Encho Enchev - ETE

POLICY ON TRANSPARENCY IN PROCESSING OF PERSONAL DATA  

  I. Purpose of the Policy

This Policy includes all actions on the collection and processing of personal data by “Encho Enchev – ETE” EOOD (sole owner limited liability company), unified identification code (UIC) 104675804, and is in compliance with the legal framework of the General Data Protection Regulation (GDPR).

  II. Obligations and responsible persons

The officer in charge of data protection at “Encho Enchev – ETE” EOOD is responsible for the legality, completeness and clarity of the information provided when personal data are collected. He/she establishes all conditions for informing and acquainting the data subject, and he/she publicly announces the Declaration of confidentiality on the webpage of “Encho Enchev – ETE” EOOD, thus enabling the subjects to become acquainted with its contents before “Encho Enchev – ETE” EOOD starts collecting and processing their data. All employees at “Encho Enchev – ETE” EOOD who, by virtue of their employment duties, process personal data shall adhere to this policy.

  III. Essence of the Policy

  1. Identification of the categories of personal data and legal grounds for processing

“Encho Enchev – ETE” EOOD identifies the legal grounds for personal data processing before the performance of any operations whatsoever related to the processing. For each category of personal data, the company clearly establishes, defines and documents the following:

  • One or more particular purposes for the use of the data;
  • Grounds for legal processing of data in order to achieve these purposes including one or more of the following:

-  Consent freely expressed by the data subject;

-  Fulfillment of a contract under which the data subject is a party or undertaking of steps following a request by the data subject before concluding a contract;

-  The processing is necessary for meeting a legal obligation applied towards “Encho Enchev – ETE” EOOD;

-  Processing is necessary in order to protect vitally important interests of the data subject or of another natural person;

-  Processing is necessary for the purposes of the legitimate interests of “Encho Enchev – ETE” EOOD or of a third party except when the interests or the fundamental rights and freedoms of the data subject have priority over those interests.

  2. Identification of the presence or absence of special categories of processed personal data

“Encho Enchev – ETE” EOOD hereby states that the company does not process special categories of personal data as per the definition thereof in art. 9, paragraph 1 of the GDPR; thus it does not have to establish, define or record the presence of legal grounds for removal of the ban on their processing.

  3. Information messages on transparency to the data subject

According to the requirements of GDPR, “Encho Enchev – ETE” EOOD provides to the data subjects the legally required information in the form of a Declaration of confidentiality.

As “Encho Enchev – ETE” EOOD collects personal data from more than one source, the company places this Declaration of confidentiality at all contact points with the data subjects, to facilitate their access to it.

3.1. “Encho Enchev – ETE” EOOD provides the following information to the data subjects when collecting the data:

  • Data identifying “Encho Enchev – ETE” EOOD and contact information about the company;
  • The purposes of processing that the personal data are intended for;
  • The legal grounds for processing the personal data;
  • When appropriate, the legitimate and legal interests of “Encho Enchev – ETE” EOOD ensuring the legal grounds for the processing;
  • The categories of personal data processed;
  • The recipients or the categories of recipients of personal data;
  • The time limit for storage of personal data by “Encho Enchev – ETE” EOOD or, if this is not possible, the criteria for determining this time limit;
  • Instruction to the data subject on his/her right to require from “Encho Enchev – ETE” EOOD access to his/her data and rectification or erasure of his/her personal data, as well as on his/her rights to restriction of processing, objection to processing and data portability;
  • When the legal ground for the processing is consent, “Encho Enchev – ETE” EOOD notifies the data subject on the existence of a right to withdrawal of the consent at any time as well as on the lawfulness of the processing up to the moment of withdrawal;
  • The right to lodge a complaint before the Commission for Personal Data Protection;
  • When the legal ground is not consent by the subject, but is a mandatory or contractual requirement or a requirement necessary to enter a contract, “Encho Enchev – ETE” EOOD notifies the data subject about this and about the obligation of the subject or the lack thereof to provide personal data and the possible consequences if the data are not provided.

3.2. When the personal data has been obtained from a source different from the data subject, “Encho Enchev – ETE” EOOD provides the former with the information listed in item 3.1 above.

 

  4. Time limits, exceptions and method of provision of the information

By providing the information, “Encho Enchev – ETE” EOOD meets the following requirements of GDPR:

  • When collecting personal data from the data subject, “Encho Enchev – ETE” EOOD provides the subject with the stated information at the time of obtaining the information;
  • When collecting personal data from a source different from the data subject, “Encho Enchev – ETE” EOOD provides the subject with the stated information within one month of obtaining the personal data in accordance with the specific circumstances of the processing;
  • In the event of data being used for communication with the data subject, “Encho Enchev – ETE” EOOD communicates the information at the first contact with the subject at the latest;
  • In the event of data being disclosed to another recipient, “Encho Enchev – ETE” EOOD communicates the information at the first instance of disclosure of the personal data at the latest;
  • “Encho Enchev – ETE” EOOD shall not provide this information if it has already been made available to the data subject;
  • “Encho Enchev – ETE” EOOD shall not provide this information if its provision proves not possible or may lead to excessive effort;
  • “Encho Enchev – ETE” EOOD is not obliged to provide this information in the event when the receipt or disclosure of personal data is expressly regulated by national legislation;
  • “Encho Enchev – ETE” EOOD is not obliged to provide this information if the personal data have to remain confidential due to obligation of professional secrecy regulated by national legislation including legal obligation of secrecy;
  • “Encho Enchev – ETE” EOOD provides the data subject with any additional information necessary for ensuring conscientious and transparent processing;
  • “Encho Enchev – ETE” EOOD provides all the information to the data subject in easily accessible machine-readable format – XML, by using clear and plain language.

 

 

 

  5. Management of the requests by a data subject or an employee

5.1. Purpose of the procedure

All personal data processed by “Encho Enchev – ETE” EOOD fall within the scope of this procedure, which is in compliance with the legal framework of articles 12, 15, 16, 17, 18, 20 and 21 of the General Data Protection Regulation (GDPR).

The data subject or any employee may, in order to protect their rights, file the following requests with the company:

  • Request for data transmission (article 12 of GDPR);
  • Request for access (art. 15 of GDPR);
  • Request for rectification (art. 16 of GDPR);
  • Request for erasure (“right to be forgotten”) (art. 17 of GDPR);
  • Request for restriction of processing (art. 18 of GDPR);
  • Request for data portability (art. 20 of GDPR);
  • Objection against processing (art. 21 of GDPR).

 

5.2. Course of the procedure

The methods of filing requests with “Encho Enchev – ETE” EOOD are described in the Procedure for the methods of communication in the event of complaints and requests by the data subject.

“Encho Enchev – ETE” EOOD accepts requests by the data subjects filed in any other way, by observing the terms of this procedure.

  1. Filing a request by the data subject, including a company employee

The request is submitted on paper to the administrative address of the company: ................................, or to the email address: ........................, either in person or through an authorized representative or signed with an electronic signature respectively, when submitted electronically. The following rules shall be observed when the request is submitted:

  • The data subject states the particular type of request under item 5.1;
  • The data subject may file a request for all of his/her personal data stored with “Encho Enchev – ETE” EOOD without stating the data’s particular type;
  • The data subject provides to “Encho Enchev – ETE” EOOD data about his/her identity which can identify him/her certainly and unambiguously (data from personal documents, work position, customer number, email address, etc.);
  • “Encho Enchev – ETE” EOOD obligatorily checks the identification data to make sure that the request has been submitted by the subject identified by the data;
  • “Encho Enchev – ETE” EOOD documents the date of receipt of the request;
  • Upon receipt of the request, it is immediately forwarded to the company manager, so that a decision is taken on the request/complaint and a reply to the data subject/employee is sent/provided.

  2. Processing of the request

The processing of the request is performed in the following way:

  • The identification (searching) of the personal data is carried out in all data repositories and in all respective archiving systems, including all archived files (automatic or manual archives) and all folders of the electronic mail and their archives.
  • At a request for access to information, the officer performs data processing in order to remove any possibly identifying information about third parties when handing over a copy of the information.
  • “Encho Enchev – ETE” EOOD provides the requested information and replies to the requests by the data subject within one month of the date of receiving the request for access, at the latest.

  3. Additional information sent in cases of request for access

When the case is of a request by the data subject for obtaining access to his/her data, “Encho Enchev – ETE” EOOD ensures access to the data (for instance, by providing their copy) and in addition sends the following information:

  • The purposes of processing;
  • The respective categories of personal data;
  • The recipients or the categories of recipients of the personal data (if any);
  • The period of time through which “Encho Enchev – ETE” EOOD will store the personal data;
  • The rights of the subject to require from “Encho Enchev – ETE” EOOD rectification or erasure of his/her personal data, as well as his/her rights to restrict the processing, to object against the processing as well as the right to data portability;
  • The right to complain before the CPDP;
  • All available information about the source, when the personal data is not collected from the data subject.

 

  4. Actions at requests for rectification, erasure or restriction and at objections against the processing

At a request by the data subject for rectification, erasure or at objection regarding the processed personal data, the manager of “Encho Enchev - ETE” EOOD has to assess each of these requests (apart from the request for access to data) with regard to the substantiality of the right of the subject/company employee and the existence of other legal requirements for its satisfying.  

Upon the receipt of the respective request:

  • “Encho Enchev – ETE” EOOD removes the personal data from the systems and terminates the operations on their processing without undue delay if the request for erasure submitted by the data subject is substantial;
  • “Encho Enchev – ETE” EOOD communicates each conducted rectification, erasure or restriction of the processing to each recipient to whom the personal data has been disclosed by sending him or her a message to the email address the company holds for contact with the subject or, if such is unavailable, via mail with a registered letter to the available current address of the subject;
  • “Encho Enchev – ETE” EOOD informs the data subject on these recipients if the data subject requires so, and the company documents this message;
  • “Encho Enchev – ETE” EOOD undertakes appropriate measures without undue delay in the event that:
    • The data subject has submitted a request by which he/she objects against the processing of the personal data entirely or partially;
    • The grounds for processing under legal obligation have become redundant;
    • The data has been unlawfully processed.

“Encho Enchev – ETE” EOOD uses the following email address to reply to the requests of data subjects: ............................. or the following postal address should the reply be on paper: ...............................

5.3. Limitations

The EU law or the national legislation may allow for restrictions on the exercise of the rights of the data subjects during the fulfilment of this procedure with the purpose of guaranteeing as follows:

  • National security and defence;
  • Public security;
  • Prevention, investigation, uncovering or the penal prosecution of crimes or the execution of the imposed punishments including the prevention and averting of threats to public security;
  • Important objectives of wide public interest;
  • Important economic or financial interest of the EU or of a member state, pecuniary, budget and tax matters;
  • Public health and social security;
  • Protection of the independence of the judiciary and the legal proceedings;
  • Prevention, investigation, uncovering or penal prosecution of violations of the codes of ethics of the regulated professions;
  • Function on the monitoring, inspection or regulation, related, even occasionally, to the exercise of formal authorizations in the cases;
  • Protection of the data subject or of the rights and freedoms of other individuals;
  • Fulfilment under civil law claims.

5.4. Transfer of personal data  

“Encho Enchev – ETE” EOOD is responsible for the transfer of data without hindrance and guarantees that they are transferred with the respective level of communication security. “Encho Enchev – ETE” EOOD shall assess the specific risks related to the portability of data and shall undertake appropriate measures for risk mitigation.

5.5. Transmission of personal data or transfer to another controller

“Encho Enchev – ETE” EOOD informs the data subjects on the existence of a right to portability at the time of receipt of personal data.

At the receipt of a request for transmission or transfer of personal data to another controller, “Encho Enchev – ETE” EOOD processes the request of the subject by adhering to the following rules:

  • Each received request is immediately sent to the officer, who checks for clear and indisputable proofs of the identity of the data subject in the form of data from personal documents, customer’s number, email address, position (for the employees) or any other unambiguous identifier;

  • The officer checks whether the stated data from the data subject/the employee have been received on the grounds of consent or a contract and whether they have been processed in an automated manner. If these requirements have not been met, “Encho Enchev – ETE” EOOD has the right to refuse to satisfy the request;

  • When the requested data concern a third party (or parties), the company manager assesses whether the transmission of data to another personal data controller would harm the rights and the freedoms of other data subjects;

  • The officer checks whether the personal data prepared for transmission/transfer are solely and exactly the data which the data subject/employee has requested to be transmitted or transferred respectively;

  • The requested information is provided to the data subject/employee in a structured, commonly used and machine-readable format – XML, allowing effective repeated use of the data;

  • When transmitting the data to another data controller, “Encho Enchev – ETE” EOOD resends them in an operatively compatible format. In the event of technical problems arising which prevent their direct transfer, “Encho Enchev – ETE” EOOD shall explain the problems to the data subject/employee;

  • “Encho Enchev – ETE” EOOD provides the requested information within 1 (one) month of the date of the request. If the request is complex, “Encho Enchev – ETE” EOOD may extend the time frame for up to three months from the date of filing the former;

  • “Encho Enchev – ETE” EOOD informs the data subject on the reasons for the delay by the means used by the latter for filing the request (email address, current address) within one month of the initial request.

5.6. Receipt of personal data from another controller

“Encho Enchev – ETE” EOOD accepts and stores only data which is necessary and relevant to a service provided by the company or to the employment status of an employee of the company. “Encho Enchev – ETE” EOOD neither accepts nor processes data “by default”, even when they are received from another controller upon request for their transfer, nor does the company store data received in such manner.

“Encho Enchev – ETE” EOOD may choose whether to accept data from a given data subject or from another controller following a request by the data subject for transfer to the company, but it is not obliged to do so and may refuse such a transfer.

If the received data contains data by third parties, “Encho Enchev – ETE” EOOD stores the data under the control of the subject placing the order. These data are managed only for his/her needs but not for any other purposes of “Encho Enchev – ETE” EOOD.

 

 

  6. Methods of communication in the event of complaints and requests by a data subject or an employee

 

6.1. Purpose of the procedure

This procedure is in compliance with the provisions of Chapter 3, Rights of the data subjects, of the GDPR and refers to:

  • Complaints and requests by data subjects related to the processing of their personal data by “Encho Enchev – ETE” EOOD;
  • Processing of requests from the data subjects regarding the exercise of their rights under GDPR;
  • Complaints by the data subjects regarding the manner of processing of their requests and complaints.

 

6.2. Course of the procedure

  1. General information and messages

“Encho Enchev – ETE” EOOD announces the contact details for the submission of complaints and requests by uploading the details on its webpage at the following address: .............................

“Encho Enchev – ETE” EOOD places on its webpage clear and intelligible guidelines for the submission of requests and complaints by the data subjects.

  2. Options for the data subject

The data subjects, including the company employees, may submit to “Encho Enchev – ETE” EOOD:

  • Requests for the realization of their rights to protection of personal data, i.e. request for access, for erasure, for restrictions of processing, objection to processing, data transfer;
  • Complaints about the manner of reviewing their request for data access;
  • Complaints about the manner of reviewing their request/complaint;
  • Complaint against any decision taken upon the submission of a request/complaint.

 

  3. Method of submission of requests and complaints

Data subjects may submit requests and complaints directly to the following email address: ........................................ or may send them on paper to the administrative address of the company: .......................................

  4. Reply and time limits

“Encho Enchev – ETE” EOOD considers and takes a decision on the received request or complaint by adhering to the following rules and time limits:

  • The requests/complaints are referred to the company manager, who takes a decision and communicates it as a reply to the data subject not later than 1 (one) month from their receipt;
  • When necessary, by taking into account the complexity and the number of requests, the manager of “Encho Enchev – ETE” EOOD may extend the time limit by a further 2 (two) months at the most. Should this be the case, the data subject is notified on the extension within one month following the receipt of the request/complaint.
  • A complaint against a decision taken by the manager of “Encho Enchev – ETE” EOOD on a request and/or a complaint shall be considered and resolved within 14 (fourteen) days.
  • If “Encho Enchev – ETE” EOOD does not satisfy the request of the data subject within the required time limits or refuses to take the complaint into consideration, in its reply the company shall state in a clear and intelligible language the reasons for refusing or not undertaking action.
  • “Encho Enchev – ETE” EOOD shall inform the data subject in its reply on his or her right to submit complaints directly to the Commission for Personal Data Protection and shall simultaneously provide the data subject with contact details of the Commission and advise him/her on their right to seek legal protection.

All actions of “Encho Enchev – ETE” EOOD, undertaken for the fulfilment of this procedure are carried out free of charge for the data subject.

In the event of repeated requests/complaints, manifestly unfounded or excessive, “Encho Enchev – ETE” EOOD may, on these grounds, refuse to address them.

 

  7. Personal data breach notification

 

7.1. Purpose of the procedure

This procedure, in compliance with the legal provisions of Articles 33 and 34 of the GDPR, is applied in the event of a breach of the security of personal data and contains the rules for:

  • Notifying the Commission for Personal Data Protection (CPDP) about the breach of the security of personal data;
  • Informing a data subject about a breach of the security of their personal data.

 

7.2. Roles and responsibilities

All persons related to “Encho Enchev – ETE” EOOD (the employees, contractors, partners, temporarily employed individuals) have to be acquainted with and apply this procedure in the event of a breach in the security of personal data.

All employees, contractors, partners and temporarily employed individuals are obliged to report any breach in the security of personal data to the manager of “Encho Enchev – ETE” EOOD.

7.3. Course of the procedure

  1. Procedure for notification of “Encho Enchev – ETE” EOOD

Everyone processing personal data, without exception, with whom “Encho Enchev – ETE” EOOD is in a contractual relationship, shall notify the manager of “Encho Enchev – ETE” EOOD without undue delay and, if possible, not later than 36 hours after having become aware of any breach in the security of the personal data or of any other incident related to the security of data at all.

The message shall be sent to the email address: .........................., and it has to state all necessary details and data in relation to the occurrence of the breach.

The company manager sends a confirmation for the receipt of the notification to the email address which the message was received from.  

  2. Procedure for the notification of the supervisory authority

2.1. “Encho Enchev – ETE” EOOD makes an assessment as to the necessity of notifying the supervisory authority on the breach. In accordance with art. 33, paragraph 1 of GDPR, it is not necessary to send a notification if the breach in the security of the personal data is unlikely to result in a risk to the rights and freedoms of the natural persons. For that purpose, “Encho Enchev – ETE” EOOD makes an assessment of the impact of the breach as per the Methodology for impact assessment adopted by the company.

2.2. In the event of identifying a risk to the rights and freedoms of the data subject, “Encho Enchev – ETE” EOOD notifies the Commission for Personal Data Protection (CPDP) about the breach in the security of personal data without undue delay and not later than 72 hours upon becoming aware of the breach. When the notification is not issued within the 72 hours, the manager of “Encho Enchev – ETE” EOOD notifies the CPDP at the earliest opportunity, by attaching an explanation about the causes of delay to the notification.

2.3. The notification to CPDP contains the following information:

  • Description of the nature of the breach of the personal data security;
  • The categories of personal data affected by the breach;
  • The categories and the approximate number of affected data subjects;
  • The approximate volume of affected records of personal data;
  • The names and contact details of the officer responsible for data protection;
  • Description of the consequences of the breach of security;
  • The measures suggested or undertaken by “Encho Enchev – ETE” EOOD for handling the breach.

2.4. When and in so far as it is not possible to submit all the necessary information at one time, it is submitted in stages without any further undue delay. A notification to the CPDP is sent in accordance with the guidelines of the commission on the established order and manner of communication.

2.5. “Encho Enchev – ETE” EOOD records information regarding the confirmation by the CPDP on the receipt of the notification.

  3. Procedure for sending a message to the data subject

3.1. When a possibility exists that the breach in the security of personal data may result in high risk to the rights and freedoms of the data subject, “Encho Enchev – ETE” EOOD communicates the breach to the affected parties without undue delay.

3.2. The message to the data subject(s) contains the same information that is sent to the CPDP and is stated under item 2.3 of the procedure.  

Information is provided in clear, plain and intelligible Bulgarian language.

  4. Undertaking of measures by “Encho Enchev – ETE” EOOD for handling the breach

Within 36 hours of becoming aware of the breach, “Encho Enchev – ETE” EOOD undertakes all appropriate measures to render the personal data unintelligible for every person who is not allowed access to them by encrypting them or protecting them by passwords.

Within 36 hours of becoming aware of the breach, “Encho Enchev – ETE” EOOD undertakes follow-up measures to prevent any possibility of materialization of a high risk to the rights and freedoms of the data subjects.

If the breach has affected a large number of data subjects and records of personal data, “Encho Enchev – ETE” EOOD takes a decision based on the assessment of the amount of effort necessary for individually notifying each data subject and whether in this manner the ability of “Encho Enchev – ETE” EOOD to send the necessary messages on time would be thwarted.

If this assessment indicates that messaging a large number of subjects would lead to disproportionate effort, “Encho Enchev – ETE” EOOD makes a public announcement on its webpage or undertakes a similar measure to guarantee that the data subjects will be effectively notified to an equal extent.

If “Encho Enchev – ETE” EOOD has not communicated the breach of the security of personal data to the data subject(s) and CPDP considers and provides the former with explicit guidelines that there is a high probability of the breach causing high risk, “Encho Enchev – ETE” EOOD communicates the breach to the data subject(s) within 24 hours.

“Encho Enchev – ETE” EOOD keeps record of all breaches in the security of personal data and states all related facts, the consequences and the measures undertaken to mitigate their impact.

 
