1. General terms
1.1 These internal rules govern the organisation and internal order of personal data processing by Bulgarian Association for Development of Psychomotricity, UIC 206276865 (the "Association"), in performance of the Association's obligations as a personal data controller.
1.2 These rules have been drafted in accordance with the Bulgarian Personal Data Protection Act (the "PDPA") and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "Regulation"), and aim to protect natural persons (clients, employees and partners of the Association) against unlawful or wrongful processing of their personal data.
1.3 For the purpose of the present internal rules:
1.3.1 "Personal Data Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. Bulgarian Association for Development of Psychomotricity is a Personal Data Controller.
1.3.2 "Personal Data" means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.3.3 "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.3.4 "Personal Data Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
1.4 All employees are obliged to follow these internal rules when processing personal data in the course of their official duties.
2. Legal grounds for personal data processing and basic principles to be complied with by the Association
2.1 The Association shall process personal data only where there is a legal ground for the respective processing, namely where:
- processing is necessary for compliance with a legal obligation to which the Association is subject;
- processing is necessary for the performance of a contract to which the data subject is party;
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
2.2 Where personal data are processed on the basis of consent, the consent shall be explicit, freely given and expressed in the form of a written declaration. The consent shall refer to the specific data to be processed and shall cover the specific purpose or purposes of such processing. Before a declaration of consent is signed, the Association shall provide and explain to the data subject the up-to-date information contained in Attachment No 1. The data subject shall have the right to withdraw his or her consent to processing at any time by means of a written notification delivered to the office of the Association.
2.3 The personal data processed by the Association shall be limited to the minimum information required for the purpose of the processing. The Association shall not make or keep copies of personal identity documents of employees, contracting parties, clients or third parties, except where a specific legal provision obliges the Association to do so, such as the provisions of the Anti-Money Laundering Measures Act. The personal data processed shall be accurate and, where necessary or requested by the data subject, shall be updated or corrected.
2.4 As a personal data controller, the Association shall observe the restrictions on the processing of special categories of personal data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation. Exceptions are allowed only where necessary for the performance of the Association's obligations as an employer under labour and social security legislation, and concern the processing of data on trade union membership, data contained in sickness notes, and the medical certificates and criminal record certificates required by the employer upon commencement of work.
3. Term for personal data processing
3.1 The Association shall keep and process personal data for no longer than necessary for the specific purpose of the processing, while complying with the retention periods provided in Art. 12 of the Bulgarian Accountancy Act, namely:
- payroll information – 50 years;
- information contained in accounting registers and financial statements – 10 years;
- all other carriers of accounting information – 3 years;
- any other information – 3 years.
3.3 After expiry of the respective retention period, the Association shall procure the erasure or destruction of the personal data. Paper documents shall be physically destroyed by shredding.
4. Registers, types of personal data and levels of protection
4.1 The Association shall maintain the following personal data registers (hereinafter referred to as the "Registers"):
- personal data concerning the Association's employees, collected upon commencement of work, processed for the entire duration of the employment relationship and kept in the register "Employees";
- personal data concerning job applicants, kept in the register "Job Applicants";
- personal data of partners of the Association, collected upon signing of a contract, processed and kept in the register "Partners".
4.2 The Registers shall contain the following personal data:
4.2.1 Register "Employees" shall contain data about:
- Physical identity – names, identification number, address, e-mail, phone number;
- Education – documents regarding education, qualification and specific capacity;
- Professional experience – documents for professional experience;
- Medical data – certificate for initial medical examination performed prior to commencement of work and sickness notes;
- Criminal record certificates – where applicable.
Register "Employees" shall have a medium level of protection.
4.2.2 Register "Job Applicants" shall contain data about:
- Physical identity – names, identification number, address, e-mail, phone number;
- Education – documents regarding education, qualification and specific capacity;
- Professional experience – documents for professional experience;
Register "Job Applicants" shall have a low level of protection.
4.2.3 Register "Partners" shall contain data about the physical identity of partners, or of the representatives of partners that are legal entities, such as names, personal identification number, address, e-mail and phone number.
Register "Partners" shall have a low level of protection.
5. Data protection impact assessment and determination of the level of protection
5.1 The Association shall perform an impact assessment in order to determine the level of protection applicable to each Register. The assessment shall determine the level of impact on a specific person or group of people in case of a breach of the security, integrity or availability of personal data, and shall depend on the type of personal data and the number of people affected.
5.2 Where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of data subjects in view of the specific purposes of the processing, the Association, as controller, shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data before the processing starts. A single assessment may address a set of similar processing operations that present similar risks.
5.3 The assessment shall contain a description of the specific processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller; an assessment of the necessity and proportionality of the processing operations in relation to the purposes; an assessment of the risks to the rights and freedoms of the data subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.
5.4 The Association shall perform a risk assessment once every two calendar years and whenever changes occur that affect the levels of protection, and shall undertake the necessary data protection actions, including amendment of these internal rules.
6. Personal data carriers and protection measures
6.1 The Registers shall be maintained and kept on paper and in electronic form.
6.2 The Association shall organise and undertake measures appropriate to the state of the art and to the risks related to the type of personal data, which shall be protected against accidental or unlawful destruction, unauthorised access, alteration or dissemination, and any other form of unlawful processing.
6.3 Paper documents containing personal data shall be kept in folders. The folders shall be arranged in dedicated lockable cabinets. Only the managers shall hold the keys to the cabinets. The premises where personal data are kept shall be an office with controlled access, equipped with fire extinguishers, in a building with controlled access that is physically guarded and under surveillance.
6.4 Access to the folders containing personal data shall be granted only to the managers of the Association and the chief accountant.
6.5 Personal data in electronic form may be kept in the individual e-mail accounts of the managers and the chief accountant, and in an electronic database with restricted access, on password-protected computers.
6.6 Individual e-mail accounts shall be accessed only by their holders.
6.7 The electronic database may be accessed by the managers and the chief accountant by means of an access code (password).
6.8 Protection of personal data against unauthorised access, damage, loss or destruction is achieved by means of encryption, up-to-date antivirus software, regular backups, and restriction of the right to erase personal data to the managers only.
6.9 The Association shall apply the following personal data protection measures:
- Software and technical measures – aimed at identification and authentication of the sender and recipient of personal data, and at confidentiality and integrity during transfer of personal data; maintenance of an electronic archive and regular backups of the information in the database; maintenance of up-to-date anti-virus systems; and cryptographic methods for personal data protection, which shall be applied to the Registers with a medium or high level of protection.
- Physical measures – including a system of measures for protection and control of access to the building, premises and equipment where personal data are processed and kept, archiving of paper documents, and restriction of physical access to them.
- Regulatory measures – compliance with the applicable rules and regulations under the effective legislation.
7. Positions involved in personal data processing and protection
7.1 The managers of the Association shall be responsible for the implementation and performance of the personal data protection policy. The managers shall have the following rights and responsibilities:
- To organise the maintenance of the Registers in accordance with the measures applicable for achieving adequate protection;
- To monitor the implementation of the respective measures and of access control;
- To control the implementation of the rules for protection of the Registers;
- To communicate with the Personal Data Protection Commission;
- To specify the technical resources used for personal data processing;
- To specify the rules for obtaining, using and changing passwords, and the actions to be taken in case of unauthorised acquisition of passwords or cryptographic keys;
- To ensure regular maintenance of computers and communication equipment, including virus scans, checks for unlicensed software, integrity checks of the electronic database, data backups, updating of system software, etc.;
- To ensure periodic control over personal data protection and, in case of irregularities, to take actions to remedy them;
- To acquaint the employees with the Association's policies, strategies and regulations regarding personal data protection, as well as with these internal rules;
- To organise training for the Association's employees in case of amendments to the applicable personal data protection regulations or changes to these internal rules;
- To organise regular checks of the reliability of the data protection systems.
7.2 The person responsible for the Registers and authorised to process personal data is the manager.
7.3 The responsible person shall:
- Process the personal data contained in the Registers;
- Ensure the implementation of the rules for maintenance of the Registers and the application of the measures ensuring adequate personal data protection;
- Copy documents containing personal data from the Registers only in accordance with these rules and the applicable regulations.
7.4 Full access to all Registers shall be ensured only to the manager.
7.5 For the performance of official duties or the Association's activities, and upon approval of the manager, access to documents containing personal data may be granted to third parties where the personal data have been processed in such a way that the data subject cannot be identified. Alternatively, by a written order of the managers, a specific employee may be granted access to the data contained in a specific Register for the purpose of personal data processing.
7.6 Personal data contained in the Registers may be provided to legal or accounting consultants, insurers or other third parties upon the manager's approval, but only after the data subjects have given their explicit written consent to such transfer and after a written agreement arranging the terms of the processing and the manner of the data transfer has been signed.
7.7 When processing personal data, the managers and the employees of the Association shall be obliged to:
- Process the personal data lawfully and in good faith, in compliance with these rules, keep them confidential, and not provide personal data to third parties, including other employees of the Association;
- Use and process the personal data available to them in accordance with the purpose of their collection and refrain from any other processing incompatible with the initial purpose;
- Update the Registers where necessary;
- Erase or correct personal data that turn out to be inaccurate or disproportionate to the purpose of the processing;
- Keep the personal data for a period corresponding to the purpose of the processing;
- Collect personal data proportionate to the respective purpose of the processing.
8. Transfer of information to third parties
8.1 The Association shall not provide personal data to third parties unless the data subject has given his or her explicit written consent to such transfer, except where such data are provided to the competent state bodies in accordance with labour, tax and social security legislation, or where the Association is obliged to do so by an effective legal obligation.
8.2 The consent shall be freely given, explicit and expressed in written form.
8.3 No consent shall be required where personal data are duly requested by the competent state authorities and the Association is legally obliged to provide the data.
8.4 Provision or transfer of personal data to third parties for the performance of accounting, audit, legal or other services shall take place only after the data subject has given explicit consent and after an agreement has been signed with the respective third party arranging the terms of the processing and the third party's obligations to ensure the necessary personal data protection measures and compliance with the personal data protection regulations.
9. Procedure for initial provision of information
9.1 At the time when personal data are obtained, the Association shall provide the data subject with all of the following information, contained in Attachment No 1, namely:
- the identity and the contact details of the controller;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- where the processing is based on legitimate interests – the legitimate interests pursued by the controller or by a third party;
- the recipients or categories of recipients of the personal data, if any;
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
- where processing is based on data subject’s consent – the right to withdraw such consent;
- the right to lodge a complaint with a supervisory authority;
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.
10. Procedure for granting data subjects access to their personal data
10.1 The data subject shall have the right to obtain confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data as well as information about the legal ground and the term of the processing.
10.2 In order to obtain access to personal data, the data subject shall file a written request at the office of the Association, personally or through a duly authorised proxy.
10.3 The request shall contain the names of the data subject and other identification data, the substance of the request, signature, date and correspondence address. If submitted by a proxy, a power of attorney shall be attached to the request.
10.4 The request shall be submitted to the managers of the Association, who shall review it and, if it is lawful, grant access to the requested personal data.
10.5 The term for reviewing the request and issuing a resolution is 14 days from submission; it may be extended to 30 days where more time is required for collection of the personal data.
10.6 Where the personal data are not available or must not be provided due to a prohibition provided by law, access shall be refused by a written resolution of the managers.
10.7 The requested information or the Association's refusal shall be delivered to the data subject in the form requested, including by e-mail.
11. Procedure for rectification, restriction of processing and erasure of personal data upon the data subject's request
11.1 The data subject shall have the right to request rectification of inaccurate personal data and completion of incomplete personal data by means of a written request submitted to the Association.
11.2 The data subject shall have the right to request, and the Association shall have the obligation to carry out, erasure of personal data without undue delay where one of the following grounds applies: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; the data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing; the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the personal data have been processed for direct marketing purposes; the personal data have been unlawfully processed; the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
11.3 The data subject shall have the right to request restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for the period of verification of the accuracy of the personal data; the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; the data subject has objected to processing performed on the ground of legitimate interests, pending the verification whether the legitimate grounds of the controller override those of the data subject.
11.4 The data subject shall have the right to object to processing of personal data concerning him or her which is based on the controller's or a third party's legitimate interest, including profiling. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
11.5 The requests under Art. 11.1 to 11.4 shall be submitted to the Association in writing and forwarded to the manager, who shall take the respective actions within 30 days from submission of the request and inform the data subject of the actions taken by the Association.
12. Right to data portability
12.1 The data subject shall have the right to have his or her personal data transmitted directly from the Association to another controller, where technically feasible. Otherwise, the data shall be provided to the data subject in a structured, commonly used and machine-readable format, and the data subject shall submit them to the new controller.
12.2 A request for data portability shall be submitted and reviewed within the term under Art. 11.5 above.
13. Procedure for destruction and erasure of personal data
13.1 Personal data collected and processed by the Association and kept on paper documents shall be physically destroyed:
- not later than the end of the term for their processing and retention;
- upon the data subject's request – not later than 30 days after submission of a justified request;
- within 30 days after withdrawal of consent.
13.2 The physical destruction shall be performed by means of a shredder, by the manager or by another employee designated by a written order of the managers.
13.3 The destruction shall be certified by a written protocol.
13.4 Personal data collected and processed by the Association and kept on electronic devices shall be erased:
- not later than the end of the term for their processing and retention;
- upon the data subject's request – not later than 30 days after submission of a justified request;
- within 30 days after withdrawal of consent.
13.5 The erasure shall be performed by the manager and certified by a written protocol.
13.6 Where personal data processing is based on the data subject's consent, the data shall be destroyed and/or erased in accordance with the above rules within 30 days following withdrawal of consent, irrespective of whether the data subject has specifically requested such destruction or erasure.
14. Training of the employees
14.1 The managers shall acquaint newly hired employees with the data protection regulations, the policies and strategies of the Association, and these internal rules at commencement of their work.
14.2 Following such introduction, the new employee shall confirm in writing that he or she is familiar with, and shall comply with, the personal data protection regulations and the Association's policies, strategies and internal rules.
14.3 The managers shall organise training for the employees in order to introduce and explain new regulations in the area of personal data protection and/or amendments to these rules.
15. Actions in case of personal data breaches
15.1 In case of a personal data breach which may affect the rights and freedoms of data subjects, the Association shall notify the Personal Data Protection Commission within 72 hours after becoming aware of the breach. Where notification within 72 hours is not possible, the Association shall notify the Commission within the shortest possible term thereafter, and the notification shall state the reasons for the delay.
15.2 In the cases under Art. 15.1 the Association shall also notify the data subjects whose personal data have been affected, unless the data were encrypted.
15.3 The Association shall immediately take the necessary actions to contain and mitigate the breach and to limit the damage to the data subjects.
16. Additional provisions
16.1 Non-compliance with these rules and with the legal regulations concerning personal data protection shall give rise to liability under the Personal Data Protection Act and the Labour Code.
16.2 These rules shall be brought to the attention of all employees of the Association immediately after their approval.
16.3 These rules shall enter into force on the day of their approval.
16.4 A copy of these internal rules shall be available to the Association's employees at any time for their information and compliance.
16.5 A copy of these internal rules may be provided to a data subject at any time.
16.6 These internal rules were approved and entered into force on 09.12.2020.
Approved by:
__________________
Vanya Dunkova, manager
ATTACHMENT NO 1
INTERNAL RULES REGARDING PERSONAL DATA PROCESSING AND PROTECTION OF THE BULGARIAN ASSOCIATION FOR DEVELOPMENT OF PSYCHOMOTRICITY, UIC 206276865
Basic Information provided to the natural persons (Data Subjects) related to the processing of their personal data
1. Personal data
"Personal Data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2. Personal data controller
Bulgarian Association for Development of Psychomotricity, a non-profit organisation operating in the public benefit, registered with the Commercial Registry at the Registry Agency under unified identification code 206276865, having its seat and registered address at Sofia 1407, Lozenets Region, 15 Golo Bardo street, represented by Vanya Emilova Dunkova in her capacity as manager, phone number +359 885 416 841.
3. Legal ground for processing
Please specify one of the grounds under Art. 2.1 of the Internal Rules, namely:
- A legal obligation to which the Association is subject;
- Contract dated [date];
- Data subject's written consent dated [date].
4. Purpose of the processing
Please specify the definite purpose, such as:
- Preparing documentation related to the employment relationship and performance of the Employer's obligations under the effective labour, tax and social security legislation;
- Performance of the obligations under Contract dated [date];
- Another purpose, specifically indicated.
5. Term for processing and keeping of the personal data
Personal data are processed and kept by the Association for the entire period of validity of the contractual relations with the data subject and retained within the terms under Art. 12 of the Accountancy Act, namely:
- payroll information – 50 years;
- information contained in accounting registers and financial statements – 10 years;
- all other carriers of accounting information – 3 years;
- any other information – 3 years;
or until the legal ground for the processing ceases to apply, the purpose of the processing is fulfilled, or the data subject withdraws consent.
6. Provision of the personal data to third parties
The Association shall not provide personal data to third parties unless the data subject has given explicit written consent to such actions, except for provision to the competent state bodies in accordance with labour, tax and social security legislation, or where the Association is obliged to do so by an effective legal obligation.
7. Rights of the data subject
7.1 Right to withdraw consent for personal data processing
Where personal data are processed on the basis of the data subject's consent, the data subject is entitled to withdraw that consent at any time by means of a written notice addressed to the controller.
7.2 Right of access to the personal data
The data subject shall have the right to obtain confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data as well as information on the legal ground and the term of their processing.
7.3 Right to rectification
The data subject shall have the right to obtain from the controller rectification of inaccurate personal data and completion of incomplete personal data.
7.4 Right to erasure
The data subject shall have the right to request, and the Association shall have the obligation to carry out, erasure of personal data without undue delay where one of the following grounds applies: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; the data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing; the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the personal data have been processed for direct marketing purposes; the personal data have been unlawfully processed; the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
7.5 Right to restriction of processing
The data subject shall have the right to obtain restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for the period of verification of the accuracy of the personal data; the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; the data subject has objected to processing performed on the ground of legitimate interests, pending the verification whether the legitimate grounds of the controller override those of the data subject.
7.6 Right to object
The data subject shall have the right to object to processing of personal data concerning him or her which is based on the controller's or a third party's legitimate interest. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
7.7 Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and is carried out by automated means. The data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
7.8 Right to file a complaint
The data subject is entitled to contact the Personal Data Protection Commission, where his or her rights have been infringed or his or her personal data are unlawfully processed, by lodging a complaint with the Commission against the unlawful actions or omissions.
7.9 Competent authority
Personal Data Protection Commission
Address: No 2 Tsvetan Lazarov boulevard, 1592 Sofia.
Information and contact centre:
+359 2 91 53 518
Working hours with citizens: 9:00 – 17:30.
E-mail: kzld@cpdp.bg
Website: www.cpdp.bg
The above information was provided to me by the Bulgarian Association for Development of Psychomotricity on [date].
_________________________
(signature)
___________________________________________________________
(names)