A medical center contracted by an insurance company to provide examinations and studies to individuals covered by insurance may be a “data controller” under the EU General Data Protection Regulation (GDPR), says the Commission for the Protection of Personal Data of Bulgaria (CPPD).

The CPPD determined that in the case before it, the medical center was a data controller and not a “data processor” because:

  1. The processing of personal data in connection with the carrying out of examinations and research cannot be carried out on behalf of the insurer (data controller) because such services are required, by law, to be carried out by an organization having the status of a “medical establishment” within the meaning of the Bulgarian Law on Medical Establishments.
  2. Special legislation in the field of healthcare provides for a number of obligations, measures, mechanisms, procedures and conditions for the protection of health information containing personal data, which cannot be delegated to a data processor.*

\* Summary based on an informal translation.

View the original CPPD determination.