COMMON POLICY FOR PERSONAL DATA PROTECTION IN UNION IVKONI Ltd.
1. Introduction
1.1. General Considerations
The present Common Policy for Personal Data Protection (referred to below as „the Policy”) regulates the activities related to the personal data processing performed by Union Ivkoni Ltd., with EIK (UIC): 121444454, having its seat and registered address at the city of Sofia 1000, 17 Tsar Ivan Shishman Str. (referred to below as „the Company” and/or „the Administrator”), with regards to the categories of subjects of personal data which are set out in it, for the purposes of guaranteeing the compliance of this processing with the requirements of REGULATION (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, referred to below as „the Regulation”), as well as with all other applicable regulatory acts of the European Union (EU) and with the national legislation in the area of personal data protection. The present Policy shall apply to all issues related to personal data protection which are not regulated by another explicit or specific provision in other acts of the Company.
1.2. The Policy aims at regulating and including the following issues in particular:
- the activities of personal data processing, the categories of subjects of personal data with regards to which the Policy shall apply, the principles of processing and the liabilities related to the processing;
- the obligations of the persons acting under the responsibility of the Company within the meaning of Art. 29 of the Regulation during the personal data processing and their liability in case of non-performance of these obligations;
- the rights of the subjects of personal data and the procedure for exercising them;
- the procedure related to the personal data processing pursuant to the consent of the subjects of personal data;
- the rules for reaction in case of a personal data security breach;
- the technical and organizational measures for the protection of personal data that shall be applied within the Company.
1.3. Information regarding the Administrator
| Item | Details |
| --- | --- |
| Company | Union Ivkoni Ltd. |
| Data for Registration | Registered with the Commercial Register and the Register of Legal Entities Engaged in a Non-Profit Making Activity of the Registry Agency, with EIK (UIC): 121444454 |
| Seat and Registered Address | City of Sofia 1000, 17 Tsar Ivan Shishman Str. |
| Scope of Activity | Internal and external trade, tour operator and tour agent business, representation, intermediation for and agency of local and foreign persons and legal entities, intermediary business with regards to employee hiring in the country and abroad, transport and forwarding deals in the country and abroad, accommodation, food service, manufacturing and trade with industrial goods, household goods, food and agricultural goods, manufacturing and trade with electric energy, and all other commercial deals that are not prohibited by law. |
| Data Protection Officer | t.bolen@union-ivkoni.com |
2. Used Terms and Abbreviations
All terms and abbreviations that are not explicitly defined in the Policy bear the meaning that has been given to them in the Regulation.
3. Personal Data Processing Activities
3.1. Principles of the Processing of Personal Data
The processing of personal data by the Administrator shall be performed in compliance with the following principles:
- the personal data shall be processed only on the basis of one of the grounds for processing in accordance with the Regulation and/or the other applicable legislation in the field of personal data, and the processing shall be performed in a fair manner and transparently with regards to the subject of personal data (principle of lawfulness, fairness and transparency);
- the personal data shall be collected for explicitly set out and legitimate purposes and shall not be processed further in a manner that is not compatible with these purposes (principle of purpose limitation);
- the personal data shall be adequate, relevant and limited to what is necessary with regards to the purposes for which they are processed (principle of data minimisation);
- the personal data shall be accurate and, where necessary, kept up to date. The Administrator undertakes all reasonable measures in order to guarantee the timely deletion or correction of inaccurate personal data, taking into account the purposes for which they are being processed (principle of accuracy);
- the personal data shall be stored in a form that allows the identification of the subject of personal data for no longer than is necessary with regards to the purposes for which the personal data is being processed (principle of storage limitation);
- the personal data shall be processed in a manner that guarantees a suitable level of security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, disclosure, destruction or damage, by applying suitable technical and organizational measures (principle of integrity and confidentiality);
- the applied technical and organizational measures shall provide ongoing confidentiality, integrity, availability and resilience of the systems and services for personal data processing.
3.2. Categories of Personal Data Subjects. Categories of Personal Data and Purposes of the Processing. Video Surveillance.
3.2.1. The Administrator is entitled to process personal data with regards to its clients and other subjects of data, as follows:
- clients (natural persons) of the Company in its capacity of a carrier, with regards to whom personal data, such as full name (three names), EGN (PIN), IP address, e-mail, telephone number, MAC address, etc., may be processed. The processing of personal data shall be based on the principle of data minimisation, depending on and for the purposes of provision of the services which the relevant client uses, such as a discount for children and/or people above a certain age (EGN (PIN)), use of the online system of the Company for purchasing tickets (IP address; e-mail; telephone number; data related to habits and preferences), use of wi-fi in the buses of the Company (MAC address), etc. The purposes of processing include: (i) provision of the service of transportation and/or the additional services, including the online purchasing of tickets and the use of the website of the Company; (ii) maintenance of a tax and accounting register; (iii) compliance with the legal requirements; (iv) provision of discounts to regular customers; (v) purposes related to the legitimate interests of the Company within the meaning of the Regulation;
- clients (natural persons) of the Company as a tour operator, with regards to whom personal data, such as full name (three names), EGN (PIN), data from personal documents (ID card or passport depending on the chosen destination), data and documents necessary for the purposes of police, border or customs checks or checks by a relevant public authority, visa and/or other types of permitting documents, information regarding family connections and relations (e.g., with regards to tourists below the age of 18 years, in view of the compliance with the requirements regarding parental consent in case of leaving the country, etc.), bank account information (IBAN, in case of online payment), information that matters with regards to the taking out of travel medical insurance, in the type and volume required by the relevant insurance company (companies) and/or the law, contact information (e.g., e-mail address, contact address, telephone number), as well as other data, such as IP address, MAC address of the device, etc., may be processed. The processing of personal data shall be wholly based on the principle of data minimisation, depending on and for the purposes of provision of the services which the relevant client uses, such as use of wi-fi in the buses of the Company (MAC address), use of the website of the Company (IP address; data related to habits and preferences), etc. The purposes of processing include: (i) provision of the requested tour operator service and/or of the additional services, including the use of the website of the Company; (ii) maintenance of a tax and accounting register; (iii) compliance with the legal requirements; (iv) provision of discounts to regular customers; (v) direct marketing; (vi) purposes related to the legitimate interests of the Company within the meaning of the Regulation;
- potential, current and/or former employees of the Company. The Policy on Protection of the Personal Data of the Employees of the Company shall apply with regards to the personal data of the described subjects of data;
- other persons, and persons who are representatives or contact persons of legal entities that are in contact with the Company (including, but not limited to, vendors, business contacts, subcontractors, other counterparties and business partners, etc.), for the purposes of the performance and/or the management of the activity of the Company;
- other persons who act as representatives of persons that are clients of the Company on the basis of the law or a power of attorney (e.g., parents of underage children in case of consents for leaving the country, etc.).
3.2.2. The Company has established a register of the activities of processing of personal data and maintains it in its capacity of an administrator in accordance with Art. 30 of the Regulation (referred to below as „the Register”). The Register is described in detail in item 7 of the Policy and contains the information set out in the Regulation, including the concrete categories of subjects of data, the categories of personal data, and the purposes and the term of processing, categorized per separate activity.
3.2.3. The Company shall store the personal data for the longer of the following periods: either the period necessary for compliance with the applicable laws and subordinate regulatory acts, or another period in accordance with the requirements applicable to the commercial activity of the Company. The processing of the personal data is based on the principle of data minimisation, depending on and for the purposes of provision of the services that the relevant client uses (e.g., a discount for children and/or people over a certain age (EGN (PIN)), etc.). Part of the data may be stored after the completion of the service requested by the client, for the purposes of the provision of discounts to regular clients.
3.2.4. The Company implements video surveillance in areas with public access in the ticket selling units, in the offices and in its service base. The video surveillance shall be performed in accordance with the Administrator's rules for the implementation of video surveillance.
4. Categories of Receivers of Data
The Administrator may disclose personal data to the following persons:
- service providers – consultants, attorneys, accountants, auditors, IT professionals, etc., with regards to the conclusion of the contracts related to the main activity of the Company, compliance with the legal requirements, technical support, etc. Such disclosure shall be performed on the basis of a written agreement with the relevant service provider for the purposes of guaranteeing that the latter will provide an adequate level of protection and compliance with the legislation in the area of personal data;
- subcontractors – when providing services on behalf of the Administrator (commercial representatives, tour operators, tour agents, etc.) on and outside of the territory of the Republic of Bulgaria, with regards to the conclusion and implementation of the contracts for transportation of passengers and for tourist services. Such disclosure shall be performed on the basis of a written agreement with the relevant subcontractor for the purposes of guaranteeing that the latter will provide an adequate level of protection and compliance with the legislation in the area of personal data;
- persons providing services of provision and maintenance of equipment, software and hardware used for processing (including storage) of personal data, for registering of payments, etc.;
- banks, with regards to the servicing of the payments made by the subjects of data for the services of transportation of passengers and/or for tourist services;
- security companies that provide services for private security activity, with regards to the performance of video surveillance in areas with public access in the units for ticket selling of the Administrator;
- public and court authorities, in and up to the volume that is permitted and/or required in accordance with the law;
- insurance companies – with regards to the establishment of insurance policies for travelling during the provision of tourist services;
- other administrators of personal data, in the cases when the Company acts as a processor on their behalf.
5. Obligations of the Administrator
The Administrator has the following obligations:
- to determine the policies and procedures for the protection of the processed personal data, and to comply with the requirements of the Regulation, the EU legislation and the national legislation in the field of personal data protection;
- to determine a data protection officer;
- to provide the organization of the maintenance of the Register, respectively, of the provided measures that shall guarantee an adequate protection;
- to implement suitable technical and organizational measures that have been developed in view of the effective application of the data protection principles, both as at the moment of the determination of the means for the processing and as at the moment of the sole processing;
- to provide the performance of the rights of the persons with regards to personal data protection;
- to implement suitable technical and organizational measures in order to guarantee, and to be able to demonstrate, that the processing of personal data is performed in compliance with the requirements of the Regulation;
- to implement suitable technical and organizational measures in order to guarantee that, by default, only personal data that is necessary for each concrete purpose of the processing is being processed. This obligation is related to the volume of the collected personal data, the extent of the processing, the period of its storage and its accessibility;
- to perform control on the compliance with the requirements for the protection of the Register, to establish circumstances related to a breach of that protection and to undertake measures for their removal;
- to update the maintained registers;
- to maintain the personal data in a form that allows the identification of the relevant persons for a period no longer than necessary in view of the purposes for which this data is being processed;
- periodically, as appropriate, to inform and train the staff with regards to the issues of personal data protection;
- to cooperate with the Commission for Personal Data Protection in its capacity of a supervisory authority under Art. 51 of the Regulation (referred to below as „CPDP”) in the performance of its control functions, and to support the establishment of circumstances related to personal data protection;
- to determine the access rights of the employees to the personal data in the information systems in accordance with the purposes of the processing, so that lawfulness is guaranteed and the principles of processing are complied with;
- to use the services of personal data processors that provide enough guarantees through the application of suitable technical and organizational measures for protection;
- to comply with certain rules in case of infringement of the security of the personal data;
- to document each personal data security breach, including the facts related to the breach, its effects and the remedial actions undertaken;
- to perform a risk assessment in accordance with the requirements of the Regulation and, respectively, a data protection impact assessment when the conditions for this under the Regulation are present.
6. Obligations of the Employees of the Administrator. Liability. Declarations of Confidentiality.
6.1. The Employees of the Administrator begin processing personal data after acknowledging the following:
- the legislation in the field of personal data protection, including the Regulation and the Law on Personal Data Protection (referred to below as „LPDP”);
- the Policy and the other internal acts of the Administrator related to the personal data protection;
- the dangers with regards to the personal data processed by the Administrator.
The employees of the Administrator are obliged:
- to comply with the requirements of the Regulation, the other applicable legislation in the field of personal data protection, the Policy and the other internal acts of the Administrator that are related to personal data protection;
- to process personal data only on the basis of a condition for lawful processing (a legal basis), namely: a basis for processing that stems from the law; or a basis that stems from the contractual relations with the person; or a basis that stems from the explicit consent of the person; or a basis that stems from the legitimate interest of the Administrator or of a third party, where that legitimate interest prevails over the interests, fundamental rights and freedoms of the subject of the data which require personal data protection;
- to use the personal data they have access to in accordance with the purposes for which they were collected, and to refrain from further processing them in a manner that is incompatible with these purposes;
- to refrain from using personal data they have access to in their capacity of employees of the Administrator for any personal purposes whatsoever;
- to avoid any opportunity for unregulated access to personal data and not to leave accessible personal data unattended at their place of work. In premises to which external persons have access, the relevant employees are obliged to undertake measures in order to restrict any unregulated access of external persons to documents containing personal data, including by reviewing, copying or photographing them by technical means;
- when the performance of the particular activity allows it, to limit the personal data used to the minimum;
- to provide and guarantee compliance with the rights of the persons with regards to the processing of personal data;
- to refrain from allowing, supporting or creating conditions for security breaches during the processing of personal data;
- to refrain from sharing with or providing to one another, or to third parties, information of significant importance for the security of the data (their user names, passwords, etc.);
- to refrain from copying files with corporate information that contains personal data onto a portable storage device in unencrypted (or not password-protected) form;
- to refrain from sending by electronic mail to an e-mail address outside of the Company, in files that are not password-protected, any information containing significant volumes of personal data, any special categories of personal data, or any other type of personal data the unregulated access to which might constitute a high risk for the rights and interests of the subjects of data to which it relates;
- to refrain from publishing personal data regarding clients or employees of the Company on public websites, etc., without an adequate legal basis for this;
- to provide cooperation to the data protection officer during the performance of the competences of the latter.
6.2. Responsibility of the Employees
6.2.1. All actions that lead or may lead to unregulated deletion, destruction or alteration of personal data filed with the Administrator in electronic form or on paper, as well as to unregulated sharing/disclosure of personal data by employees of the Company, are forbidden and may lead to the initiation of a procedure with regards to the liability of the relevant employee.
6.2.2. The employees of the Administrator are liable for non-compliance with the provisions of the Regulation and/or the LPDP, and/or the Policy, and/or the other applicable internal acts of the Administrator.
6.2.3. Separately from disciplinary liability, administrative-penal liability and/or penal liability may be borne by the relevant employee, in case the act he or she has committed constitutes an act for which penal or administrative-penal liability is provided.
6.2.4. Separately from disciplinary liability, administrative-penal liability and penal liability, the relevant employee shall bear civil liability, and procedures with regards to the latter may be brought against him or her, if the preconditions for that are present.
6.3. The Administrator shall:
- provide the signing of a declaration for confidentiality and non-disclosure of personal data by all of the employees that process personal data on its behalf;
- maintain information regarding the performance of its obligations for training the employees that process personal data and for training the staff with regards to events that put the security of the personal data in danger.
7. Maintenance of a Register of the Activities of Processing of Personal Data in Its Capacity of an Administrator
According to the requirements of Art. 30, paragraph 1 of the Regulation, the Company shall maintain a Register of the Activities of Processing of Personal Data in Its Capacity of an Administrator, which shall contain the name and the coordinates for contact with the Administrator and the Data Protection Officer. The Register shall include a detailed description of all of the activities of processing of personal data in accordance with Art. 30, paragraph 1 of the Regulation, including the following characteristics:
- name of the activity (the business process, the function) of personal data processing;
- the purposes and the legal bases for processing of personal data;
- the categories of persons with regards to whom personal data are being processed (clients, employees, contact persons of legal entities, etc.);
- the categories of personal data, which are being processed in the scope of the relevant activity;
- processing of special categories of data (e.g., information for health condition, if applicable);
- the sources of personal data;
- third parties that receive or participate, one way or another, in the processing of personal data in the scope of the relevant activity;
- the location (storage) of the personal data;
- the terms provided for the storage and deletion of the various categories of personal data, when possible;
- a basic description of the technical and organizational measures for security, when possible.
8. Maintenance of Registers of the Activities of the Processing of Personal Data in the Capacity of a Processor
Regarding certain activities of personal data processing, the Company acts on the basis of assignation, which means that it acts on behalf of other persons – administrators of personal data, e.g. insurance companies (while performing its tour operator activity). In such cases of processing, the Company acts as a processor of personal data. In compliance with the requirements of Art. 30, paragraph 2 of the Regulation, the Company maintains a Register of the Activities of the Processing of Personal Data in Its Capacity of a Processor, which contains the name and the contact coordinates of the Company and the administrator, on behalf of which it processes the data. The Register includes a detailed description of all the activities (business processes, functions) of personal data processing in accordance with the requirements of Art. 30, paragraph 2 of the Regulation, including at least the following characteristics:
- the categories of processing being performed on behalf of each administrator;
- third parties that receive personal data or participate in another way in the processing of personal data during the performance of the relevant activity;
- when applicable, the transfer of personal data to a third country or to an international organization, including the identification of this third country or international organization and, where required, the suitable safeguards;
- a basic description of the technical and organizational measures for security, when applicable and possible.
9. The Data Protection Officer
The Administrator has designated a Data Protection Officer (referred to below as „DPO”), who shall be involved, properly and in a timely manner, in the resolution of all issues related to the protection of personal data. The DPO has the following obligations and competences:
- to inform and consult the management and the employees, which perform activities related to the processing of personal data, regarding their obligations in accordance with the Regulation and all other applicable regulatory acts of the EU and the national legislation in the field of personal data protection;
- to monitor and to be responsible for the increasing of the knowledge and the trainings of the staff, which participates in operations related to the processing of personal data;
- to prepare and submit for approval internal rules and policies for the protection of personal data, or amendments to the already existing rules and policies;
- to monitor the necessity of changes in the activities related to the processing of personal data and/or the regulating documents related to them;
- to participate in activities related to performance of evaluation of the risk and, when necessary, of the effect of the processing of personal data;
- to act as a single contact point for the subjects of data with regards to the exercise of their rights in accordance with the Regulation;
- to store the applications of the subjects of data with regards to the performance of their rights;
- to store information regarding the security infringements of the personal data protection;
- to maintain registers under Art. 30 of the Regulation with regards to the activities of processing of personal data;
- to exercise overall oversight, to perform regular evaluation, and to consult and provide recommendations and suggestions in view of guaranteeing a suitable level of personal data security.
The responsibilities of the DPO are described in detail in his or her job description (when he or she is an employee of the Company) or in the relevant contract for the provision of services (when he or she is not an employee of the Company).
10. Rights of the subjects of data
The Administrator shall undertake the necessary measures to provide information to the subjects of data regarding the processing of personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The Administrator shall facilitate the exercise of the rights of the subject of data under Articles 15-22 of the Regulation.
Where the requests of a subject of data are manifestly unfounded or excessive (in particular because of their repetitive character), the Administrator may refuse to act on the request. More specifically, the Administrator shall ensure the exercise of the following rights of the subjects of data:
- right of information upon the collection of the personal data from the subject of data or from third parties;
- right of access to the data of the subject of data, and more concretely: (i) confirmation whether any personal data of this subject of data are being processed by the Company; (ii) provision of access to the data via a copy of the data being processed at that time, as well as information regarding the purposes of the processing; the categories of personal data; the recipients or categories of recipients to whom the personal data are or will be disclosed; the terms of storage of the personal data; the existence of a right of rectification or erasure of personal data, of restriction of the processing of personal data, or of objection to the processing; the right to lodge a complaint with a supervisory authority (which in the Republic of Bulgaria is the Commission for Personal Data Protection); the sources of the personal data; the existence of automated decision-making, including profiling;
- right of rectification – to require the correction or completion of his or her personal data in case the latter are inaccurate or incomplete;
- right of deletion of personal data when the bases for this that are set out in the Regulation are present;
- right of limitation of the processing;
- right of data transfer;
- right of objection;
- right of the subject of data not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her;
- provision, change or withdrawal of consent for the processing of personal data, when the basis for the processing is the consent of the subject of data.
The subjects of data may exercise their rights by filing a written application with the Administrator in one of the following manners:
- personally, by a legal representative, or via a representative of the subject of data authorized with a notarized Power of Attorney, at the office of the Company situated at the following address: Sofia, 102 Kn. Maria Luiza Blvd., Serdika Bus Station, floor 2, after identification of the subject of data or of the relevant representative by an employee of the Administrator;
- via electronic mail sent to the DPO, signed with a qualified electronic signature in accordance with the Law on the Electronic Document and the Electronic Certification Services (referred to below as „QES”);
- via mail, by sending a notarized application, for the purpose of identification of the applicant.
All applications filed at the abovementioned office of the Company or via mail shall be forwarded to the DPO, who shall review them without undue delay. Within one month of the filing of the application, the DPO shall notify the subject of data about the actions undertaken on the basis of the application or, respectively, about the reasons for not undertaking any actions and about the possibility of lodging a complaint with a supervisory authority and of seeking a judicial remedy. Where actions are undertaken with regards to the application, the term for notifying the subject of data regarding these actions may be extended by two further months (three months in total), taking into account the complexity and the number of the applications. In such case, the DPO shall notify the subject of data of the extension within the initial one-month term.
The information (which may vary depending on which right of the subject of data was exercised in the application) shall be provided on paper, personally to the subject of data or to his or her legal representative, or to a representative of his or hers explicitly authorized with a notarized Power of Attorney. If the application was filed via electronic mail, the information shall also be provided via electronic mail at the e-mail address from which the application was sent. In such case, the information shall be sent in password-protected files.
11. The Consent of the Subject of Data as a Basis for the Processing of Personal Data.
11.1. Basis
Pursuant to Art. 6, paragraph 1, letter „a“ of the Regulation, the consent of the person is one of the legal bases for lawfulness of the processing of personal data. The consent shall be provided in person by a written declaration, via electronic means or via other means determined by the Administrator, which guarantees that the consent is:
- provided by free will; and
- concrete; and
- informed; and
- unambiguous.
11.2. Subjects of Data
The Company may collect consents for all categories of subjects of data, with regards to which processing of personal data is performed, including for clients and employees.
The consents of the subjects of data shall be collected only in writing by means of declarations for consent, after the performance of identification of the person, in order to prove, in case of necessity, the presence of consent regarding the relevant activity of processing. The consent is a separate basis for processing of personal data and the concrete purposes of the processing shall be stated in it.
11.3. Withdrawal
The Company shall provide the subjects of data with an opportunity to easily change and withdraw their consent, without causing any adverse legal consequences with regards to them, when there is an objective opportunity for this. The changes in or the withdrawal of the consent shall be performed by the subjects of data in accordance with the procedure for the collecting of consents. In case of partial or total withdrawal of consent, when the processing of personal data is performed on this basis, the Company may be unable to provide the service requested by the Client.
11.4. Collection of Consents of Clients
The consents of former, present clients and their representatives shall be collected in one of the following manners:
- personally, in each office or representation of the Company;
- via a licensed postal operator with a notary certification of the statement of consent; or
- a statement of consent signed with a QES and sent via electronic mail to the DPO.
11.5. Collection of Consents of Employees
The consents of former, present employees and candidates for a job shall be collected in one of the following manners:
- personally, in the human resources management unit;
- via electronic work mail – for present employees;
- a statement of consent signed with a QES and sent via electronic mail to the DPO – for former employees and candidates for a job; or
- via a licensed postal operator with a notary certification of the statement of consent.
11.6. Online Provision and Online Withdrawal of Consents
In case that the receipt of consent for the processing of personal data by the Company is required in view of services provided by the Company, which are requested or used online, such consent shall be received (or withdrawn, as the case may be) online as well, in compliance with separate rules for this.
11.7. Storage
All of the consents for the processing of personal data shall be registered and stored by the Administrator.
12. Processing of Personal Data by the Administrator through a Processor of Personal Data.
For the performance of its activities, the Company may use the services of third parties (subcontractors, commercial representatives, service providers, etc.) acting on its behalf when processing personal data and constituting processors of personal data within the meaning of Art. 4, item 8 of the Regulation. Such processors may be:
- commercial companies;
- persons hired pursuant to civil contracts.
Upon the assignation of the processing of personal data to a processor of personal data, the Administrator shall comply with the following requirements:
- the processors that will be chosen shall provide enough guarantees for the application of suitable technical and organizational measures for the protection of the personal data;
- the conditions for the protection of the personal data shall be set out in an additional written agreement or in the main written contract between the Administrator and the processor;
The contracts (respectively, the agreements), which the Administrator concludes with the processors of personal data, shall determine and regulate at least the following:
- the subject and the term of the processing;
- the purposes and the nature of the processing;
- the categories of subjects of data, with regards to the data of whom the processing is being performed;
- the type of the personal data, which the processor will process on behalf of the Administrator;
- the rights and the obligations of the Administrator and the processor;
- the requirements towards the technical and organizational measures for the protection of the personal data, which shall be applied by the processor in compliance with the specifics and the scope of the concrete assignation. Irrespective of the concrete arrangements in such contracts, no deviation is allowed and, respectively, no application of a lower level of protection of the personal data is allowed in comparison with the one that is set out in this Policy;
- obligation of the processor for the provision of cooperation to the Administrator with regards to the performance of its obligations under Articles 31-36 of the Regulation;
- obligation of the processor to notify the Administrator without any unreasonable delay after acknowledging the existence of an infringement of the security of personal data;
- requirements towards the processor and other imperative conditions in accordance with Art. 28, item 3 of the Regulation.
13. Rules for Reaction in Case of Infringement of the Security of the Personal Data
13.1. Basis
The rules of reaction in case of infringement of the security of the personal data are based on the requirements under Art. 33 and Art. 34 of the Regulation.
13.2. Determining of Infringement of the Security by an Employee
In case of an infringement of the security determined by an employee of the Administrator, the relevant employee shall immediately inform the DPO about this in writing (and, if possible, in oral form as well – personally or via a telephone call), whereas he or she shall also provide all the details (as long as there is any information about them) regarding the nature of the infringement, the possible time of the occurrence/performance of the infringement, etc.
13.3. Signals for Infringement of the Security by Third Parties
Signals for cases of infringement of the security by third parties are received by the Administrator in one of the following manners:
- personally, in the office of the Company, situated in Sofia, 102 Kn. Maria Luiza Blvd, Serdika Bus Station, floor 2, after the identification of the person by an employee of the Administrator;
- via electronic mail sent to the DPO by using a qualified electronic signature in accordance with the Law on the Electronic Document and the Electronic Certification Services;
- via mail by sending a signal certified by a notary public.
13.4. Researching the Infringement of the Security and Measures
Without any unreasonable delay, the DPO shall establish a commission for the researching of the case, which commission shall consist of employees of the Administrator having a suitable qualification depending on the particular case. The commission shall research the facts, it shall perform an analysis and evaluation of the severity of the infringement in view of the risk for the rights and the freedoms of the persons, the number of the affected subjects of data, etc., and it shall offer, as may be appropriate, suitable measures for the removal of the infringement, and if this is not possible, it shall offer measures for the minimisation of the identified risks and possible adverse consequences.
13.5. Notification to the CPDP
In case of infringement of the security, the Administrator, acting through the DPO, shall inform the CPDP regarding this within 72 hours as of the determination, unless there is no possibility that the infringement of the security may cause any risk with regards to the rights and the freedoms of the persons.
13.6. Notification to the Subjects of Data
When the infringement of the security may cause a high level of risk with regards to the rights and the freedoms of the persons, the Administrator shall report the infringement of the security of the personal data to the affected subject of data without any unreasonable delay. The message sent to the subject of data shall describe in clear and simple wording the nature of the infringement of the security of the personal data, whereas at least the following shall be stated: the name and the contact details of the DPO; a description of the possible consequences of the infringement of the security of the personal data; a description of the measures for dealing with the infringement of the security of the personal data that are undertaken or that are offered by the Administrator, including measures for the reduction of the possible adverse consequences, as may be appropriate.
The Administrator is entitled to refrain from informing the affected subjects of data about the infringement, if:
(i) it has undertaken suitable technical and organizational measures for protection in advance and such measures have been applied with regards to the personal data affected by the infringement of the security of the personal data (encryption, for example); and/or
(ii) it undertook subsequent measures, which guarantee that there is no possibility of the high risk with regards to the rights and the freedoms of the subjects of data materializing; and/or
(iii) such notification would lead to disproportionate efforts. In such case, the Administrator shall make a public announcement at its own expense on its website and/or by spreading the information regarding the presence of an infringement of the security that may lead to a high risk with regards to the rights and the freedoms of the persons via the mass media.
13.7. Storage
All of the signals for infringement of the security of personal data shall be registered and stored by the Administrator.
13.8. Trainings
The employees engaged in the processing of personal data shall pass periodical trainings for reaction in case of infringements of the security of the personal data.
14. Technical and Organizational Measures for the Protection of Personal Data
14.1. Technical and Organizational Measures of the Company in Its Capacity of an Administrator
Within the scope of activity of the Company, the necessary technical and organizational measures have been provided in view of the protection of the personal data from accidental or illegal destroying, or from accidental loss, from unregulated access, change or distribution, as well as from other illegal forms of processing.
The types of protection are: personal, documentary, protection of automated information systems and/or networks, and cryptographic protection. The measures are in line with the current state of technology and they provide a level of protection that is adequate in view of the risks related to the activities of processing and the category of the protected data.
The concrete technical and organizational measures applied by the Company are listed in detail in Appendix 1 to the present Policy, whereas the latter may be subject to periodical updates.
14.2. Technical and Organizational Measures of the Company in Its Capacity of a Processor
In case that the Company processes personal data in the capacity of a processor for other administrators, the concrete technical and organizational measures applied by the Company in its capacity of a processor shall be determined in individual agreements with the relevant administrator, and if such determination is missing, the Company shall apply the technical and organizational measures applied by the Company in its capacity of an Administrator.
15. Transmitting of Personal Data Outside of the European Economic Area (EEA)
The Administrator may perform international transmitting of data that originate from the European Economic Area (EEA), when the European Commission has acknowledged a certain country outside of the EEA as a country that provides an adequate level of data protection.
For transmitting to countries outside of the EEA, the level of protection of which is not acknowledged by the European Commission, the Administrator shall refer either to a certain derogation that is applicable to the concrete situation in accordance with the Regulation (e.g., if the transmission is necessary for the performance of a contract of the Company with the subject of data), or it shall apply one of the guarantees that are provided in the applicable legislation. In all other cases, the transmitting of personal data to countries outside of the EEA shall be performed on the basis of an explicit consent by the subject of data for the offered transmission of data. In these cases, the necessity of such transmission, the country to which the transmission will be made, as well as the lack of a decision of the European Commission for an adequate level of protection with regards to this country and the lack of suitable guarantees during the offered transmission, shall be brought to the knowledge of the subject of data and his or her consent shall be requested.