Privacy Policy

PRIVACY POLICY AND PROTECTION OF PERSONAL DATA

  1. PURPOSE

This Policy determines the order in which UNIVERSE CONSULT Ltd, EIC 121109258 (hereinafter referred to as the Company), collects, records, organizes, structures, stores, adapts or alters, retrieves, consults, uses, discloses by transmission, dissemination or otherwise making available, aligns or combines, restricts, erases, destroys or otherwise processes personal data for the purposes of its activity.

Depending on the specific situation, the Company may process data in the capacity of Personal Data Administrator (Administrator) or Personal Data Processor (Processor), according to whether it processes the personal data of its own employees, clients and counterparties (natural persons) or the personal data of the employees and counterparties of its clients (companies or self-insured persons). The Policy has been prepared in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the repeal of Directive 95/46/EC (General Data Protection Regulation, GDPR), the Personal Data Protection Act (ЗЗЛД) and Ordinance No. 1 of 30 January 2013 on the minimum level of technical and organizational measures and the permissible type of personal data protection (Ordinance No. 1).

This Policy governs:

  • The principles, the procedures and mechanisms for processing personal data;

  • The procedures for administering data access requests, correction of processed data, objections and withdrawal of consents, as well as administering requests to exercise other rights, which the subjects of personal data have by law;

  • The procedures for notifying the supervisory authority in case of security breaches;

  • The persons who process personal data and their obligations;

  • The rules for transferring personal data to third parties in Bulgaria and abroad;

  • The necessary technical and organizational measures to protect personal data from unlawful processing and in case of accidents, such as accidental or unlawful destruction, loss, unauthorized access, modification or distribution;

  • The technical resources, applied to the processing of personal data.

  2. SCOPE AND EFFECTIVENESS

This Policy is mandatory for all workers, employees and the management of the Company responsible for the processing of personal data in connection with the performance of their official duties, and enters into force from the date of its approval. The Policy is applied by the Company in its relations with other controllers of personal data, personal data processors, data subjects, the persons responsible for personal data protection and the Data Protection Officer (DLZD) (if appointed), as well as in relation to all third parties who have the right to access personal data in the registers of processing activities.

The following have specific duties and responsibilities under this Policy:

  • The Manager(s);

  • Specific employees of the Company, determined by order of the Manager(s).

  3. CONCEPTS

For the purposes of this Policy, the terms below have the following meanings:

"Personal data administrator" is a natural or legal person, public body, agency or other structure which, alone or jointly with others, determines the purposes and means of processing personal data. In this Policy, "Administrator" means the Company when it processes personal data of its employees, counterparties and clients who are natural persons.

"Data Protection Officer" (DLZD) is a natural person having the necessary competence, who is authorized or appointed by the Company with a corresponding written act in which his rights and obligations are settled in relation to ensuring the necessary technical and organizational measures for the protection of personal data during their processing. At the moment, the Company has no obligation to appoint, and has not appointed, a DLZD.

"Personal data processor" is any natural or legal person, public body, agency or other structure which processes personal data on behalf of the administrator. When the Company processes personal data of employees and contractors (natural persons) of its customers under a service contract, it acts in the capacity of Processor of personal data in relation to these natural persons.

"Person responsible for personal data protection" is a person who is an employee of the Company or performs functions on behalf of the Company, and who is assigned the duties relating to the protection of personal data and the processing procedures regulated in this Policy. In the Company, these functions are performed by individuals to whom this has been assigned by order of the Manager(s).

"Recipient" is a natural or legal person, public body, agency or other structure to which the personal data is disclosed, whether a third party or not.

"Third party" is a natural or legal person, public body, agency or other body other than the data subject, the administrator, the personal data processor and the individuals who, under the direct supervision of the administrator or the processor, have the right to process personal data.

"Personal data" is any information relating to a natural person who is identified or can be identified (data subject), directly or indirectly, through an identifier such as a name, ID number, location data or online identifier, or through one or more specific characteristics.

"Sensitive personal data" are categories of personal data which enjoy a higher level of protection, such as data on health status, biometric data, data on racial or ethnic origin, political views, etc. The processing and storage of such data is prohibited, except where there is a legally justified reason or public interest, or after the express consent of the person. The Company processes only some aspects of the health status of its employees (data from sick leave certificates, TELK medical reports, etc.) related to the exercise of their labour, insurance and social rights.

"Processing of personal data" is any operation or set of operations which the Company carries out on personal data by automated or non-automated means (collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, provision, alignment or combination, blocking, erasure or destruction, or otherwise making the data available).

"Pseudonymization" is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

"Register of personal data" is a structured set of personal data, accessible according to specific criteria defined in the Company's internal documents, which may be centralized or decentralized and distributed on a functional or geographical basis.

"Consent of the data subject" is any freely given, specific, informed and unambiguous indication of will by which the individual to whom the personal data relates agrees to their processing.

"Breach of personal data security" is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data which are transmitted, stored or otherwise processed.

"Supervisory authority" is an independent public body established by a Member State pursuant to Art. 51 of the GDPR. In this Policy, "Supervisory Authority" means the Commission for the Protection of Personal Data (CPLD).

4. GENERAL PRINCIPLES OF PERSONAL DATA PROCESSING IN THE COMPANY

4.1. The Company, as a personal data administrator, processes personal data lawfully, in good faith and transparently, in compliance with the following principles:

  • The data subject is informed in advance about the processing of his personal data;

  • Personal data is collected for specific, precisely defined and legitimate purposes and is not further processed in a way incompatible with these purposes;

  • Personal data corresponds to the purposes for which it is collected and processed;

  • Personal data is accurate and, if necessary, kept up to date;

  • Personal data is stored in a form which allows the identification of the data subject for a period no longer than necessary for the purposes for which the personal data is processed;

  • Personal data is processed in a way which guarantees an appropriate level of personal data security, including protection against unauthorized or unlawful processing and against accidental loss, disclosure, destruction or damage, by applying appropriate technical or organizational measures;

  • The applied organizational and technical measures ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services for processing personal data.

4.2. For the lawful processing of the data, at least one of the following conditions must be present:

  • The data subject has given his consent;

  • The processing is necessary for the performance of a contract, to which the data subject is a party, or to take steps at the data subject's request prior to entering into a contract;

  • Processing is necessary to comply with a legal obligation, which applies to the administrator;

  • Processing is necessary to protect the vital interests of the data subject or of another natural person;

  • The processing is necessary for the performance of a task of public interest;

  • Processing is necessary for the purposes of the controller's legitimate interests, except when the interests or fundamental rights and freedoms of the data subject take precedence over these interests;

  • When the Company acts as Personal Data Processor, a dedicated Agreement for confidential data processing, annexed to the service contract, has been signed with the relevant Personal Data Administrator.

5. ROLES IN THE PROCESSING OF PERSONAL DATA IN THE COMPANY

5.1. Personal data administrator

The implementation of the necessary technical and organizational measures to protect personal data is carried out by UNIVERSE CONSULT Ltd, EIC 121109258, with address: Sofia 1301, 48 Hristo Botev Blvd., floor 3, in its capacity as Administrator of personal data.

The administrator has the following duties:

  • defines the policy for the protection of personal data in the Company, complies with GDPR requirements, EU legislation in the field of personal data protection and national legislation;

  • designates a Data Protection Officer (DLZD), when such a person is appointed, assists him in the performance of his duties, provides the necessary resources and full access to personal data and processing operations, and supports the maintenance of his expertise. At the moment, the Administrator has no obligation to appoint, and has not appointed, a Data Protection Officer;

  • ensures the organization of maintaining the registers, according to the measures provided to ensure adequate protection and updates them if necessary;

  • introduces appropriate technical and organizational measures, developed with a view to the effective application of data protection principles;

  • ensures the exercise of the rights of individuals to protect personal data;

  • controls compliance with the requirements for the protection of registers, establishes circumstances, related to a breach of their protection, and takes measures to remove them;

  • stores personal data in a form which allows the identification of the relevant natural persons for a period not longer than necessary for the purposes for which this data is processed;

  • periodically informs the staff about personal data protection issues;

  • provides assistance in the implementation of the control functions of the Supervisory Authority (CPLD) and assists in establishing circumstances related to the protection of personal data; in the event of a breach of personal data security, notifies the Supervisory Authority without undue delay if there is an established risk for the affected persons;

  • determines the rights of employees to access personal data in information systems according to the purposes of processing, so as to ensure legality and comply with processing principles;

  • uses subcontractors (other Personal Data Processors) only when necessary, and only those which provide sufficient guarantees through the application of appropriate technical and organizational protection measures;

  • in case of high risk for individuals, informs them in an appropriate way about the personal data security breach;

  • documents any breach of personal data security, including the facts, related to the breach of personal data security, its consequences and the actions taken to deal with it.

5.2. Data Protection Officer (DLZD). Persons responsible for personal data protection.

5.2.1. The Company has no obligation to appoint, and has not appointed, a DLZD at the present time.

5.2.2. The person responsible for personal data protection is an employee (or employees) determined by order of the Manager(s) of the Company, who has the following obligations:

  • ensures the organization of maintaining the registers under item 11 of this Policy, according to the measures provided to ensure adequate protection;

  • monitors compliance with the specific measures for protection and access control in accordance with the specifics of the kept registers;

  • controls compliance with the rights of data subjects in relation to the registers and the software and technical means for their processing;

  • specifies the technical means, applied to the processing of personal data;

  • conducts periodic checks for compliance with data protection requirements and, in case of detected irregularities, notifies the Manager and jointly takes the necessary measures to eliminate them. At the Company's discretion, the person responsible for personal data protection may be the Manager of the Company.

5.3. Employees of the Administrator, processing personal data

The employees of the Administrator process personal data only after regular familiarization (and, where necessary, familiarization of newly appointed employees or upon changes) with the current regulations in the field of personal data protection and with this Policy, confirmed by signing the Training and Instruction Protocol (Appendix No. 3 to this Policy) and the Declaration of non-disclosure of personal data (Appendix No. 4 to this Policy).

Employees of the Administrator, determined by special order of the Manager(s) and entrusted with the processing of personal data, are obliged:

  • to process personal data only where there is a basis deriving from the law, from the contractual relationship with the person, from the express consent of the person or from the Administrator's legitimate interest;

  • to use personal data, which they have access to, according to the objectives, for which they are collected and not to process them further in any way, incompatible with these purposes;

  • to store personal data in a form which allows the identification of the relevant natural persons for a period not longer than necessary for the purposes for which this data is processed;

  • not to export or store personal data outside the places specially designated for that purpose, which are subject to a special access regime;

  • to follow the "clean desk" and "clean screen" rules regarding the protection of information and personal data. This means that only the data currently being processed by the employee is present on the work desk and on the screen, and only until its processing is completed. After completion of the processing, the data should be stored in the manner provided for in this Policy: data on paper in lockable cabinets and rooms, and data on the server and in the software product Sugar CRM PRO by closing the screen through which they are accessed, that access being protected by a username and password known only to the relevant employee. Data is maintained with monthly backups, which are deleted after the data storage period expires. The data server and the backups are stored in a special lockable cabinet. The Manager(s) and the person determined by their express order have access to the key. The exchange of data with the NRA and NOI is carried out with an electronic signature, which guarantees a high level of security.

  • to take measures, so that outsiders do not have any unauthorized access to documents, containing personal data, including being able to review them, copy or take photos with a mobile phone;

  • when the implementation of the relevant process allows, the personal data used is limited to the maximum extent (minimization);

  • to ensure and guarantee compliance with the rights of natural persons in connection with the processing of personal data;

  • to provide assistance to the Manager(s), as the person responsible for the protection of personal data, in the performance of his functions.

For non-compliance with GDPR provisions, current national legislation and this Policy, the Administrator's employees bear disciplinary responsibility.

If, as a result of the actions of an employee of the Administrator when processing personal data, damage to a third party has occurred, the latter may be held liable under general civil law or under criminal law, if the act constitutes a more serious offence for which criminal liability is provided.

5.4. Personal data processor

In connection with the performance of its activity of providing services to its customers, regarding the processing of personal data of their employees and contractors, the Company acts in its capacity of Processor of personal data.

When it is assigned the processing of personal data as a Processor, the Company complies with the requirements specified in item 9 of this Policy, as well as with the instructions of the relevant Personal Data Administrator, the relationship being regulated by a signed special Agreement.

5.5. Terms of storage of personal data:

5.5.1. UNIVERSE CONSULT Ltd will store the personal data of its workers and employees for no more than:

  • 10 years, counted from 01.01. of the year following the year in which the employment (civil) contract was terminated, for the data in the employment (civil) contracts;

  • for the data in the payroll of employees: 50 years, counted from 01.01. of the year following the year to which they relate;

  • for the data in resumes and other documents of job candidates: up to one month after concluding a contract with the selected candidate, unless the person has given consent for a longer period in order to participate in a new selection;

  • for the data in other accounting documents: 3 years, counted from 01.01. of the year following the year in which they were drawn up;

  • for data in copies of sick leave certificates: 3 years, counted from 01.01. of the year following the year in which they were issued;

5.5.2. UNIVERSE CONSULT Ltd will store the personal data of its customers and contractors for no more than:

  • for the contract for the provision of services and the documents for its implementation, as well as the data in these documents: 10 years, counted from 01.01. of the year following the year in which the contract is terminated;

  • for data in other accounting documents under the Service Provision Agreement: 3 years, counted from 01.01. of the year following the year in which the documents were drawn up;

  • for other personal data of the client's counterparties, provided by the client and necessary for the performance of the service contract: up to 2 years, counted from 01.01. of the year following the year in which the particular service was performed, unless a longer term is required to perform a service under the contract;

6. CONSENT. RIGHTS OF DATA SUBJECTS

The Company, as Administrator of personal data, provides individuals who are its workers and employees under a civil or employment contract with information about the processing of their personal data in a brief, transparent, comprehensible and easily accessible form, in plain and simple language, by communicating the Privacy Policy, for which they sign the Notification (Appendix No. 1 to this Policy) at the Company's office. Declarations and signed notifications are on paper and are kept in the personal employment files of employees for a period of 10 years, counted from 01.01. of the year following the year in which the employment (civil) contract was terminated, together with the data in the employment (civil) contracts.

The Company, as Administrator of personal data, provides individuals who are its customers and counterparties (natural persons) with information about the processing of their personal data in a brief, transparent, comprehensible and easily accessible form, in plain and simple language, by communicating the Privacy Policy, for which they sign the Notification (Appendix No. 2 to this Policy) at the Company's office. Customers who are natural persons may also confirm that they have familiarized themselves with the Declaration of confidentiality of their personal data by email: office@universconsult.com. Declarations and signed notifications are kept on paper in the files of clients who are natural persons, and in electronic form in the software product Sugar CRM PRO, for a period of 10 years, counted from 01.01. of the year following the year in which the service contract was terminated. This storage period of 10 years, counted from 01.01. of the year following the year in which the relevant contract was terminated, is determined by the Accounting Act and the general 10-year tax statute of limitations, as well as by the Administrator's legitimate interest in protecting itself from possible claims against the Administrator.

6.1. Consent

The personal data of data subjects are processed on the basis of their consent only when there is no other basis for processing. Concluding and executing employment and civil contracts, as well as the provision of services by the Company, does not require consent from the data subjects, because without the provision and processing of the relevant personal data the contracts cannot be concluded and executed.

The data subject consents to the processing of personal data (when this is necessary for the lawfulness of the processing in the absence of another basis) if he expresses this by a clear and unequivocal statement or other affirmative act. When processing is based on consent, it should be given in person through the Declaration of consent to the processing of personal data (Appendix No. 5 to this Policy). The Declaration of consent to the processing of personal data can also be obtained by e-mail: office@universconsult.com; it is stored in paper form in the file of the client (natural person) and in electronic form in the software product Sugar CRM PRO for a period of 6 months after completion of the processing for which consent is required, unless the person has given consent for a longer period in view of the emergence of a new need for processing.

If consent is given in a document which also settles other matters, it should be sought separately from consent on the other matters. Tacit consent, pre-checked boxes or inaction do not constitute consent.

The data subject can easily withdraw his consent to processing at any time by submitting a written application in free text to the Administrator.

Withdrawal of consent does not affect the lawfulness of the processing, based on consent given before its withdrawal. If there is no other condition for the legality of the processing, with the withdrawal of consent, it should cease.

The consents of the persons are collected in person at the Company's office or by email: office@universconsult.com.

Declarations of consent to the processing of personal data and applications for withdrawal of consent received in electronic form and in paper form are registered in the software product Sugar CRM PRO; those received in the office on paper are also stored in the file of the individual client.

Declarations of consent and withdrawal are kept by an employee, determined by order of the Manager/s, while data processing activities are carried out on this basis, in view of compliance with the principle of accountability.

6.2. Right of access to information

The data subject has the right to request access to his personal data, including to ask for confirmation as to whether data relating to him are processed, and to be informed about the purposes of this processing, the categories of data, the recipients of the data and the purposes of any processing of personal data pertaining to him.

If, when granting access to personal data at the request of one person, personal data of another person could be disclosed, the Administrator is obliged to grant access only to the part of the data relating to the data subject. The right of access is exercised by submitting the Application for access to personal data (Appendix No. 6 to this Policy).

6.3. Right to erasure, correction or blocking (restriction of processing)

Any data subject has the right to request the erasure, correction or blocking of his personal data, the processing of which does not meet the requirements of the law.

The data subject has the right to ask the Administrator to delete or correct his personal data without undue delay, by submitting the Application for deletion of personal data / Application for correction of personal data (Appendix No. 6 to this Policy).

The right to blocking (restriction of processing) enables the data subject to request a temporary suspension of the processing of his personal data in order to establish their accuracy and/or the grounds for their processing. When processing is restricted, the personal data is processed only with the consent of the data subject, or for the establishment, exercise or defense of legal claims, to protect the rights of another natural person, or for important reasons of public interest. To exercise this right, the data subject submits the Application for restriction of personal data processing (Appendix No. 6 to this Policy).

6.4. Right to portability of personal data

The data subject has the right to receive the personal data which concern him and which he has provided to the Administrator, in a structured, widely used and machine-readable format, and has the right to transfer this data to another Administrator, when:

  • the processing is based on consent or a contractual obligation;

  • the processing is carried out in an automated manner.

When exercising his right to data portability, the data subject has the right to obtain a direct transfer of the personal data from one administrator to another, where technically feasible.

The right of portability is exercised only when it does not adversely affect the rights and freedoms of others. The data subject exercises his right to portability by submitting the Application for portability of personal data (Appendix No. 6 to this Policy).

6.5. Right to object to the processing of personal data

The data subject has the right at any time to object to the processing of his personal data and/or their provision to third parties without the necessary legal basis. The right to object is exercised by submitting the Application for objection to processing of personal data (Appendix No. 6 to this Policy).

The administrator examines the submitted application and terminates the processing of personal data, unless there are legal grounds for the processing, which take precedence over interests, rights and freedoms of the data subject, or for the establishment, the exercise or defense of legal claims.

The applications listed above are registered in the software product Sugar CRM PRO by the employee(s) determined by special order of the Manager(s). Applications in electronic form are stored in the software product Sugar CRM PRO, and those on paper in the file of the client (natural person).

Within 14 days from the date of submission of the application, the Administrator notifies the applicant in writing whether there are legal grounds for honoring the request. If the Administrator finds that there are legal grounds to grant the request, it also informs the applicant about the procedure by which he can exercise his right; otherwise, it informs him of its refusal to honor the request due to lack of legal grounds.

All paper applications are stored for the same period as the subject's personal data, with the exception of the Application for deletion of personal data, which should be destroyed together with the deletion of the data, unless a special law or the Administrator's legitimate interest requires a longer storage period for individual documents.

6.6. The right to appeal to the Supervisory Authority (CPLD)

The data subject has the right to appeal to the CPLD in all cases when his rights are violated, within one year of learning of the violation, but not later than 5 (five) years from its occurrence.

7. INCIDENT PROCEDURE

7.1. Reporting a breach of personal data security

7.1.1. Employees of the Company and candidates for employment in the Company submit a personal data breach alert in free form, in one of the following ways:

  • in person, in the office of the Administrator, to the Manager of the Company, on paper or orally;

  • through a licensed postal operator;

  • by email: office@universconsult.com.

The received personal data breach alert is registered in the software product Sugar CRM PRO by the employee(s) determined by special order of the Manager(s), with the paper report being kept in the Administrator's office.

The employees who received the alert immediately inform the Manager about it.

7.1.2. The Company's customers and counterparties submit a personal data breach alert in free form, on paper or electronically, in one of the following ways:

  • in person, in the Administrator's office, to the Company Manager;

  • through a licensed postal operator;

  • by email: office@universconsult.com.

The received personal data breach alert is registered in the software product Sugar CRM PRO by the employee(s) determined by special order of the Manager(s). The employees who received the alert immediately inform the Manager about it. Alerts received on paper are kept in the Administrator's office.

7.2. Incident review and risk assessment – analysis of the security breach and determination of response measures

After receiving an alert, the Manager of the Company determines whether the specific event constitutes a "breach of personal data security". Depending on the nature, scope and seriousness of the breach, the Manager determines the affected areas and which data is affected, as well as the risk for the affected individuals, takes appropriate measures to deal with the breach of personal data security and, where appropriate, takes the necessary actions to eliminate its adverse consequences.

7.3. Assessment of the need to notify individuals. Notification of individuals in case of high risk

According to the GDPR, when the breach of personal data security is likely to pose a high risk to the rights and freedoms of natural persons, the Administrator, without undue delay, sends information about the breach to the data subject, describing its nature and specifying at least the information and measures referred to in Article 33, paragraph 3, letters (b), (c) and (d) of the GDPR.

7.4. Notification to the supervisory authority

In case of a "breach of personal data security", where there is a possibility of a risk to the rights and freedoms of natural persons, the Administrator, without undue delay and where feasible not later than 72 hours after becoming aware of it, sends the Notification of personal data breach (Appendix No. 7 to this Policy) to the Supervisory Authority.

Where, and insofar as, it is not possible to provide the information at the same time, it may be provided in phases without undue further delay.

7.5. Taking measures to deal with the personal data security breach

The Administrator documents any breach of personal data security, including the facts relating to the breach, its consequences and the actions taken to address it. Incidents in the Company are registered in the software product Sugar CRM PRO by the employee(s) designated by special order of the Manager(s), and the record necessarily includes:

  • the presumed time or period of occurrence;

  • the time at which the incident was established;

  • the name and position of the person who established the incident and filed the report;

  • a description of the breach: source, type and scale of the affected data, cause of the breach (if applicable);

  • a description of the notifications made: notification of the CPLD and of the affected persons (if made);

  • the measures taken to limit the possibility of subsequent security breaches.

The Manager of the Company carries out a detailed assessment of the degree of impact and damage to the personal data media and to the electronic personal data array, and takes appropriate measures to restore the personal data database in the event of its complete destruction or loss. In this analysis, the Manager pays particular attention to the causes that led to the damage or loss of personal data and takes appropriate measures to prevent similar incidents in the future.

8. DATA PROTECTION IMPACT ASSESSMENT PROCEDURE

An impact assessment is carried out when required under applicable law and in view of the risk to individuals and the nature of the personal data processing carried out by the Company. An impact assessment is carried out for high-risk processing activities.

An impact assessment is required for the introduction of any key system related to the processing of personal data, including:

  • the initial introduction of new technologies or the transition to new technologies;

  • automated processing, including profiling or automating decision-making;

  • processing of sensitive personal data on a large scale;

  • large-scale, systematic monitoring of a publicly accessible area.

A report is drawn up for the assessment, which is provided upon request by the CPLD.

Since there are no grounds for it (a relatively limited number of data subjects, a low degree of risk and a limited number of persons with access to personal data), the Company does not carry out a data protection impact assessment for the personal data it processes.

9. PROCEDURE FOR PROVIDING PERSONAL DATA FROM THIRD PARTIES

In certain cases, in the performance of a contract for services, the Company may act as a Processor of personal data of third-party natural persons: workers, employees or contractors of its clients. The processing of personal data in these cases is carried out on the basis of a personal data processing agreement. In these cases, the Company, as a Personal Data Processor:

  • provides the relevant Administrator with sufficient guarantees of compliance with the legal requirements and good practices for processing and protecting personal data;

  • enters into a written agreement that regulates the obligations of the Processor and meets the requirements of Art. 28 of the GDPR.

The company does not provide for the processing of personal data by processors outside the EU/EEA.

10. PROTECTION OF PERSONAL DATA. BASIC TECHNICAL AND ORGANIZATIONAL MEASURES

10.1. Types of protection

Physical protection – a system of technical and organizational measures to prevent unauthorized access to the buildings, premises and facilities in which personal data is processed.

Personal protection – a system of organizational measures applied to the natural persons who process personal data under the Administrator's direction.

Documentary protection – a system of organizational measures for the processing of personal data on paper.

Protection of automated information systems and networks – a system of technical and organizational measures to protect against unlawful forms of personal data processing.

Cryptographic protection – a system of technical and organizational measures applied to protect personal data from unauthorized access during transmission, distribution or provision.

To protect personal data from accidental or unlawful destruction, unauthorized access, modification or distribution, and from other unlawful forms of processing, the Administrator organizes and takes the measures described below, in line with current technological advances and the risks related to the nature of the data to be protected.

10.2. Basic technical and organizational measures of individual types of personal data protection in the registers under item 11:

Physical protection measures

  • determining the premises in which personal data will be processed: lockable rooms with security locks and an alarm system;

  • determining the premises that house the server on which the data is stored and the computer through which the directory storing personal data on the server is accessed;

  • defining areas with controlled access;

  • defining the characteristics of the physical environment and of the areas with controlled access;

  • placement of the equipment on a work desk;

  • lockable filing cabinets and safes in which the data stored on paper is kept;

  • determining the organization of physical access: only the persons who process personal data have physical access to it, and third parties only in compliance with the relevant legal rules.

Personal protection measures

  • knowledge of the regulations in the field of personal data protection;

  • knowledge of the dangers to the personal data processed by the Company;

  • undertaking an obligation not to disclose personal data by signing the Declaration of non-disclosure of personal data – Appendix No. 4 to this Policy;

  • knowledge of this Privacy Policy and protection of personal data;

  • following a clean desk and clean screen policy;

  • not sharing critical information between staff (e.g. identifiers, access passwords, etc.);

  • training of the employees who process personal data;

  • training of staff in responding to incidents that endanger the security of personal data.

Personal protection measures guarantee access to personal data only to individuals whose official duties or specifically assigned tasks require such access, subject to the "need to know" principle.

Documentary protection measures

  • All registers are maintained both on paper and on electronic media;

  • The retention periods and the order of destruction of personal data in all registers described in item 11 are determined as follows:

    • For the "Personnel" register:

      • for the data in employment (civil) contracts – 10 years, counted from 01.01. of the year following the year in which the employment (civil) contract was terminated;

      • for the data in employee payrolls – 50 years, counted from 01.01. of the year following the year in which they were compiled;

      • for the data in CVs and other documents of job applicants – up to one month after concluding a contract with the selected candidate, unless the person has given consent to a longer period in order to participate in a new selection;

      • for the data in other accounting documents – 3 years, counted from 01.01. of the year following the year in which they were compiled;

      • for the data in copies of sick leave certificates – 3 years, counted from 01.01. of the year following the year in which they were issued.

Copies of identity cards are not kept. Criminal record certificates are not required and copies are not kept. Copies of sick leave certificates are kept in lockable cabinets and premises of the Company and, after the expiry of the 3-year period, are destroyed as "confidential" waste or returned against signature to the individuals to whom they relate.

After the expiry of the stipulated periods, the personal data and the media on which they are recorded are destroyed as follows: paper media are shredded as "confidential" waste, and electronic records are deleted in a way that guarantees that their recovery is impossible. A Protocol for the destruction of personal data (Appendix No. 8 to this Policy) is drawn up and signed.

Measures to protect automated information systems and/or networks

The main measures to protect the automated information systems and/or networks of the Company, as Administrator and as Processor, are the use of a username and password to access the server and the information and data in the software product Sugar CRM PRO, in which personal data is stored and processed. Passwords are individual for each employee, are changed periodically, and are changed without fail when an employee who had access to them leaves.

The Company's activities as an Administrator include the necessary technical and organizational measures to protect personal data from accidental or unlawful destruction, accidental loss, unauthorized access, modification or distribution, and from other unlawful forms of processing: a backup disk with data backups, kept in a separate lockable cabinet in the Company's office, the key to which is held by the Manager and by the employee(s) designated by special order of the Manager(s).

Communication with the NRA and NOI is carried out with the Company's electronic signature, which provides a high level of communication security.

Reliable anti-virus protection is used.

11. PROCESSING ACTIVITIES ACCORDING TO ART. 30 of the GDPR

Personal data processing activities are specified in the register maintained by the Administrator. The company documents personal data processing activities in compliance with the principle of accountability and the principles of lawful processing of personal data.

The Company processes personal data in the following registers:

"STAFF"

11.1. STAFF register

11.1.1. General description of the supported registry

The "Personnel" register is maintained on the basis of the Labour Code (CT), the Social Security Code (CSR), the Health and Safety at Work Act (ZZBUT), the Health Insurance Act (PHI) and the by-laws on their implementation.

Personal data under this register is collected and processed for the following purposes: human resources management (incl. recruitment, changes in the contractual terms of the employment relationship, secondment of employees in the country and abroad, payment of wages to employees, withholding and remittance of taxes and of health and social insurance contributions).

Categories of personal data processed in the register:

1. physical identity: names, EGN/LNC, identity document data (number and date of issue of the identity card), permanent address and place of residence, region, date of birth, phone number, gender;

2. social identity: type of education, additional qualifications, place, number and date of issue of the diploma, previous experience, data on labour discipline, certificates of courses and qualifications, number, date of issue and category of driving licence, and other personal data provided by the person in a CV when applying for a job or in the selection process;

3. family identity: data on the marital status of the natural person (whether married or divorced, number of family members, including children under 18), data on the spouse and other relatives, kinship ties;

4. physiological identity: general health status (contained in a medical record from a general practitioner, LKK, TELK, NELC or medical institutions), information about the person's mental state;

5. other: bank account details, salary and social benefits.

When the Company maintains the register in its capacity as a Processor, it additionally enters the name of the Administrator and the availability of an Agreement for the processing of personal data.

11.1.2. Technological description of the register

The Administrator collects and processes personal data automatically (a secure electronic register, accessible by username and password) and non-automatically (paper media). Personal data is maintained in a form and format that allow the identification of natural persons.

The data of each worker and employee of the Company, as well as job applicants, are collected, processed and stored on paper and technical media by the employee/s, determined by special order of the Manager/s.

The paper carriers of the employees' personal data are stored in employment files, which are arranged in special lockable rooms or lockable cabinets, in the working premises of the persons, authorized to process personal data. Some data may also be stored or processed on a technical medium. The data from conducted competitions and interviews are stored in technical and/or paper format, in special lockers with a lock in the working premises of the persons, responsible for personal data.

Employee files, as well as the data of job applicants are not taken outside the Company's premises.

11.1.3. Impact assessment and corresponding level of protection

Name of the register: "STAFF"

Level of impact:

  • confidentiality – low;

  • integrity – low;

  • availability – low;

  • general for the register – low.

11.1.4. Technical and organizational protection measures

The types of personal data protection in the "Personnel" register are physical, personal, documentary, protection of automated information systems and/or networks. No special cryptographic protection is applied, beyond the standard cryptographic capabilities of operating systems and communications equipment.

11.2. Client register

11.2.1. General description of the supported registry

The "CUSTOMERS" register is maintained on the basis of the Accounting Act and the by-laws on its implementation. It contains personal data of natural persons who are clients of the Administrator: primarily lawyers, notaries and other self-insured persons, sole traders, etc.

11.2.2. Categories of personal data processed in the register:

1. physical identity: names, EGN/LNC, identity document data (number and date of issue of the identity card), permanent address and place of residence, region, date of birth, phone number, email;

2. social identity: data on work experience;

3. family identity: data on the marital status of the natural person (whether married or divorced, number of family members, including children under 18), data on the spouse and other relatives, kinship ties;

4. other: bank account details, salary and social benefits; data on properties bought and sold, details of bank accounts and their balances, owned financial assets, etc.

Special categories of data, which we process:

  • Health data: hospital papers, decisions of TELC/NELC, etc.

11.2.3. Technological description of the register

The Administrator collects and processes the personal data in the register automatically (a secure electronic register using the software product Sugar CRM PRO, accessible by username, password and/or electronic key) and non-automatically (paper media). Personal data is maintained in a form and format that allow the identification of natural persons.

Data in the register on paper and technical media are collected, processed and stored at the Company's office. The paper carriers of the personal data of individuals under this register are kept in folders, which are arranged in special lockable rooms or lockable cabinets, in the working premises of the persons, authorized to process personal data. The premises are not accessible to outsiders and have access control only for authorized employees of the Company. Some data may also be stored or processed on a technical medium.

11.2.4. Impact assessment and protection level determination

Name of the register: "CUSTOMERS"

Level of impact:

  • confidentiality – low;

  • integrity – low;

  • availability – low;

  • general for the register – low.

Given the relatively small number of subjects, as well as the amount of damages, which could be caused to the subjects, whose data is processed, the security risk rating for this data is low.

11.2.5. Technical and organizational protection measures

The types of personal data protection in the "Clients" register are physical, personal, document and protection of automated information systems and/or networks. No special cryptographic protection is applied, beyond the standard cryptographic capabilities of operating systems and communications equipment.

12. "UNIVERSE CONSULT" Ltd, EIC 121109258 AS PROCESSOR OF PERSONAL DATA

12.1. In certain cases, "UNIVERSE CONSULT" Ltd, EIC 121109258, as mentioned above in this Policy, is the Personal Data Processor when processing personal data of employees and counterparties (natural persons) of its clients under a contract for accounting services. In these cases, the relations between "UNIVERSE CONSULT" Ltd, EIC 121109258, as Personal Data Processor and the relevant Administrator are governed by a dedicated agreement. The Manager of "UNIVERSE CONSULT" Ltd, EIC 121109258, is always obliged to instruct employees if the requirements of the specific Administrator call for an approach or actions different from those provided for in this Policy.

12.2. For personal data processing activities in the capacity of Processor, "UNIVERSE CONSULT" Ltd, EIC 121109258, keeps a register in accordance with Art. 30(2) of the GDPR; see item 11.2 of this Policy.

In cases when "UNIVERSE CONSULT" Ltd, EIC 121109258, acts as Processor, it monitors whether an Agreement for the processing of personal data has been signed with the relevant Administrator. If it has not been signed, no personal data of employees, clients or contractors of the Administrator is processed until such an agreement is signed.

This Policy and its appendices are introduced by the Minutes of the General Meeting of the partners of "UNIVERSE CONSULT" Ltd, EIC 121109258, of 25.05.2018.

13. APPENDICES

Appendix 1 – Declaration – employee privacy notice;

Appendix 2 – Training and briefing protocol;

Appendix 3 – Declaration of non-disclosure of personal data;

Appendix 4 – Declaration of consent to the processing of personal data;

Appendix 5 – Application for access, deletion/correction, restriction of processing, portability, objection to processing of personal data;

Appendix 6 – Log for registering personal data security breaches and requests of personal data subjects;

Appendix 7 – Notification regarding a personal data security breach;

Appendix 8 – Protocol for the destruction of personal data;