Privacy Policy

Policy for protection and confidentiality of personal data collected and processed by "Getsov & Consulting Partners" Ltd

I. POLICY OBJECTIVES AND SCOPE

Art. 1. "GETSOV AND PARTNERS CONSULTANTS" Ltd, UIC: 201299148, with headquarters and address of management: Sofia, 1000, bul. 21 Patriarch Evtimiy Str., entr. B, fl. overground, (hereinafter referred to as "the Company"), having regard to the fact that rapid technological developments and globalisation have created new challenges for the protection of personal data, that technology allows private companies and public authorities to use personal data on an unprecedented scale in order to carry out their activities, and that individuals increasingly leave personal information that is publicly available, while taking into account the right to privacy and in particular personal data and data protection requirements introduced by the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, shall direct its efforts towards protection against unlawful processing of personal data of natural persons, in view of which we accept this policy for protection and confidentiality of personal data collected and processed by the Company.

Art. 2. With this Privacy Policy, "GETSOV & PARTNERS CONSULTANTS" Ltd aims to inform individuals about:

– the categories of data collected on them;
– the principles of personal data processing;
– the purposes of the processing of personal data;
– the period for which the data are stored;
– the recipients or categories of recipients to whom the data may be disclosed;
– the mandatory or voluntary nature of the provision of the data and the consequences of the refusal to provide data;
– the procedure for giving and withdrawing consent to data processing;
– rights in relation to the processed personal data;
– the procedure for exercising the right of access of the individual to his or her data.

II. TERMS AND DEFINITIONS USED

Art. 3. For the purposes of this Policy:

  1. Personal data means any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  2. Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  3. Filing system is any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
  4. Controller or controller responsible for the processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In the context of this policy, "GETSOV AND PARTNERS CONSULTANTS" Ltd is the controller.
  5. Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  6. Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
  7. Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  8. Personal data breach is a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

III. PERSONAL DATA PROCESSED BY "GETSOV & PARTNERS CONSULTANTS" Ltd

Art. (1) GETSOV & PARTNERS CONSULTANTS Ltd, as a personal data administrator, processes the following categories of personal data:

  • Data on physical identity – name, PIN, ID card number, date of issue, address, telephone, e-mail address;
  • Economic identity data – bank account number;
  • Data on social identity – education, employment;
  • Data on health status;
  • Data on marital status;
  • Data on the criminal record of employees;

(2) "GETSOV & PARTNERS CONSULTANTS" Ltd processes personal data provided by the natural persons to whom the data relate in relation to:

– provision of the specific service and conclusion of the specific service contract;
– conclusion of an employment contract with the employee, according to art. 62, para. 7 of the Labour Code and Ordinance No 4 on the documents necessary for concluding an employment contract.

IV. PROCESSING OF PERSONAL DATA. PRINCIPLES.

Art. 6. As a data controller, "GETSOV & PARTNERS CONSULTANTS" Ltd collects and processes personal data by means of a set of actions, such as recording, organizing, storing, adapting or modifying, restoring, consulting, using, updating or combining, blocking, erasure and destruction, which may be performed with respect to personal data by automatic or other non-automatic means, subject to the following principles:

  1. lawfulness, fairness and transparency of the processing of personal data;
  2. appropriateness of the processing of personal data, namely: the data are collected for specified, explicit and legitimate purposes and are not further processed in a manner incompatible with those purposes;
  3. proportionality of the processing of personal data, namely: only data that are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed are processed (so-called "data minimisation");
  4. timeliness of the processed personal data;
  5. timeframe – the data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  6. integrity and confidentiality – the data are processed in a manner that ensures an appropriate level of security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

Art. 7. "GETSOV & PARTNERS CONSULTANTS" Ltd processes personal data independently or by assigning data processors, determining the purposes and scope of the obligations assigned by the controller to the data processor, if there is a relevant legal basis. Processors on behalf of the company are:

– the employees of "GETSOV AND PARTNERS CONSULTANTS" Ltd, whose rights and obligations in connection with the processing of personal data of individuals are duly regulated in internal acts of the company;
– third parties with whom the company has a contract in connection with the performance of the concluded service contracts or the fulfillment of its obligations as an employer under the contracts with workers / employees.

V. PURPOSE OF PERSONAL DATA PROCESSING

Art. 8. In connection with the fulfillment of contractual or statutory obligations, in carrying out its activities, the company processes personal data of clients, contractors and workers / employees for the following purposes:

– conclusion and performance of the specific service contract;
– conclusion of an employment contract with the employee, according to art. 62, para. 7 of the Labour Code and Ordinance No 4 on the documents necessary for concluding an employment contract.

Art. 9. The processing of personal data by "GETSOV & PARTNERS CONSULTANTS" Ltd is permissible, in addition to cases where it is necessary for the fulfillment of a statutory obligation of the personal data controller, also when the natural person to whom the data relate has given his explicit consent or the processing is necessary for the performance of obligations under a contract to which the natural person to whom the data relate is a party, as well as for actions preceding the conclusion of a contract and taken at the request of the person.

VI. PERIOD OF STORAGE OF PERSONAL DATA

Art. 10. The personal data collected and processed by "GETSOV AND PARTNERS CONSULTANTS" Ltd shall be stored for the shortest possible period after the grounds for their processing have ceased. Once the grounds for data processing have ceased, the data shall be destroyed in accordance with the procedure provided for in the internal rules for the processing of personal data of the company. The data from the employment records of employees are stored for the statutory period of 50 years.

VII. CATEGORIES OF RECIPIENTS TO WHOM THE DATA MAY BE DISCLOSED:

Art. 11. The personal data processed by "GETSOV & PARTNERS CONSULTANTS" Ltd may be disclosed to the following categories of recipients:

  1. the natural persons to whom the data relate;
  2. persons for whom the right of access is provided for in a statutory instrument, such as public authorities;
  3. persons with whom "GETSOV AND PARTNERS CONSULTANTS" Ltd has a contract in connection with the provision of services or the fulfillment of its obligations as an employer;

where at least one of the following prerequisites is met:

  • Explicit consent of the data subject;
  • Statutory obligation of the personal data controller;
  • Protection of vital interest;
  • It is necessary for the purpose of criminal prosecution.

Art. 12. The personal data processed by "GETSOV & PARTNERS CONSULTANTS" Ltd may be provided to other personal data administrators in connection with the performance of specific tasks at the instruction and on behalf of "GETSOV & PARTNERS CONSULTANTS" Ltd only with the explicit consent of the data subject.

VIII. PROVISION OF PERSONAL DATA. CONSEQUENCES OF REFUSAL TO PROVIDE PERSONAL DATA

Art. 13. "GETSOV & PARTNERS CONSULTANTS" Ltd processes personal data in the presence of an explicit written consent of the data subject. This is not necessary if the company, as a data controller, has another legal basis for the processing of personal data – for example, a statutory obligation.

Art. 14. The personal data requested by the representatives of the company are consistent with the achievement of the purposes for which they are collected, respectively the implementation of the arrangements entered into by the company, and are binding. In case of refusal to voluntarily provide personal data, GETSOV & PARTNERS CONSULTANTS EOOD will not be able to fulfill the agreements undertaken by the company.

IX. GIVING AND WITHDRAWING CONSENT TO THE PROCESSING OF PERSONAL DATA

Art. 15. The individual gives explicit consent to the processing of his data by signing a declaration after familiarization with this policy and privacy statement.

Art. 16. (1) The individual may withdraw at any time the consent given under art. 15 for all or part of the data by submitting a written application to GETSOV AND PARTNERS CONSULTANTS EOOD. The application may also be submitted by a proxy with a notarized power of attorney. Where a special law provides for a certain form of authorisation, the special law applies. No fee for processing the application is due.

(2) From the moment of receipt of the application, "GETSOV & PARTNERS CONSULTANTS" Ltd is obliged to cease processing personal data about the person.

X. RIGHTS OF INDIVIDUALS

Art. 17. Natural persons whose personal data is processed have the following rights:

  1. the right to be informed about the data identifying the controller and its representative, the purposes of the processing of personal data, the recipients or categories of recipients to whom the data may be disclosed, the mandatory or voluntary nature of the data provision and the consequences of refusal to provide them, the period of storage of the data; the purposes of data processing; the procedure for giving and withdrawing consent.
  2. right of access to data relating to them, and in cases where, when granting the right of access to the individual, personal data may also be disclosed to a third party, the administrator is obliged to provide partial access to them without disclosing data about the third party.
  3. the right to erasure, correction or blocking of personal data, the processing of which does not meet the requirements of the legislation, as well as the right to request that the third parties to whom the personal data of the person have been disclosed be notified of any deletion, correction or blocking that has taken place, except where this is impossible or involves excessive effort;
  4. the right to object to the administrator against the processing of the personal data of the individual in the presence of a legal basis for this and against the processing and disclosure to third parties of his or her personal data for direct marketing purposes; the right to be informed before his or her personal data is first disclosed to third parties or used on their behalf for direct marketing purposes;
  5. the right to be forgotten – the personal data that are processed to be deleted upon the availability of an explicit request for this and taking into account the public interest;
  6. the right to restriction of processing;
  7. the right to data portability – to receive the personal data concerning him or her and which he or she has provided to the controller in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided;
  8. right of defence – the right to appeal before the CPDP and in court.

XI. PROCEDURE FOR EXERCISING THE RIGHTS OF NATURAL PERSONS

Art. 18. (1) Natural persons shall exercise their rights by submitting a written application to the company containing at least the following information:

  1. name, address and other identification data of the data subject;
  2. a description of the request;
  3. preferred form for providing the information;
  4. signature, date of submission of the application and address for correspondence.

(2) The submission of an application shall be free of charge.

Art. 19. When submitting an application by an authorized person, an explicit notarized power of attorney shall be attached to the application. Where a special law provides for a certain form of authorisation, the special law applies. No fee for processing the application is due.

Art. 20. In the event of the death of the natural person, his/her rights are exercised by his/her heirs, and a certificate of heirs is attached to the application.

Art. 21. The deadline for examining the application and ruling on it is 30 days from the day of submission of the request.

Art. 22. "GETSOV & PARTNERS CONSULTANTS" Ltd prepares a written response and communicates it to the applicant personally – against signature or by mail, with acknowledgment of receipt, taking into account the preferred form of information provided by the applicant. Failure to act in time shall be deemed to be an implied refusal.

Art. 23. Where the data do not exist or their provision is prohibited by law, the applicant shall be denied access to them.

Art. 24. In the event that "GETSOV & PARTNERS CONSULTANTS" Ltd does not respond to the request for access to personal data within the prescribed time limits or the applicant is not satisfied with the response received and/or believes that his rights related to the protection of personal data have been violated, he has the right to exercise his right to protection.

FINAL PROVISIONS

This Personal Data Protection and Privacy Policy has been adopted and approved by an Order of the Manager of "GETSOV & PARTNERS CONSULTANTS" Ltd and enters into force on 25.05.2018.