The National Health Insurance Fund (NHIF) is a legal person with a registered office in Sofia and its scope of business is to provide compulsory health insurance. Compulsory health insurance is an activity of managing and spending of funds from compulsory health insurance contributions on the purchase of health care activities, which is performed by the National Health Insurance Fund (NHIF) and its territorial units – Regional Health Insurance Funds (RHIF). Compulsory health insurance provides a package of health activities, guaranteed by the NHIF budget. Outside the scope of compulsory health insurance, the medical services specified in the legislation are provided. In connection with its business, NHIF is a controller within the meaning of the General Data Protection Regulation (GDPR).
Our Privacy Notice
The General Data Protection Regulation requires controllers to provide natural persons with specific information on how their personal data are being used (processed). We at NHIF comply with this obligation through this Privacy Notice.
The Privacy Notice contains details about the controller, contact details of the NHIF, contact details of the personal data protection officer (DPO) and contact details of the Commission for Personal Data Protection (CPDP). In this Notice you will find information on the purposes of the processing of personal data, the data storage period, the legal grounds for the processing and, where relevant, the recipients of the data, the transfer of data to third countries, the automated decision-making, as well as information on your rights as a data subject.
For your convenience, the Privacy Notice is divided into chapters containing general information, as well as such relating to specific categories of subjects.
How to Contact Us
In order to exercise your rights relating to the processing of your personal data, you may submit your requests in any of the following ways:
By submitting your data subject rights request in writing to: 1407 Sofia, 1 Krichim Street.
By submitting your data subject rights request in person at: 1407 Sofia, 1 Krichim Street, as well as the addresses of our territorial units – Regional Health Insurance Funds (RHIF).
By submitting your data subject rights request at:
You can find a data subject rights request template here:
If your request requires the submission of personal data to you, we shall notify you and invite you to receive them in person at any of our addresses.
If you have any questions regarding the processing of your personal data and the exercise of your rights, you may contact the Data Protection Officer designated by the NHIF – [email protected]
The NHIF operates in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), as well as the other European and Bulgarian regulations on personal data protection. When processing your personal data, the NHIF shall comply with the following principles:
lawfulness, fairness and transparency;
consistency with the purposes of the processing and data minimisation;
data being accurate and up-to-date;
purpose-based storage limitation;
integrity and confidentiality of processing and guaranteed appropriate security of the personal data.
Legal Grounds for the Processing of Personal Data
NHIF is a legal person established under the Health Insurance Act. The scope of business of the organisation is the provision of compulsory health insurance and other medical services, and in this regard, for our activities in the processing of personal data, we rely on:
Article 6(1)(e) GDPR – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
For the purposes of conclusion and performance of contracts, including employment contracts, we rely on:
Article 6(1)(b) GDPR – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
Where the processing of data involves compliance with a specific legal obligation, the legal basis shall be:
Article 6(1)(c) GDPR – processing is necessary for compliance with a legal obligation to which the controller is subject;
Exceptionally, it is possible to carry out a specific processing activity on the basis of:
Article 6(1)(a) GDPR – the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
Where the NHIF processes sensitive data such as health data, we comply with the additional requirements of GDPR. Thus, for purposes relating to our core function, we process the sensitive data on the basis of:
Article 9(2)(h) GDPR – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
The NHIF processes data concerning the health of health insured persons and other persons, which have been collected in compliance with a legal obligation by our contractual partners, on the basis of:
Article 9(3) GDPR – according to which data concerning health and other special categories of personal data may be processed for the purposes of the management of the services and the healthcare system, with such processing being by or under the responsibility of a professional subject to the obligation of professional secrecy under the law or rules established by national competent bodies.
Your Rights as Data Subjects
In connection with the processing of your personal data, you shall have:
Right of access to your personal data.
Right to rectification or erasure of your personal data.
Right to restriction of their processing.
Right to object to the processing of your data.
Right to data portability (under certain conditions).
In order to exercise any of your rights listed above, please complete the form provided and submit it through any of the communication channels specified in this Notice. We shall register your request even if you have not used this form, but in any case, in order for it to be considered, it must meet the minimum legal requirements – to be in writing and to contain:
name, address, personal number or other similar identifier, or other identification data of the natural person specified by the controller in connection with its activities;
description of the request;
the preferred form of the information when exercising the rights under Articles 15 through 22 of Regulation (EU) 2016/679;
signature, submission date and mailing address.
where the application is submitted by an authorised person, the power of attorney must be attached thereto.
Your Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with a supervisory authority with regard to the processing of your personal data. The supervisory authority in the Republic of Bulgaria is the Commission for Personal Data Protection, 1592 Sofia, 2 Professor Tsvetan Lazarov Blvd, tel.: +359 2 915 3 518, [email protected], [email protected], www.cpdp.bg
How Long Do We Keep Information About You
We strive to keep the information accurate and up-to-date and not to store it for longer than necessary. The storage periods for the personal data processed by the NHIF are in accordance with all regulations.
Information for Citizens
Data Processed by the NHIF
The main purpose of the NHIF is to provide and ensure free and equal access to health care for the health insured persons. In this regard, data on the health insured persons and other persons are being processed for the provision of the medical services provided for by law.
The personal data we process about you differ depending on the medical services you use and the statutory requirements for each of them, but generally they are:
Identification data and contact details – name, personal number, identity card details, address at the time of choosing your General Practitioner, phone number, e-mail, etc.
Data concerning health insurance rights – unique identification number; the grounds for insurance under Article 33 of the Health Insurance Act; contributions paid; the reason for the payment by the NHIF of the medical assistance provided to the insured persons in another Member State in accordance with the rules on coordination of social security systems; Health Insurance Book, European Health Insurance Card;
Special categories of personal data concerning health – hospital stay, clinical path, diagnosis, assigned treatment, ongoing treatment, dental status, etc.
Purpose of the Processing and Legal Grounds
The purposes for which the NHIF processes your personal data are regulated by law. The main purpose of the NHIF is to provide and ensure free and equal access to health care for the insured persons through a package of health activities, determined by type, scope and volume, as well as the free choice of a contractor who has a contract with a Regional Health Insurance Fund. Citizens are also provided with statutory medical services outside the scope of compulsory health insurance.
The main legal acts that regulate the activities and goals of the NHIF are the Health Insurance Act, the Health Act, the NHIF Budget Act, the National Framework Agreement, numerous ordinances and other regulations.
Source of the Data
The main sources of data on the natural persons to whom the data relate are state bodies, as well as providers of medical and dental care and pharmacies under contracts with the NHIF.
To Whom We Provide Your Personal Data
Information on you may be provided to third parties if we are required to do so by law.
We explicitly declare that we shall not use your data for marketing purposes.
Transfer of Personal Data to Third Countries
In connection with its activities, the NHIF shall transfer personal data to third countries only under certain conditions. The transfer shall be carried out only where the country to which the data are transferred ensures adequate protection of the personal data, or where appropriate safeguards are in place. In the absence of such grounds, the transfer of personal data to a third country shall only take place where necessary for important reasons of public interest, for the protection of legal claims, for the protection of the vital interests of the data subject or of other persons.
The Period for Which Your Personal Data shall be Stored
The data shall be stored and processed for a period specified in accordance with the legislation in force and according to the “Nomenclature of cases and lists of documents with terms of storage of the NHIF”.
In the event the need for storage has lapsed, we will securely destroy your personal data without undue delay.
Information for Visitors to Our Website
The website of the National Health Insurance Fund (NHIF) is the primary means of communication with citizens. The website posts decisions from the meetings of the Supervisory Board of the NHIF, financial statements, news and information concerning the health insured persons.
Furthermore, some of the services offered by the NHIF, namely:
Examination of a general practitioner
National list for planned admission in medical establishments for hospital care
Revoked health insurance books
Review of patient records
are accessed through the website and this requires the processing of personal data.
Data We Process and Purposes
Within the services available through our website, we process:
Identification data – in some cases a personal number and an accompanying identifier like a name in order to ensure that we provide information to the person to whom it relates. Most of our services do not require the processing of your personal number and instead are accessible via a “Unique Access Code” or “Digital Certificate”.
Supplementary data – information you provide to us voluntarily for the purpose of report handling or obtaining a consultation.
Data relating to the use of our website – the ITSZOP Directorate of the NHIF, where the NHIF website is hosted, may process data, including the IP addresses of users, in order to achieve an adequate level of information security.
The security of our website is guaranteed by the implementation of adequate technical and organisational measures. The data transfer between the user and the website is carried out via the SSL protocol, which ensures the confidentiality and integrity of the data.
The browsers used for accessing the NHIF website allow for the deletion of all cookies at any time. In order to do this, each user can refer to the browser's help functions. Deleting any cookies may cause the NHIF portal to malfunction.
We use cookies that ensure the proper functioning of the health portal
The NHIF health portal uses the following session and analytics cookies, which are required for its proper functioning: _cfduid2; _gat; _ga; _gid; PHPSESSID; JSESSIONID
Please read the full text of our Privacy Notice