PRIVACY AND DATA PROTECTION POLICY in connection with Regulation /EU/ 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
/General Data Protection Regulation/
Meteorites Ltd, a company registered in the Commercial Register of the Registry Agency with UIC 118583892, with registered office and business address: the city of Silistra, 3 P.K. Yavorov Street, floor 6, apartment 16, and with place of business: the city of Sofia, 12G Ivan Peychev Street, floor 3, apartment 11, VAT ID No. BG118583892, represented by the Manager George Ilieff Penneff, phone No. +359 878 123 333, e-mail: firstname.lastname@example.org, is a personal data administrator (controller) within the meaning of Art. 4, paragraph 7 of Regulation /EU/ 2016/679 and processes a wide range of data by means of which individuals can be identified.
The business purpose of the company is work with precious metals and gemstones and items made with and from them.
Supervisory authority: Commission for Personal Data Protection
The city of Sofia – 1592, 2 Tsvetan Lazarov Boulevard
Business hours – from 09:00 until 17:30, official website: www.cpdp.bg, email: email@example.com
1. General Data Protection Regulation (Regulation /EU/ 2016/679)
The General Data Protection Regulation (GDPR) governs all activities involving the processing of personal data.
2. Legal Definitions
"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
"Processing" means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
"Personal data administrator" (controller) means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by the laws of the European Union or of a Member State, the administrator, or the specific criteria for its nomination, may be provided for by the laws of the European Union or of the Member State.
"Personal data processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the administrator.
3. Meteorites Ltd in its capacity of a personal data administrator processes the personal data:
• Autonomously, through its employees who, acting under specific instructions, carry out processing activities in accordance with Art. 29 of Regulation /EU/ 2016/679;
• By delegating processing to a personal data processor, while Meteorites Ltd continues to determine the purposes and means of the processing, where the applicable legal grounds exist and in accordance with the requirements of the General Data Protection Regulation (Regulation /EU/ 2016/679).
4. General principles of personal data processing
• The principle of lawfulness, fairness and transparency.
• The purpose limitation principle
• The data minimization principle
• The principle of accuracy
• The storage limitation principle
• The integrity and confidentiality principle
Meteorites Ltd is responsible for, and must be able to demonstrate, compliance with these principles ("accountability").
Meteorites Ltd guarantees that it respects and adheres to these principles in its current methods for collecting and processing personal data.
5. Objectives of personal data processing
Meteorites Ltd processes personal data in regards to the fulfillment of the following objectives:
5.1. Human resources management (job applicants, employees and contractors under employment contracts and independent contracts), for:
5.1.1. Individualisation of employment, service and civil law relationships;
5.1.2. Compliance with the regulatory requirements of the Labour Code, the Social Security Code, the Accountancy Act, the Taxation of the Income of Natural Persons Act, the National Archive Reserve Act, etc.;
5.1.3. Using the data of the respective individuals, gathered for official purposes:
a/ for all activities linked to the creation, amendment and termination of employment and civil law relationships;
b/ for drafting any documents concerning the individuals in this relationship (contracts, additional agreements, documents certifying the person's period of employment, official notices, references, certificates and other similar documents);
c/ for contacting the individual by phone in connection with the fulfilment of their duties under employment contracts;
d/ for accounting purposes, deducting taxes due and other activities relating to the remuneration of the above-mentioned individuals under employment, service and civil law relationships;
5.2. For carrying out activities linked to the conclusion, existence, amendment and termination of contractual relationships, including:
• Drafting of all kinds of documents;
• Fulfilment of the regulatory requirements of the Commercial Law, the Accountancy Act, the Value Added Tax Act, the Corporate Income Tax Act, etc.;
• Contacting the individual by phone, e-mail or any other lawful means;
• The provision or receipt of goods/services, communication regarding the provision or receipt of goods/services, and the provision of related customer service;
• Accounting purposes in relation to the fulfilment of contracts to which the administrator is a party;
• Processing of payments in relation to contracts signed by the administrator;
6. Data subjects categories
The administrator processes the personal data of the following subjects:
6.1. Personnel (under employment, civil contracts and job applicants);
6.2. Counterparties (clients, suppliers, commercial partners, contractors, etc.) in case they are:
• Individuals or
• Their representatives and/or points of contact, in case they are legal entities.
7. Personal data categories being processed
Meteorites Ltd in its capacity of personal data administrator processes the following personal data categories:
7.1. Personnel data (under employment legal relationships):
• Identification data – names, address, phone number;
• Personal identification number – PIN;
• Education – document certifying the educational degree acquired; certificate of qualification, where one is required for the position. This data is necessary to meet the regulatory requirements for the respective positions;
• Employment history – documents certifying the period of employment in the professional area, professional qualification;
• Family status – marital status. This data is necessary for the exercise of the individuals' statutory rights: paid maternity or paternity leave, wage garnishment, the declaration for using tax relief for children, and paid leave under Article 157 of the Labour Code for the fulfilment of civil, public and other duties (marriage, blood donation, the death of a close relative, etc.);
• Economic and financial information – income from another employer, bank account. This data is necessary for the annual tax recalculation under the Taxation of the Income of Natural Persons Act and for the payment of remuneration and of monetary compensation for temporary incapacity for work;
• Health data – medical documents required for employment (which grant employees certain statutory protections) and sick leave certificates (hospital sheets), which are forwarded to the National Social Security Institute (NSSI);
• Criminal record certificate – where a law or regulatory act requires certification of the person's criminal record.
7.2. Personnel data (under independent contracts):
• Identification data – names, address, phone number;
• Personal identification number – PIN;
• Economic and financial information – bank account. This data is required in order to pay the respective remuneration to the individual(s).
The processing is carried out in connection with the conclusion, existence, amendment and termination of independent contracts, in compliance with the regulatory requirements of the Labour Code, the Social Security Code, the Accountancy Act, the Tax and Social Insurance Procedure Code, the Law on Obligations and Contracts, etc.
7.3. Personnel data (job applicants):
Meteorites Ltd processes the personal data of individuals during the application process for a vacant position in the company, for example:
• Biographical data – names, date of birth, previous employment, education, qualifications;
• Contact information – address, phone number, e-mail address.
The administrator collects and processes this personal data in order to take steps at the request of the data subject prior to entering into a contract and to comply with its legal obligations, under Art. 6, paragraph 1, letters (b) and (c) of the General Data Protection Regulation. Personal data is submitted by the individual in response to a job advertisement (by e-mail: firstname.lastname@example.org, on paper, in person or by post) and in accordance with the Labour Code.
7.4. Counterparties data (clients, suppliers, commercial partners, contractors, lessors, lessees, etc.):
• Identification data – names, address, phone number, e-mail address;
• Personal identification number – PIN;
• Economic and financial information – bank account. This data is necessary for processing payments.
The administrator processes this data in fulfilment of its legal obligations in relation to the conclusion of a contract and/or the performance of obligations under a signed contract, pursuant to the provisions of the Commercial Law, the Accountancy Act, the Law on Obligations and Contracts, the Value Added Tax Act and other legislation, and the terms set out in the commercial contract.
The personal data listed in points 7.1, 7.2, 7.3 and 7.4 is processed on the basis of a statutory obligation, a contract or consent (the Labour Code, the Social Security Code, the Taxation of the Income of Natural Persons Act and other primary and secondary legislation), by employees authorised to process personal data. Meteorites Ltd determines the purposes and means of the processing where the applicable legal grounds exist, in accordance with the requirements of the General Data Protection Regulation (Regulation /EU/ 2016/679).
8. Exercising rights under Art. 15 – 22 of the General Data Protection Regulation. Order for exercising the rights of the data subjects.
You, in your capacity as a data subject, have the following rights, defined in Art. 15 – 22 of the General Data Protection Regulation:
♦ the right to be informed;
♦ the right of access;
♦ the right to rectification of existing data;
♦ the right to erasure of personal data ("the right to be forgotten");
♦ the right to restriction of processing;
♦ the right to data portability;
♦ the right to object;
♦ rights in relation to automated decision-making and profiling.
These rights may be exercised by submitting a request to Meteorites Ltd in person or through a proxy, by regular mail sent to the administrator's address, or by e-mail sent to the administrator's address email@example.com and signed with an electronic signature.
Information on the action taken on a request is provided under the conditions of Art. 12, paragraph 3 of Regulation /EU/ 2016/679.
Where there are reasonable doubts concerning the identity of the individual submitting the request, the administrator may require the provision of additional information necessary to confirm the identity of the data subject.
9. Data processing conformity with law. Consequences of refusing to provide personal data.
Meteorites Ltd stores and processes personal data only on the legal grounds applicable to the particular case, and documents the connection between the grounds and the circumstances in accordance with the General Data Protection Regulation, namely:
9.1. Performance of a contract
Where the data collected and processed is necessary for the performance of a contract concluded with the data subject. This ground applies where the data provided is essential to the performance of the contract.
9.2. Legal obligation
When the data is gathered and being processed in order for a legal obligation to be fulfilled.
9.3. Vital interest of the data subject or of another individual
It is lawful for us to receive and process personal data where this is necessary to protect the vital interests of the data subject or of another individual. Meteorites Ltd will only process personal data on this ground where vital interests are actually affected, and the circumstances will be documented in detail so that this can be demonstrated.
9.4. Performing a task in the public interest
Where Meteorites Ltd has to perform a task which it considers to be in the public interest or part of its professional duties, the consent of the data subject is not required. The assessment of whether the task is in the public interest and/or a professional duty is documented and may serve as evidence if required.
9.5. Legitimate interest
Meteorites Ltd processes data for the protection of its legitimate interests where the rights and freedoms of the data subjects are not significantly affected. In such cases the assessment of whether the interest is legitimate, and of the extent to which the rights and freedoms of the data subjects are affected, will be documented.
If the requested personal data is refused, Meteorites Ltd may be unable to fulfil its statutory obligations and may be unable to provide its services/goods.
10. Data protection by design
Meteorites Ltd respects the principle of data protection by design. The planning and construction of all new, or substantially modified existing, systems that collect, store or process data will be evaluated in the light of potential security issues. A data protection impact assessment will be carried out for each such project and appropriate protective measures will be taken.
The data protection impact assessment shall include:
● A review of the methods of processing personal data and the purposes of the processing;
● An assessment of whether the intended method of processing is applicable and appropriate to the stated purpose;
● An assessment of the risks to data subjects arising from the processing of their data;
● A determination of the controls and security measures needed to minimise the identified risks and to comply with the requirements of the GDPR.
Techniques such as pseudonymisation and the storage of only the necessary information will be used wherever possible.
11. Provision of personal data outside the company
The personal data processed by Meteorites Ltd is provided to:
1. The individuals who are the data subjects;
2. Persons, where a regulatory act so provides – public bodies (the National Revenue Agency, the National Social Security Institute, the Ministry of Interior, judicial bodies, supervisory bodies, local self-government bodies, etc.), to the extent necessary for the purposes for which the data has been requested;
3. Personal data processors (natural or legal persons that process personal data on behalf of the administrator and on its instructions or assignment):
- Occupational health services;
4. Business partners – for the purpose of fulfilling a legal obligation and/or a contract;
5. Credit institutions (banks) – in connection with the payment of remuneration to employees and to contractors under independent agreements;
6. Courier companies and postal operators – for the purposes of correspondence with the data subjects and the receipt, transfer, delivery and addressing of packages to individuals.
12. International data transfer
Meteorites Ltd does not transfer the personal data it stores and processes to third countries or international organisations.
13. Contracts, including the processing of personal data
Meteorites Ltd ensures that all contracts it concludes and whose scope covers the processing of personal data will contain the necessary information and conditions required by the GDPR.
14. Data retention period
In its capacity as a data administrator, Meteorites Ltd stores and processes data for no longer than is necessary for the purposes of the processing and for the periods required by the applicable legislation, in accordance with the storage limitation principle.
| Period | Records and legal basis |
| --- | --- |
| 50 years | Payroll records and personnel files – Art. 38 of the Tax and Social Insurance Procedure Code |
| 10 years | Accounting records and financial statements, including those for tax control, audits and subsequent financial inspections – Art. 12 of the Accountancy Act and Art. 38 of the Tax and Social Insurance Procedure Code |
| 5 years | Tax control documents – retained for 5 years after the expiry of the limitation period for repayment of the public obligation to which they relate – Art. 38 of the Tax and Social Insurance Procedure Code |
15. Data Protection Officer (DPO)
The GDPR obliges public authorities, as well as organisations whose core activities consist of large-scale regular and systematic monitoring of data subjects or of large-scale processing of special categories ("sensitive") of personal data, to designate a data protection officer. The officer must have the knowledge and skills required for the purposes of the GDPR and may be either a member of the company's staff or an external party.
In accordance with the requirements set out in the Regulation, Meteorites Ltd has also designated a data protection officer.
Contact with the data protection officer: firstname.lastname@example.org
16. Technical and organizational measures for the protection of personal data
The protection of paper and electronic data against unauthorised access, alteration, loss or destruction is ensured through internally regulated technical and organisational measures:
1. Technical (software) – reliable and secure identification and authentication of the individuals who process personal data in electronic form, using access passwords and defined user rights for working with the data; maintaining an electronic archive and regularly backing up the databases containing personal data; keeping operating systems and antivirus software up to date.
2. Physical – a system of measures for protecting the premises where personal data is processed and stored, including access control.
3. Organisational and administrative – regulated by the Manager of Meteorites Ltd.
17. Notification for data security breach
In the event of a personal data breach, Meteorites Ltd shall take the necessary steps to inform the individuals concerned where the breach is likely to result in a high risk to their rights and freedoms.
The notification shall be proportionate to the breach and the principle of transparency shall be respected. The GDPR obliges the organisation to notify the supervisory authority (the Commission for Personal Data Protection) without undue delay and, where feasible, within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals.
Meteorites Ltd documents every personal data breach, including the facts relating to the breach, its consequences and the measures taken to address it.
18. Achieving compliance with GDPR
Meteorites Ltd has taken the following actions in order to achieve full compliance with the GDPR:
● The legislation in the field of personal data protection has been analysed;
● Employees involved in the collection and processing of personal data understand their obligations and their responsibility to comply with the organisation's personal data protection policies and procedures;
● Staff have been instructed on the required level of data protection;
● Data subjects are given the means to exercise their rights, and their requests are handled effectively;
● Periodic reviews are conducted to update the data protection policies and procedures;
● The principle of data protection by design is applied to all new or substantially modified systems and processes;
● The following records of processing activities are kept:
  - The name of the organisation and other necessary details
  - Purposes of the data processing
  - Categories of data subjects and of the personal data being processed
  - Categories of personal data processors
  - Retention periods for the personal data
  - Organisational and technical measures for ensuring data protection
Meteorites Ltd guarantees that these activities will be periodically reviewed by the company's governing bodies as part of the overall data protection audit.
§1. The current policy has been updated and approved by the Manager of Meteorites Ltd by an order dated 29.12.2019.