POLICY ON TRANSPARENCY IN PROCESSING OF PERSONAL DATA
This Policy includes all actions on the collection and processing of personal data by “Encho Enchev – ETE” EOOD (sole owner limited liability company), unified identification code (UIC) 104675804, and is in compliance with the legal framework of the General Data Protection Regulation (GDPR).
The officer in charge of the data protection at “Encho Enchev – ETE” EOOD is responsible for the legality, completeness and clarity of the information provided when personal data are collected. He/she establishes all conditions for informing and acquainting the data subject and he/she publicly announces the Declaration of confidentiality on the webpage of “Encho Enchev – ETE” EOOD thus enabling the subjects to become acquainted with its contents before “Encho Enchev – ETE” EOOD starts collecting and processing their data. All employees at “Encho Enchev – ETE” EOOD, who by virtue of their employment duties process personal data, shall adhere to this policy.
“Encho Enchev – ETE” EOOD identifies the legal grounds for personal data processing before the performance of any operations whatsoever related to the processing. For each category of personal data, the company clearly establishes, defines and documents the following:
- Consent freely expressed by the data subject;
- Fulfillment of a contract under which the data subject is a party or undertaking of steps following a request by the data subject before concluding a contract;
- The processing is necessary for meeting a legal obligation applied towards “Encho Enchev – ETE” EOOD;
- Processing is necessary in order to protect vitally important interests of the data subject or of another natural person;
- Processing is necessary for the purposes of the legitimate interests of “Encho Enchev – ETE” EOOD or of a third party except when the interests or the fundamental rights and freedoms of the data subject have priority over those interests.
“Encho Enchev – ETE” EOOD hereby states that the company does not process special categories of personal data as defined in Art. 9, paragraph 1 of the GDPR; therefore it does not have to establish, define or record the presence of legal grounds for lifting the ban on their processing.
According to the requirements of GDPR, “Encho Enchev – ETE” EOOD provides to the data subjects the legally required information in the form of a Declaration of confidentiality.
As “Encho Enchev – ETE” EOOD collects personal data from more than one source, the company places this Declaration of confidentiality at all contact points with the data subjects, to facilitate their access to it.
3.1 “Encho Enchev – ETE” EOOD provides the following information to the data subjects when collecting the data:
3.2 When the personal data has been obtained from a source different from the data subject, “Encho Enchev – ETE” EOOD provides the former with the information listed in item 3.1 above.
By providing the information, “Encho Enchev – ETE” EOOD meets the following requirements of GDPR:
5.1. Purpose of the procedure.
All personal data processed by “Encho Enchev – ETE” EOOD fall within the scope of this procedure, which is in compliance with the legal framework of Articles 12, 15, 16, 17, 18, 20 and 21 of the General Data Protection Regulation (GDPR).
The data subject or any employee may, in order to protect their rights, file the following requests with the company:
5.2. Course of the procedure
The methods of filing requests with “Encho Enchev – ETE” EOOD are described in the Procedure for the methods of communication at the event of complaints and requests by the data subject.
“Encho Enchev – ETE” EOOD accepts requests by the data subjects filed in any other way, by observing the terms of this procedure.
The request is submitted on paper to the administrative address of the company: ................................, or to the email address: ........................, either in person or through an authorized representative or signed with an electronic signature respectively, when submitted electronically. The following rules shall be observed when the request is submitted:
The data subject provides to “Encho Enchev – ETE” EOOD data about his/her identity which can identify him/her certainly and unambiguously (data from personal documents, work position, customer number, email address, etc.).
The processing of the request is performed in the following way:
When the case is of a request by the data subject for obtaining access to his/her data, “Encho Enchev – ETE” EOOD ensures access to the data (for instance, by providing their copy) and in addition sends the following information:
Upon a request by the data subject for rectification or erasure, or upon an objection regarding the processed personal data, the manager of “Encho Enchev – ETE” EOOD has to assess each of these requests (apart from the request for access to data) with regard to the substantiality of the right of the subject/company employee and the existence of other legal requirements for satisfying it.
Upon the receipt of the respective request:
“Encho Enchev – ETE” EOOD uses the following email address to reply to the requests of data subjects: ............................. or the following postal address should the reply be on paper: ...............................
5.3. Limitations
The EU law or the national legislation may allow for restrictions on the exercise of the rights of the data subjects during the fulfilment of this procedure with the purpose of guaranteeing as follows:
5.4. Transfer of personal data
“Encho Enchev – ETE” EOOD is responsible for the transfer of data without hindrance and guarantees that they are transferred with the respective level of communication security. “Encho Enchev – ETE” EOOD shall assess the specific risks related to the portability of data and shall undertake appropriate measures for risk mitigation.
5.5. Transmission of personal data or transfer to another controller
“Encho Enchev – ETE” EOOD informs the data subjects on the existence of a right to portability at the time of receipt of personal data.
At the receipt of a request for transmission or transfer of personal data to another controller, “Encho Enchev – ETE” EOOD processes the request of the subject by adhering to the following rules:
- Each received request is immediately sent to the officer, who checks for clear and indisputable proof of the identity of the data subject in the form of data from personal documents, customer number, email address, position (for employees) or any other unambiguous identifier;
- The officer checks whether the data stated by the data subject/employee have been received on the grounds of consent or a contract and whether they have been processed in an automated manner. If these requirements have not been met, “Encho Enchev – ETE” EOOD has the right to refuse to satisfy the request;
- When the requested data concern a third party (or parties), the company manager assesses whether the transmission of data to another personal data controller would harm the rights and freedoms of other data subjects;
- The officer checks whether the personal data prepared for transmission/transfer are solely and exactly the data which the data subject/employee has requested to be transmitted or transferred respectively;
- The requested information is provided to the data subject/employee in a structured, commonly used and machine-readable format (XML), allowing effective repeated use of the data;
- When transmitting the data to another data controller, “Encho Enchev – ETE” EOOD sends them in an interoperable format. If technical problems arise which prevent their direct transfer, “Encho Enchev – ETE” EOOD shall explain the problems to the data subject/employee;
- “Encho Enchev – ETE” EOOD provides the requested information within 1 (one) month of the date of the request. If the request is complex, “Encho Enchev – ETE” EOOD may extend the time frame for up to three months from the date of filing the request;
- “Encho Enchev – ETE” EOOD informs the data subject of the reasons for the delay by the means used by the latter for filing the request (email address, current address) within one month of the initial request.
5.6. Receipt of personal data from another controller
“Encho Enchev – ETE” EOOD accepts and stores only data which is necessary and relevant to a service provided by the company or to the employment status of an employee of the company. “Encho Enchev – ETE” EOOD neither accepts nor processes data “by default”, even when they are received from another controller upon a request for their transfer, nor does the company store data received in such a manner.
“Encho Enchev – ETE” EOOD may choose whether to accept data from a given data subject or from another controller following a request by the data subject for transfer to the company, but it is not obliged to do so and may refuse such a transfer.
If the received data contains data by third parties, “Encho Enchev – ETE” EOOD stores the data under the control of the subject placing the order. These data are managed only for his/her needs but not for any other purposes of “Encho Enchev – ETE” EOOD.
6.1. Purpose of the procedure
This procedure is in compliance with the provisions of Chapter 3, Rights of the data subjects, of the GDPR and refers to:
6.2. Course of the procedure
“Encho Enchev – ETE” EOOD announces the contact details for the submission of complaints and requests by uploading the details on its webpage at the following address: .............................
“Encho Enchev – ETE” EOOD places on its webpage clear and intelligible guidelines for the submission of requests and complaints by the data subjects.
The data subjects, including the company employees may submit to “Encho Enchev – ETE” EOOD:
Data subjects may submit requests and complaints directly to the following email address: ........................................ or may send them on paper to the administrative address of the company: .......................................
“Encho Enchev – ETE” EOOD considers and takes a decision on the received request or complaint by adhering to the following rules and time limits:
All actions of “Encho Enchev – ETE” EOOD, undertaken for the fulfilment of this procedure are carried out free of charge for the data subject.
In the event of repeated requests/ complaints, manifestly unfounded or excessive, “Encho Enchev – ETE” EOOD may, on these grounds, refuse to address them.
7.1. Purpose of the procedure
The procedure in compliance with the legal provisions of Articles 33, 34 of the GDPR is applied in the event of breach of the security of personal data and contains the following rules for:
7.2. Roles and responsibilities
All persons related to “Encho Enchev – ETE” EOOD (employees, contractors, partners, temporarily employed individuals) have to be acquainted with this procedure and apply it in the event of a breach in the security of personal data.
All employees, contractors, partners, temporarily employed individuals are obliged to report any breach in the security of personal data to the manager of “Encho Enchev – ETE” EOOD.
7.3. Course of the procedure
Everyone processing personal data, without exception, with whom “Encho Enchev – ETE” EOOD is in a contractual relationship, shall notify the manager of “Encho Enchev – ETE” EOOD without undue delay and, if possible, not later than 36 hours after having become aware of any breach in the security of the personal data or of any other incident related to the security of data.
The message shall be sent to email address: .........................., and it has to state all necessary details and data in relation to the occurrence of the breach.
The company manager sends a confirmation for the receipt of the notification to the email address which the message was received from.
2.1. “Encho Enchev – ETE” EOOD assesses whether it is necessary to notify the supervisory authority of the breach. In accordance with Art. 33, paragraph 1 of the GDPR, it is not necessary to send a notification if the breach in the security of the personal data is unlikely to result in a risk to the rights and freedoms of natural persons. For that purpose, “Encho Enchev – ETE” EOOD assesses the impact of the breach as per the Methodology for impact assessment adopted by the company.
2.2. In the event of identifying a risk to the rights and freedoms of the data subject, “Encho Enchev – ETE” EOOD notifies the Commission for Personal Data Protection (CPDP) about the breach in the security of personal data without undue delay and not later than 72 hours upon becoming aware of the breach. When the notification is not issued within the 72 hours, the manager of “Encho Enchev – ETE” EOOD notifies the CPDP at the earliest opportunity, by attaching an explanation about the causes of delay to the notification.
2.3. The notification to CPDP contains the following information:
2.4. Where, and in so far as, it is not possible to submit all the necessary information at one time, it is submitted in stages without any further undue delay. A notification to the CPDP is sent in accordance with the guidelines of the commission on the established order and manner of communication.
2.5. “Encho Enchev – ETE” EOOD records information regarding the confirmation by the CPDP of the receipt of the notification.
3.1. When a possibility exists that the breach in the security of personal data may result in high risk to the rights and freedoms of the data subject, “Encho Enchev – ETE” EOOD communicates the breach to the affected parties without undue delay.
3.2. The message to the data subject(s) contains the same information that is sent to the CPDP and is stated under item 2.3 of the procedure.
Information is provided in clear, plain and intelligible Bulgarian language.
Within 36 hours of becoming aware of the breach, “Encho Enchev – ETE” EOOD undertakes all appropriate measures to render the personal data unintelligible for every person who is not allowed access to them by encrypting them or protecting them by passwords.
Within 36 hours of becoming aware of the breach, “Encho Enchev – ETE” EOOD undertakes follow-up measures to prevent any possibility of materialization of a high risk to the rights and freedoms of the data subjects.
If the breach has affected a large number of data subjects and records of personal data, “Encho Enchev – ETE” EOOD takes a decision based on an assessment of the amount of effort necessary for individually notifying each data subject and of whether doing so would thwart the ability of “Encho Enchev – ETE” EOOD to send the necessary messages on time.
If this assessment indicates that messaging a large number of subjects would involve disproportionate effort, “Encho Enchev – ETE” EOOD makes a public announcement on its webpage or undertakes a similar measure to guarantee that the data subjects will be notified equally effectively.
If “Encho Enchev – ETE” EOOD has not communicated the breach of the security of personal data to the data subject(s) and the CPDP considers that there is a high probability of the breach causing high risk and provides the company with explicit guidelines to that effect, “Encho Enchev – ETE” EOOD communicates the breach to the data subject(s) within 24 hours.
“Encho Enchev – ETE” EOOD keeps a record of all breaches in the security of personal data and states all related facts, the consequences and the measures undertaken to mitigate their impact.