1. “TIT” Ltd, registered in the Commercial Register at the Registry Agency with UIC 127620539, with registered office and management address: Shumen Region, Shumen Municipality, city of Shumen, PC 9700, ATHANAS STOIKOV Street № 7 (the Client) shall act as controller (administrator) with respect to the personal data contained in the information media provided to the Contractor. The controller shall determine the purposes for which personal data are processed and the time limits for carrying out such processing. The Contractor shall act as a processor in respect of such personal data and warrants that it will not, under any circumstances, process such personal data for any purposes determined by the Contractor itself.
2. The Principal and the Contractor undertake to comply with the requirements of the General Data Protection Regulation and all other data protection regulations, including the Medical Institutions Act, the Personal Data Protection Act and other regulations, in the performance of their duties and the exercise of their rights. In this regard, the Client shall ensure that the personal data provided to the Contractor is collected and processed in compliance with the requirements of the aforementioned regulations, including those related to the storage of medical records.
3. The Contractor undertakes to take technical and organizational measures to ensure the confidentiality of the personal data provided for processing and to notify the Client immediately if the security of their protection is compromised.
4. The Contractor shall comply with the agreed terms and conditions for data processing and shall carry out the instructions of the Client in connection with the performance of the personal data processing activities assigned by the latter. The Contracting Authority shall send its orders in writing, including by e-mail, in accordance with the procedures laid down for the exchange of information with the Contractor, allowing at least 7 days for their execution. If urgent action is required due to a security risk to the personal data processed, the Client shall indicate this circumstance and the Contractor shall undertake to take the appropriate action without delay.
5. The Contractor undertakes to notify the Client immediately in the event of a threat to the security of personal data, in accordance with the established procedure for the exchange of information.
6. The Contractor shall notify the Client if the orders contravene the requirements for the protection of personal data, including cases of: apparent contradiction between an order and the rules for processing personal data, where these orders endanger the security of personal data or other confidential information held by the Contractor, or require action that is disproportionate to the risk to the personal data being processed. If the Contractor unreasonably and in breach of its obligations fails to comply with an order of the Employer, thereby endangering the security of personal data or other information confidential to the Employer, the Employer may terminate the contract with 1 month’s notice.
7. The Contractor shall ensure that all of its employees performing functions in connection with the services provided have signed a declaration in a form or have undertaken by virtue of any other binding document to protect the confidentiality of the data, have committed themselves to its protection, and have been instructed on the consequences arising in the event of a breach of confidentiality obligations. The Contractor shall also ensure that the designated employees are familiar with and strictly comply with the standards for the protection of personal data, that regular briefings are conducted in relation to the identification and prevention of threats to the protection of personal data, and that employees are designated who are responsible for taking immediate action in the event of a risk to or breach of the security of personal data processed.
8. Organisational and technical measures taken by the Contractor to ensure data protection shall include measures to restrict physical access to data carriers, measures to prevent unauthorised access and to secure the premises where processing is carried out, and measures to identify unauthorised access and the data affected. The Contractor shall ensure that the data provided to it is encrypted, which limits the risk to the persons to whom it relates, and that it is protected from damage, alteration or destruction, including by recording on a back-up electronic medium that allows timely recovery. The organisational and technical measures implemented by the Contractor shall allow the traceability of authorised access to data and the actions carried out within it.
9. The Contracting Authority, and in particular its Data Protection Officer, will be empowered to take all necessary monitoring measures. Monitoring shall be carried out in coordination with the Contractor, who shall provide the necessary assistance. The Client shall have the right to access all information about the processing of personal data carried out by the Contractor in accordance with the assigned activity, with the exception of information that would put personal data at risk or would lead to the disclosure to the Client of other information that is confidential to the Contractor.
10. The Contractor shall engage third parties (subcontractors) only if the Employer has given its written consent in the contract, or later in a separate letter of agreement. The Contractor will ensure compliance with data protection regulations and will respect the Employer’s right to instruct and inspect any subcontractor.
11. The Contractor undertakes not to store, process or transfer personal data provided by the Client to countries outside the EU without the prior written consent of the Client. If the Client and the Contractor agree on the rules and measures to safeguard the rights of data subjects in relation to the storage, processing or transfer of data to a third country.
12. The Contractor shall ensure the execution of the Client’s orders in relation to the performance of obligations towards personal data subjects, orders related to the rectification, deletion of data, restriction of processing, provision of data with regard to the right to data portability or objections to automated data processing. The Employer shall be obliged to allow at least 10 days for the execution of such orders, within which time the Contractor shall acknowledge receipt of the order and indicate whether it will be able to execute it within the time allowed.
13. In the event that the Contractor collects and carries out automated processing of personal data on behalf of the Principal, the Contractor undertakes to assist in informing the data subjects when initially collecting information about them and in connection with objections to automated data processing.
14. The Contractor shall immediately forward to the Principal any requests received by it from the persons whose personal data are processed in connection with the preceding two points.
15. The Contractor and the Contracting Authority shall inform each other immediately of data protection breaches and irregularities, in particular of suspected non-compliance with data protection provisions. The Contractor shall immediately notify the Client if it has detected unauthorised access to the personal data provided to it. In this case, the Contractor shall provide information on the nature of the breach and the individuals whose data has been affected, the possible consequences of the breach and the measures taken to mitigate these consequences, as well as the measures to address the security breach. The Contractor may delay the provision of information about the infringement only where there is good reason to do so, and shall be obliged to provide the Employer with information about that reason. Information about the breach may be provided to the Contracting Authority in instalments to ensure that the information is provided as soon as possible.
16. The Contracting Authority shall arrange for the notification of the CPC and the persons affected by the breach, and the Contractor shall provide all necessary assistance in this regard.
17. The Contractor shall assist the Employer in connection with the fulfilment of the latter’s obligations to ensure the security of personal data, and may give recommendations and opinions in relation to the data protection measures applied, which are known to the Contractor, as well as the means of access to the information media stored by the Contractor. When conducting an impact assessment carried out by the Contracting Authority, the Contractor shall provide information on the technical and organisational measures applied to protect personal data and give an opinion on the risk associated with the processing, subject to the proviso of paragraph 6 of these General Conditions.
18. Upon completion of the Contract, unless destruction of the personal data carriers by the Contractor has been agreed, they shall be returned to the Client.
19. These General Terms and Conditions shall apply insofar as nothing else is provided for in a contract between the Principal and the Contractor or the above rules are inapplicable due to the nature of the data processing commissioned.