Privacy Policy
Version: 16 April 2026. Applies to the website trinitymedcenter.com (all language versions) and to patient-related processing at Trinity Medical Center.
1. Introduction
This Privacy Policy ("Policy") governs the processing of personal data when you visit and use the website available at https://trinitymedcenter.com (the "Website"), including its subpages and language variants. The Policy is prepared in accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data ("GDPR"), the Bulgarian Personal Data Protection Act and applicable European Union and Republic of Bulgaria legislation.
By using the Website you acknowledge that you have read this Policy. If you do not agree with its terms, you should discontinue use of the Website.
2. Data controller
The controller of personal data within the meaning of Article 4(7) GDPR is:
Trinity Medical Center
address: 117 Zaichar Street, ground floor, 1309 Sofia, Republic of Bulgaria;
telephone: +359 2 421 55 55;
email: info@drguentchev.com.
The controller determines the purposes and means of processing personal data in connection with the Website and, as further explained in Section 4, in connection with patient-related healthcare activities, unless expressly stated otherwise.
3. Scope of processing
This Policy applies to processing carried out through the Website, including: (a) technical provision of access and security; (b) communication in response to enquiries submitted via contact forms or email; (c) use of cookies and similar technologies; (d) statistical and analytics activities as described below.
In addition to processing described for the Website, medical services, medical records management and other healthcare-related processing (including electronic storage, use of email and statutory reporting to public authorities) are described in Section 4 below. Such processing is also governed, where applicable, by informed consent, payer contracts (including relations with the National Health Insurance Fund of Bulgaria), professional secrecy rules and internal policies of the controller.
4. Patient data and healthcare-related processing
Beyond processing connected to the Website, Trinity Medical Center (the "Center", "we", "us") processes personal data (including data concerning health, which constitute special categories of personal data under Article 9 GDPR) in the course of delivering outpatient and other medical services, operating the practice, billing and reimbursement, quality assurance, and fulfilling obligations under the laws of the Republic of Bulgaria and the European Union.
Categories of data. Depending on the clinical situation and applicable law, this may include identity and contact details; date of birth; national identifiers or other official identifiers where their processing is required or permitted by law; insurance, coverage and reimbursement data (including data exchanged with the National Health Insurance Fund of Bulgaria, other payers and contractual partners); medical history, complaints, diagnoses, treatment plans, prescriptions and referrals; documentation of consultations, procedures and interventions; laboratory and imaging results (including from contracted providers); pricing, invoicing and payment records; internal and external correspondence; and technical metadata from clinical or administrative systems (such as access logs where proportionate).
Electronic use, storage and transmission. Patient-related information may be created, accessed, updated, archived and stored electronically in practice-management systems, electronic health records where deployed, document management tools, backup infrastructure and other IT environments operated on-premises or by processors (for example hosting, cloud services, email providers, telemedicine or messaging platforms). Paper files may be maintained in parallel. The Center implements technical and organisational measures appropriate to the risk, including role-based access, authentication, instructions to staff, backup and recovery, and vendor oversight under Article 28 GDPR where relevant. No electronic system can be guaranteed to be entirely free of risk.
Email and similar channels. The Center may use email and comparable electronic means to communicate with patients, referring clinicians, insurers, processors and, where mandatory, public authorities (for example for appointment scheduling, administrative responses, transmission of non-urgent reports or documents when lawfully grounded, and invoicing). Email is not a substitute for emergency services. Standard internet email may transit outside fully controlled environments; residual confidentiality risks exist. You should avoid sending excessive or unnecessary sensitive information without prior agreement on a suitable channel. Staff are instructed to minimise personal data in message bodies and attachments and to use approved accounts and procedures.
Disclosures to public authorities and other recipients. Personal data, including health data, may be supplied in electronic or other form to government and regulatory bodies where EU or Bulgarian law requires or clearly authorises this, including but not limited to: the National Revenue Agency for fiscal, invoicing and accounting compliance; the National Health Insurance Fund of Bulgaria and other bodies under social-health legislation for verification, reporting, statistical returns, pricing and payment; the Ministry of Health and its subordinate structures or national registries where reporting is compulsory; supervisory, accreditation or professional-conduct bodies within their statutory remit; courts, prosecutors or law-enforcement authorities on the basis of a lawful request or enforceable decision; and other competent authorities in fields such as occupational health, communicable disease control or public health emergencies, strictly within the limits set by law. Data may also be shared with laboratories, diagnostic imaging providers, partner hospitals or clinics, medical couriers and IT, payroll or billing service providers acting as processors under Article 28 GDPR or equivalent sector-specific arrangements.
Legal bases (overview). Website-related processing is summarised in Sections 5 and 6. For healthcare activities, processing relies, according to the concrete purpose, on Article 6(1)(b) GDPR (pre-contractual steps or performance of a healthcare services agreement), Article 6(1)(c) GDPR (legal obligation), Article 9(2)(h) GDPR (provision of health care or treatment, management of health-care systems and services pursuant to Union or Member State law or pursuant to contract with a health professional subject to obligations of professional secrecy), Article 9(2)(i) GDPR where Union or Member State law provides for processing necessary for reasons of substantial public interest in the area of public health on a basis that is proportionate and respects the essence of the right to data protection, Article 9(2)(a) GDPR where explicit consent is required for a specific activity, and Article 9(2)(f) GDPR for the establishment, exercise or defence of legal claims where applicable. National provisions implementing Directive 2011/24/EU on patients' rights in cross-border healthcare, the Bulgarian Health Act, implementing regulations on medical documentation, social-security legislation and other special laws may specify additional conditions.
Retention. Medical records and related data are kept for periods determined by healthcare, accounting and tax law, statutory limitation periods for claims, and legitimate archiving needs. Erasure or anonymisation is carried out when permitted by law and once the purpose of processing has ended, without prejudice to minimum statutory retention.
Rights of data subjects. The rights listed in Section 10 apply to patient data as well, subject to Articles 9(2) and 17(3)(d) GDPR and national law where processing is necessary for preventive or occupational medicine, medical diagnosis, provision of health care, public health, archiving in the public interest, scientific or historical research, or legal claims. In particular, the right to erasure may be limited where continued storage is mandatory. Contact details are in Section 2 and Section 15.
Further information. Additional specifics may be provided through informed-consent forms, payer declarations, notices at reception, price lists and internal rules available at the premises. If any such instrument conflicts with the Website-only parts of this Policy, the instrument that specifically governs the relevant healthcare processing prevails.
5. Categories of personal data
Depending on how you interact with the Website, the following categories of data may be processed: identity and contact details (e.g. name, email address, telephone number) voluntarily provided by you; technical and log data (e.g. IP address, date and time of request, browser type and operating system, referring URL); data contained in cookies and similar identifiers; and aggregated or pseudonymised data about use of the Website.
6. Purposes and legal bases for processing
Personal data are processed for the following purposes on the legal bases set out in Article 6 GDPR.
Ensuring operation and security of the Website: legitimate interests of the controller (Article 6(1)(f) GDPR).
Responding to enquiries and communicating with users: performance of pre-contractual steps or contract, or legitimate interests (Article 6(1)(b) and (f) GDPR).
Statistical analysis and improvement of content: legitimate interests (Article 6(1)(f) GDPR), where such interests are not overridden by your rights and freedoms.
Compliance with legal obligations: where required by applicable law (Article 6(1)(c) GDPR).
Consent: where processing cannot be based on another ground and your explicit consent is required (Article 6(1)(a) GDPR), including for certain cookies or marketing communications if expressly offered.
7. Cookies, analytics and event logging
The Website may use cookies and similar technologies to remember settings, maintain sessions and for statistical purposes. Google Analytics (Google LLC or an affiliate) may be used, which sets cookies and processes information about use of the Website. Processing by Google is governed by Google's policies; we recommend reviewing the provider's documentation.
You may control or delete cookies through your browser settings. Refusing certain cookies may limit some functionality of the Website.
A cookie information banner may be displayed; your choices are stored according to the technical parameters of that tool.
8. Recipients and processors
Personal data may be disclosed to hosting, IT and communications service providers, and to providers of analytics tools, acting as processors within the meaning of Article 4(8) GDPR, on the basis of a data processing agreement or other lawful ground.
Where transfers are made to providers outside the European Economic Area, the controller implements appropriate safeguards in accordance with Chapter V GDPR (e.g. standard contractual clauses), unless an adequacy decision applies.
9. Retention periods
Personal data are stored for as long as necessary to fulfil the purposes for which they were collected, including to comply with statutory retention periods for accounting, tax or other records, and for the establishment, exercise or defence of legal claims.
Technical logs and analytics data are generally retained for shorter periods determined by internal rules and the capabilities of the tools used.
10. Rights of data subjects
Subject to the conditions of GDPR and Bulgarian law, you have the right of access; rectification; erasure ("right to be forgotten"); restriction of processing; data portability; objection to processing based on legitimate interests; withdrawal of consent where processing is based on consent, without affecting the lawfulness of processing prior to withdrawal.
To exercise your rights you may send a request to info@drguentchev.com or by post to the controller's address. The controller may request verification of your identity before responding.
11. Right to lodge a complaint
You have the right to lodge a complaint with the Commission for Personal Data Protection, 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria, www.cpdp.bg, if you consider that the processing of your personal data infringes applicable law.
12. Security
The controller implements appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. Nevertheless, transmission of information over the internet cannot be guaranteed as absolutely secure; use of the Website in this respect remains at your own risk.
Disclaimer. To the fullest extent permitted by applicable mandatory law, Trinity Medical Center assumes no responsibility or liability of any kind for leakage, loss, unauthorised disclosure, interception or other compromise of personal data, whatever the cause or channel (including, without limitation, third-party systems, telecommunications or internet infrastructure, malware, compromise of your devices or accounts, hosting, cloud, email or payment services, processors, or events outside the Center's reasonable control). Nothing in this Policy limits or excludes liability where such limitation or exclusion is prohibited by law.
13. Changes to this Policy
The controller may update this Policy when legislation or processing practices change. The current version is published on this page with the version date. Continued use of the Website after publication of changes may constitute acceptance of the updated Policy, unless expressly provided otherwise.
14. Unsolicited promotional communications
Use of contact data published on the Website for sending advertising or commercial communications that have not been expressly requested is not permitted. The controller reserves the right to take legal action in case of violation.
15. Contact
For questions regarding this Policy and the processing of personal data, contact: info@drguentchev.com.