TRANSPARENCY POLICY FOR THE PROCESSING OF PERSONAL DATA
The Bulgarian Chamber of Commerce - Union of Bulgarian Business (BUC) is a non-profit association that works for the benefit of its members - Bulgarian and foreign legal entities and able-bodied individuals carrying out business activities.
BSK actively participates in the system of social dialogue at the national and international level and works to achieve economic and social progress in the country. In its activities, BSK protects the interests of business by conducting policies and activities based on the principles of compliance with legality, promotion of free business initiative, transparency, competence and correctness.
BSK is the controller of personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (General Data Protection Regulation) and the Personal Data Protection Act.
BSK has been assessed and certified according to the requirements of the ISO/IEC 27001:2013 "Information Security Management Systems" standard.
As a personal data administrator, BSK processes the personal data of natural persons in accordance with the principles of legality, expediency and proportionality of the data, and applies the necessary technical and organizational measures, with a view to ensuring their privacy and confidentiality. For this purpose, internal rules and procedures for the protection of personal data have been developed in accordance with legal requirements, as well as a transparency policy for the processing of personal data of natural persons._cc781905 -5cde-3194-bb3b-136bad5cf58d_
1. Contact details for the Bulgarian Chamber of Commerce
Republic of Bulgaria, city of Sofia, 16-20 Alabin St
Phone: (02) 932 09 11
El. mail: office@bia-bg.com
Website: www.bia-bg.com
2. BSK contact details regarding personal data protection
Phone: (02) 932 09 11
El. mail: office@bia-bg.com
3. Personal data that BSK collects and processes
"Personal data" is any information relating to an identified or identifiable natural person (data subject).
BSK collects and processes personal data in compliance with the principle of "reducing data to a minimum", solely and only for specific, explicitly specified and legitimate purposes.
The source of the personal data that BSK processes are:
the data subject;
public registers with personal data to which free access is provided;
documents issued by competent authorities;
third parties, in connection with or on the occasion of their participation in contractor selection procedures.
The categories of personal data that BSK processes are:
3.1. Common categories of personal data:
a) names, uniform civil number, date and place of birth, age, gender, citizenship, photographs;
b) contact details - contact telephone numbers, current and permanent address, e-mail address;
c) data on marital status and children under 18 years of age (if the processing is necessary to protect the rights of a worker or employee);
d) data regarding income from employment and civil relations (if the processing is necessary to fulfill a legally established obligation of the personal data controller);
e) data on education, qualification, work experience, professional biography.
f) data on bank accounts in connection with employment relationships, concluded contracts, etc.
3.2. Special categories of personal data: health status data (if the processing is necessary to protect the rights of the data subject in the performance of employment and related relations).
3.3. Personal data collected pursuant to a legal act regarding criminal status - criminal record; a certificate that the person is not under trial and investigation (if applicable for holding a position or performing a specific activity).
3.4. Personal data collected during video surveillance carried out for security purposes, in compliance with the requirements of the Law on Private Security Activities (PSO) and the Law on Personal Data Protection (PPO).
4. Purposes of personal data processing activities
The personal data that BSK processes are used only for the following purposes:
4.1. Human resource Management:
Recruitment;
creation, modification and termination of employment and related relationships, which are exercised by virtue of law;
keeping accounting records of remuneration for tax and insurance purposes;
to establish contact with the persons by phone, email, home address and to send correspondence related to official, statutory, membership, management, etc. relationships;
protection of legal rights of data subjects;
protection of the interests of the data controller.
4.2. Fulfillment of obligations under concluded contracts; to exercise rights arising from concluded contracts; for the purposes of reporting the performance of contracts; audit of the execution of contracts.
4.3. For purposes expressly stated in declaration of consent of the subject for the processing of his personal data. For example:
a) for communication with informational, advertising and/or marketing purposes;
b) when collecting data for the purpose of statistical studies;
c) when subscribing to information bulletins prepared by BSK.
The declaration of consent explicitly states what personal data is collected by BSK and what is the purpose of their processing. The natural person - data subject, has the right at any time, with a written request or in a free form, to withdraw his consent to the processing of personal data.
4.4. If it is necessary to process the data for a purpose other than the original one, BSK informs the data subject and requests his consent.
5. Consequences of refusal to provide personal data
When the basis for providing and processing data is consent or performance of a contract/pre-contractual relations, the refusal to provide personal data has the consequence of the impossibility of establishing relations and/or providing a service and/or concluding a contract in view of which they are requested data.
6. Transfer of personal data
Collected personal data may be provided to third parties only in the following cases:
6.1. When fulfilling legal requirements related to:
a) labor relations: data are provided to public bodies, in view of their powers and competence (the National Revenue Agency, the National Insurance Institute, the Executive Agency "Main Labor Inspectorate" and others);
b) membership legal relations - the Council of Ministers, the Ministry of Labor and Social Policy, court;
c) arbitration cases - court, bailiffs;
d) issuance of certificates of origin of the goods - data are provided to customs authorities in the country and abroad, Ministry of Finance;
e) other public bodies that receive the data by virtue of law.
6.2. On a contractual basis - for the payment of remunerations and fees and the fulfillment of legal obligations related to the obligations of BSK to ensure health and safety at work (Occupational Medicine Office, accounting offices).
6.3. On the basis of consent to data processing - in accordance with the consent given by the data subject.
7. Terms for storing personal data
7.1. Statutory terms for storing data:
on labor relations, incl. payroll - 50 years;
accounting registers - 10 years, starting from January 1 of the accounting period following the accounting period to which they refer;
7.2. Terms related to the exclusion of rights under statutory limitation periods related to obligations under civil and commercial contracts:
for periodic payments - 3 years;
in the other cases – 5 years, counted from the date of claimability.
7.3. Deadlines related to the purposes of processing: contractual deadlines, deadlines for completion and reporting of contractual and financial relations under contracts related to national, European and international funding.
7.4. Terms related to information for the purposes of tax and accounting reporting, tax audits and audits and government financial control.
7.5. BSK determines the following terms of storage of data collected when using information technologies:
a) data collected when using information technologies - Internet Protocol (IP) address, "cookie" identification number - 3 months;
b) internet traffic of personal computers – 1 week;
c) logs related to security, technical support, development, etc. - 3 months;
d) server logs, logs of security protection devices (Web Application Firewalls), etc. devices falling into this category – 3 months;
e) data obtained on the basis of the data subject's consent to receive information and other bulletins from the BSK electronic page and other information systems administered by the BSK - until the consent is withdrawn, resp. - account/registration termination;
f) data on withdrawn consent by the data subject - indefinitely;
g) data collected during video surveillance - 1 week;
h) data of candidates for positions at the administrator - 30 days after the completion of the application and selection procedure.
7.6. After the expiration of the storage periods, if there is no other reason for their processing, the data on technical media are deleted, and on paper media, if they are not subject to transmission for storage by law, they are destroyed._cc781905-5cde-3194-bb3b- 136bad5cf58d_
8. Rights of the subjects of personal data and procedure for their exercise
8.1. Right to information and access
The natural person - data subject, has the right to information about his personal data processed by BSK, as well as the right to access them.
The data subject has the right to receive a copy of the personal data that is being processed by BSK, in electronic or paper form. For this purpose, it is necessary to submit a written request personally or through an authorized person to BSK, including electronically.
8.2. Right to data privacy
The personal data processed by BSK are confidential subject to the obligation to protect professional secrecy. BSK employees sign a confidentiality statement regarding the personal data they work with, within the scope of their professional responsibilities.
8.3. Right to rectification of processed data
The data subject has the right to request the BSK to correct, without undue delay, inaccurate personal data relating to him or her, as well as data that is no longer up-to-date. For this purpose, it is necessary to submit a written request personally or through an authorized person to BSK, including electronically.
8.4. Right to erasure (right to be forgotten)
8.4.1. The data subject has the right to request from BSK that his personal data be deleted without undue delay if any of the following grounds exist:
a) the personal data are no longer necessary for the purposes for which they were collected;
b) upon withdrawal of the given consent for personal data processing;
c) in case of objection to the processing;
d) when the processing of personal data is illegal;
e) when personal data must be deleted in order to comply with an obligation under the law of the European Union or the national legislation of the Republic of Bulgaria, which applies to BSK as a personal data controller;
f) when the personal data were collected in connection with the provision of information society services.
In order to exercise the right to delete data, the data subject should submit a written request to the BSK, including electronically, personally or through an authorized person.
8.4.2. BSK may refuse to delete the subject's personal data for the following reasons:
a) for compliance with a legal obligation by BSK or for the performance of a task of public interest;
b) when exercising the right to freedom of expression and the right to information;
c) in the exercise of official authority (if applicable);
d) to establish, exercise or defend legal claims.
8.5. Right to restriction of processing
The data subject has the right to request the BSK to limit the processing of his personal data. In this case, the data will be stored for the specified periods (specified in item 7 of this transparency policy), but not processed, unless there is a legal basis for this. For this purpose, it is necessary for the data subject to submit a written request personally or through an authorized person to BSK, including electronically.
8.6. Right to object to processing
The data subject has the right to object to the processing of his personal data carried out by BSK (for example, see Article 21, paragraph 2 and 6 of the General Data Protection Regulation). In order to benefit from the right to object to the processing, the data subject must submit a written request in person or through an authorized person to the BSK, including electronic path.
8.7. BSK does not perform automated decision-making, including profiling.
8.8. Right to data portability
The data subject has the right to receive the personal data concerning him and which he has provided to BSK in a structured, widely used and machine-readable format, and to request _cc781905-5cde-3194- bb3b-136bad5cf58d_these data to be transferred to another data controller when the processing is based on consent or a contractual obligation, provided that BSK carries out the processing in an automated manner.
8.9. Right of appeal
The data subject has the right to file a complaint regarding the processing of his personal data through BSK, using the contact details specified in item 2 of this transparency policy.
A complaint can also be submitted to the supervisory authority - Commission for the Protection of Personal Data, address: Sofia 1592, "Prof. Tsvetan Lazarov" No. 2, e-mail: kzld@cpdp.bg, website: www.cpdp.bg
8.10. The exercise of the rights under item 8.1., item 8.3. - 8.6. is free. Where a data subject's requests are manifestly unfounded or excessive, in particular due to their repetition, the BSK may:
a) charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the requested action;
b) refuse to act on the request.
8.11. The deadline for consideration of requests under item 8.1., item 8.3. - 8.6. and for ruling on them by BSK, in the capacity of personal data controller, is 30 days from receipt of the request and can be extended by 2 months, taking into account the complexity and number of requests._cc781905-5cde-3194-bb3b -136bad5cf58d_ _cc781905-5cde-3194-bb3b_
The Bulgarian Chamber of Commerce reserves the right to amend and supplement this Transparency Policy in the processing of personal data of natural persons in the event of changes in the applicable legislation for the protection of personal data.
_________
INTERNAL RULES
for the protection of the personal data of natural persons processed by BSK
_________
SAMPLE DOCUMENTS [doc]:
Data subject request regarding data access, correction, deletion, restriction, transfer, objection to processing or other