Internal rules for personal data protection

INTERNAL RULES FOR PERSONAL DATA PROTECTION OF U-TEAM LTD.

(Supplemented 23.05.2018)

Section one GENERAL PROVISIONS

Art. 1. The present internal rules for personal data protection, hereinafter: the „Rules“, regulate the organization of the processing of personal data and their protection by the employees of U-TEAM Ltd.

Art. 2. (1) Processing of personal data means any action or collection of actions which can be performed in relation to the personal data with automatic or other means, such as collection, recording, organization, storage, adaptation or amendment, restoration, consulting, use, disclosure or transfer, proliferation, update or combination, blocking, deletion or destruction of the data.
(2) The Processing of personal data also consists in ensuring access to certain information only for the individuals whose work obligations, resulting from specific assigned tasks, require such access.

Art. 3. (1) U-TEAM Ltd. is a Personal Data Controller in the sense of art. 3, par. 1 of the Personal Data Protection Act and has been registered for maintaining two registries:
1. Registry “Employees”;
2. Registry “Counterparties”.
(2) The principles for personal data protection are:
– Principle of restricted collection – the collection of personal data shall be within the necessary limits. The information is collected in a legal and objective manner;
– Principle of the restricted use, disclosure and storage – the personal data must not be used for purposes, other than those for which they were collected, except with the consent of the individual or in the cases, expressly provided in the law. The personal data must be stored only for the duration necessary for the performance of those purposes;
– Principle of precision – the personal data must be precise, accurate, complete and up-to-date, insofar that is necessary for the purposes they are used for;
– Principle of the security and preservation – the personal data must be protected with security measures, corresponding to the information’s sensitivity.

Art. 4. The personal data are collected for specific, exactly defined purposes, are processed lawfully and in good faith and cannot be additionally processed in a manner incompatible with those purposes.

Art. 5. Upon processing of the personal data by U-TEAM Ltd. the employees sign a declaration for consent – Appendix № 1.

Section two PERSONAL DOSSIERS REGISTRY

Art. 6. The “Employees” Registry contains and stores the personal data of the employees in U-TEAM Ltd., employed under labour or civic contracts during their work on the performance of those contracts for the purpose of:
1. Individualization of the labour and civic legal relations.
2. Compliance with the regulatory requirements of the Labour Code, the Social Insurance Code, the Accounting Code, the State Archive Code, etc.
3. Use of the data collected for the respective parties for work purposes.
4. For all activities, related to the existence, amendment and termination of the employment and civic legal relations – for the preparation of any and all documents of the individuals in relation thereto (contracts, additional agreements, documents, certifying length of employment service, work references, reports, certificates and other similar documents).
5. For the establishment of contact with the individual by phone, for the purpose of sending correspondence related to the performance of his/her duties under employment or civil contracts.
6. For the purpose of maintaining accountability, regarding the remunerations of the above said parties under employment and civic contracts.

Art. 7. The Registry shall be kept both on hard copy and on electronic carrier.

Art. 8. (1) The hard copy carriers of personal data shall be stored in folders (employee files) for every employee, worker or any person hired under a civic contract. The file dossiers shall be arranged in a dedicated dossier cabinet.
(2) The file cabinet shall be stored in premises meant for the independent work of the employees who, on the grounds of these rules, have been assigned to be processors of personal data.
(3) Access to the employee dossiers shall be granted only to the personal data processors. The possibility to provide another person with access to the personal data during their processing is restricted and strictly regulated by this instruction.

Art. 9. (1) While maintaining the registry on technical carrier, the personal data shall be recorded on hard disc.
(2) The computer shall be connected to the local network, but with protected access to the personal data, which shall be direct only for the personal data processors. During the processing of the data, software products are used for the remunerations of the personnel, including base and additional remunerations, tax and other (loan instalments, attachments, etc.) liabilities, length of service, working and non-working days and others. The software products shall be adapted to the specific needs of the personal data controller.
(3) The computer shall be stored in isolated premises so that the personal data processors can work independently on the registry at the Human Resources Dept.
(4) The operating system, containing files for processing of personal data, can only be accessed by personal data processors through a password for opening those files. The protection of electronic data against unauthorized access, damage, loss or destruction is ensured by maintaining antivirus programs, periodic archiving of the data on separate discs, as well as by maintaining the information on hard copy.

Art. 10. The following types of data shall be stored in the registry:
1. Physical identity – full name, Personal Number, ID Card number, date and place where it was issued, place of birth, address, contact phones.
2. Family identity – marital status, number of family members, including children of less than 18 years of age.
3. Education – document certifying the education acquired, qualification, legal capacity, when such are required for the position the individual applies for, etc.
4. Work activity – according to the enclosed documents for length of service and curriculum vitae.
5. Medical data – file card for preliminary medical examination at start of work, job placement document.
6. Convictions records certificate when required by the law in order to occupy the position.
7. Personal form according to sample.

Art. 11. The personal data in the “Personnel” registry shall be collected at the time of starting work/assignment of work under a labour or civic legal relation for a given person in performance of a regulated obligation – the provisions of the Labour Code and the legal regulations affecting its application, the Social Insurance Code and others, in one of the following manners:
1. Verbal interview with the individual (at the time of work start or in the process of work).
2. On paper – written documents – requests, applications submitted at the time of work start/working under labour or civic legal relation, for the change of, or termination of those relations, on any current matters arising in the process of work and initiated by the individual.
3. By external sources (from court, financial, insurance, tax or other institutions in performance of regulative requirements).

Art. 12. In all cases, when it is necessary on the grounds of a regulative obligation, the individuals, whose data are a mandatory subject of processing in the registry, shall submit the necessary personal data to the controller and to the officer appointed for the processing thereof – the personal data processor. The officer/personal data processor shall notify the individual of any necessity for the collection of personal data and of the purposes they shall be used for.

Art. 13. Besides the specified persons and in the specified cases, restricted access to the personal data shall be available to the cashiers and the accountants in the course of processing personal data of the individuals, for the purpose of preparing payroll documents, related to the transfer of remunerations to the individuals, employed under labour and civic legal relations, in cash or via bank transfer.

Art. 14. If the personal data needs to be corrected, the individuals shall provide them to the officer/personal data processor at their request on the grounds of regulative obligation.

Art. 15. Besides the employees, processing personal data, access shall also be granted to any employees directly engaged in the preparation and verification of the legal compliance of the individuals’ documents, who will be engaging in technical accounting operations for processing of the documents, related to the remunerations of the personnel – accountant, cashier. The Personal Data Processors shall be under obligation to ensure access when requested by the above said persons.

Art. 16. The employee dossier of the individual cannot be taken out of the controller’s building. No employee or third party shall be entitled to access the employee dossiers of the personnel, unless such access has been duly requested by court authorities (court of justice, prosecutor’s office, investigation bodies). The access of those authorities to the personal data of the individuals is deemed lawful.

Art. 17. (1) The consent of the individual shall not be required, if the processing of his personal data shall be performed only by or under the control of the competent state authority for personal data, related to perpetration of crimes, administrative violations or unlawful damage caused. Such parties shall be granted access to the personal data, and, if necessary, are provided with the necessary work conditions at the premises of „U-TEAM“.
(2) Also lawful is any access by the auditing state authorities who have duly proven their identity with the respective documents – written orders of the respective authority, stating the grounds and the names of the individuals for the purposes of whose activities it is necessary to grant access to the employee dossiers of the personnel.

Art. 18. The decision for granting or refusal of access to personal data for the respective person shall be communicated by the controller to the third parties within a 30-day term after the submission of the application, respectively, the request.

Art. 19. Upon introduction of a new program product for processing of personal data, a dedicated commission shall be assembled to test and check the capabilities of the product for compliance with the requirements of the Personal Data Protection Act and for ensuring the maximal protection of the data from unauthorized access, loss, damage or destruction.

Art. 20. For failure to perform the obligations assigned to the respective employees according to these rules and under the Personal Data Protection Act, disciplinary sanctions shall be imposed on them under the Labour Code, and, when the non-performance of the respective obligation has been established by a competent authority, the administrative sanction provided in the Personal Data Protection Act – a penalty. If, as a result of the actions of the respective employee engaged in processing of personal data, damages have been suffered by a third party, then the latter shall be entitled to seek compensation under the general civil legislation or through criminal procedures, provided the above act qualifies as a severe perpetration for which criminal responsibility is applicable.

Art. 21. The archiving of the personal data on technical carrier shall be performed periodically every 30 days by the personal data processor for the purpose of keeping the information on the respective parties up to date. The same shall be performed for discs which can only be accessed by the personal data processor.

Section four PROVISION OF PERSONAL DATA

Art. 22. (1) The Controller shall provide personal data in performance of regulative obligations.
(2) The Personal data shall be provided officially on the grounds of well-founded request and a permission granted by the head secretary to that effect.

Art. 23. The individuals shall be entitled to access their personal data, for which they shall submit a written application personally or through an authorized person. Submitting the application is free of charge.

Art. 24. The application contains the name of the individual and other data that identify him/her – Personal Number, position, place of work, description of the request, the preferred form for provision of access to personal data, signature, date and correspondence address; power of attorney – when the application is submitted by an authorized person. The application shall be registered in the incoming registry of the controller.

Art. 25. The access to the data of the individual shall be provided in the form of:
1. verbal report;
2. written report;
3. inspection of the data by the person himself/herself or a person authorized by the latter;
4. provision of a copy from the requested information.

Art. 26. Upon submission of a request for ensuring access, the controller’s representative shall examine the access request or order the personal data processor to ensure the access requested by the individual in the form preferred by the applicant. The term for examination of the application and reaching a decision thereon shall be 14 days after the submission of the request, or 30 days, respectively, when more time is necessary for collecting the personal data of the individual due to possible difficulties encountered by the controller. The decision shall be announced in writing to the applicant, personally in exchange for signature or by mail with proof of receipt. When such data do not exist or cannot be provided due to any lawful reason, the applicant shall be denied access to them on the grounds of a motivated decision. The refusal to grant access can be objected against by the individual not later than the deadline indicated in the letter.

Art. 27. Access to the personal data of the individuals, stored on a technical carrier, is available only to the personal data processors.

Art. 28. In addition to the employees processing personal data, also lawful is the access for employees, directly engaged in the preparation and verification of the legal compliance of the individuals’ documents, performing technical accounting operations for processing of the documents, related to the remunerations of the personnel – accountant, cashier. The Personal Data Processors shall be under obligation to ensure access when requested by the above said persons.

Art. 29. The file of the individual shall not be carried out of the controller’s building. No employee or third party shall be entitled to access the employee dossiers of the personnel of U-TEAM Ltd., unless this is required in a due manner by the court authorities (court, prosecutor’s office, investigation bodies, Ministry of Interior, National Insurance Institute, Ministry of Education). The access of those authorities to the personal data of the individuals is deemed lawful.

Art. 30. (1) The consent of the individual shall not be required, if the processing of his personal data shall be performed only by or under the control of the competent state authority for personal data, related to perpetration of crimes, administrative violations or unlawful damage caused. Such parties shall be granted access to the personal data.
(2) Also lawful is any access by the auditing state authorities who have duly proven their identity with the respective documents – written orders of the respective authority, stating the grounds and the names of the individuals for the purposes of whose activities it is necessary to grant access to the employee dossiers of the personnel.

Art. 31. The decision for granting or refusal of access to personal data for the respective person shall be communicated by the controller to the third parties within a 30-day term after the submission of the application, respectively, the request.

Art. 32. Upon introduction of a new program product for processing of personal data, a dedicated commission shall be assembled to test and check the capabilities of the product for compliance with the requirements of the Personal Data Protection Act and for ensuring the maximal protection of the data from unauthorized access, loss, damage or destruction.

Art. 33. For failure to perform the obligations assigned to the respective employees according to these rules and under the Personal Data Protection Act, disciplinary sanctions shall be imposed on them under the Labour Code, and, when the non-performance of the respective obligation has been established by a competent authority, the administrative sanction provided in the Personal Data Protection Act – a penalty. If, as a result of the actions of the respective employee engaged in processing of personal data, damages have been suffered by a third party, then the latter shall be entitled to seek compensation under the general civil legislation or through criminal procedures, provided the above act qualifies as a severe perpetration for which criminal responsibility is applicable.

Art. 34. (1) The Company, taking into consideration that data will be exchanged and that the data in question are „personal data“ in the sense of the Personal Data Protection Act („BDPA“), must act to regulate the relations, obligations and responsibilities resulting from the processing of personal data, for the purpose of due protection of the rights and interests of the data subjects.
(2) The procedures related to the processing of personal data shall be established, controlled and terminated by the Controller U-Team Ltd., according to the Policy for personal data protection, and the Data Processors shall be under obligation to comply with the orders and instructions.
(3) The Controller shall submit the personal data to the Data Processors.
(4) During the processing of any personal data received from the Controller, the Data Processors shall be under obligation to undertake special protective measures.
(5) The Data Processors, as well as every data processor separately, shall undertake:
– to process the personal data only on documented instruction by the Controller;
– to inform the Controller of any case where, in their opinion, a transfer of personal data received from the Controller to a third party, or a transfer to a third country in the sense of the BDPA, will be required, with due statement of the reasons therefor. Transfer is not admissible without the prior consent of the Controller;
– to ensure and guarantee that all parties (their employees or assistants) who are or will be assigned or authorized to process the personal data received from the Controller will be unconditionally bound by an obligation to keep the so-obtained personal data confidential for the entire duration of the contract and for an unlimited term after its expiry; for that purpose the Data Processor will make sure that those parties sign a confidentiality declaration, and the Controller shall be entitled to request and receive copies of such declarations;
– to maintain a registry of the processing activities they are engaged in, as well as proper documentation regarding the processed personal data and the processing activities;
– to ensure and maintain, for the entire duration of the contract, appropriate technical and organizational measures ensuring the proper protection of the personal data received from the Controller, taking into account their nature and the specific types of processing operations;
– upon request by the Controller, to provide the latter with access to their office and premises where the processing of personal data is performed, as well as to the equipment used for such purposes, and to cooperate in the performance of checks by the authorized representatives of the Controller in order to establish the ensured level of protection and to prove the performance of their obligations for the protection of the personal data provided by the Controller;
– to ensure access to the representatives of state authorities, auditors or other parties exercising control over the Controller’s activity, in case such verification is requested from them within their legal obligations for the purpose of establishing the compliance of the Controller with such legal requirements;
– to immediately notify the Controller upon establishing any risk of a breach of the security of the personal data, or of any such breach that has occurred (including, but not limited to, accidental or unlawful destruction, loss, change, unauthorized disclosure of or access to personal data, or others);
– to document any and all circumstances related to the assessment of heightened risk or breach, the consequences thereof and the steps undertaken for the minimization of the negative consequences thereof.
(6) In case the requirements or obligations established for personal data protection are violated, the Controller is entitled to immediately terminate the contract by sending a written notification to the Data Processor.
(7) In all cases of termination of the contract between the parties, irrespective of the grounds for termination, the Data Processor shall immediately suspend any and all kinds of processing of the personal data provided by the Controller, and shall delete or return to the Controller any and all personal data received from the Controller according to its instructions (which will be mandatory for the Data Processor). The Data Processor has no right to store copies of them on paper, electronic, magnetic or any other type of permanent carrier, except under a mandatory obligation for their storage provided in a regulation that is applicable to the Data Processor.
(8) The Data Processor shall be under obligation to compensate all material damage suffered by the Controller in case the Controller is subjected to administrative sanctions, or becomes obligated to pay a financial compensation to a third party, as a result of violations in the processing of personal data by the Data Processor. In case the relations regarding the realization of that responsibility are not settled amicably, the Controller shall seek the realization of its rights according to the procedures of the acting Bulgarian civil legislation.

FINAL PROVISIONS

For the purposes of the present rules:
§ 1. „Personal Data Controller” shall be U-TEAM Ltd., represented by the MANAGER.
§ 2. „The Data Processors” of personal data are employees of U-TEAM Ltd.
§ 3. The present rules are issued on the grounds of art. 24, par. 4 of the Personal Data Protection Act and Ordinance № 1 of 07.02.2007 on the minimal level of technical and organizational measures and the admissible type of personal data protection, issued by the Commission for Personal Data Protection.
§ 4. All amendments and supplements to those rules shall be effected as per the order of their acceptance.
§ 7. A copy of the Rules shall be available to those employees with access to the personal data of the employees of U-TEAM Ltd.

The present rules have been supplemented on 23.05.2018 in correspondence with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council dated April 27th 2016 regarding the protection of individuals in relation to the processing of personal data and regarding the free movement of such data and for the revocation of Directive 95/46/EC (General Data Protection Regulation).

DIRECTOR:

____________________
/Simona Timchova Stephanova/