PRIVACY POLICY OF THE PERSONAL DATA OF ASSOCIATION "CENTER FOR TOP ACHIEVEMENTS HERITAGE BG"
SUBJECT
Art. 1. This PRIVACY POLICY (hereinafter “the Policy") has been adopted by the ASSOCIATION "CENTER FOR TOP ACHIEVEMENTS HERITAGE BG", with EIK 205313741, with headquarters and management address in the city of Sofia 1000, 7A "Gen. Yosif V. Gurko" str, represented by the Chairman of the Board of Directors (hereinafter "CVP" or "THE ASSOCIATION"), in his capacity as a personal data administrator, in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of The Council of 27 April 2016 on the protection of individual persons in relation to the processing of personal data and on the free movement of such data (hereinafter "the EU General Data Protection Regulation" or "GDPR") and the Law on the Protection of Personal Data (hereinafter "DPL").
Art. 2. (1) The right to privacy of personal data is the main priority of the CVP. The association is obliged to strictly implement the applicable provisions of the national and European legislation regarding the protection and safe storage of the personal data of employees, contractors and partners, as well as of the individuals who have provided their personal data through the Internet page with the address https:/ /portal.nasledstvo.bg/ (hereinafter "PORTAL") and the PORTAL-related mobile application (hereinafter "MOBILE APPLICATION") and E-learning modules (https://ed.nasledstvo.bg), Knowledge Center ( https://el.nasledstvo.bg), Knowledge Network (https://im1.nasledstvo.bg) and Practical Community (https://im.nasledstvo.bg) (hereinafter "MODULES").
(2) CVP observes the basic principles introduced as mandatory in the processing of personal data: legality, good faith and transparency, limitation of purposes, reduction of data to a minimum, accuracy, limitation of storage, integrity and confidentiality, accountability.
DEFINITIONS
Art. 3. The terms used in this Policy have the following meaning according to GDPR:
1. "Personal data" - any information related to an identified individual or an identifiable individual ("data subject"); an identifiable individual is a person who can be identified, directly or indirectly, in particular by an identifier such as a name, an identification number, location data, an online identifier or by one or more characteristics specific to the physical, the physiological, genetic, psychic, mental, economic, cultural or social identity of that natural person;
2. "Special categories of personal data" - personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs, or membership in trade union organizations and the processing of genetic data, biometric data for unique identification of a natural person, data relating to health or data regarding an individual's sex life or sexual orientation.
3. "Processing" - means any operation or set of operations performed on personal data or a set of personal data by automatic or other means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmitting, distributing or otherwise making the data accessible, arranging or combining, limiting, erasing or destroying;
4. "Administrator" - any natural or legal person, public body, agency or other structure that alone or jointly with others determines the purposes and means of processing personal data; when the purposes and means of such processing are determined by EU law or the law of a Member State, the controller or the special criteria for its determination may be established in Union law or in the law of a Member State;
5. "Data subject" - any living person who is the subject of the personal data stored by the Administrator.
6. "Consent of the data subject" - any freely expressed, specific, informed and unequivocal indication of the will of the data subject, by means of a statement or a clear affirmative action, which expresses his consent for the personal data related to him to be processed;
7. "Child" - The General Regulation defines a child as anyone under the age of 16 years. The processing of a child's personal data is only lawful if a parent or guardian has given consent. The administrator makes reasonable efforts to verify in such cases that the holder of parental responsibility for the child has given or is authorized to give consent.
8. "Profiling" - any form of automated processing of personal data, consisting in the use of personal data to evaluate certain personal aspects related to a natural person, and more specifically to analyze or predict aspects related to the performance of that individual's professional duties, economic status, health, personal preferences, interests, reliability, behavior, location or movement;
9. "Disturbance of the security of personal data" - a security disturbance that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data that is transmitted, stored or otherwise processed;
10. "Basic place of establishment" - the headquarters of the controller in the EU will be the place where it makes the main decisions about the purpose and means of its data processing activities. In relation to the personal data processor, its main place of establishment in the EU will be its administrative center.
11. "Recipient" – an individual or legal person, public body, agency or other structure to which the personal data is disclosed, regardless of whether it is a third party or not. At the same time, the public bodies that may receive personal data within the framework of a specific investigation in compliance with Union law or the law of a Member State, are not considered "recipients"; the processing of this data by the specified public authorities complies with the applicable data protection rules in accordance with the purposes of the processing;
12. "Third side" - any natural or legal person, public body, agency or other body other than the data subject, the administrator, the personal data processor and the persons who, under the direct supervision of the administrator or the personal data processor, have the right to process personal data;
WHO PROCESSES YOUR PERSONAL DATA
Art. 4. The administrator of personal data is the ASSOCIATION "CENTER FOR TOP ACHIEVEMENTS HERITAGE BG", with EIK 205313741, with headquarters and management address in the city of Sofia 1000, 7A "Gen. Yosif V. Gurko" str, represented by the Chairman of the Board.
ADMINISTRATOR CONTACT DETAILS
Art. 5. The administrator has the following correspondence data:
1. Address: Sofia 1504, 15 Tsar Osvoboditel Blvd., North Wing, Floor 1, Room 220;
2. Email address: project@nasledstvo.uni-sofia.bg,
3. Phone: +359888666239;
WHEN WE PROCESS PERSONAL DATA
Art. 6. The association does not collect personal data for its own purposes and without limitation. CVP collects only those personal data that are necessary for the implementation of the relevant lawful activities of the association. In the main personal data processing activity of the Company - Management of subscriptions and sales of goods and services in the PORTAL - personal data is processed in connection with the execution of distance contracts. In this case, the minimum necessary identifying personal data is collected, which allows us to fulfill the contract. CVP also processes personal data in the non-specific activities that are characteristic of most legal entities - management of labor relations, recruitment of job candidates, management of the contact form on the PORTAL, conclusion of contracts with counterparties and partners - individuals, etc.
INDIVIDUALS WHOSE PERSONAL DATA WE PROCESS
Art. 7. The company processes personal data of the following categories of natural persons:
• Personnel – current and former employees of the Central Administrative Court, as well as job applicants;
• Counterparts, suppliers or potential partners of CVP;
• Users and customers of the PORTAL, MOBILE APPLICATION and MODULES who have registered.
• Persons who have voluntarily provided their personal data through the contact form on the PORTAL;
CATEGORIES OF PERSONAL DATA WE PROCESS
Art. 8. In its main activity of processing personal data, the CVP processes personal data provided directly by the data subjects. In this sense, data subjects themselves determine the volume of personal data to provide in view of the various purposes. CVP stores only the personal data that is necessary to fulfill the purposes of the processing, such as:
1. To register in the PORTAL: three names, email and phone number;
2. To place an order through the PORTAL: three names, email, phone number, information about the means of payment (bank card date);
3. To use the MOBILE APPLICATION: three names, email, phone number, geolocation data.
PURPOSES OF PROCESSING
Art. 9. CVP processes personal data only for specific and legitimate purposes and does not further process them in a manner incompatible with the established purposes. The association processes personal data for the following purposes:
• Fulfillment of legal obligations, including in relation to the management of labor relations, as well as in relation to tax, social security and accounting regulations;
• Execution of orders of competent public authorities;
• Fulfillment of contractual relations in the economic activity of the Association, including civil contracts with natural persons;
• Selection of employees by employment law;
• Provision of services, including in connection with the performance of distance contracts, to registered users of the PORTAL, MOBILE APPLICATION and MODULES;
• Making contact with potential contractors or users through the contact form of the PORTAL, including when requesting consent to receive messages from the PORTAL;
LEGAL GROUNDS FOR PROCESSING
Art. 10. CVP processes personal data of data subjects on the basis of Art. 6, paragraph 1, letter "a", letter "b", letter "c" and letter "f" of the General Regulation, namely:
a) the data subject has consented to the processing of his personal data for one or more specific purposes - /for example, when requesting through the PORTAL to receive messages (type "newsletter")/;
b) the processing is necessary for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject before concluding a contract /for example, when registering in the PORTAL or when ordering a product or service through the PORTAL/;
c) the processing is necessary for compliance with a legal obligation that applies to the controller;
d) the processing is necessary for the purposes of the legitimate interests of the controller or a third party, except when such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, in particular when the data subject is child (for example - to manage inquiries through the contact form on the PORTAL).
TO WHOM WE MAY PROVIDE OR DISCLOSE PERSONAL INFORMATION
Art. 11. (1) CVP may transfer or disclose personal data to the following entities:
• Competent state bodies, which by virtue of a normative act, have the authority to demand from the Central Government the provision of information, including personal data - court, investigative bodies (police bodies, the investigation, the prosecutor's office), DANS, supervisory/regulatory bodies;
• NRA, NOI, IA GIT and other competent public bodies in fulfillment of an obligation provided for by law;
• Processing personal data, and in these cases appropriate measures are foreseen to guarantee the security of personal data;
• The courier companies that deliver the products according to the orders of the customers of the PORTAL;
• To payment service providers in connection with electronic payments through the PORTAL.
(2) CVP does not transmit personal data to other countries, including non-EU countries.
STORAGE PERIOD OF PERSONAL DATA
Art. 12. The duration of storage of personal data depends on the processing purposes for which they were collected. Personal data are stored for a period not longer than the period provided for in the relevant legal act. In case that the law does not regulate the storage period for the relevant record with personal data, the Association complies with the Schedule for the storage and destruction of records with personal data implemented in the organization, in which the maximum periods for the storage of personal data are determined - in accordance with the purpose for which they are collected. The personal data of registered users in the PORTAL and the MOBILE application are stored until the relevant registration is terminated. In cases where a registered user has placed an order and a remote contract has been concluded between the parties, personal data is stored for a period of 5 years, starting from the date of conclusion of the contract (in view of the statute of limitations under the PPE Act), unless the tax laws do not require a longer storage.
SECURITY OF PERSONAL DATA
Art. 13. The Association has implemented a Personal Data Management and Protection System, through which a number of internal documents governing the security of personal data have been introduced. We store your data on secure servers using the latest encryption algorithms and guarantee the storage of backup copies. In addition, the CEP implements all appropriate technical and organizational measures to ensure the security of personal data, including minimizing the volume of processed personal data necessary to achieve the relevant objectives; timely restoration of availability and access to personal data, in the event of a physical or technical incident; undertaking an express duty of confidentiality by employees, as well as other measures.
PROCESSING OF PERSONAL DATA VOLUNTARILY PROVIDED THROUGH THE CONTACT FORM ON THE PORTAL
Art. 14. When sending a message using the contact form on the PORTAL or when sending a request to receive messages (type "newsletter"), you declare that you have familiarized yourself with this Privacy Policy and voluntarily provide your personal data. In these cases, the Company processes the personal data that you have provided through the contact form – names, email and phone number, and the purpose of the processing is reduced to the need to prepare and send a response to your message. The basis for lawful processing in this case is Art. 6, paragraph 1, letter "f" of the GDPR. Your personal data will be stored for the period from receipt of the inquiry, request or question, until the purpose of their processing is achieved and/or the legal basis for processing your personal data ceases. The other provisions in this Privacy Policy apply to the features of personal data processing not regulated in this section.
PROCESSING OF PERSONAL GEO-LOCATION (LOCATION) DATA IN CONNECTION WITH THE SERVICES PROVIDED THROUGH THE MOBILE APPLICATION
Art. 15. By using some of the functions of the MOBILE APPLICATION, in particular the game "Become an explorer", You declare that you have read this Privacy Policy and voluntarily provide your personal data. In these cases, the Association processes the personal data that you have provided through the MOBILE APPLICATION - geolocation data, and the purpose of the processing is reduced to the performance of the services through the MOBILE APPLICATION. The basis for lawful processing in this case is Art. 6, paragraph 1, letter "a" of the GDPR. Your personal geolocation data will be stored for the period until your registration in the MOBILE APPLICATION is terminated or until you expressly request the destruction of the personal data in question. The other provisions in this Privacy Policy apply to the features of personal data processing not regulated in this section.
RIGHTS OF DATA SUBJECTS
Art. 16. Every natural person whose data is processed by CVP has the following rights:
• right of access to his personal data, including to receive a copy of them;
• right to correct or supplement inaccurate or incomplete personal data;
• right to delete personal data that are processed without a legal basis;
• right to limit the processing - in the presence of a legal dispute between the Data Controller and the person - until its resolution or for the establishment, exercise or defense of legal claims;
• right to object - at any time and on grounds related to the individual's specific situation, provided that there are no compelling legal grounds for the processing that take precedence over the interests, rights and freedoms of the data subject, or legal proceedings;
• right to portability - only in the event that personal data is processed automatically on the basis of consent or contract;
• right not to be the subject of a fully automated decision involving profiling that gives rise to legal consequences for the data subject or affects him to a significant extent.
In accordance with the GDPR and the GDPR, the above-mentioned rights can be exercised by submitting a written application electronically. The application is made personally by the data subject or by a person authorized by him. The Central Administrative Court rules on the data subject's request within 30 days of its submission.
PROTECTION OF THE RIGHTS OF DATA SUBJECTS.
Art. 17. In accordance with the Personal Data Protection Act and Regulation (EU) 2016/679, any natural person who considers that his right to the protection of his personal data has been violated may submit a complaint to the Commission for the Protection of Personal Data at the address: Sofia 1592, 2 Prof. Tsvetan Lazarov" Blvd , website: www.cpdp.bg.
