PERSONAL DATA PROTECTION POLICY
Art. 1. (1) The present rules (the “Rules”) determine the procedure by which ERP Agency EOOD, with UIC 130977558, collects, records, organizes, structures, stores, adapts or changes, extracts, consults, uses, discloses by transmission, distribution or another way in which data becomes accessible, arranges or combines, restricts, deletes, destroys or otherwise processes personal data for the purposes of its activity.
(2) Depending on the specific situation, ERP Agency EOOD may process data in the capacity of administrator or processor.
(3) The rules have been drawn up in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Art. 2. These Rules govern:
(1) The principles, procedures and mechanisms for personal data processing;
(2) The procedures for notifying the supervisory body in case of security breaches;
(3) The procedures for administration of requests for access to data, correction of the processed data, objections and withdrawal of consents, as well as administration of requests for exercise of other rights, which the subjects of personal data have by law;
(4) The persons who process personal data and their obligations;
(5) The rules for transfer of personal data to third parties in Bulgaria and abroad;
(6) The necessary technical and organizational measures for protection of the personal data from illegal processing and in case of incidents, such as accidental or illegal destruction, loss, illegal access, modification or dissemination;
(7) The technical resources applied in the processing of personal data.
DEFINITIONS
Art. 3. For the purposes of these Rules, the terms used shall have the following meanings:
- LPPD – Personal Data Protection Act.
- CPDP – Commission for Personal Data Protection.
- ORZD – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
- Personal data controller – a natural or legal person, public body, agency or other structure that alone or jointly with others determines the purposes and means for the processing of personal data. In these Rules, “administrator” means the Company.
- Personal data processor – a person or organization that, on the basis of a contract, processes personal data provided by the Company for the agreed purposes.
- Data protection notices – separate notices containing information provided to the data subjects at the moment when the Company collects information about them. These notices can be both general (eg addressed to employees or notices on the organization’s website) and related to processing for a specific purpose.
- Data processing – any activity that is related to the use of personal data. This includes: receiving, recording, storing, performing an operation or a series of data operations such as e.g. organizing, editing, restoring, using, providing, deleting or destroying. The processing also includes the transfer of personal data to third parties.
- Alias - the replacement of information that directly or indirectly identifies an individual with one or more identifiers (“aliases”) so that the person cannot be identified without access to additional information that should be stored separately and be confidential.
- Consent – any freely expressed, specific, informed and unambiguous indication of the will of the data subject, through a statement or clearly confirmatory action that expresses consent to the processing of personal data relating to him.
DATA SUBJECTS AND PERSONAL DATA CATEGORIES
Art. 4. (1) The company collects and processes personal data necessary for the exercise of its rights and obligations as an employer, service provider and contractor in compliance with the requirements of the applicable legislation. The personal data processed by the Company are grouped in registers of processing activities, containing rules for personal data processing, related to:
- workers and employees and contractors under civil contracts;
- job candidates;
- customers;
- service providers.
(2) The following personal data shall be collected regarding the persons employed under labor or civil legal relations in the company and the job candidates:
- Identification: name; PIN (date of birth), permanent and / or current address, telephone, ID card data or passport data;
- Education and professional qualification; data related to education, work experience, professional and personal qualifications and skills;
- Health data: health condition, TEMC decisions, medical certificates, sick leaves and any accompanying documentation;
- Other data: certificate of criminal record, when its presentation is required according to a normative act, as well as other data, the processing of which is necessary for the fulfillment of the rights and obligations of the Company as an employer.
(3) Regarding natural persons, clients of the company, personal data shall be collected, which are necessary for the fulfillment of the legal obligations of the company as a service provider, as follows:
- name, permanent and / or current address, telephone number, identity card data or passport data.
(4) Regarding natural persons, service providers of the company, personal data necessary for the conclusion and execution of contracts for provision of services to the company by external suppliers shall be stored, as follows:
- name, PIN (date of birth), permanent and / or current address, telephone, ID card data or passport data; Email.
(5) The company shall process sensitive data only insofar as this is necessary for the fulfillment of its specific rights and obligations in the field of labor and social security legislation.
PURPOSES AND PRINCIPLES OF PERSONAL DATA PROCESSING
Art. 5. The purposes of the processing of personal data are:
(1) management of human resources, payment of wages and fulfillment of the related obligations of the employer for withholding and payment of health and social insurance of employees, taxes, as well as other rights and obligations of the Company in its capacity as employer;
(2) administration of the company’s relations with clients and provision of services;
(3) concluding and executing contracts with suppliers for the provision of services to the Company.
Art. 6. Personal data shall be processed lawfully, in good faith and transparently in compliance with the following principles:
(1) The data subject shall be informed in advance about the processing of his personal data;
(2) The personal data shall be collected for specific, precisely defined and lawful purposes and shall not be further processed in a manner incompatible with these purposes;
(3) The personal data shall correspond to the purposes for which they are collected;
(4) The personal data must be accurate and, if necessary, updated;
(5) The personal data shall be deleted or corrected when it is established that they are inaccurate or do not correspond to the purposes for which they are processed;
(6) The personal data shall be maintained in a form that allows identification of the respective natural persons for a period, not longer than necessary, for the purposes for which these data are processed.
Art. 7. For data processing to be lawful, at least one of the following conditions must be met:
(1) The data subject has given his consent;
(2) The processing is necessary for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject before the conclusion of a contract;
(3) The processing is necessary for the observance of a legal obligation, which is applied to the administrator;
(4) The processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(5) The processing is necessary for the performance of a task of public interest;
(6) The processing shall be necessary for the purposes of the legitimate interests of the controller, except when the interests or fundamental rights and freedoms of the data subject take precedence over these interests. The purposes for which personal data are processed on this basis must be described in the applicable data protection notices.
CONSENT
Art. 8. (1) The data subject agrees with the processing if he expresses this clearly and unambiguously – through a statement or other confirmatory act. If the consent for the processing of personal data is given through a document that regulates other issues, the request for consent shall be presented separately from the other issues in that document.
(2) Data subjects must be able to easily withdraw their consent to processing at any time, and withdrawal must be respected in a timely manner. If there is no other condition for the lawfulness of the processing, it should be terminated with the withdrawal of the consent.
(3) The declarations for consent shall be kept by the company while actions for data processing are carried out on this ground, with a view to the observance of the principle of accountability.
PROCEDURES FOR PROCESSING PERSONAL DATA
Art. 9. (1) The personal data, referring to the persons, employed under labor or civil legal relations in the Company, as well as to the candidates for work, shall be collected during and on the occasion of the recruitment of personnel. The data of each employee of the Company are stored in personal files, and some data can be stored or processed on a technical medium. The data from conducted competitions and interviews are stored on technical and / or paper media, depending on the need.
(2) The personal files shall be arranged in special lockable file cabinets, located in the office of the Person responsible for the personal data. Data of job applicants which are stored on paper are stored in special cabinets in the office of the Person responsible for personal data. Access to the office is provided only to persons authorized to process personal data, and for this purpose a special procedure is established for entering the room by key, magnetic card or other appropriate means and / or device.
(3) The persons authorized to process personal data shall take all organizational and technical measures for the storage and protection of the personal files and the binders with information, including restriction of the access to them to external persons and unauthorized employees.
(4) Files of the workers and employees, as well as the data of the candidates for work, shall not be exported outside the building of the company.
Art. 10. (1) The personal data relating to clients shall be collected upon submission of an application for provision of a service or conclusion of a contract with a client of the Company.
(2) The personal data, referring to service providers, shall be collected upon concluding a contract with a service provider, as usually the personal data shall be contained in the text of the contracts themselves.
(3) The personal data shall be stored on electronic and paper carrier (signed copies of the concluded contracts), which shall be classified in separate files. The files are stored in lockable cabinets in the office of the Person responsible for personal data. Electronic data is stored in databases.
DOCUMENTATION OF PERSONAL DATA PROCESSING
Art. 11. (1) The company shall document the activities for processing personal data in compliance with the principle of reporting.
(2) The documentation must be sufficient to prove the observance of the principles for lawful processing of personal data.
(3) The processing of data related to the transmission of data to processors established in the country or abroad; storage of data on servers owned by third parties; archiving or deleting data; the introduction of pseudonymization, as well as any other processing whose parameters are different from those described in these rules, is documented by creating protocols that contain the following information:
(a) the purposes of the processing;
(b) the categories of personal data and the categories of data subjects;
(c) the categories of recipients to whom the personal data are or will be disclosed, including recipients in third countries;
(d) the transfer of personal data to a third country;
(e) where possible, the time limits provided for the deletion of the various categories of data;
(f) a general description of the technical and organizational security measures.
(4) The protocols shall be prepared by the persons who carry out the respective data processing, according to the instructions of the Person responsible for the personal data.
(5) The set of all protocols, containing the above-described information, shall constitute the register of the processing activities, according to art. 30 of the ORZD.
MEASURES FOR THE PROTECTION OF PERSONAL DATA
Art. 12. (1) All premises in which personal data shall be stored and processed shall have access control. The possible technical means for access control are:
- security of the premises;
- magnetic card and / or key recognition devices;
- surveillance with video cameras;
- policy of admitting outsiders to the company’s premises only with an escort from the company’s staff.
(2) The premises of the company shall be reliably secured by means of fire-fighting measures according to the Bulgarian legislation.
Art. 13. (1) The company shall establish procedures for processing of personal data, regulation of the access to the data, procedures for destruction and terms for storage, detailed in these Rules. For certain categories of data, pseudonymisation may be envisaged at the suggestion of the Person responsible for personal data.
(2) The reproduction and distribution of documents or files containing personal data shall be carried out only by authorized employees in case of necessity.
Art. 14. (1) Before taking up the respective position, the persons who carry out protection and processing of the personal data:
- undertake not to disclose the personal data to which they have access;
- get acquainted with the legal framework, internal rules and policies of the company regarding the protection of personal data;
- receive training for reaction to events that threaten data security;
- are instructed about the dangers to the personal data that are processed by the company;
- undertake not to share critical information with each other and with outsiders, except in accordance with the procedure established by these Rules.
(2) Upon entering work, all employees shall undergo training for reaction to events endangering data security and training regarding the obligations of the company related to the processing of personal data and the data protection measures to be taken in the course of work. Subsequent staff training and exercises are conducted periodically to ensure knowledge of the regulations, potential risks to data security and measures to reduce them.
Art. 15. (1) Access to the operating system containing files with personal data shall be granted only to persons whose official duties or specifically assigned task require such access. Access is via password.
(2) Electronic databases are protected by logical means of protection, such as an anti-virus program that is updated automatically, firewalls, etc.
(3) Archiving of the personal data on a technical carrier shall be carried out periodically with a view to preserving the information.
Art. 16. (1) The protection of the electronic data from illegal access, damage, loss or destruction, whether committed intentionally by a person or caused by technical malfunctions, accidents, disasters, etc., shall be ensured by means of:
- entering passwords for computers that provide access to personal data and files that contain personal data;
- anti-virus programs, checks for illegally installed software;
- periodic checks of the integrity of the database and updating of the system information, maintenance of the data access system;
- periodic archiving of data on technical media, maintenance of information on paper (archive copies).
(2) The person responsible for the personal data shall periodically report to the management of the company the measures taken for guaranteeing the level of security in the processing of personal data.
SECURITY VIOLATIONS
Art. 17. (1) The persons who have identified signs of a violation of data security shall be obliged to report immediately to the Person responsible for the personal data, providing him with all available information.
(2) The Person responsible for the personal data shall immediately carry out an inspection of the submitted report, trying to establish whether a security breach has been committed and which data are affected.
(3) The Person responsible for personal data shall immediately report to the partners in the Company the available information on the security breach, including information on the nature of the incident, the time of its establishment, the type of damages, the measures taken so far and the measures that must be taken.
(4) After coordination with the management of the company, the Person responsible for the personal data shall take measures for prevention or reduction of the consequences of the breach and for data recovery where possible.
(5) In case of urgency, when coordination with the management would delay the reaction and would cause great damages, the Person responsible for the personal data may at his discretion take measures for prevention or reduction of the consequences of the security breach. In this case, the Person in charge of personal data shall immediately notify the management of the measures taken and shall comply with the received instructions.
Art. 18. (1) In case the security breach is likely to result in a risk for the rights and freedoms of the natural persons whose data are affected, and after approval by the management of the company, the Person responsible for the personal data shall organize the notification of the CPDP.
(2) The notification of the CPDP shall be made without undue delay and, where feasible, not later than 72 hours after the Company first becomes aware of the violation.
(3) The notification to the CPDP shall contain the following information:
(a) a description of the security breach; the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) the name and contact details of the data controller;
(c) a description of the possible consequences of the security breach;
(d) a description of the measures taken or proposed to address the security breach, including measures to mitigate any adverse effects.
(4) When the breach of the security of the personal data is likely to pose a high risk for the rights and freedoms of the natural persons, the Person responsible for the personal data shall without undue delay and in compliance with the applicable legislation notify the affected natural persons.
Art. 19. (1) The company shall keep a register of security breaches containing the following information:
(a) the date on which the infringement was established;
(b) a description of the breach – source, type and extent of the data concerned, cause of the breach (if applicable);
(c) a description of the notifications made: notification of the CPDP and the affected persons, if any;
(d) measures taken to prevent and limit negative consequences for data subjects and for the Company;
(e) measures taken to limit the possibility of subsequent security breaches.
(2) The register shall be kept in electronic format by the Person responsible for the personal data.
PROVISION OF PERSONAL DATA TO THIRD PARTIES
Art. 20. (1) The company may, if necessary, provide personal data to third parties, acting as a processor, on the basis of an explicit contract.
(2) In the cases of providing the data of employees, clients or service providers to a processor, the Company:
(a) requires sufficient guarantees from the processor to comply with legal requirements and good practices for the processing and protection of personal data;
(b) concludes a written agreement or other legal act with identical effect, which regulates the obligations of the processor and meets the requirements of Art. 28 of Regulation (EU) 2016/679;
(c) informs the natural persons whose data will be provided to the processor.
(3) The processing of personal data by processors outside the EU / EEA is permissible only when:
(a) the European Commission has adopted a decision confirming that the country to which the transfer is being made provides an adequate level of protection of the rights and freedoms of data subjects;
(b) Appropriate safeguards are in place – such as Binding Corporate Rules (BIPs), standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism;
(c) The data subject has given his or her explicit consent to the transfer after being informed of the possible risks, or
(d) The transfer is necessary for one of the purposes listed in the ORZD, including the performance of a contract with the data subject, the protection of the public interest, the establishment, exercise or defence of legal claims, or the protection of the data subject’s vital interests in cases where he or she is legally incapable of giving consent.
DATA PROTECTION IMPACT ASSESSMENT
Art. 21. (1) The impact assessment shall be carried out when this is required according to the applicable legislation and in view of the risk for the natural persons and the nature of personal data processing, performed by the Company. Impact assessment is performed for high-risk processing activities.
(2) Impact assessment is necessary at each introduction of a key system or change of business program, which is related to the processing of personal data, including:
- the initial introduction of new technologies or the transition to new technologies;
- automated processing, including profiling or automated decision making;
- large-scale processing of sensitive personal data;
- large-scale, systematic monitoring of a public area.
(3) A protocol shall be drawn up for the assessment, which shall be provided upon request by the CPDP.
DESTRUCTION OF DATA
Art. 22. (1) Destruction of the personal data shall be carried out by the Company or an explicitly authorized person, without prejudice to the rights of the persons to whom the data, subject of the destruction, refer and in observance of the provisions of the respective normative acts.
(2) The information in the registers shall be destroyed after achievement of the purposes of the processing and in case of eliminated necessity for storage.
(3) The destruction of data on paper shall be carried out by cutting with a shredder machine. The electronic data is deleted from the electronic database in a way that does not allow the information to be recovered.
PERSONS RESPONSIBLE FOR THE COLLECTION, PROCESSING AND STORAGE OF PERSONAL DATA AND ACCESS TO PERSONAL DATA
Art. 23. The person responsible for personal data and the persons processing personal data on behalf of the company are natural or legal persons having the necessary competence and appointed and / or authorized by a relevant written act, including through these Rules.
In connection with the protection of personal data in the course of their processing by ERP Agency EOOD, the employee Boyan Vassev (tel. +359 888 613 478, e-mail: boyan.vassev@erp.agency) is appointed as an official for protection of the data.
Art. 24. The person responsible for personal data:
- assists the Company and the persons processing personal data in fulfilling their obligations for personal data protection, ensuring the implementation and maintaining the necessary technical and organizational measures and means for the implementation of data protection;
- ensures the normal functioning of the above-mentioned protection systems;
- controls the entire process of data collection and processing;
- fulfills all obligations for reporting and management of data security breaches;
- periodically requests information from personal data processors relating to their collection of, access to and processing of the data;
- notifies the Company in a timely manner of all irregularities established in connection with the performance of its obligations;
- destroys the data from the paper and technical carriers according to the law and the terms, established in these Rules;
- re-authorizes natural or legal persons with a written act to protect personal data.
Art. 25. (1) The collection, processing, storage and protection of the personal data shall be carried out only by persons to whom this is explicitly indicated and whose official duties or specifically assigned task impose this.
(2) When assigning activities, requiring the processing of personal data from the registers of the company, the service providers shall observe the applicable normative requirements regarding the processing of the personal data and the procedures of art. 19 of these Rules.
(3) The respective state bodies – court, investigation, prosecutor’s office, auditing bodies, etc. may also have access to the personal data. The above may duly request the information in connection with the exercise of their powers.
RIGHTS OF DATA SUBJECTS
Art. 26. (1) Every person has the right to request access to his personal data, including to request confirmation whether the data, concerning him, are processed, to be informed for the purposes of this processing, the categories of data and for the recipients of the data, as well as for the purposes of any processing of personal data relating to him.
(2) The right of access shall be exercised by a request of the affected natural person, received at the address at the registered office of the Company or the official e-mail.
(3) Every natural person has the right to request the deletion, correction or blocking of his personal data, the processing of which does not meet the requirements of the law.
(4) Every person has the right to object in writing against the processing of and / or the provision to third parties of his personal data without the necessary legal grounds.
(5) The company shall be obliged within two weeks from the receipt of a request under the preceding paragraphs to notify the applicant whether there are legal grounds for respecting the request. If the Company establishes that there are legal grounds to grant the request, it shall notify the person of the order in which it may exercise its right.
(6) Data subjects also have the right to:
- withdraw their consent to processing at any time;
- object to the use of their personal data for direct marketing purposes;
- request information on the basis on which their personal data are provided for processing by a non-EU / EEA processor;
- object to a decision taken entirely on the basis of automated processing, including profiling;
- be notified of a breach of data protection, which is likely to lead to a high risk to their rights and freedoms;
- lodge complaints with the regulatory body;
- in some cases to receive or request that their personal data be transferred to a third party in a structured, commonly used format suitable for machine reading (right of portability).
CHANGES TO THE INTERNAL RULES
Art. 27. The Company may change these Rules at any time. All changes should be brought to the attention of those concerned without delay.
These Rules have been adopted and come into force on 25.05.2018.