Policy for personal data protection

1. GENERAL DEFINITIONS

1. 1. “Responsible person” means the employee of the Data Controller, who, by the nature of his work, shall be entitled to perform the specific functions related to the processing.

1. 2. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council dated April 27th 2016 regarding the protection of individuals in relation to the processing of personal data and regarding the free movement of such data and for revocation of Directive 95/46/EC (General Data Protection Regulation)

1. 3. “Employee” means a person, who has signed an employment contract or similar contract with the Personal Data Controller.

1. 4. “Data/ personal data” means any information, related to an identified or identifiable individual (data subject); identifiable individual is a person, who can be identified directly or inderectly, more specifically by using an identifier as name, identification number, data for the location, online identifier or one or more factors, specific for the physical, physiological, mental, economic, cultural or social identity of such individual.

1. 5. “CPD” means contract for processing of data, that will be signed with every Personal Data Processor in correspondence with the terms, indicated in section 3 below;

1. 6. “Receiver” means a physical or legal entity, state authority, agency or another body, to whom personald ata shall be disclosed, irrespective of whether this is a third party or not.

1. 7. “Personal Data Subject” means client or employee of the Data Controller or any other person, whose personal data is processed by the Personal Data Controller.

1. 8. “Processing” means any operation or collection of operations, performed with personal data or collection of personal data through automatic or other means as collection, recording, organization, structuring, storage, adaptation or change, extraction, consulting, use, disclosure through transfer, proliferation or other manner, through which the data become accessible, arrangement or combination, restriction, deletion or destruction;

1. 9. “Personal Data Processor” means a physical or legal entity, public authority, agency or other structure, which processes personal data on behalf of the Controller;

1. 10. “Controller” means U-TEAM EOOD, registry number of the legal entity 205068345, registered at address: Sofia, postal code 1124, Tsar Ivan Assen II street № 64, fl. 1.

1.11. “Client” means a person, that uses or has used the services, provided by the Controller.

1.12. “Supervision of mobility” means the collection and processing of data for the employees and the clients, using the web page of the Controller, irrespective of whether the data has been recorded in a file or not.

1.13. “Policy” means the present Personal Data Processing Policy.

1.14. “Site owner” means U-TEAM EOOD, registry number of the legal entity 205068345

1.15. For the purposes of the present Policy the remaining terms shall correspond to the terms, used in GDPR, the Bulgarian Personal Data Protection Act (hereinafter below “BDPA”) and the Bulgarian Electronic Document and Electronic Signature Act (hereinafter below: “BEDES”).

2. GENERAL PROVISIONS

2. 1. The Controller collects specific Personal data for the purposes of administering, exercising its own activity and exercising the legal obligations.

2. 2. The present policy contains the general principles and procedures for collection, processing and storage of personal data of the users of the website http://www.uteam-bg.com/, controlled by the Controller (hereinafter referred to as “website”). Please read carefully and acquaint yourself with the present policy before you start using the Website. Through the use of the services, provided by the Controller, you confirm that you consent to comply with the present Policy.

2. 3. The Data Subject has no right to use the Website, unless he/she has failed to familiarize himself/herself with the Policy and/or has rejected it. In case the Data Subject does not agree with the Policy or the respective part thereof, he must not use the Website. Otherwise it will be deemed that the Client has familiarized himself/herself and has accepted the Policy unconditionally.

2. 4. The Controller must comply with the inviolability of the personal data. The present policy explains the acceptable practice regarding the confidentiality in our company. It explains the manners used for collection and use of your Personal data and the rights, exercised by you.

2. 5. The use of the services by third parties may be governed by the general terms of third parties. For example, all Facebook users and visitors are governed by the Confidentiality Polict for such data. Therefore, for the purposes of the use of third party services, we recommend that you examine their applicable terms and conditions first.

2. 6. The Data Subject shall guarantee that he will comply with the following general principles for data protection:

2.6.1. The personal data is processed lawfully, fairly and in a transparent manner in respect of the Data Subject (lawfulness, fairness and transparency);

2.6.2. The personal data is collected for specific, express and lawful purposes and are not processed in a manner, that is incompatible with those purposes; the subsequent processing of personal data for the purposes of archiving in public interest, scientific or historical research or statistical purposes does not count as incompatible with the initial purposes (restriction of the purpose);

2.6.3. The personal data must be adequate, appropriate and restricted to those that are necessary in respect of the purposes, for which they are processed (minimization of data);

2.6.4. The personal data must be accurate and, if necessary, updated; all reasonable measures must be undertaken, in order to guarantee that the personal data, that are inaccurate, taking into account the purposes, for which they are processed, are deleted or corrected immediately (accuracy);

2.6.5. Personal data, stored in form, which allows identification of the data subjects, are stored no longer than necessary for the purposes, for which the personal data is processed; The personal data may be stored for longer periods, insofar they will be processed solely with archiving purpose in public interest, scientific or historical research or statistical purposes in correspondence with article 89, paragraph 1 of GDPR provided that appropriate technical and organizational measures have been introduced, as required by the present regulation, for the purpose of protectingthe rights and the freedoms of the Data Subject (restriction of the storage);

2.6.6. The personal data is processed in a manner, that ensures suitable protection of the personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, by using appropriate technical or organizational measures (comprehesiveness and confidentiality).

2.6.7. The Controller shall be responsible and must be able to prove the compliance with the principles described above (accountability).

2. 7. The data is processed, by sending a proper notification to the Data Subjects.

2. 8. The data is stored for the periods, indicated for every type of personal data, as provided herein. The storage shall be performed in correspondence with the procedures, provided in section А of the present document.

2. 9. The rights of the Controller for access to the data shall be revoked in case of termination of the contract for processing of personal data, signed with the Controller or upon expiry of the term of the agreement.

2.10. The data shall be transferred to the Controllers and receivers, in every case where the legal regulations provide for the right and/or the obligation to do so, on the respective grounds.

2.11. The Controller shall be entitled to provide personal data to the authorities of the investigation, the prosecution office or the court for the purposes of any administrative, civil or penal proceeding as evidence or in any other cases provided by the law.

3. PROCESSING OF PERSONAL DATA FOR THE PURPOSE OF PROVIDING SERVICES

3. 1. The Controller shall provide to its Clients the services described on the company site, for which provision the following Data of the Clients shall be processed:

3.1.1. Name;

3.1.2. Surname;

3.1.3. Personal identification number;

3.1.4. Date of birth;

3.1.5. Place of residence (address);

3.1.6. Email address;

3.1.7. Phone number;

3.1.8. Certain data for the paycards used by the Client received by the company providing the service of processing of cards (card type, part of the card’s number)

3. 2. The data, indicated in paragraphs 3.1.1 – 3.1.8, shall be received directly from the Client, but part of the data, recorded in the system, can be received also from the Client’s employer, in case the latter uses the services of the Controller as client or employee of the respective company.

3.3. For the purposes of the registration and the recording of the Clients, the signing, administering and the performance of a contract, protection and control over the assets owned by the Company, the Controller shall additionally provide the following Data:

3.3.1. Number, date and place of issuance and date of validity of the identification card (when the other measures for identification are not sufficient, are not reliable, etc.);

3.3.2. Categories of the internet page, which the Data Subject has the right to manage, the date when such right was granted and the date of its expiry;

3.3.3. Details about the liability;

3.3.4. Details about liabilities (level of indebtedness, amount of the liability, date of origination of the liability, deadline, due date).

3. 4. The Controller must not transfer to the receivers the above said data of the Clients. The data of former Clients shall be providedonly to the law enforcement authorities according the procedure provided in the law.

3. 5. The legal basis for the processing of personal data are article 6, paragraph 1, letter b) and article 6, paragraph 1, letter c) of GDPR.

3. 6. In order to check the validity of the data, The Controller must provide specific Personal data (such as for example number of identification document and the personal identification number) of the Data Processors, responsible for the performance of verification of the registered personal data and for technical and administrative assistance for the Clients.

3. 7. The Controller confirms that in order to ensure data protection, all technical and organizational measures for data protection have been introduced.

3. 8. The Controller enters into agreements for the processing of data with the owner of the site in relation to the processing of the personal data on behalf of the Controller. T|he Data Processors process personal data only on behalf of the Controller for the purposes, specified in those agreements for data protection. In particular, every Data Processor shall:

– process Personal data only according the documented instructions of the Controller, including in respect of the transfer of personal data to a third country or international organization, unless a deviation from those instructions is necessary, in order to

comply with the requirements of the applicable Regulation for data protection in EU, to which the Data Processor is subject. In such case, the Data Processor must, without undue delay, inform the Controller of the respective requirement before the processing of personal data;

– guarantees that the persons, authorized to process the personal data, have undertaken an obligation for confidentiality and compliance with the applicable regulation for data protection within EU or are boud by a prompt legal obligation to keep confidentiality;

– assist the Controller, upon the latter’s express request, for the purpose of ensuring the performance of his legal obligations, such as for example, obligations related to the security of the data by the Controller, the impact assessment on the data protection and preliminary consulting, as provided in the Regulation for personal data protection, and, in particular, to introduce such appropriate technical and organizational measures for protection of the personal data, falling into the scope of the Agreements for processing of data, from accidental or illegal destruction, loss, change, unauthorized announcement or access to the personal data. The Controller shall compensate the Data Processor for the costs, resulting from such assistance. In order to avoid any doubt hereby the parties expressly accept that the Data Processor shall be under obligation to perform all his obligations as Personal Data Processor, in full compliance with the Regulation for personal data protection at his own expense;

– assist the Controller by applying the appropriate technical and organizational measures for performance of the obligation of the Controller as Personal Data Controller, and namely: respond to the requests for exercising of the rights of the Data Subjects according the Regulation for data protection. the Data Processor must immediately notify the Controller of any request, sent by any Data Subject, and not to answer to the respective request, before receiving the instructions of the Controller. The Controller shall refund the Data Processor for all expenses, related to such assistance;

– shall provide to the Controller the entire information, necessary for proving the compliance with the obligations of the Data Processor the personal data, indicated in those agreements for processing of data and in the regulation for data protection, and to allow and to cooperate during audits, including checks, made by Controller or other auditor, authorized by the Controller;

– maintain accurate records of all activities of processing according the present contract for data processing in correspondence with the requirements, indicated in the Regulation for data protection, and provide to the Controller the respective records within ten (10) work days after receiving the request of the Controller;

– guarantees that no personal data shall be transferred, released, assigned, published or in any other manner provided to a third party without the prior express written consent of the Controller.

– guarantees that obligations for data protection, similar to those indicated in the present document, have been imposed to the other Personal Data Processors, which are engaged by Data Processor by the means of contract. the Data Processor shall be responsible before the Controller for the performance of those obligations by the other Data Processors;

– informs immediately the Controller, in case a given instruction of the Controller violates the Regulation for data protection or if the personal data is processed or will be processed in breach of the Regulation for data protection or the Agreement (including the present CPD) and informs immediately the Data Controller regarding the complaints or audits by the authorities for data protection, regarding to the processing of Personal data;

– informs the Controller without undue delay (but not later than 48 hours), after gaining knowledge of breach in the security of the personal data, which means breach of the security, leading to accidental or illegal destruction, loss, change, unauthorized disclosure or access to Personal data, that are transferred, stored or processed in other manner. The notification must describe the nature of the breach, number of affected Subjects, possible consequences of the breach, the suggested and adopted measures, as well as any other data, related to the breach, as listed article 33, paragraph 3 of GDPR; and

– upon termination of CPD or by written request of the Controller, or to destroy, or to return all Personal data, unless otherwise provided in the Regulation for personal data protection within EU, to which the Data Processor is subject.

4. PERIODS OF STORAGE OF THE DATA

4.1. The Controller applies various storage periods of the personal data depending on the categories of processed personal data.

4.2. The Controller applies the following storage periods of personal data:

  Categories of Personal data Storage period
1. Personal data of the clients, processed for the purposes of providing the services of the company 3 years from the date of termination of the contract or the date of payment of the liability.

4.3. Exceptions from the above said storage periods can exist to the extent they do not violate the rights of the Data Subjects, meet the legal requirements and are duly documented.

4.4. The documents, in respect of which the Controller has issued a stop order due to a legal dispute, are stored and destroyed according the instructions of the legal department.

5. RIGHTS OF THE DATA SUBJECTS

5. 1. The Data Subject is entitled to exercise the following rights according the procedure provided in GDPR and BDPA:

5.1.1. Right to be informed;

5.1.2. Right of access;

5.1.3. Right of deletion;

5.1.4. Right to update;

5.1.5. Right to restrict the processing of data;

5.1.6. Data transfer rights;

5.1.7. Right to object;

5.1.8. Rights regarding the automatic making of decisions and profiling.

5. 2. The rights, indicated in item 7.1.2 – 7.1.8 herein, shall be exercised within the terms specified in the GDPR.

5. 3. The above said terms, specified in the GDPR, are as follows:

Request from the data subject Period
Right to be informed When enough data has been collected (provided the data has been provided by the Data Subject) or within one month (if the data is not provided by the Data Subject)
Right of access One month
Right to update One month
Right of deletion Without undue delay
Right to restrict the processing Without undue delay
Data transferability rights; One month
Right to object After receipt of objection
Rights related to automatic decision-making not specified
of decisions and profiling.  

5. 4. The Controller is entitled to deny, on good grounds, to the Data Subject from exercising his rights or to impose a reasonable fee for the terms, provided in article 12, paragraph 5, letter c) of GDPR.

6. PERSONAL DATA PROTECTION OFFICER

6. 1. According to the GDPR, in the cases where the general activities of the Controller consist in operations of processing, which require a regular and systematic monitoring of the Data Subjects in large scale or where the general activities of the Controller or the Data Processor consist in the processing in large scale of special categories of personal data, it is mandatory to have a Data Protection Officer.

6. 2. The rights and the obligations of the Data Protection Officer are described in detail in GDPR, the appendices to the Policy, the job descriptions, provided the position is occupied by an employee of the Controller, or one under contract for services, provided the position of Data Protection Officer shall be occupied by an external service provider.

6. 3. In respect of the above said criteria and the activities, exercised by the Controller, the latter shall not be under obligation to appoint a Data Protection Officer.

7. PROCEDURE FOR MANAGEMENT OF BREACHES IN THE SECURITY OF PERSONAL DATA AND HANDLING SUCH BREACHES

7. 1. If the employees of the Controller, who are authorized to access the data, observe breaches in the security of the data (action of failure to act by a person that can lead to have led to a risk for the security of the data), they must notify the responsible person and / or their direct manager.

7. 2. Taking into account the risk factors for data security breach, the degree of impact of the breach, the damage and consequences, following the respective internal procedures, the Controller takes decisions for the necessary measures for elimination of the data security breach and the consequences thereof and for notification of the respective persons.

8. TECHNICAL AND ORGANIZATIONAL MEASURES FOR THE SAFETY OF PERSONAL DATA

8. 1. The organizational and technical measures for data security, introduced by the Controller, ensure such level of security, which corresponds to the nature of the data, processed by the Controller, and to the risk of data processing, including, but not limited to, the measures, indicated in the present section.

8. 2. Measures for security of the personal data include the following:

8.2.1. Administrative (establishment of a procedure for safety of the documents, computer data and their archives and organization of the work in various spheres of activity, training of the personnel, employed as of the respective moment, as well as at the time of leaving work/discharge, etc..);

8.2.2. Technical and software protection (administration of servers, information systems and databases, maintenance of work stations, protection of the operation systems, supervision (control) of the access by the users, protection from computer viruses, etc.);

8.2.3. Administration of information systems and databases, maintenance of work stations, protection of operation systems, protection from computer viruses and others;

8.2.4. Protection of the communication and computer networks (technical and software measures for encoding and transfer of data for general use, applications, Personal data, filtering unwanted data packages and others).

8. 3. The above said measures for protection of the personal data ensure 1) equipping the vault preserving copies of operation systems and databases, control of the storage of copying equipment; 2) technology for non-stop work with data (processing); 3) strategy for restoring the functioning of the systems in emergencies (management of insecure variables); 4) system for unique identification of user, as well as password; 5) physical (logical) separation of testing medium of applications from the operative regime processes; 6) registered use of data and inviolability of the data.

8. 4. The Controller must introduce a procedure for the restoration of Personal data in case of incidental loss of data. The Controller makes reserve copies of the data, available on the system. The data will be extracted according the interior procedure, using the software libraries for reserve copying equipment. In all cases the archives of the data is stored, without affecting the storage period of the data, as specified in the Policy.

8. 5. The Controller also applies other measures, guaranteeing the security of the personal data:

8.5.1. The VPN technology will be used for remote connection to the internal network of the Controller, while a digital certificate is used for user identification;

8.5.2. The access to personal data through organizational and technical measures for data security, that register and control the efforts for registration and acquisitions of rights, are subject to the appropriate control;

8.5.3. The following records are kept when persons entitled to process personal data, enter the databases: identifier at the time of access, data, time, duration, resulting from the access (successful, non-successful). The above said records are stored for a duration of at least 1 (one) year;

8.5.4. It is necessary to guarantee the security of the premises, where Personal data is stored (the respective premises can be accessed only by authorized persons, etc.);

8.5.5. The requests for executing searches in the provided personal data must have as their purpose the identification of the person and verification of his driver license;

8.5.6. It is necessary to make efforts to guarantee the use of protection protocols and / or passwords when providing personal data through external networks for data transfer;

8.5.7. It is necessary to ensure control over the security of the personal data on external data carriers and email and their deletion after the use of the personal data by transferring them to the databases;

8.5.8 Any emergency actions for restoration of personal data (when and who performed the actions for restoration of personal data with automatic and non-automatic means) shall be recorded;

8.5.9. It is necessary to guarantee that the testing of information systems shall not be performed with real personal data, except in the cases when organizational and technical measures for protection of the personal data are in place, guaranteeing real security of the personal data;

8.5.10. The personal data in laptops, in case they are not used in the network for the purpose of transfer of data of the Controller, shall be protected by the means of the respective measures, corresponding to the risk of processing.

8. 6. The Controller applies appropriate technical and organizational measures, ensuring a standardized processing of personal data, which is necessary for the specific purpose of the data processing. The above said obligation shall apply to the respective quantity of collected Personal data, the scope of their processing, the period of storage of such Personal data and the accessibility of the personal data.

9. CONTACT DETAILS

9.1. You are welcome to contact us with any questions you might have regarding the present policy and / or the protection of the data as a whole, using the following contact details:
Email: ………………………..
Phone: + 359………………………….

Supervisory authority:
Personal Data Protection Commission

Address: 1592 Sofia 2 Tsvetan Lazarov blvd
phone: +359 2 915 3580 Fax +359 2 915 3525
Email: kzld@cpdp.bg
Website: http://www.cpdp.bg/

10. FINAL PROVISIONS

10. 1. The Policy shall be reviewed annually at the initiative of the controller and/or in case of changes in the legal regulations, governing the processing of personal data.

10. 2. The Policy and any amendments thereto shall come into force on the date of their approval.