INTERNAL RULES FOR THE PROCESSING AND PROTECTION OF PERSONAL DATA
(1) These Rules have been drafted in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the 'Regulation') on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
(2) The Rules define the manner in which JOB TRUST LTD, with VAT number 139995275, collects, processes, structures, stores, modifies, retrieves and discloses personal data (by transmission, dissemination or other means of making data available), as well as the types, limits and / or deletion of personal data, for the purposes of its activity.
(3) Depending on the situation, the "Company" may process data as a controller or as a processor.
Article 2. These rules shall govern:
(1) the principles and mechanisms for processing personal data of customers;
(2) the obligations of the authorized persons processing personal data and their liability in case of non-fulfillment of these obligations;
(3) the rights of the individuals whose data are processed, including giving, objecting to and withdrawing consent, as well as the handling of requests for the exercise of the other rights of the data subject;
(4) the necessary technical and organizational measures to protect personal data from unauthorized processing;
(5) the rules for the transfer of personal data to third parties in Bulgaria and abroad;
(6) the technical resources applied to the processing of personal data.
Article 3. (1) "JOB TRUST", with PIC number 139995275, is the controller of personal data within the meaning of the Regulation and processes only the data required for the conduct of its commercial activity.
DATA SUBJECTS AND CATEGORIES OF PERSONAL DATA
Article 4. (1) The Company collects and processes the personal data necessary for the fulfillment of its rights and obligations as an employer, service provider and contractor, in accordance with the requirements of the applicable legislation. The personal data processed by the Company are classified in records of processing activities that contain the rules for processing personal data concerning:
• employees / staff and contractors under civil contracts
• service providers
(2) The following personal data are collected for individuals who are in an employment, civil or other legal relationship with the Company:
a) Identification: name, VAT number, date of birth, permanent and / or current address, telephone, ID card or passport number, e-mail;
b) Education and vocational training: data on education, professional experience, professional and personal qualifications and skills;
c) Health data: health status, decisions of the workplace assessment commission, medical certificates, hospital documents and any related documentation;
d) Other information: bank account details, criminal record.
(3) For individuals who are clients of the Company, the following personal data are collected:
• name, VAT number, date of birth, permanent and / or current address, telephone, ID card or passport number, e-mail
(4) For individuals who are the Company's service providers, the data necessary for the conclusion and execution of the Company's service contracts with external providers are collected, as follows:
• name, VAT number, date of birth, permanent and / or current address, telephone, ID card or passport number, e-mail
(5) The Company processes sensitive data only to the extent necessary to fulfill its specific rights and obligations under labor law and social security legislation.
OBJECTIVES AND PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA
Article 5. The purposes of processing personal data are:
(1) the fulfillment of the obligations of JOB TRUST arising from the lawful management of human resources, the payment of salaries and the fulfillment of the employer's obligations to deduct and pay employees' health and social security contributions and taxes, and the other rights and obligations of the Company as an employer;
(2) managing customer relations and providing services;
(3) the conclusion and execution of contracts with suppliers for the provision of services to the Company.
Article 6. Personal data shall be processed in a lawful, fair and transparent manner, in accordance with the following principles:
(1) The data subject is informed in advance about the processing of his or her personal data.
(2) Personal data are collected for specific, explicit and legitimate purposes and are not further processed in a manner incompatible with those purposes.
(3) Personal data correspond to the purposes for which they are collected.
(4) Personal data must be accurate and, where necessary, kept up to date.
(5) Personal data are deleted or corrected when they are found to be inaccurate or incompatible with the purposes for which they are processed.
(6) Personal data shall be kept in a form which permits the identification of the persons concerned for no longer than is necessary for the purposes for which they are processed.
Article 7. For the processing of data to be lawful, at least one of the following conditions shall apply:
(1) The data subject has given his / her consent.
(2) Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to the conclusion of the contract.
(3) Processing is necessary to comply with a legal obligation applicable to the processor.
(4) Processing is necessary to protect the vital interests of the data subject or of another person.
(5) Processing is necessary for the performance of a task carried out in the public interest.
(6) Processing is necessary for the purposes of the legitimate interests of the processor, unless the interests or fundamental rights and freedoms of the data subject override those interests.
Article 8. (1) For the reasons stated in Article 30 of the Regulation, the Company maintains the following registers of activities involving the processing of data of natural persons:
1. "Staff" register;
2. "Customers" register;
3. "Suppliers" register.
Article 9. (1) General description of the "Staff" register:
1. Personal data of employees and of contractors under the civil contracts referred to in Article 4, par. 2 of this Regulation.
2. The sources from which the data are collected are: the natural persons to whom the data refer, with their explicit consent.
(2) Technological description of the register:
1. Data carriers - Register data are processed on paper and / or by technical means (computer). Once collected and processed, the paper data are sorted into separate files stored in our office. Data held by technical means are stored and handled only on computers located on the Company's premises, with access control.
2. Processing technology - Register data are provided by natural persons when applying for employment under a labor contract or when concluding a civil contract, and are entered directly in the labor or civil contracts, supplementary agreements and other documents that certify length of service, official notes, reports, certificates, correspondence, etc.
3. Storage period - all items in the "Staff" register are kept for a period of five years from the expiry of the employment contract or civil contract with the person concerned, except for the items of the accounting records which, according to the law, must be kept for 50 years.
4. Services provided - data from the "Staff" register are not provided outside the scope of their processing, with the exception of: upon express request and order of the person or his heirs, within the storage period; if required by law and / or where protection of the public interest so requires - to the state bodies in the performance of their official duties (tax officers, NSSG employees, labor inspectors, police, etc.); in court cases - to a legal representative or directly to the court, strictly observing the provisions of the law and the applicable rules.
(3) The impact assessment shall be carried out periodically every two years, or when the nature of the processed personal data and the number of persons affected are altered.
Article 10. (1) General description of the "Customers" register:
1. The personal data of the clients referred to in Article 4, par. (3) of this Regulation.
2. The sources of data collection are: the customers - the natural persons to whom the data refer, with their explicit consent, given in person or, in some cases, through their representative.
(2) Technological description of the register:
1. Data carriers - Register data are processed on paper and / or on a technical medium (computer). Once collected and processed, the paper data are sorted into separate files stored in our office. Data on a technical medium are stored and handled only on computers located on the Company's premises, with access control.
2. Storage period - all elements of the "Customers" register are retained for the period determined by a regulatory act or, failing that, for no longer than five years from the date of conclusion of the service contract or from the date on which the person first submitted a statement of consent to the processing of his data as a client of the Company.
3. Services provided - Data from the "Customers" register are not provided outside the scope of their processing, with the exception of: upon express request and order of the person or his heirs, within the storage period; if required by law and / or where protection so requires - to the public bodies in the performance of their official duties (tax officers, NSSG employees, labor inspectors, police, etc.).
(3) The impact assessment shall be carried out periodically every two years, or when the nature of the processed personal data and the number of persons affected are altered.
Article 11. (1) General description of the "Suppliers" register:
1. Personal data of the natural persons referred to in Article 4, par. (3) of this Regulation.
2. The sources from which data are collected are: the natural persons themselves, with their explicit consent or in accordance with the requirements of applicable law.
(2) Technological description of the register:
1. Data carriers - Register data are processed on paper and on technical media (computer).
2. Processing technology - After being collected and processed, the paper data are sorted into separate files located in a separate room with access control. Data on a technical medium are stored and processed only on a computer with access control. The data are used for correspondence: preparing and reviewing mail and sending a reply to the sender.
3. Storage period - All records are kept for a period of 5 years after delivery, unless otherwise provided for by law.
4. Services provided - Data from the "Suppliers" register are not provided outside the scope of their processing, with the exception of: upon express request and order of the person; if required by law and / or where protection of the public interest so requires - to the state bodies in the performance of their official duties (tax officers, NSSG employees, labor inspectors, police, etc.); in court cases - to a legal representative or directly to the court.
(3) The impact assessment shall be carried out periodically every two years, or when the nature of the processed personal data and the number of persons affected are altered.
Article 12. If the data subject (employee, customer or provider) requests that his data be deleted before the expiry of the storage period prescribed by these Rules, the data are deleted within 30 days of submission of the application, unless this is not legally permissible or other limitations apply.
Article 13. (1) The data subject consents to the processing if he expresses this clearly and unequivocally, by a statement or other affirmative act.
(2) Data subjects may withdraw their consent to processing at any time, and the withdrawal will be given effect in due course. If there is no other legal basis for the processing, the processing of the data is terminated upon withdrawal of consent.
(3) The Company retains the consent statements for as long as data processing operations are carried out on this basis, in order to comply with the principle of accountability.
PROCEDURES FOR THE PROCESSING OF PERSONAL DATA
Article 14. (1) Personal data relating to the three categories of persons referred to in this Regulation shall be collected during the recruitment of staff, the submission of a service request or the conclusion of a contract, and when concluding, amending and terminating contracts. The data of each employee of the Company are stored in personal files, and some data may be stored or processed by technical means. The data from competitions and interviews are stored on technical and / or printed media as needed.
(2) Personal files are stored in special filing cabinets located in the office of the person responsible for the processing of personal data. Access to the office is granted only to the person authorized to process the personal data, by means of a key, another appropriate means and / or an escort.
(3) The person authorized to process personal data shall take all organizational and technical measures for the preservation and protection of the personal files and the related information, including limiting their availability to outsiders and unauthorized employees.
(4) Employee records, as well as the details of the Company's customers and suppliers, are not taken outside the Company's building.
RIGHTS OF DATA SUBJECTS
Article 15. (1) Everyone has the right to request access to his or her personal data, including confirmation of whether data relating to him or her are being processed, and to be informed of the purposes of such processing, the categories of data concerned, the recipients of the data and the purposes of the processing of the personal data concerning him / her.
(2) The right of access is granted upon a request by the person concerned, received at the registered office of the Company or at its official e-mail address.
(3) Everyone has the right to request the deletion, correction or blocking of his or her personal data if the processing does not meet the requirements of the law.
(4) Everyone has the right to object in writing to the processing and / or disclosure of personal data to third parties without the necessary legal basis.
(5) Within two weeks of receipt of an application under the preceding paragraphs, the Company shall notify the applicant whether there are legal grounds for the application. If the Company finds that there are legal grounds for granting the application, it shall also inform the person of the manner in which he / she can exercise the right.
(6) Data subjects are also entitled to:
- withdraw their consent to processing at any time;
- object to the use of their personal data for direct marketing purposes;
- request information on the basis on which their personal data are processed by a processor outside the EU / EEA;
- object to a decision based solely on automated processing, including profiling;
- be informed of a personal data breach that is likely to result in a high risk to their rights and freedoms;
- lodge complaints with the supervisory authority;
- in some cases, receive their personal data, or request their transfer to third parties, in a structured, machine-readable form (right to data portability).
MEASURES FOR THE PROTECTION OF PERSONAL DATA
Article 16. (1) All premises where personal data are stored and processed have access control means. The possible technical means of access control are:
- site security;
- video surveillance;
- a policy of admitting external persons to the Company's premises only when accompanied by a member of the Company's staff.
(2) The Company's facilities are equipped with fire-fighting measures in accordance with Bulgarian legislation.
Document protection measures
Article 17. (1) The Company shall establish procedures for the processing of personal data, the regulation of access to data, the destruction procedures and the storage periods detailed in this Regulation. For individual categories of data, pseudonymisation may be introduced at the proposal of the person responsible for personal data.
(2) Reproduction and distribution of documents or files containing personal data may be carried out only by authorized personnel and only where necessary.
Personal protection measures
Article 18. (1) Persons who carry out the protection and processing of personal data shall:
- undertake not to disseminate the personal data to which they have access;
- familiarize themselves with the legal framework, the Company's internal rules and its policies on the protection of personal data;
- undergo training in responding to situations that threaten data security;
- be informed about the risks associated with the personal data managed by the Company;
- undertake not to share critical information among themselves or with external partners other than in accordance with the procedure established by these Rules.
Measures for the protection of automated information systems and cryptographic protection
Article 19. (1) Access to the operating system containing personal data files shall be restricted to persons whose duties or specific tasks require such access. Access is granted only by password.
(2) Electronic databases are protected by logical security measures, such as an automatically updated antivirus program, firewalls and others.
(3) Personal data held on technical media are backed up periodically in order to preserve the information.
Article 20. (1) Protection of electronic data from unauthorized access, damage, loss or destruction, whether caused intentionally by a person or by technical malfunctions, accidents, disasters, etc., is ensured by the following measures:
- password protection of the computers that provide access to personal data and of the files that contain personal data;
- antivirus programs and checks for illegally installed software;
- periodic checks of database integrity, updating of system information and maintenance of the data access system;
- periodic archiving of data on technical media and keeping of printed copies (archival copies).
(2) The person responsible for personal data shall report periodically to the Company's management on the measures taken to ensure the level of security in the processing of personal data.
Article 21. (1) Persons who detect signs of a data security breach shall immediately report to the controller of personal data, providing him with all available information.
(2) The person responsible for personal data shall immediately examine the report received in order to determine whether a security breach has occurred and which data are affected.
(3) The person responsible for personal data shall immediately report to the Director of the Company the information available on the security breach, including the nature and timing of the event, the type of damage, the measures already taken and the measures he / she deems necessary to take.
(4) After consulting the Company's management, the person responsible for personal data takes measures to prevent or mitigate the impact and to restore the data.
(5) In urgent cases, where coordination with the management would slow down the response and cause serious damage, the Data Protection Officer may, at his / her discretion, take measures to prevent or mitigate the consequences of the security breach. In this case, the person responsible for personal data shall immediately notify the management of the measures taken and follow the instructions received.
Article 22. (1) If the security breach creates a risk to the rights and freedoms of the data subjects, the person responsible for personal data, after approval by the Company's management, organizes the notification to the Commission for Personal Data Protection (CPDP).
(2) The CPDP must be notified without undue delay and, where feasible, no later than 72 hours after the breach first became known.
(3) The notification to the CPDP contains the following information:
(a) a description of the security breach, the categories and approximate number of persons concerned, the categories of data concerned and the approximate number of personal data records concerned;
(b) the name and contact details of the person responsible for personal data;
(c) a description of the likely consequences of the security breach;
(d) a description of the measures taken or proposed to address the security breach, including measures to mitigate its possible adverse effects.
(4) Where the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the person responsible for personal data shall inform the persons concerned without delay and in accordance with applicable law.
Article 23. (1) The Company shall maintain a record of security breaches containing the following information:
(a) the date of the breach;
(b) a description of the breach - source, type and volume of the data concerned, and cause of the breach (if known);
(c) a description of the notifications made: notification of the CPDP and of the affected persons, if any were made;
(d) the measures taken to prevent and mitigate the adverse consequences for the data subjects and the Company;
(e) the measures taken to limit the likelihood of subsequent security breaches.
(2) The record is kept electronically by the person responsible for personal data.
PROVISION OF PERSONAL DATA TO THIRD PARTIES
Article 24. (1) The Company may, where necessary, provide personal data to third parties acting as processors under an explicit agreement.
(2) When providing data on employees, clients or service providers to a processor, the Company:
(a) requires adequate guarantees from the processor that it complies with the legal requirements and good practices for the processing and protection of personal data;
(b) concludes a written agreement or other legal act that governs the processor's duties and meets the requirements of Article 28 of Regulation (EU) 2016/679;
(c) informs the natural persons whose data will be provided to the processor.
(3) Processing of personal data by processors outside the EU / EEA is possible only if:
(a) the European Commission has adopted a decision confirming that the country to which the transfer is made ensures an adequate level of protection of the rights and freedoms of the data subjects;
(b) appropriate safeguards are in place, such as the FCC, the standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism;
(c) the data subject has given his explicit consent to the transfer after being informed of the potential risks; or
(d) the transfer is necessary for one of the purposes listed in the Regulation, including the performance of a contract with the data subject, the protection of the public interest, the establishment, exercise or defense of legal claims, or the protection of the vital or legitimate interests of the data subject where he is physically or legally incapable of giving consent.
DESTRUCTION OF DATA
Article 25. (1) The destruction of personal data shall be carried out by the Company or by an authorized person, without prejudice to the rights of the persons to whom the data subject to destruction relate, and in accordance with the provisions of the relevant regulatory acts.
(2) Information in the registers shall be destroyed once the purposes of the processing have been achieved and the need for storage no longer exists.
(3) Data on printed media are destroyed by shredding or with another suitable device / tool. Electronic data are erased from the computer database in a non-recoverable way.
PERSONS RESPONSIBLE FOR COLLECTING, PROCESSING AND STORING PERSONAL DATA AND ACCESS TO PERSONAL DATA
Article 26. The person responsible for personal data and the persons processing personal data on behalf of the Company are natural or legal persons who have the necessary competence and are appointed and / or authorized by a written act.
Article 27. The person responsible for the processing, storage and deletion of personal data in the Company, who is also the contact person for the purposes of the Regulation, is Irina Aslanov, contact telephone: 0030 2310 327 761, email address: and has the following responsibilities:
- to assist the Company and the persons processing personal data in fulfilling their data protection obligations, by ensuring the implementation and maintenance of the necessary technical and organizational measures and means for data protection;
- to ensure the smooth operation of the aforementioned protection systems;
- to control the entire process of data collection and processing;
- to perform all reporting and data breach management obligations;
- to periodically request information from the data processors regarding their collection of, access to and processing of data;
- to notify the Company in good time of any irregularities found in connection with the fulfillment of its obligations;
- to destroy paper and technical data in accordance with the law and the periods set out in this Regulation;
- to authorize, by a written act on the protection of personal data, further natural or legal persons.
Article 28. (1) The collection, processing, storage and protection of personal data shall be carried out only by persons to whom this has been expressly assigned and whose duties or specific tasks require it.
(2) When activities requiring the processing of personal data from the Company's registers are assigned to service providers, the providers must comply with the applicable legal requirements concerning the processing of personal data and with the procedures set out in these Rules.
(3) Access to personal data may also be granted to the competent state bodies - courts, investigative authorities, the prosecutor's office, supervisory bodies, etc. These state bodies may request data, in the manner prescribed by law, in connection with the exercise of their powers.
CHANGES IN THE INTERNAL RULES
Article 29. The Company may change these Rules at any time. All changes must be notified immediately to the interested parties.
Article 30. For matters not covered by these Rules, the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and of the Personal Data Protection Act shall apply.