Notification of confidential treatment of personal data
For the purposes of its activity, the Company processes personal data in strict compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR), the Personal Data Protection Act, other applicable legal acts and its policy for the protection of personal data.
Under the General Data Protection Regulation:
• “Personal data” means any information relating to an identified natural person or a natural person who can be directly or indirectly identified (“data subject”).
• “Controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, defines the purposes and means of processing personal data.
• “Personal data processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
• “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.
• “Recipient” means a natural or legal person, public authority, agency or other body, to which the personal data are disclosed, whether a third party or not.
The Controller processes personal data for the following purposes:
• Implementation of the requirements of the labour and social legislation with regard to its employees;
• For concluding and executing contracts;
• Implementation of legal obligations;
• Marketing and advertising information;
• Maintenance and security of the Company’s website and information systems;
• Protection of legitimate interests of the Controller.
Lawful basis for the processing of personal data
The Company processes personal data based on the following legitimate grounds:
• the data subject has consented to his or her personal data being processed for specific purposes;
• processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to the conclusion of a contract;
• processing is necessary to comply with a legal obligation that applies to the Controller;
• processing is necessary for the legitimate interests of the Controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Recipients of personal data
Your personal data can be shared with the following categories of recipients:
• State institutions and bodies;
• Companies which provide the Controller with accounting services, IT security information systems support, website support.
The Company introduces appropriate technical and organizational measures to guarantee the rights and freedoms of data subjects:
• ability to ensure consistent confidentiality, integrity, availability and sustainability of processing systems and services;
• ability to promptly restore availability and access to personal data in the event of a physical or technical incident;
• process of regular testing, assessment and evaluation of the effectiveness of technical and organizational measures in order to ensure the security of the processing.
The Controller shall not transfer any personal data of data subjects to third parties outside the European Union.
Time limits for storing personal data
• Customer personal data are stored for 5 (five) years from the finalization of the relevant contractual relationship;
• Personal data of employees are stored according to the time limits established in the Labour Code and the regulations applicable to it, the Social Insurance Code and the regulations applicable to it, the TIPC, the Accountancy Act, etc.
The personal data contained in the accounting records shall be kept within the following time limits:
• payrolls – 50 (fifty) years as of January 1 (first) of the reporting period following the reporting period to which they relate;
• accounting records and financial statements, including tax audits, and subsequent financial inspections – 10 (ten) years as of January 1 (first) of the reporting period following the reporting period to which they relate;
• all other accounting information media – 3 (three) years as of January 1 (first) of the reporting period following the reporting period to which they relate.
Data subjects’ rights and way of exercising them
Data subjects whose data are processed by the Controller shall have:
• The right to access personal data, including to receive a copy thereof. This right can be exercised by submitting an application for access to information or by filling out a form on the spot in the Company’s office;
• The right to correct inaccurate or incomplete personal data, by sending an application by email or by filling out a form on the spot in the Controller’s office;
• The right to erasure (right to be forgotten) of your personal data, by sending an application or by filling out the required form on the spot;
• The right to limit the processing, which can be exercised by submitting an application online or on paper on the spot in the Company’s office;
• The right to data portability, which can be exercised by sending an online application or by filling out the required form on the spot in the Company’s office;
• The right of objection, which may be exercised by sending an application or by filling out the required paper form on the spot.
Right to appeal to the supervisory authority
In accordance with the General Data Protection Act and the Personal Data Protection Act, data subjects have the right to file a complaint with the Commission for Personal Data Protection at: 2, Prof. Tzvetan Lazarov str., or via the website: www.cpdp.bg.