Art. 1. (1) These rules (the Rules) determine the order in which Simplifix Studio OOD, with UIC 205835255 (the Company), collects, records, organizes, structures, stores, adapts or alters, retrieves, consults, uses, discloses by transmission, dissemination or otherwise making available, aligns or combines, restricts, erases, destroys or otherwise processes personal data for the purposes of its activity.
(2) Depending on the specific situation, the Company may process data in the capacity of controller or processor of personal data.
(3) The Rules have been drawn up in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Art. 2. These RULES govern:
(1) The principles, procedures and mechanisms for personal data processing;
(2) The procedures for notifying the supervisory body in case of security breaches;
(3) The procedures for administration of requests for access to data, correction of the processed data, objections and withdrawal of consents, as well as administration of requests for exercise of other rights, which the subjects of personal data have by law;
(4) The persons who process personal data and their obligations;
(5) The rules for transfer of personal data to third parties in Bulgaria and abroad;
(6) The necessary technical and organizational measures for protection of the personal data from illegal processing and in case of incidents, such as accidental or illegal destruction, loss, illegal access, modification or dissemination;
(7) The technical resources applied in the processing of personal data.
Art. 3. For the purposes of these Rules, the terms used shall have the following meanings:
LPPD – Personal Data Protection Act.
CPDP – Commission for Personal Data Protection.
ORD – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
Data protection officer – a natural person or organization designated in accordance with the requirements of Art. 37 et seq. of the ORD.
[or – if the appointment of a data protection officer is not mandatory – alternatively the following may be included:
Person responsible for personal data – a person who is an employee of the Company, or who performs functions on its behalf, to whom the obligations related to the protection and processing of personal data regulated in these Rules are assigned.
The core activities of the controller or processor do not consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data or of personal data relating to criminal convictions and offences. In view of this circumstance, the Company has no obligation to designate a data protection officer, and it shall not be considered that the Company has designated such a person, or that the Person responsible for personal data has the obligations of, or must meet the requirements for, a data protection officer within the meaning of Art. 37 et seq. of the ORD.]
Personal data controller – a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In these Rules, "controller" means the Company.
Personal data processor – a person or organization that, on the basis of a contract, processes personal data provided by the Company for the agreed purposes.
Data protection notices – separate notices containing the information provided to data subjects at the moment when the Company collects information about them. These notices may be general (e.g. addressed to employees, or notices on the organization's website) or related to processing for a specific purpose.
Data processing – any activity related to the use of personal data. This includes: receiving, recording, storing, and performing an operation or a series of operations on data, such as organizing, editing, restoring, using, providing, deleting or destroying it. Processing also includes the transfer of personal data to third parties.
Pseudonymisation – the replacement of information that directly or indirectly identifies an individual with one or more identifiers ("aliases"), so that the person cannot be identified without access to additional information, which must be kept separately and confidentially.
Consent – any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
DATA SUBJECTS AND PERSONAL DATA CATEGORIES
Art. 4. (1) The company collects and processes personal data, necessary for realization of its rights and obligations as an employer, supplier of goods and services and contractor in observance of the requirements of the current legislation. The personal data processed by the Company are grouped in registers of processing activities, containing rules for processing personal data relating to:
- workers and employees and contractors under civil contracts;
- job candidates;
- service providers.
(2) The following personal data shall be collected regarding the persons employed under labor or civil law relations in the Company and regarding job candidates:
- a) Identification: name; PIN (personal identification number) or date of birth; permanent and/or current address; telephone; ID card or passport data;
- b) Education and vocational training: data related to education, work experience, vocational and personal qualifications and skills;
- c) Health data: health condition, TEMC (Territorial Expert Medical Commission) decisions, medical certificates, sick leave documents and any accompanying documentation;
- d) Other data: a criminal record certificate, where its presentation is required by a normative act, as well as other data whose processing is necessary for the fulfillment of the rights and obligations of the Company as an employer.
(3) Regarding natural persons who are clients of the Company, the personal data necessary for the fulfillment of the legal obligations of the Company as a supplier of goods and services shall be collected, as follows:
- name; PIN (personal identification number) or date of birth; permanent and/or current address; telephone; ID card or passport data; e-mail.
(4) Regarding natural persons who are service providers of the Company, the personal data necessary for the conclusion and execution of contracts for the provision of services to the Company by external suppliers shall be stored, as follows:
- name; PIN (personal identification number) or date of birth; permanent and/or current address; telephone number; ID card or passport data; e-mail.
(5) The Company shall process sensitive data only insofar as this is necessary for the fulfillment of its specific rights and obligations in the field of labor and social security legislation.
PURPOSES AND PRINCIPLES OF PERSONAL DATA PROCESSING
Art. 5. The purposes of the processing of personal data are:
(1) management of human resources, payment of wages and fulfillment of the related obligations of the employer for withholding and payment of health and social insurance contributions of employees and of taxes, as well as other rights and obligations of the Company in its capacity as employer;
(2) administration of the relations with clients of the company and provision of goods and services;
(3) concluding and executing contracts with suppliers for the provision of goods and services to the Company.
Art. 6. Personal data shall be processed lawfully, in good faith and transparently in compliance with the following principles:
(1) The data subject shall be informed in advance about the processing of his personal data;
(2) The personal data shall be collected for specific, precisely defined and lawful purposes and shall not be further processed in a manner incompatible with these purposes;
(3) The personal data shall correspond to the purposes for which they are collected;
(4) The personal data must be accurate and, if necessary, updated;
(5) The personal data shall be deleted or corrected when it is established that they are inaccurate or do not correspond to the purposes for which they are processed;
(6) The personal data shall be maintained in a form that allows identification of the respective natural persons for a period, not longer than necessary, for the purposes for which these data are processed.
Art. 7. In order for data processing to be lawful, at least one of the following conditions must be met:
(1) The data subject has given his or her consent;
(2) The processing is necessary for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject prior to entering into a contract;
(3) The processing is necessary for compliance with a legal obligation to which the controller is subject;
(4) The processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(5) The processing is necessary for the performance of a task carried out in the public interest;
(6) The processing is necessary for the purposes of the legitimate interests of the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. The purposes for which personal data are processed on this basis must be described in the applicable data protection notices.
Art. 8. (1) The data subject consents to the processing if he or she expresses this clearly and unambiguously, by a statement or by another affirmative act. If consent to the processing of personal data is given in a document that also regulates other matters, the request for consent shall be presented in a manner clearly distinguishable from those other matters.
(2) Data subjects must be able to withdraw their consent to processing easily and at any time, and the withdrawal must be acted upon in a timely manner. If there is no other lawful basis for the processing, it shall be terminated upon withdrawal of the consent.
(3) The declarations for consent shall be kept by the company while actions for data processing are carried out on this ground, in view of the observance of the principle of accountability.
PROCEDURES FOR PROCESSING PERSONAL DATA
Procedure for processing personal data relating to persons employed in employment or civil relations in the company, as well as job applicants
Art. 9. (1) The personal data relating to persons employed under labor or civil law relations in the Company, as well as to job candidates, shall be collected during and in connection with the recruitment of personnel. The data of each employee of the Company are stored in personal files, and some data may be stored or processed on a technical medium. The data from conducted competitions and interviews are stored on technical and/or paper media, depending on need.
(2) The personal files shall be kept in special lockable cabinets located in the office of the Person responsible for personal data. The data of job applicants that are stored on paper shall be kept in special cabinets in the office of the Person responsible for personal data. Access to the office is granted only to persons authorized to process personal data, for which purpose a specific procedure for entering the room by key, magnetic card or other suitable means and/or device shall be established.
(3) The persons authorized to process personal data shall take all organizational and technical measures for the storage and protection of the personal files and the binders with information, including restricting access to them by external persons and unauthorized employees.
(4) The files of workers and employees, as well as the data of job candidates, shall not be taken outside the Company's building.
Procedure for processing personal data relating to customers and suppliers of goods and / or services
Art. 10. (1) The personal data, referring to clients, shall be collected upon submission of an application for provision of goods or services or concluding a contract with a client of the Company.
(2) The personal data relating to suppliers of goods and/or services shall be collected upon concluding a contract with the respective supplier, as the personal data are usually contained in the text of the contracts themselves.
(3) The personal data shall be stored on electronic and paper media (signed copies of the concluded contracts), which shall be classified in separate files. The files are stored in lockable cabinets in the office of the Person responsible for personal data. Electronic data are stored in databases.
DOCUMENTATION OF PERSONAL DATA PROCESSING
Art. 11. (1) The Company shall document its personal data processing activities in compliance with the principle of accountability.
(2) The documentation must be sufficient to demonstrate compliance with the principles of lawful processing of personal data.
(3) Processing that involves the transmission of data to processors established in the country or abroad; the storage of data on servers owned by third parties; the archiving or deletion of data; the introduction of pseudonymisation; as well as any other processing whose parameters differ from those described in these Rules, shall be documented by drawing up protocols containing the following information:
- (a) the purposes of the processing;
- (b) the categories of personal data and the categories of data subjects;
- (c) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries;
- (d) any transfer of personal data to a third country;
- (e) where possible, the envisaged time limits for erasure of the different categories of data;
- (f) a general description of the technical and organizational security measures.
(4) The protocols shall be drawn up by the persons who carry out the respective data processing, according to the instructions of the Person responsible for personal data.
(5) The set of all protocols containing the above information shall constitute the register of processing activities under Art. 30 of the ORD.
MEASURES FOR THE PROTECTION OF PERSONAL DATA
Art. 12. (1) All premises in which personal data are stored and processed shall be subject to access control. Access control may be implemented by the following technical and organizational means:
- physical guarding of the premises;
- magnetic card and/or key recognition devices;
- a policy of admitting outsiders to the Company's premises only when accompanied by the Company's staff.
(2) The premises of the company shall be reliably secured by means of fire-fighting measures according to the Bulgarian legislation.
Documentary protection measures
Art. 13. (1) The company shall establish procedures for processing of personal data, regulation of the access to the data, procedures for destruction and terms for storage, detailed in these Rules. For certain categories of data, pseudonymisation may be envisaged at the suggestion of the Person responsible for personal data.
(2) The reproduction and distribution of documents or files containing personal data shall be carried out only by authorized employees and only when necessary.
Personal protection measures
Art. 14. (1) Before taking up the respective position, the persons who carry out the protection and processing of personal data:
- undertake an obligation not to disclose the personal data to which they have access;
- become acquainted with the legal framework, internal rules and policies of the Company regarding the protection of personal data;
- undergo training on responding to events threatening data security;
- are instructed on the risks to the personal data processed by the Company;
- undertake not to share critical information with each other or with outsiders, except in accordance with the procedure established by these Rules.
(2) Upon starting work, all employees shall undergo training on responding to events endangering data security, as well as training on the Company's obligations related to the processing of personal data and the data protection measures to be taken in the course of work. Subsequent staff training and exercises are conducted periodically to ensure knowledge of the regulations, of the potential risks to data security, and of the measures for reducing them.
Measures for protection of automated information systems and cryptographic protection
Art. 15. (1) Access to the operating system containing files with personal data shall be granted only to persons whose official duties or specifically assigned tasks require such access. Access is protected by password.
(2) Electronic databases are protected by logical means of protection, such as an antivirus program that is updated automatically, firewalls, etc.
(3) Backup copies of the personal data shall be made periodically on a technical medium in order to preserve the information.
Art. 16. (1) The protection of electronic data from unlawful access, damage, loss or destruction, whether caused intentionally by a person or by technical malfunctions, accidents, disasters, etc., shall be ensured by means of:
- passwords for the computers that provide access to personal data and for the files that contain personal data;
- antivirus programs and checks for unlawfully installed software;
- periodic checks of the integrity of the databases, updating of the system information, and maintenance of the data access system;
- periodic backup of data on technical media and maintenance of information on paper (archive copies).
(2) The person responsible for the personal data shall periodically report to the management of the company the measures taken for guaranteeing the level of security in the processing of personal data.
Art. 17. (1) Persons who identify signs of a breach of data security shall be obliged to report immediately to the Person responsible for personal data, providing him or her with all available information.
(2) The Person responsible for personal data shall immediately investigate the report, seeking to establish whether a security breach has occurred and which data are affected.
(3) The Person responsible for personal data shall immediately report to the partners in the Company the available information about the security breach, including the nature of the incident, the time at which it was established, the type of damage, the measures already taken and the measures still to be taken.
(4) After coordination with the management of the Company, the Person responsible for personal data shall take measures to prevent or reduce the consequences of the breach and to enable data recovery where possible.
(5) In urgent cases, where coordination with the management would delay the response and cause significant damage, the Person responsible for personal data may, at his or her own discretion, take measures to prevent or reduce the consequences of the security breach. In such a case, the Person responsible for personal data shall immediately notify the management of the measures taken and shall comply with the instructions received.
Art. 18. (1) Where the security breach is likely to result in a risk to the rights and freedoms of the natural persons whose data are affected, and after approval by the management of the Company, the Person responsible for personal data shall organize the notification of the CPDP.
(2) The notification to the CPDP shall be made without undue delay and, where feasible, not later than 72 hours after the Company first became aware of the breach.
(3) The notification to the CPDP shall contain the following information:
- (a) a description of the security breach; the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- (b) the name and contact details of the data controller;
- (c) a description of the possible consequences of the security breach;
- (d) a description of the measures taken or proposed to address the security breach, including measures to reduce any adverse effects.
(4) When the breach of the security of the personal data is likely to pose a high risk for the rights and freedoms of the natural persons, the Person responsible for the personal data shall without undue delay and in compliance with the applicable legislation notify the affected natural persons.
Art. 19. (1) The company shall keep a register of the security breaches, which shall contain the following information:
- (a) the date on which the infringement was established;
- (b) a description of the breach – source, type and extent of the data concerned, cause of the breach (if applicable);
- (c) description of the notifications made: notification to the CPDP and the affected persons, if any;
- (d) measures taken to prevent and limit negative consequences for data subjects and for the Company;
- (e) measures taken to limit the possibility of subsequent security breaches.
(2) The register shall be kept in electronic format by the Person responsible for the personal data.
PROVISION OF PERSONAL DATA TO THIRD PARTIES
Art. 20. (1) The Company may, where necessary, provide personal data to third parties acting as processors, on the basis of an explicit contract.
(2) When providing the data of employees, customers or suppliers of goods and/or services to a processor, the Company:
- (a) requires sufficient guarantees from the processor that it complies with the legal requirements and good practices for the processing and protection of personal data;
- (b) concludes a written contract or other legal act with equivalent effect, which regulates the obligations of the processor and meets the requirements of Art. 28 of Regulation (EU) 2016/679;
- (c) informs the natural persons whose data will be provided to the processor.
(3) The processing of personal data by processors outside the EU/EEA is permissible only where:
- (a) the European Commission has adopted a decision confirming that the country to which the transfer is made ensures an adequate level of protection of the rights and freedoms of data subjects;
- (b) appropriate safeguards are in place, such as Binding Corporate Rules (BCRs), standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism;
- (c) the data subject has given his or her explicit consent to the transfer after having been informed of the possible risks; or
- (d) the transfer is necessary for one of the purposes listed in the ORD, including the performance of a contract with the data subject, the protection of an important public interest, the establishment, exercise or defence of legal claims, or the protection of the vital interests of the data subject where he or she is physically or legally incapable of giving consent.
DATA PROTECTION IMPACT ASSESSMENT
Art. 21. (1) A data protection impact assessment shall be carried out where required by the applicable legislation, having regard to the risk for natural persons and the nature of the processing of personal data performed by the Company. An impact assessment is performed for high-risk processing activities.
(2) An impact assessment is necessary whenever a key system is introduced or a business process related to the processing of personal data is changed, including:
- the initial introduction of new technologies or the transition to new technologies;
- automated processing, including profiling or automated decision making;
- large-scale processing of sensitive personal data;
- large-scale, systematic monitoring of a public area.
(3) A protocol shall be drawn up for the assessment, which shall be provided upon request of the CPDP.
DESTRUCTION OF DATA
Art. 22. (1) The destruction of personal data shall be carried out by the Company or by an explicitly authorized person, without prejudice to the rights of the persons to whom the data subject to destruction relate, and in compliance with the provisions of the relevant normative acts.
(2) The information in the registers shall be destroyed once the purposes of the processing have been achieved and there is no further need for storage.
(3) Data on paper shall be destroyed by shredding or burning. Electronic data shall be deleted from the electronic database in a manner that does not allow recovery of the information.
PERSONS RESPONSIBLE FOR THE COLLECTION, PROCESSING AND STORAGE OF PERSONAL DATA AND ACCESS TO PERSONAL DATA
Art. 23. The person responsible for personal data and the persons processing personal data on behalf of the company are natural persons with the necessary competence and appointed by a relevant written act, including through these Rules.
Art. 24. The person responsible for personal data:
- assists the Company and the persons processing personal data in fulfilling their obligations for personal data protection, ensuring the implementation and maintaining the necessary technical and organizational measures and means for the implementation of data protection;
- ensures the normal functioning of the above-mentioned protection systems;
- controls the entire process of data collection and processing;
- fulfills all obligations for reporting and management of data security breaches;
- periodically requests information from the persons processing personal data in connection with their collection, access and processing;
- notifies the Company in due time for all irregularities established in connection with the performance of its obligations;
- destroys the data from the paper and technical carriers according to the law and the terms, established in these Rules;
- authorizes, by a written act, natural or legal persons to carry out tasks related to the protection of personal data.
Art. 25. (1) The collection, processing, storage and protection of the personal data shall be carried out only by persons to whom this is explicitly indicated and whose official duties or specifically assigned task impose this.
(2) When assigning activities that require the processing of personal data from the Company's registers, the service providers shall observe the applicable normative requirements regarding the processing of personal data and the procedure under Art. 20 of these Rules.
(3) The competent state bodies (court, investigation, prosecutor's office, auditing bodies, etc.) may also have access to the personal data. Such bodies may request the data in the prescribed manner in connection with the exercise of their powers.
RIGHTS OF DATA SUBJECTS
Art. 26. (1) Every person has the right to request access to his or her personal data, including to request confirmation as to whether data relating to him or her are being processed, and to be informed of the purposes of that processing, the categories of data concerned and the recipients of the data.
(2) The right of access shall be exercised by a request from the natural person concerned, received at the address of the registered office of the Company or at its official e-mail address.
(3) Every natural person has the right to request the deletion, correction or blocking of his or her personal data where the processing does not meet the requirements of the law.
(4) Every person has the right to object in writing to the processing and/or the provision to third parties of his or her personal data where there is no lawful basis for it.
(5) Within two weeks of receiving a request under the preceding paragraphs, the Company shall notify the applicant whether there are legal grounds for granting the request. If the Company establishes that there are legal grounds for granting the request, it shall inform the person of the manner in which he or she may exercise the right.
(6) Data subjects also have the right to:
- withdraw their consent to processing at any time;
- object to the use of their personal data for the purposes of direct marketing;
- request information on the basis on which their personal data have been provided for processing by a processor outside the EU / EEA;
- object to a decision taken entirely on the basis of automated processing, including profiling;
- be informed of a breach of data protection which is likely to lead to a high risk to their rights and freedoms;
- lodge complaints with the regulatory authority;
- in some cases, receive or request that their personal data be transferred to a third party in a structured, commonly used format suitable for machine readability (portability right).
CHANGES TO THE INTERNAL RULES
Art. 27. The Company may change these Rules at any time. All changes should be brought to the attention of those concerned without delay.
These Rules are adopted and enter into force on the date of signing.
Sofia, November 18, 2021
Manager of Simplifix Studio OOD