This Agreement applies between
"Eight Investments" EAD, UIC 206291447, registered address: Sofia, Mladost-1A district, 33 Alexander Malinov Blvd, represented by Yosif Dishliev, Executive Director, hereinafter referred to as the "Contractor"
AND
every Client with whom the Contractor has a duly concluded Agreement for Mediation, Services and Software Usage Rights in connection with the provision of remote medical assistance,
whereas:
a) for the purposes of the performance of the Agreement, the Parties process personal data, including special categories of personal data (health data) within the meaning of Art. 9 of Regulation (EU) 2016/679;
b) the Client acts as a controller of the personal data of its patients when using Healee, and bears the responsibility set out in Art. 29 of Ordinance No. H-5 of 28 April 2026;
c) in compliance with Regulation (EU) 2016/679 ("GDPR"), the Parties wish to regulate their relations with regard to the processing, exchange and protection of personal data,
the Parties have agreed as follows:
1.1. "Applicable Law" means the applicable legislation of the European Union and the Republic of Bulgaria on the protection of personal data, including the GDPR, the Personal Data Protection Act, Ordinance No. H-5 of 28 April 2026, and Ordinance No. H-6 of 2022 on the functioning of the National Health Information System.
1.2. "Health Data" means personal data relating to the physical or mental health of a natural person, including data concerning medical services provided, diagnoses, symptoms, treatment and test results, constituting special categories of personal data under Art. 9 of the GDPR.
1.3. The terms "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Special Categories of Personal Data" and "Supervisory Authority" have the meanings given to them in the GDPR and applicable national legislation.
1.4. All terms for which no definition is given in the Agreement shall have the meaning set out in the Contract, and if no such meaning is given in the Contract — the meaning given to them in the Applicable Law.
2.1. The Parties confirm and agree that:
2.1.1. The Client is the Controller of personal and health data, and the Contractor is the Processor of personal and health data in the provision of remote medical assistance through Healee. The Client determines the purposes, means and legal bases for processing. The Contractor processes, on behalf of the Client and in accordance with its instructions, the following categories of patients' personal data: a) date of birth and national identification number (EGN/LNC); b) data on the remote medical services requested; c) health data.
2.1.2. Each Party shall process the following Shared Personal Data on its own behalf, independently determining the purposes, means and legal bases for their processing: a) names, email addresses and phone numbers of patients and of users of the Platform. With regard to this Personal Data, each Party acts as an independent Controller;
2.2. In the event that during the term of the Agreement the applicable law or the practice of its application changes in a way that requires a review of the Parties' roles, the relevant Party shall immediately notify the other Party and the Parties shall in good faith undertake the necessary changes.
3.1. The Contractor processes personal data in connection with the performance of the Contract and/or pursuant to a documented instruction of the Client, including with regard to the transfer of data to third countries outside the EU, unless required to act under applicable law, in which case it notifies the Client.
3.2. The Contractor ensures confidentiality of the personal data processed and ensures that persons with the right of access to them are bound by an appropriate obligation of confidentiality.
3.3. The Contractor applies appropriate technical and organisational security measures, including: a) encryption and pseudonymisation of personal data in transit and at rest; b) measures to ensure the ongoing confidentiality, integrity, availability and resilience of systems; c) procedures for the timely restoration of data following an incident; d) processes for regularly testing the effectiveness of security measures.
3.4. Upon an established or suspected personal data breach, the Contractor shall notify the Client immediately, and in any case no later than 24 (twenty-four) hours after becoming aware of it, providing all available information on the nature of the breach, the data affected and the measures taken.
3.5. The Contractor assists the Client in fulfilling its obligations under the GDPR, including in the exercise of data subjects' rights.
3.6. At the Client's request, the Contractor shall delete or return all personal data after the completion of the provision of services and shall delete existing copies, unless applicable law requires their retention.
3.7. The Contractor provides the Client with the information required under Art. 28 of the GDPR and assists with audits and inspections.
3.8. For the purposes of performing the services under the Contract, the Client gives general prior written authorisation to the Contractor to engage sub-processors (for example, cloud infrastructure providers, video communication or payment services). The Contractor shall inform the Client of the current list of sub-processors upon request.
3.9. The Contractor shall notify the Client with no less than 14 days' notice of a planned addition or replacement of a sub-processor. The Client has the right to object to the change within 7 days of receiving the notification.
3.10. The Contractor shall ensure that data protection obligations equivalent to those provided for in this Agreement are also applied to sub-processors, and shall be liable to the Client in this respect.
4.1. When using Healee for the provision of remote medical assistance, special categories of personal data within the meaning of Art. 9 of the GDPR are processed, namely health data of patients.
4.2. The processing is carried out pursuant to the Contract and is permissible on the basis of Art. 9(2)(h) of the GDPR.
4.3. The Client is responsible for obtaining the patient's informed consent for the processing of health data in the provision of remote medical assistance.
4.4. The Contractor processes health data solely in the capacity of a Processor and exclusively for the purposes of the technical support of the services under the Contract.
4.5. The Parties apply enhanced technical and organisational measures to protect health data, including encryption in transit and at rest, restricted access on a need-to-know basis, and audit trails for every access.
5.1. The Client is responsible for the lawfulness of the collection and processing of personal data, including health data, of its patients.
5.2. The Client, through the technical capabilities of the Platform, provides data subjects with the information under Art. 13 and Art. 14 of the GDPR, including regarding the transfer of data to the Contractor in its capacity as Processor.
5.3. The Client publishes on its website a notice for data subjects in accordance with Art. 30 of Ordinance No. H-5, and may use a link to the information provided on the Platform.
5.4. The Client is obliged to comply with its obligations as a controller under the GDPR.
6.1. Data subjects have the right to receive certain information about the processing of their Personal Data through a data access request. Data subjects may also request the rectification, erasure, restriction or blocking of their personal data. In addition, data subjects have the right to data portability, the right to object, and the rights related to automated decision-making, including profiling, under the GDPR.
6.2. The Parties agree that responsibility for handling requests to exercise the rights of Data Subjects belongs to:
6.2.1. The Party that received the request, with regard to Shared Personal Data;
6.2.2. The Client, with regard to the personal data under point 2.1.1.
6.3. The Parties agree to cooperate in good faith and in a timely manner so as to ensure the exercise of the rights of Data Subjects in accordance with the Applicable Law and compliance with the applicable deadlines. To this end, each Party undertakes to provide such assistance as is reasonable and commercially justified, which the other Party may reasonably request, in connection with a request from a Data Subject to exercise rights, a complaint or other petition.
7.1. When transferring personal data to recipients established in third countries outside the European Economic Area, the transferring Party is obliged to comply with the requirements of the GDPR.
7.2. The Contractor shall notify the Client of any transfer of personal data to third countries and shall provide the documentation evidencing the safeguards applied.
8.1. Each Party undertakes to apply appropriate technical and organisational measures to protect the Personal Data it processes in the performance of the Contract, in accordance with the requirements of the GDPR and applicable law, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the various risks to the rights and freedoms of natural persons.
8.2. Each Party guarantees that the technical and organisational measures taken:
8.2.1. shall include measures aimed at protecting Personal Data against accidental or unlawful destruction, accidental loss or alteration, unauthorised disclosure or access, as well as against all other unlawful forms of processing.
8.2.2. shall ensure the confidentiality, integrity, availability and resilience of the systems and services related to the processing of personal data, including where applicable through pseudonymisation and encryption of personal data.
8.2.3. shall ensure the restoration of the availability of and access to Personal Data in the shortest reasonable time following an incident.
8.3. Each Party undertakes to take the necessary measures to ensure the reliability of all its employees engaged under employment and/or civil law relationships who have access to Personal Data processed for the performance of the Contract, by ensuring that every person who has access to such Personal Data:
8.3.1. has completed initial training and will undergo regular follow-up training on personal data protection, tailored to the specific processing activities and the specific risks associated with the processing of Personal Data.
8.3.2. has made a commitment to confidentiality or is legally obliged to maintain confidentiality.
8.4. Each Party that processes Personal Data shall take reasonable steps to verify the reliability of each of its employees or sub-processors who may have access to the other Party's personal data. In any event, access to such Personal Data shall be strictly limited solely to individuals who need access to the data in connection with the work they carry out, as defined under the Contract.
8.5. Each Party undertakes to ensure an appropriate level of internal control and monitoring with regard to compliance with the requirements and the fulfilment of the obligations arising from the Applicable Law and this Agreement.
9.1. The Parties agree that the Client is obliged to document the remote medical assistance provided in the National Health Information System (NHIS) in accordance with Ordinance No. H-5.
9.2. The Contractor provides technical mechanisms supporting the documentation in the NHIS by the Client, to the extent that Healee technically supports this functionality at the time.
9.3. The Client bears full responsibility for the timely and accurate completion of the required information in the Platform, so as to enable the entry of electronic health records into the NHIS through the existing integration.