PRIVACY POLICY
of “Medical And Dental Centre Sofia Implant” Ltd. (Sofia Implant Centre)
Effective from: 18.05.2026. Version: 2.0
1. Introduction and scope
The privacy and protection of personal data of our patients, website visitors and prospective clients is of paramount importance to us. This Privacy Policy (the “Policy”) explains how “Medical And Dental Centre Sofia Implant” Ltd., trading as Sofia Implant Centre, collects, processes, stores, shares and protects your personal data.
The Policy has been drafted in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (the “General Data Protection Regulation” or “GDPR”), the Bulgarian Personal Data Protection Act, the Health Act, the Medical Establishments Act and the relevant secondary legislation in the Republic of Bulgaria.
The Policy applies to the personal data we process in connection with: your visits to our website https://sofiaimplantcentre.com and its language versions; the dental and medical services we provide; our marketing activities; and any communication with you by phone, email, social media or other channels.
2. Data controller
The data controller is:
“Medical And Dental Centre Sofia Implant” Ltd. (in Bulgarian: „Медико-дентален център София Имплант“ ООД)
- UIC: 206304001
- Registered office: 251G Ring Road, Sofia 1715, Bulgaria
- Phone (reception): +359 895 750539
- Phone (international consultant): +44 7488 428593
- Phone (emergencies): +359 884 556 569
- Email: info@sofiaimplantcentre.com
- Website: https://sofiaimplantcentre.com
3. Contact for personal data matters
At present, the Clinic is not required to appoint a Data Protection Officer within the meaning of Article 37 GDPR. Questions, requests and complaints regarding the processing of your personal data may be addressed to:
- Email: info@sofiaimplantcentre.com (with subject “GDPR / personal data”)
- In writing to: 251G Ring Road, Sofia 1715, Bulgaria
The Clinic responds to every request within 30 (thirty) days of receipt. For complex or numerous requests, the period may be extended by up to a further 60 days, in which case you will be notified.
4. Categories of data subjects
This Policy covers the following categories of natural persons whose personal data we process:
- patients and prospective patients of the Clinic;
- persons who visit our Website or submit an enquiry via form, email, phone, chat or social media;
- persons who sign up to receive news, offers and marketing communications;
- companions and legal representatives of patients;
- persons who have left reviews, comments or otherwise interacted through the Clinic’s public channels.
5. Categories of personal data we process
5.1. Identification and contact data
First and last name, ID/UCN/passport details (where required for issuing financial documents or for foreign nationals), date of birth, sex, nationality, address, phone number, email address, language of communication.
5.2. Special categories of personal data – health data (Article 9 GDPR)
In connection with the Services we provide, we process the following special categories of personal data relating to your health:
- medical and dental history, past illnesses and operations;
- current diagnoses, symptoms and complaints;
- allergies (including to titanium, latex, anaesthetics and medications);
- medications taken, doses and regimens;
- pregnancy and breastfeeding data;
- smoking, alcohol use and other risk factors;
- X-ray images (OPG), computed tomography (CT) scans, 3D intraoral scans and other imaging studies;
- photographic material of the oral cavity and maxillofacial region (before, during and after treatment);
- laboratory results (full blood count, cardiology tests, etc., required for sedation);
- signed informed consent forms and treatment plans;
- data on procedures performed, implants and prosthetic constructions used (with manufacturer, model and batch number);
- post-operative records, follow-up appointments and any complications.
5.3. Financial and payment data
Data relating to payments made, invoices, bank account details for refund purposes (we do not store full card details – card transactions are processed directly by the payment operator). For card payments we receive only a masked card number and transaction reference.
5.4. Technical data and Website usage data
IP address, type and version of browser and operating system, geolocation data (at country/city level), language and time zone, pages visited, time spent, referring page, device identifiers and data collected via cookies and similar technologies (see section 15).
5.5. Communication data
Content of your emails, chat messages, contact-form submissions, VideoAsk recordings, audio recordings of phone calls (where announced at the beginning of the call), messages on social media and messenger platforms.
5.6. Review and feedback data
The content of reviews, ratings and comments you have voluntarily posted on Google Reviews, Trustpilot, Facebook, Instagram or other public platforms, as well as on feedback forms we provide.
6. Sources of the personal data
We obtain your personal data from the following sources:
- directly from you – when completing the medical questionnaire, submitting an enquiry, attending a consultation, during treatment and when paying for services;
- generated during treatment – X-rays, scans, photographs and medical records produced by your treating team;
- automatically when using the Website – via cookies and server logs;
- from third parties – social media (Meta/Facebook, Instagram), advertising platforms (Meta Ads, Google Ads), partner websites and review platforms, to the extent you have provided consent or the information is publicly available;
- from your legal representatives or companions – where necessary and with your explicit consent;
- from other medical establishments – when requesting epicrises, previous medical documentation or test results (with your consent).
7. Purposes and legal bases for processing
We process your personal data for the following purposes and on the following legal bases:
7.1. Provision of dental services and medical care
Categories of data: identification data, health data (special category), communication data.
Legal bases: Art. 6(1)(b) GDPR (performance of the dental treatment contract); Art. 6(1)(c) GDPR (compliance with legal obligations under the Bulgarian Health Act and Medical Establishments Act); Art. 9(2)(h) GDPR (preventive or occupational medicine, medical diagnosis, the provision of health care or treatment); Art. 9(2)(c) GDPR (protection of vital interests); Art. 9(2)(a) GDPR (explicit consent for specific procedures).
7.2. Preparation of the treatment plan and informed consent
Legal bases: Art. 6(1)(b) and Art. 6(1)(c) GDPR; Art. 9(2)(h) GDPR; Art. 87 of the Bulgarian Health Act on informed consent.
7.3. Financial operations, invoicing and accounting
Legal bases: Art. 6(1)(b) GDPR (performance of contract); Art. 6(1)(c) GDPR (Bulgarian Accountancy Act, Tax-Insurance Procedure Code, VAT Act, Cash Payments Restriction Act).
7.4. Communication with patients and prospective patients
Including responding to enquiries, sending offers, confirming and reminding of appointments, organising transfers and coordinating intermediate consultations.
Legal bases: Art. 6(1)(b) GDPR (pre-contractual and contractual relations); Art. 6(1)(f) GDPR (legitimate interest in customer service).
7.5. Marketing and advertising
Sending newsletters, offers and information about new services, running online advertising campaigns and remarketing.
Legal bases: Art. 6(1)(a) GDPR (your explicit consent for marketing communications) – which may be withdrawn at any time; Art. 6(1)(f) GDPR (legitimate interest in marketing to existing customers for similar services, subject to your right to object).
7.6. Service improvement and analysis
Customer satisfaction analysis, feedback collection, statistical analyses and quality improvement.
Legal bases: Art. 6(1)(f) GDPR (legitimate interest in service improvement); Art. 9(2)(i) GDPR (public health and quality of healthcare services, where data is anonymised).
7.7. Compliance with legal obligations
Maintaining medical records, reporting to the National Health Insurance Fund (where applicable), AML notifications, responses to requests from competent authorities.
Legal basis: Art. 6(1)(c) GDPR.
7.8. Defence of legal claims
Retention of documentation for defence against potential complaints, warranty claims and medical disputes.
Legal bases: Art. 6(1)(f) GDPR; Art. 9(2)(f) GDPR.
7.9. IT and physical security
CCTV in publicly accessible areas of the Clinic (where installed), cyber-security protection, access control.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security).
8. Recipients of personal data
Access to your personal data is granted to a strictly limited number of staff members and data processors acting under our instructions and based on written agreements pursuant to Article 28 GDPR. The categories of recipients are:
8.1. Internal recipients
Dental practitioners, nurses, assistants, dental technicians, treatment coordinators, administration and accounting staff of the Clinic, all bound by professional and contractual confidentiality.
8.2. External data processors
Including, but not limited to:
- CRM and patient management: Kommo (CRM platform for managing leads and patient communications).
- Email communication and marketing: Brevo (transactional and marketing emails); Google Workspace (Gmail for business communication).
- Forms and video intake: Jotform (online enquiry forms and medical questionnaires); VideoAsk (video sessions for initial consultation).
- Telephony: JustCall (telephone platform for calls, recording and call logging).
- Automation and integrations: Make.com (Integromat – workflow automation across systems).
- Hosting and storage: web hosting provider for sofiaimplantcentre.com; Google Drive / Google Workspace (internal documents); specialised software for the storage of imaging and dental records.
- Website analytics and optimisation: Google Analytics, Google Tag Manager, Meta Pixel; site speed optimisation platforms (e.g. NitroPack).
- Advertising: Meta Platforms Ireland Ltd. (Facebook/Instagram advertising), Google Ireland Ltd. (Google Ads and YouTube advertising).
- Payment services: myPOS (card payments at POS terminal), banking institutions (for bank transfers).
- Laboratory services: external dental laboratories and medical laboratories for specialised tests.
- Accounting and legal services: external accounting firms and legal advisers, all bound by professional confidentiality.
- Marketing agency: partner marketing agencies responsible for managing digital campaigns.
8.3. Joint controllers
In certain advertising and analytics activities on social media and platforms (for example when using Facebook Insights, Meta Lead Forms or similar tools), the Clinic and the relevant platform act as joint controllers within the meaning of Article 26 GDPR. Details of the processing carried out by those platforms can be found in their respective privacy policies.
8.4. Public authorities
Including the Bulgarian Ministry of Health, the Executive Agency “Medical Supervision”, the Regional Health Inspectorate, the Bulgarian Dental Association, the National Revenue Agency, the Commission for Personal Data Protection, courts and pre-trial proceedings authorities – solely in the cases and to the extent provided for by law.
9. International transfers of personal data
Some of our processors (including Google, Meta, Brevo, Make.com and others) may process data in countries outside the European Economic Area (EEA). In such cases, transfers are based on:
- European Commission adequacy decisions (Art. 45 GDPR);
- Standard Contractual Clauses approved by the European Commission (Art. 46(2)(c) GDPR);
- the EU-US Data Privacy Framework – for certified US providers;
- other appropriate safeguards under Art. 46 GDPR.
Note: The EU-US Privacy Shield, referenced in previous versions of this Policy, was invalidated by the Court of Justice of the European Union in case C-311/18 (Schrems II) in 2020 and was replaced by the EU-US Data Privacy Framework, which entered into force in July 2023.
10. Retention periods
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The specific retention periods are:
| Category of data | Retention period |
| --- | --- |
| Medical record, treatment plan, informed consent, X-rays, 3D scans, clinical photographs | 5 (five) years following the last examination or completion of treatment, unless a specific statutory provision requires a longer period |
| Medical device traceability records (implants, prostheses) – manufacturer and batch number | Not less than the warranty term (10 years for implants and 5 years for prostheses/crowns) from the date of placement |
| Sick-leave certificates | 10 years from 1 January of the year following the year of issuance (Art. 19 of the relevant National Social Security Institute regulation) |
| Financial and accounting documents (invoices, fiscal receipts, banking documents) | Up to 10 (ten) years under the Bulgarian Accountancy Act and Tax-Insurance Procedure Code |
| Data for marketing communications (newsletter email, etc.) | Until consent is withdrawn or up to 3 (three) years following last activity |
| Enquiries from prospective patients who did not proceed to treatment (in CRM) | Up to 3 (three) years after last contact |
| Audio recordings of phone calls (where recorded) | Up to 12 (twelve) months, save where a dispute is pending or a statutory requirement applies |
| CCTV recordings | Up to 2 (two) months from the recording, save where an incident is pending |
| Cookies and technical Website data | Depending on the type of cookie – see section 15 |
| Data necessary for the defence of legal claims | Until the applicable limitation periods expire (generally 5 years; 10 years for certain claims) |
After the applicable retention period expires, data is securely deleted or irreversibly anonymised.
11. Security of personal data
We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful access, accidental loss, destruction or damage, including:
- physical access control to the Clinic’s premises and archives;
- encryption of sensitive data in transit and at rest, where technically feasible;
- strict access control on a “need-to-know” basis and multi-factor authentication for critical systems;
- regular backups and recovery testing;
- written data processing agreements with all processors (Art. 28 GDPR);
- staff training on personal data protection and medical confidentiality;
- policies on secure use of IT resources and incident response.
In the event of a security breach posing a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Articles 33 and 34 GDPR. Breaches resulting in a risk to your rights will be reported to the Commission for Personal Data Protection within 72 hours.
12. Your rights as a data subject
As a data subject, you have the following rights, which you may exercise at any time:
12.1. Right of access (Art. 15 GDPR) – to obtain confirmation as to whether we process your data, a copy of it and information about the processing.
12.2. Right to rectification (Art. 16 GDPR) – to request the correction or completion of inaccurate or incomplete data.
12.3. Right to erasure / “right to be forgotten” (Art. 17 GDPR) – to request deletion of your data under certain conditions. This right is restricted in respect of medical documentation that we are required to retain by law.
12.4. Right to restriction of processing (Art. 18 GDPR) – where you contest the accuracy of the data, where processing is unlawful, or where retention is required for legal claims.
12.5. Right to data portability (Art. 20 GDPR) – to receive your data in a structured, commonly used and machine-readable format, or to request its transfer to another controller.
12.6. Right to object (Art. 21 GDPR) – to processing based on legitimate interest or direct marketing.
12.7. Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
12.8. Right to lodge a complaint with a supervisory authority – see section 18.
You may exercise these rights by sending a request to info@sofiaimplantcentre.com or to our postal address. We may request additional information to verify your identity. The service is free of charge; in cases of manifestly unfounded or excessive requests, a reasonable fee may be charged.
13. Automated decision-making and profiling
We do not take decisions concerning you that are based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you.
We use marketing tools (remarketing and audience tools) that may involve elements of profiling for advertising purposes, but these do not lead to decisions with legal effect and may be discontinued via the cookie settings and/or directly on the respective platform (Google Ads, Meta).
14. Marketing communications
We send marketing communications (email newsletters, SMS, social media notifications) only if you have given explicit consent, or if you are an existing customer within the exception under Article 261 of the Bulgarian Electronic Communications Act for marketing of similar services.
Every marketing message includes an option to unsubscribe. You may also unsubscribe by email to info@sofiaimplantcentre.com.
15. Cookies and tracking technologies
Our Website uses cookies and similar technologies (web beacons, pixels, local storage).
The types of cookies we use:
- Strictly necessary – for the operation of the Website (sessions, language preferences, consent banner). Cannot be refused. Duration: session or up to 12 months.
- Analytical – for understanding Website use (Google Analytics). Duration: up to 26 months.
- Functionality – for remembering choices and personalisation. Duration: up to 12 months.
- Marketing / targeting – for remarketing and measurement of campaign effectiveness (Meta Pixel, Google Ads conversion). Duration: up to 13 months.
- Third-party – set by partner services. Governed by their respective policies.
You can manage your preferences via the consent banner on your first visit and, at any time, via the “Cookie preferences” link in the Website footer or via your browser settings.
16. Personal data of minors
The Clinic’s Services are intended primarily for persons of full legal age. For treatment of minors (under 18 years of age), the explicit written consent of a parent or legal guardian exercising parental rights is required. Personal data of persons under 14 is processed only on the basis of the explicit consent of a parent/guardian.
We do not knowingly target persons under 18 with marketing communications.
17. Changes to this Policy
We may update this Privacy Policy to reflect changes to our practices, technologies, legislation or regulatory requirements. The current version is published at https://sofiaimplantcentre.com/privacy/ with the date of entry into force.
For material changes affecting your rights, we will notify you in an appropriate manner (prominently on the Website, by email, or at your next visit). We recommend that you review this Policy periodically.
18. Right to lodge a complaint with a supervisory authority
If you believe that the processing of your personal data infringes the GDPR or applicable law, you have the right to lodge a complaint with:
Commission for Personal Data Protection (CPDP)
- Address: 2 Prof. Tsvetan Lazarov Blvd, Sofia 1592, Bulgaria
- Phone: +359 2 915 35 18
- Email: kzld@cpdp.bg
- Website: https://www.cpdp.bg
For cross-border processing, you are also entitled to lodge a complaint with the supervisory authority in the EU Member State of your habitual residence or workplace, or where the alleged infringement took place.
19. Contact
For any questions, requests or concerns regarding this Policy and the processing of your personal data:
“Medical And Dental Centre Sofia Implant” Ltd. (Sofia Implant Centre)
- Address: 251G Ring Road, Sofia 1715, Bulgaria
- Email: info@sofiaimplantcentre.com
- Phone: +359 895 750539
Thank you for taking the time to read our Privacy Policy. We are committed to protecting your personal data and your trust in us.
