, the Labour Code, other legal and regulatory acts relevant to the provision of health services. Convex also processes your personal data in compliance with the obligations provided for in the Accounting Act and the Tax and Social Security Procedural Code and other related regulations in connection with the keeping of lawful accounting.
• Convex processes your personal data as and when necessary in order to protect the life and health of the individual (patient) to whom the data relates.
• Convex also processes your personal data after obtaining your explicit, clear, free and unambiguous consent for the purposes of processing. 

Your consent will be required as a basis for processing, for example, for marketing purposes and to receive advertising newsletters.

• Consent to the processing of your personal data is provided when you visit our CRO or use the contact forms on our web pages. Convex may also process your personal data where it has a legal (legitimate) interest, except where those interests are overridden by the interests of the data subject.
• Convex may also process personal data in other cases specified in a legal act authorizing or obliging Convex to carry out processing.

For what purposes do we collect your personal data? 

The personal data we receive from you will be used to enable us to fulfil our obligations to you and to help you exercise your rights, including but not limited to:

• In order to provide you with the outsourced clinical trial services offered by Convex;
• In order to provide you with access to our web pages, we show you content that is relevant, personalised and limited to the criteria you set;
• To answer your queries, opinions and recommendations;
• To send you information related to our special campaigns and new products and services;
• For statistical and accounting purposes in the performance of Convex’ contractual obligations to you;
• To ensure your security by carrying out CCTV surveillance at our premises.

In addition to the above, the collection of your personal data is in some cases mandatory in order to comply with our legal requirements to provide relevant personal data to competent state, municipal, regulatory authorities and institutions, third party individuals and legal entities. Failure to provide personal data in these cases could result in our services being refused.

How do we process your personal data? 

In order to provide its services, Convex processes (collects) the personal data you provide in the following ways:

• by visiting the web portal to use the services on our web pages;
• by you completing applications, forms, declarations and other documents provided to you or requested by Convex employees in connection with your participation in activities carried out by Convex Ltd;
• when updating data at your request and completing an update form on paper or electronically;
• by processing information about your visits to Convex‘ web pages;
• by processing information about IP addresses, cookies, operating system and browser type.

How long do we store and process your data before we destroy it?

Depending on the basis on which we process your personal data, the retention period varies. 

Your personal data will be stored by us for a period of 5 (five) years from the termination of the contractual basis if we process the personal data for the performance of contractual obligations to you. After the expiry of this period and in the event that there is no legal basis for the continued storage of your personal data, your information will be destroyed. 

Medical records containing personal data and related to the conduct of clinical trials shall be retained for a period of 25 (twenty-five) years from the date of completion of the clinical trial.

Convex shall retain documentation related to the conduct of clinical trials and other research projects, if delegated by the project sponsor, for the period required by the applicable regulatory requirements set forth in applicable law, in which case the retention period and, accordingly, processing shall be based on a legal basis. In the event that the retention periods for personal data are not fixed by law, they shall be determined depending on the nature of the information, the scope and the purposes for which it is processed. The data is stored on tangible (paper) and electronic media, with access to it only by employees of Convex, directly or indirectly related to the diagnostic and treatment activities of the specific patient and their organization and reporting, under a statutory obligation of professional secrecy, including for non-medical professionals.

Your personal data is stored for a longer or shorter period in each case of a legal obligation — by virtue of a legal basis for processing personal data. For example, your personal data contained in documents created for accounting purposes (financial statements, accounting registers, etc.), according to the Accounting Act, is kept for up to 10 (ten) years, payroll records — 50 (fifty) years, and video recordings of visits of patients, other third parties to a Convex laboratory are kept for 2 (two) months from the date of creation of the recording under the Private Security Act. 

The retention period in cases of processing of personal data pursuant to explicit consent is up to 2 (two) years from receipt of the same or until your consent is withdrawn.

In cases where your personal data is processed in order to respond to you on a review and comment sent via the platform of our web pages, the storage period is 6 (six) years.

To whom can we pass the personal data you provide?

Convex undertakes not to disclose your personal data to third parties without your explicit consent, except where this is necessary for the performance of contractual obligations to you. 

For the performance of obligations under contractual and/or pre-contractual relations with you, it is possible Convex to disclose your personal data to the following persons:

– Companies providing courier services, including the individuals who are the legal representatives or authorised agents of these companies, the categories of personal data that may be disclosed in this respect are names and delivery address;

– Companies that provide hosting services related to our web pages and/or their support systems, in which case the data will be processed in encrypted form;

– Third parties performing services in connection with contractual obligations to you or under a lawful basis for processing.

Convex, in certain cases, in compliance with the legal requirements in the field of health services, may provide your processed personal data to public authorities, institutions and third parties, including the National Health Insurance Fund, regional health insurance funds, the Ministry of Health, regional health inspectorates, NRA, NSSI, NSI, National Health Information Centre, other regulatory authorities.

Are there other instances where we can share your personal data?

Your personal data may also be provided to third parties in the following cases:

• At the request of the natural person who provided the data, the subject of the protection of personal data; 
• At the request of competent authorities in accordance with the applicable legislation in the Republic of Bulgaria and the European Union.

In all of the above cases, the entities to which we provide your personal data have declared that they provide an adequate level of protection for your personal data, including foreign companies located within the EU and EEA. With regard to companies located outside the EU and EEA, on a case-by-case basis, the company concerned shall ensure that it provides an adequate level of protection of personal data in compliance with the requirements of European law.

What are your rights regarding the personal data provided?

Subject to Bulgarian and European law, including the General Data Protection Regulation, you may exercise the following rights:

• The right of access to personal data that Convex processed about you and to receive a copy of it;
• Right to request from Convex rectification in the event that you become aware of inaccuracies or the need to update your personal data by emailinginfo@convex.bg;
• The right to request blocking of your personal data or restriction of the processing of personal data in the cases specified by law and the Regulation;
• The right to request deletion, i.e. erasure, of your personal data from Convex if the conditions for this are met;
• The right to object to the processing of your personal data for direct marketing purposes by using the ‘unsubscribe’ link we have placed in every email sent to you containing promotional information about our products;
• The right to object to the disclosure of your personal data to third parties;
• The right, whenever you wish, to withdraw your consent to your personal data being processed for the purposes for which you have given consent, for example for direct marketing purposes, by sending an email to: info@convex.bg;
• The right to request portability of your personal data in a structured, machine-readable format that is commonly used;
• The right to lodge a complaint or an application for the protection of your rights with the Commission for the Protection of Personal Data, if the prerequisites for this exist. You can contact the Personal Data Protection Commission at: 1592 Sofia, 2 Prof. Tsvetan Lazarov Blvd., by e-mail: kzld@cpdp.bg, via website: http://www.cpdp.bg and by phone: 02/91-53-519.

You can exercise all your rights at any time during the processing of your personal data.

Do you have an obligation to provide us with your personal data?

In order to ensure our ability to provide our products and services and to enter into contractual relationships, we collect and process your personal data. We also process your personal data to comply with legal obligations.

In the event of refusal to voluntarily provide the requested personal data on your part, Convex will not be able to provide its products and services, respectively to conclude a contract or to continue the performance of an already concluded contract.

Amendments to the Privacy Policy 

To reflect relevant changes in legislation, we may update and amend our Privacy Policy, so we recommend that all our visitors check for updates promptly and, where necessary, review the latest version of the document.

Here on our web pages is where you will find the most current and up-to-date Privacy Policy. In this way, we ensure that you are informed about your rights and methods of processing your personal data.

This will give you the opportunity to stop using some or all of the services and/or to exercise your rights, some of which are expressly set out above. In addition, we will take all possible measures to inform you in the event of any changes regarding the protection of personal data by placing notices in Convex’ offices and on its web pages. This Privacy Policy has been adopted by Convex and shall be effective as of Year 2018.