Data Protection Policy at FERTITRON BULGARIA EOOD
FERTITRON BULGARIA EOOD, UIC: 131040111, with seat and registered office at 11, Hadzhi Dimitar St, Sofia, Capital (Sofia) Municipality, Sofia – City Region, tel.: +359 2 980 72 71 and email address: firstname.lastname@example.org ("Controller" or "FERTITRON BULGARIA"), applies these General Terms and Conditions in its business relations with its Clients.
FERTITRON BULGARIA, as a personal data controller, collects and processes certain information regarding natural persons.
Such information may concern employees, managers, clients, suppliers, contractors, business contacts and other natural persons with whom the Controller has a relationship or whom it wants to contact.
This personal data protection policy governs the collection, processing and storage of the personal data, in order to ensure compliance with the standards at Controller’s organization and the applicable legal requirements.
I. Legitimate grounds
This personal data protection policy ("Policy") is issued on the basis of the Personal Data Protection Act and the relevant regulations, as amended ("Bulgarian Legislation"), and the General Data Protection Regulation (EU) 2016/679 ("GDPR").
The Bulgarian Legislation and the GDPR contain rules regarding the way in which organizations, incl. FERTITRON BULGARIA, should collect, process and store personal data. The Controller shall apply these rules whether the data are processed electronically, on paper or on other media.
In order to ensure that the personal data processing is in compliance with the legal requirements, the personal data is collected and used justifiably, securely stored and the Controller takes all necessary measures to make sure that the personal data processed are not subject to unlawful disclosure.
The Personal data controller is aware of and follows the principles, set out in the GDPR:
- the personal data are processed lawfully, in good faith and transparently;
- the personal data are collected for specific, expressly identified and legitimate purposes and are not further processed in a manner, incompatible with such purposes;
- the personal data are appropriate, related and limited to the necessary, with regard to the purposes of processing;
- the personal data are accurate and if necessary these are updated;
- the personal data are stored in a form, allowing the identification of the concerned persons, for a period, not longer than the necessary for the purposes, for which the personal data are processed;
- the personal data are processed in a manner, ensuring suitable level of security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, as appropriate technical or organizational measures are taken.
II. Policy Objectives
The objective of this Policy is that the Controller:
- is in compliance with the applicable legislation, concerning personal data and follows the established good practices;
- establishes the mechanisms for keeping, maintenance and protection of the reporting records;
- establishes the obligations of the officers, processing personal data and/or the persons, who have access to personal data and work under the management of the personal data processors, their responsibility in case of failure to perform such obligations;
- protects the rights of the personnel, clients and partners;
- is open as to the information on its storage and protection of the personal data of natural persons;
- establishes appropriate technical or organisational measures for the protection of the personal data against unlawful processing (accidental or unlawful destruction, accidental loss, unauthorized access, alteration or distribution, as well as any other unlawful forms of personal data processing);
- is protected in case of a risk of violations.
This Policy applies to the processing of personal data of contractors, suppliers, clients and partners, as described in the electronic reporting records, established in accordance with this Policy, Bulgarian Legislation and art. 30 of the GDPR ("Records of Processing Activities").
IV. Personal Data Collection
Data categories and subjects
"Personal data" means any information, related to an identified natural person or natural person, who may be identified ("Data subject"), i.e.:
The Controller shall collect personal data regarding the following categories of persons:
- persons, representing the companies, with which the Controller has or plans to have business relationship;
- contact persons at the companies, with which the Controller has business relationships;
- persons, who are interested in obtaining information services – newsletter, reference books etc.;
- persons, who register in order to use an online shop.
Purposes of the collection of data
The Controller collects personal data with respect to the performance of the following objectives:
1. For the performance of activities, related to the signing, existence, amendment and termination of contractual legal relations, including for:
- the preparation of any and all documents;
- for contacting the contact person by telephone, fax, email or in any other lawful manner;
- for the supply and/or acceptance of goods/services, for communications with respect to the provision and/or receiving of goods/services and for the provision of the related customer service;
- for bookkeeping purposes, with respect to the performance of contracts, where the Controller is a party;
- for the processing of payments with respect to the signed contracts by the Controller;
- for sending important information to the subjects with respect to any changes in the rules, terms and conditions and the policies of the Controller and/or other administrative information;
2. For marketing purposes – upon obtaining personal data subjects’ express consent;
3. For statistical purposes - upon obtaining personal data subjects’ express consent;
Data concerning contractors (incl. natural persons, managers, agents and/or contact persons of the legal entity under a commercial contract)
The personal data for each person shall be provided voluntarily by the respective persons and shall be collected by the Controller in compliance with his regulatory obligations, with respect to the signing of contracts and/or fulfilment of the obligations, pursuant to a signed contract, in accordance with the provisions of the Obligations and Contracts Act, the Trade Act, the Accountancy Act, Value Added Tax Act etc. and the conditions, specified in business agreements with the respective client, in the following manners: as hard copies – written documents (incl. powers of attorney, contracts, banking information etc.), by electronic mail – provided with respect to the performance of service or business contracts and/or by filling-in of registration forms. The persons are notified of the provisions of this Policy in advance or at the moment of receiving their data.
V. Legitimate interests, pursued by the Controller
With respect to the processing of the data of managers and contractors:
The processing of the data is carried out, based on the legitimate interest and with regard to the signing, existence, amendment and termination of the service and business contracts, within the implementation and fulfilment of the regulatory requirements of the Trade Act, the Obligations and Contracts Act, Social Security Code, the Tax and Social Security Procedure Code, the Insurance Code, the Taxation of the Income of Natural Persons Act, the Accountancy Act etc.
A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer, if you agree. Cookies contain information that is transferred to your computer's hard drive.
We use the following cookies:
- Strictly necessary cookies. These are cookies that are required for the operation of our Site. They include, for example, cookies that enable you to log into secure areas of our Site.
- Analytical/performance cookies. These cookies allow us to recognise and count the number of visitors to our Site and see how visitors use our Site. This cookie helps us to improve the way our website works.
- Functionality cookies. These cookies are used to recognise you when you return to our Site. This enables us to personalise our content for you, greet you by name and remember your preferences.
- Targeting cookies. These cookies record your visit to our Site, the pages you have visited and the links you have followed. We will use this information to make our Site and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.
VII. Web space analysis
We need statistical information on the use of our website to make it more accessible, to measure the scope and to conduct market research.
For this purpose, we use the web analytics tools described in this section.
The profiles created by these tools, using analytic cookies or by evaluating the log files, do not contain personal data. The tools either do not use users' IP addresses at all, or truncate them immediately after they are collected.
The tool providers process the data only as processors of our personal data, according to our guidelines and not for their own purposes.
Below you will find information about each tool provider and how you can object to the collection and processing of personal data through the tool.
Additionally, you can generally prevent the creation of user profiles by disabling the use of cookies.
Google Analytics is provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). We use Google Analytics with Google's additional IP anonymization feature. Google truncates the IP address within the EU, and only in exceptional cases in the US, and in both cases stores only truncated IP addresses.
You can object to the collection and processing of your data by downloading and installing a browser plug-in from the following link: http://tools.google.com/dlpage/gaoptout?hl=en
Rights of the persons, whose data is processed by the Controller
Transparency and conditions for the exercising of the rights of the persons
The Controller provides information to the persons in a brief, transparent, understandable and easily accessible form, in a clear and simple language.
The Controller strives to ensure that the persons are fully aware of the personal data processed by him and that the persons fully and completely understand and are well informed, with respect to the processing in accordance with the requirements of the GDPR and the Bulgarian Legislation.
The Controller shall provide such information to the persons in writing or by other means, including, as appropriate, by electronic means. If the respective person has so requested, the information may be given verbally, provided that the identity of the person has been proven by other means.
The Controller shall provide the persons free of charge with information regarding the actions, undertaken with respect to a request, regarding their right of access, rectification, erasure, restriction of the processing, portability, objection and automated decision-making, without undue delay and in all cases within one month of receiving such a request.
If necessary, this period may be extended by two further months, taking into consideration the complexity and number of the requests. The Controller shall notify the respective person of each such extension within one month of receiving the request, specifying the reasons for the delay. When the respective person submits a request by electronic means, if possible, the information is also provided by electronic means, unless the person has requested otherwise.
If the Controller fails to undertake any actions, regarding the request, the Controller shall notify the person without delay and not later than one month after receiving the request, of the relevant reasons why no actions have been undertaken and of the possibility to submit a complaint to a supervisory body and seek protection/remedies through judicial means.
If the requests of the person are clearly unjustified or excessive, especially due to their recurring nature, the Controller may either:
- impose a reasonable fee, taking into consideration the administrative costs for the provision of the information or the communication or the undertaking of the requested actions; or
- refuse to act upon the request.
Right of access of the persons
Every person has the right to receive from the Controller confirmation of whether personal data, concerning such person is processed, and if so, to obtain access to the data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed (including recipients in third countries or international organisations);
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with Commission for Personal Data Protection;
- where the personal data are not collected from you, any available information as to their source;
- the existence of automated decision-making, including profiling, and at least in these cases, significant information, regarding the used logic, as well as the significance and expected consequences of such processing for the persons.
If the personal data are provided to a third country or international organization, the persons shall have the right to be informed of the appropriate guarantees, related to such transfer.
The Controller shall provide the respective person with a copy of the personal data, being processed. For any additional copies, requested by the persons, the Controller may charge a reasonable fee, based on the relevant administrative costs. When the person submits a request by electronic means, if possible, the information is provided in a widely used electronic form, unless otherwise requested by such person.
Right to rectification
Every person, whose data is processed by the Controller, has the right to request from the Controller to rectify the inaccurate personal data, concerning him/her. Taking into consideration the purposes of the processing, the person has the right that any incomplete personal data are completed.
The right to erasure (the right "to be forgotten")
Every person, whose data is processed by the Controller, has the right to request from the Controller the erasure of personal data, concerning him/her, without undue delay, and the Controller is obliged to erase such data without undue delay, if:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the person withdraws his/her consent, on which the processing of the data is based and there are no other legitimate grounds for the processing;
- the person objects against the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation, to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services.
Where the controller has made the personal data public and is obliged pursuant to the preceding paragraph to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Right to restriction of processing
Every person, whose data is processed by the Controller, shall have the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted under the preceding paragraph, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
A data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted.
Notification obligation regarding rectification or erasure of personal data or restriction of processing
The controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(i) the processing is based on consent with respect to certain purposes or on a contractual obligation of the data subject or on the undertaking of steps, before signing a contract and (ii) the processing is carried out by automated means.
In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her (when the processing is necessary to perform a task of public interest or in exercising Controller’s official authorities, or if the processing is intended for purposes of Controller’s or a third-party’s legitimate interests), including profiling. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
At the latest at the time of the first communication with the data subject, the right referred to in the preceding paragraphs shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
IX. Technical and organizational data protection measures
The protection of the data as a hard copy, as well as on electronic media, against unauthorized access, damage, loss or destruction, shall be provided by a number of internally regulated technical and organizational means.
X. Personal Data Transfer
At present the Controller does not carry out any transfer of personal data to other countries or outside the European Union.
XI. Breaches. Notice of breaches
Data security breach means that the personal data, for which FERTITRON BULGARIA is responsible, are affected by a security incident, resulting in a breach of the confidentiality, availability or integrity of the personal data. In this sense, a data breach occurs when there is a data security breach resulting in an accidental or unlawful destruction, loss, alteration or unauthorized disclosure of data, which are transferred, stored or otherwise processed.
In the case of a personal data security breach, FERTITRON BULGARIA shall be immediately notified at the following email address: email@example.com
Evaluation of the breaches
After the respective employee of FERTITRON BULGARIA receives the information about the breach that has occurred, he or she has to determine whether the specific event is a personal data breach and notify the Controller's managers of such event (if they are not aware of it).
In the case of a personal data breach, where there is a potential risk for the rights and freedoms of the natural persons, the Controller (acting through the relevant employee), shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Commission for Personal Data Protection.
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
When there is a high probability that the personal data breach results in a high risk for the rights and freedoms of natural persons, the Controller shall, without undue delay, notify such breach to the data subject concerned.
The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
The accounting and business information, as well as any other information and documents of significance for taxation and the compulsory social security contributions, shall be stored by the Controller for the following periods of time:
- payrolls - 50 years;
- accounting registers and financial statements - 10 years;
- documents for tax and social security control - 5 years after the expiration of the prescription for repayment of the public liability, to which these are related;
- any other media - 5 years, unless provided otherwise by law.
Upon expiration of the storage period, the information media (hard copies or electronic media), which are not subject to submission to the National Archives Fund, may be destroyed.
Upon expiration of the storage period, the data shall be destroyed as quickly as possible, through destruction of the hard copies, by shredding, and with respect to the electronic media – by deleting and erasing the respective files from Company’s servers/computers.
Within the meaning of these internal regulations:
§ 1. The "Personal data controller" is "FERTITRON BULGARIA", a sole-owner limited liability company, UIC 131040111, as the actions on behalf of the controller shall be carried out by Gergana Marvakova, database administrator.
§ 2. "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
§ 3. This Policy is subject to approval and notification to the persons, it concerns, by means of an order by Controller’s manager.