Policy for protection of personal data in connection with the application of Regulation (EU) 2016/679
POLICY FOR THE MEASURES AND MEANS FOR PROTECTION OF PERSONAL DATA,
COLLECTED, PROCESSED AND STORED
BY BONITA STYLE EOOD
BONITA STYLE EOOD, UIC 175373765, head office and registered office: Sofia city, No. 163 Zaichar Str., applies this policy for the protection of personal data when processing such data of its employees, consultants, partners, commercial contractors, customers and any other third party. For the purposes of this document, BONITA STYLE EOOD shall hereafter be referred to as the Administrator.
The current data protection policy is developed and adopted by the Administrator in order to comply with the provisions of Regulation (EU) 2016/679 (General data protection regulation) and the applicable national law.
The purpose of this document is:
to outline the rules adopted by the Administrator for the protection of the personal data of natural persons and to guarantee that personal data is not processed without the knowledge of the natural persons whom it concerns and, where necessary, that it is processed only after receipt of the written consent of these natural persons;
to approve the technical and organizational measures undertaken in the enterprise regarding protection of this data.
BONITA STYLE EOOD, as personal data administrator, collects and processes certain information concerning natural persons in the course of its business. This information can refer to employees, customers, suppliers, contractors, general managers and other management bodies, business contacts and other natural persons with whom the Administrator comes into contact in the course of its business activity.
This policy governs the way the personal data is administered (collected, processed and stored) within the enterprise, so that it is in line with the applicable law.
2. LEGAL BASIS.
This policy is introduced and adhered to according to Regulation (EU) 2016/679 (General data protection regulation), the Personal data protection act and the bylaws.
„Personal data“ – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
„Special categories of personal data“ – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the unique identification of a natural person, data concerning health, or data concerning the sex life or sexual orientation of a natural person.
„Processing“ – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
„Administrator“ – any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of personal data processing; where the purposes and means of such processing are determined by Union law or the law of a Member State, the administrator or the specific criteria for its determination may be provided for by Union law or by the law of a Member State. For the purposes of this document, the Administrator is BONITA STYLE EOOD, as well as any person to whom personal data is provided subject to regulatory requirements and this policy;
„Data subject“ – every living individual who is the subject of personal data kept by the Administrator.
„Consent of the data subject“ – any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
„Child“ – the General Regulation defines a child as anyone under 16 years of age, although Member State law may lower this threshold to 13. The processing of a child's personal data is lawful only if a parent or guardian has consented. In such cases the Administrator makes reasonable efforts to verify whether the holder of parental responsibility for the child has given, or is authorised to give, consent.
„Profiling“ – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
„Violation of personal data security“ – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
„Main place of location“ – the Administrator's EU head office shall be the location in which the main decisions about the purposes and means of data processing are taken. For a data processor, its main place of location in the EU shall be its administrative centre.
„Recipient“ – a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
„Third party“ – a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
4. PRINCIPLES OF DATA PROTECTION
All personal data processing has to be carried out in accordance with the data protection principles set out in Article 5 of Regulation (EU) 2016/679. The Administrator’s policy is intended to ensure compliance with these principles.
Lawfulness, fairness and transparency – processing on a legal basis, with due care and with the data subject informed;
Purpose limitation – data is collected for specific, explicitly stated and legitimate purposes and is not further processed in a manner incompatible with those purposes;
Data minimisation – the data has to be adequate, relevant and limited to what is necessary in relation to the purposes of the processing;
Accuracy – data is kept up to date and all reasonable measures are taken to ensure that inaccurate data is promptly erased or corrected, having regard to the purposes of the processing;
Storage limitation – data is processed for no longer than is necessary for the purposes. Storage for longer periods is permitted for archiving purposes in the public interest, for scientific or historical research, or for statistical purposes, provided that appropriate technical and organisational measures are applied;
Integrity and confidentiality – processing in a manner that ensures an appropriate level of personal data security through appropriate technical and organisational measures;
Accountability – the Administrator is responsible for, and must be able to demonstrate, compliance with all principles relating to personal data processing (keeping a register of personal data processing activities, adopting internal instructions/rules/procedures and a personal data protection policy, updating the forms documenting consent, updating the agreements with personal data processors, etc.).
5. CATEGORIES OF PERSONS WHOSE PERSONAL DATA IS PROCESSED BY THE ADMINISTRATOR
The Administrator processes the personal data of the following categories of natural persons:
Candidates in recruitment;
Persons who are legal representatives of legal entities that are the Administrator’s partners;
Contact persons designated by companies with which the Administrator has business relations;
Persons with contractual relations with the enterprise.
6. GOALS OF THE PERSONAL DATA PROCESSING
The Administrator collects, processes and stores personal data in connection with:
Conclusion, performance, amendment and termination of employment contracts;
Conclusion, performance, amendment and termination of civil contracts, including private enterprise contracts within the meaning of the Obligations and Contracts Act;
Conclusion, performance, amendment and termination of commercial contracts within the scope of the business activity;
Preparation of any accompanying documents in connection with the performance of any kind of contract;
Accounting during the performance of the contracts to which the Administrator is a party;
Processing of payments during the execution of the signed contracts.
The personal data is provided by the data subject and, apart from the purposes listed above, may be collected and processed by the Administrator in connection with the performance of its statutory obligations under the provisions of the Commercial Act, the Obligations and Contracts Act, the Accountancy Act, the Value Added Tax Act, the Corporate Income Tax Act, the Taxation of the Income of Natural Persons Act, the Tax-Insurance Procedure Code, the Social Security Code, the Health Insurance Act and other relevant primary and secondary legislation.
7. PROVISION OF THE DATA TO THIRD PARTIES
In the course of its business activity, the Administrator may provide information, including information containing personal data, to third parties with a view to implementing the contractual relations between them (bookkeepers, lawyers, recruitment consultants, occupational health services and others). The Administrator has to take the necessary steps, by concluding the corresponding agreements with these persons, to guarantee the maximum protection of the personal data of the natural persons concerned.
As part of the measures for guaranteeing personal data protection, the Administrator always concludes a confidentiality agreement and a personal data protection agreement with such third parties.
The Administrator takes the necessary steps to obtain consent from the data subject for the processing of their data. The consent of the data subject has to be:
freely expressed – not given under pressure or threat of adverse effects;
specific – separate consent for each individually defined goal;
informed – given based on full, exact and easily understandable information;
unambiguous – it must not be inferred or implied from other statements or actions of the person;
an explicit statement or a clear affirmative action – the silence of the person cannot be accepted as consent.
The consent is given in the form of a document (statement) prepared in advance by the Administrator, at the time of data collection – when signing a commercial contract and/or the accompanying documents, when signing an employment contract, and so on.
In case the Administrator processes the personal data of children, it has to obtain permission from the person exercising parental rights (parents, guardians and others). This requirement applies to children under the age of 16.
The information which has to be provided to the data subject at the time the Administrator obtains the data should include as a minimum:
the identity and contact details of the Administrator;
the purposes of the processing for which the personal data is intended, as well as the legal basis for the processing;
the period for which the personal data will be stored;
the existence of the following rights - to ask for