RIGHTS OF THE DATA SUBJECT

To be able to perform our obligations, in our capacity as controllers of personal data related to ensuring a possibility for exercise of the rights of data subjects, in accordance with the personal data protection legislation, we hereby inform you of your rights and the procedure for exercising them.

Right of access of the data subject

When exercising the right of access to personal data, we shall provide the following information to you:

  • A confirmation whether your personal data is processed;
  • A copy of the personal data undergoing processing;
  • The purposes of the processing;
  • The categories of personal data;
  • The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • Clarifications concerning the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • Clarifications concerning the right to lodge a complaint with the supervisory body;
  • Where the personal data have not been provided by you personally, any available information concerning their source;
  • The existence of automated decision-making, including profiling, the logic used, as well as the significance and the foreseen consequences of this processing for you;
  • The intention of the controller to transfer your data to a third country or international organisation and whether the statutory conditions for this have been fulfilled;
  • The categories of personal data that the controller has about you, if he has not received them personally from you;
  • The source of the personal data and whether the data are from a publicly accessible source, if the controller has not received the data personally from you.

When providing a copy of personal data, data constituting confidential information, a trade secret, intellectual property, as well as other information protected by law shall not be disclosed. Personal data of third parties shall not be disclosed without their explicit consent. The provision of information concerning the personal data processed by the controller should not lead to a violation of a statutory obligation of the controller. In case of refusal to provide access to personal data, the personal data controller shall justify his refusal and inform the subject of his right to lodge a complaint with the supervisory body.

The request of the data subject shall be considered excessive, if it is repetitive over a relatively short period of time.  Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either refuse to undertake action with respect to the request or impose a fee.

Right to Rectification

You have the right to ask the controller to rectify the inaccurate personal data concerning you. You can exercise your right to rectification of personal data by submitting a request for personal data rectification.

Right to Erasure

You have the right to request from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they have been collected or otherwise processed;
  • you have withdrawn your consent, on which the data processing is based and there is no other legal basis for the processing;
  • you object to the processing and there are no overriding legitimate grounds for processing;
  • you object to the processing for the purposes of direct marketing;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation, to which the controller is subject;
  • the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of Regulation (EU) 2016/679.

The Controller shall not be obliged to delete the personal data in cases where their processing is necessary for:

  • exercising the right of freedom of expression and the right to information;
  • observing a legal obligation requiring processing, which is applied with respect to the Controller;
  • reasons of public interest in the area of public health;
  • archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • establishing, exercising or defending legal claims.

Right to Restriction of Processing

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

  • you dispute the accuracy of the personal data – for a period enabling the Controller to verify the accuracy of your personal data;
  • when the processing is unlawful but you oppose to the erasure of the personal data, and request the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
  • you have objected to processing pending the verification whether the legitimate grounds of the controller override your interests;
  • When you have objected against the processing of personal data, including profiling based on the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or against processing, including profiling, where it is necessary for pursuing the legitimate interests of the controller or of a third party, whereby the restriction in this case is applied pending the verification whether the legitimate grounds of the controller override your interests.

If you have requested from the controller to limit the processing, controller must inform you prior to lifting the restriction.

Notification Obligation Regarding Rectification or Erasure of Personal Data or Restriction of Processing

The controller shall communicate any rectification, erasure or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform you of these recipients, should you make such a request.

Right to Data Portability

You have the right to receive your personal data and which you have provided to the controller, in a structured, commonly used and machine-readable format and upon request, the data may be transmitted to another controller where this is technically possible.

You may exercise your right to data portability where the processing is based on consent or on a contractual obligation and the processing is carried out in an automated manner.

The right to portability may not adversely affect the rights and freedoms of others.

Right to Object

You have the right, at any time and on any grounds related to your specific situation, to object against the processing of your personal data needed for purposes related to legitimate interests of the relevant Controller or of a third party, processing, including profiling.

The Controller shall check whether compelling legitimate grounds for the processing exist, which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims and in case of failure to prove such, shall terminate the processing.

Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Automated Individual Decision-making, Including Profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects for the data subject or similarly significantly affects him.

You have the right to lodge a complaint under administrative procedures to the supervisory body, the Commission for Personal Data Protection, if you believe that the processing of your personal data violates the provisions of the Protection of Personal Data Act and Regulation (EU) 2016/679.

PROCEDURE FOR SUBMISSION AND PROCESSING OF A REQUEST FOR EXERCISING RIGHTS BY DATA SUBJECTS

1. You may exercise your rights by submitting an application form personally or through a person authorized in writing:

  • on site at Agropolychim AD, Devnya city, Industrial Zone
  • electronically to the following e-mail address: data.protection@agropolychim.bg.

2. Requests for exercising rights shall be drawn up also in free form. Mandatory requisites of a request/application for exercising the rights:

  • Data for identification of the applicant: name as per the identity document, Personal Number, mailing address;
  • How to receive the information – address, telephone, e-mail;
  • Description of the request;
  • Date and signature.

3. The application in electronic form is signed by a qualified electronic signature.

4. The data subject/authorized person shall present data concerning his identity when submitting the application, which identify him surely and unambiguously.

5. Application forms of free form texts received by mail at: name of the controller, Devnya city, Industrial Zone, shall not be carried out. In the cases referred to in Article 12(2) of the GDPR, the controller shall not refuse to act on the request of the data subject for exercising his rights under Articles 15-22, unless the controller demonstrates that it is not in a position to identify the data subject.

6. The applicant must prove his/her identity by presenting an identity document. You are not required to present an identity document when the request is in electronic form signed by a qualified electronic signature.

7. Data subjects may exercise their rights only if the foreseen statutory conditions for exercise of the rights of natural persons are present. When the request is examined, it should be considered that the rights of the data subjects refer only to personal data. The persons shall not be entitled to receive documents or records that do not contain their personal data.

8. The Controller shall provide the requested information and shall respond to the requests of the data subjects within one calendar month of the date, on which the request was received.

9. Requests for exercising rights, which are manifestly unfounded, shall not be processed. The request may be “manifestly unfounded” where the object of the request is not permitted in view of the rights of the data subject or if it is incorrectly formulated.

10. The request of the data subject shall be considered excessive, if it is repetitive over a relatively short period of time.  Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may refuse to undertake action with respect to it.

11. You shall have the right to make objections/complaints against decisions on requests for exercising the rights.  The objection/complaint shall be lodged on site. They shall be processed in accordance with the procedure for exercising the rights of the data subjects. A complaint/objection to a decision on the response to the request of the subject shall be examined within a period of one calendar month.

12. If the controller does not satisfy the request of the data subject within the mandatory periods or refuses to satisfy the complaint/objection, in its response it shall state in a clear and comprehensible language the reasons why it did not undertake action or refused.

13. The response to the data subject shall contain information concerning the right of the data subject to lodge complaints directly with the supervisory body (the Commission on Personal Data Protection) and contact details of the supervisory body.

14. The personal data controller shall examine all requests for exercising rights by the data subjects without undue delay and in any case within one calendar month of receiving the request (Article 12 (4)). If it is necessary to check the identity of the applicant or the scope of the request (or to receive the request in writing on site or via e-mail with a qualified electronic signature), the one month period shall start running from the completion of this check.

15. The period may be extended by two more months in cases where the request is particularly complex or when the applicant has made several requests.

16. All actions of the controller undertaken with respect to requests received from data subjects in relation to exercising their rights, shall be carried out free of charge for the data subject.