I. SUBJECT-MATTER, OBJECTIVE AND SCOPE
In their business activity, Agropolychim AD and its affiliated companies from the same economic group – Afer Bulgaria EOOD, Rimakem EOOD and Zarnen Terminal Varna Zapad AD (hereinafter referred to as “the Companies from the Group” or “the Controllers”), take into consideration that it is important for natural persons to understand the process of collection, storing, sharing and use of any information constituting personal data.
The Companies from the Group, in their capacity as Controllers within the meaning of the Personal Data Protection Act (Promulgated SG No. 1, 04.01.2002) and the General Data Protection Regulation (EU) 2016/679 (hereinafter referred to as “the Regulation” or “GDPR”), shall be committed to ensuring compliance with national legislation and with EU legislation with respect to the processing of personal data and protection of “the rights and freedoms” of the persons whose personal data they collect and process. Depending on the situation, the Companies from the Group process the data in their capacity as Processors within the meaning of the Regulation.
One of the main objectives of the Companies from the Group is the development and furthering of good practices in the area of personal data protection within the company.
In accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the European Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, this Policy provides information on the principles and rules related to processing of personal data, the rights of the data subjects, the ways in which the personal data are processed and the means for data protection by the Companies from the Group, as well as their obligations and duties in their capacity as Controllers and/or Processors of personal data.
II. PRINCIPLES RELATED TO DATA PROCESSING AND PROTECTION
Personal data processing shall be carried out in line with the principles of data protection laid down in Article 5 of the Regulation, as follows:
1. Personal data shall be processed lawfully, fairly and in a transparent manner.
Prior to proceeding to personal data processing, a legal basis must be identified. Lawfulness in the processing of personal data shall mean full compliance of the behavior of the Controllers not only with the special provisions of the personal data protection instruments, but also with the entire legislation in force. Any processing of personal data shall be based on valid legal grounds, which may include:
- Compliance with a legal obligation that applies to the business of the Controllers;
- Performance of a contract to which the natural person is a party, or taking steps at the request of the natural person prior to entering into a contract (regulation of pre-contractual relations);
- Consent of the data subject for one or more objectives;
- Protection of vital interests of the data subject or of another natural person;
- Performance of a task of public interest;
- A legitimate interest of the Controllers, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Controllers, in their capacity as employers and assignors and with respect to the activities related to entering into and performance of labour contracts, shall process the personal data of employees on the basis of the applicable labour, insurance and tax legislation.
Personal data processing shall be fair where it does not affect the data subjects in an unjustified or unfavourable way, where it is carried out in full compliance with ethical norms and rules and good morals. Any information and communication relating to the processing of those personal data shall be easily accessible and easy to understand, and clear and plain language shall be used.
The implementation of the principle of transparency requires the Controller to provide specific information to the data subjects, necessary for each specific case and for each specific objective, in a manner that is intelligible, brief and accessible for the data subject, irrespective of whether the personal data were received directly from the data subjects or from other sources. The principle of transparency is guaranteed by providing an opportunity to exercise the right to information and the right of access.
Policies for awareness of the data subject are regulated in the Procedure for Transparency in Personal Data Processing and Notification for Confidential Handling of Personal Data.
The specific information provided to the data subject in the notification for personal data processing shall include:
- Data identifying the Controllers and the data for contact with the Controllers/the representative of the Controllers;
- The contact details of the data protection officer;
- The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- The period, for which the personal data shall be stored;
- The rights of the data subject – to request access, rectification, erasure (the right to be forgotten) and restriction of the processing of personal data, as well as the right to object – together with the conditions for exercising them, or the lack of such conditions, in accordance with the GDPR rules;
- The categories of personal data;
- The recipients or categories of recipients of the personal data;
- Where applicable, transfer of the personal data to a third country recipient (outside of the EU) and whether the necessary level of data protection has been ensured;
- Any additional information that is needed to guarantee the fair processing of the personal data.
2. Personal data are collected only for specified, explicit and legitimate purposes (“purpose limitation”).
Data obtained for specified legitimate purposes, explicitly stated in the relevant normative acts, contracts and/or other documents, shall be collected and processed only for the purposes for which they were collected and which are in line with the processing activities included in the Records of Data Processing Activities of the Companies from the Group (Article 30 GDPR).
3. The personal data collected by the Controller shall be adequate and limited to what is necessary for the relevant processing purpose (“data minimisation”), whereby:
- The data protection officer shall monitor that only information that is strictly required to achieve the processing purpose is collected;
- The data collection forms (electronic or paper) include a notification of personal data processing.
4. The personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data are (within the limits of the available technical solutions) erased or rectified without delay (“accuracy of the personal data”).
- Data stored by the Controllers shall be reviewed and updated if necessary. Data shall not be stored in cases where there is a risk that they are inaccurate;
- The data subject shall declare that the data, which it transferred for processing by the Companies from the Group are accurate and up to date;
- At least once per year the responsible data protection officer shall review the data and if necessary shall update/correct the time periods for storage of all personal data processed by the Companies from the Group, based on the inventory of the data and shall identify all data, which are not required anymore in the context of the specified purpose;
- Requests for data correction shall be processed within a period of one month (pursuant to the Procedure for Handling of Requests and Complaints from the Data Subjects). If the Controller decides not to take the request into consideration, the data subject shall receive a response containing the grounds for the refusal.
5. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”).
Personal data shall be kept in accordance with statutory time limits for storage, expiration of validity or the operational significance of the information.
6. Personal data shall be processed in a manner that ensures their confidentiality, integrity and availability (“integrity and confidentiality”).
The Controller shall process the personal data applying an appropriate level of security (technical and organisational measures) and ensuring their confidentiality, integrity and availability, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Personal data shall be processed in a manner ensuring a suitable level of security (Article 24 and Article 32 of GDPR). The security of personal data shall be guaranteed by technical and organisational measures that include as a minimum:
- Individual password protection of the electronic technical devices;
- Automatic locking of idle work stations in the network (at the work place);
- Anti-virus software and firewalls;
- Limiting the rights to access rooms where documents are stored;
- Inclusion of data protection in the job description of employees;
- Determining of disciplinary measures for data processing violations;
- A regular procedure for inspection of the staff with respect to adherence to the respective security practices and applicable internal procedures and data protection rules;
- Control of the physical access to electronic and paper records;
- Storage of documents containing personal data in lockable wall cabinets;
- Adoption of clear rules for creation and use of passwords;
- Professional confidentiality shall apply as a rule to the processing of personal data.
When assessing the suitable measures, the identified risks for the personal data shall be taken into consideration, as well as the potential harm to the persons whose data is processed.
III. CATEGORIES OF PERSONAL DATA PROCESSED AT COMPANIES FROM THE GROUP
1. Standard personal data:
Identification data; official identity; family identity; qualification; data concerning contacts with business partners and clients; information concerning consumer profiles; contractual and financial information; information on accruals, deductions, professional experience, work experience, attendance, official business correspondence, information generated when using official electronic devices, video recordings from security cameras; information concerning location of office automobiles.
2. Special personal data:
Data concerning the health status of employees shall be processed if there are legal grounds in order to monitor the health status of workers and to ensure safe labour conditions, process a medical note for the purposes of labour and insurance legislation, work capacity assessment. This category of personal data shall be processed also in view of safeguarding the legitimate interest of the companies.
The following types of special personal data shall not be processed by the Controllers: personal data disclosing racial or ethnic origin; political views, religious and philosophical beliefs; genetic and biometric data; data related to sexual life and sexual orientation.
IV. CATEGORIES OF DATA SUBJECTS
This Policy shall apply to the activities related to processing of all personal data, including processing related to personal data provided by the data subject, on his own initiative, for the purpose of performance by the Controller of an activity requested by the data subject or in relation to the exercise of his rights. Personal data of the following persons shall be processed:
- Workers and employees within the meaning of the Labour Code – natural persons who are in labour relations with Companies from the Group;
- Candidates for work or natural persons who have entered into civil contracts with Companies from the Group, in their capacity as external contractors;
- Visitors who are in commercial relations with Companies from the Group or have been admitted to the territory of the plant;
- Employees of trade partners, with whom communication is ensured concerning trade relations with Companies from the Group or who have been admitted to the territory of the plant;
- Subjects who have not provided their data personally but the same are processed by the Controllers pursuant to contracts entered into with trade partners (the data was obtained through the trade partners);
- Employees of external companies operating on the territory of the plant;
- Suppliers, parties to trade relations;
- Truck drivers;
- Natural persons participating in initiatives and events organised by the Companies from the Group;
- Recipients of donations;
- Other subjects whose data have been provided to the Controllers from other sources not specified above.
V. PURPOSES OF PROCESSING OF THE PERSONAL DATA
The personal data are processed with a view to fulfilment of the basic and auxiliary activities of the Controllers, related to: performance of contracts; labour relations with employees; personnel selection; performing the basic production processes; sale and distribution of products and goods; supply of raw materials, materials, goods, services and equipment; ensuring safe working conditions and monitoring the health status; administrative, legal, accountancy and tax services; maintenance and exploitation of machines and installations; control over environmental protection; control over the quality of the products and ensuring another type of services related to the commercial activities of Companies from the Group; to ensure safeguarding of the rights of Companies from the Group against possible claims.
VI. GROUNDS FOR PERSONAL DATA PROCESSING
Processing of personal data by the Companies from the Group shall be carried out on the basis of:
- Compliance with legal obligations of the Controllers under the accountancy, tax, health insurance, social insurance or other legislation, including for submission of information before the competent state bodies;
- Performance of labour, civil and commercial contracts;
- Legitimate interest – exercising and protection of legitimate rights and interests of the Controllers;
- Consent of the data subject.
The Controllers shall process the personal data independently, under an agreement with a Processor under the supervision of the Controllers and/or pursuant to an agreement on joint controllers. In certain cases, the Companies from the Group shall process personal data also in the capacity of Processors.
VII. RIGHTS OF DATA SUBJECTS
The Controllers shall provide information under Articles 13, 14 and any communication under Articles 15 – 22 and Article 34 of the GDPR, related to the processing, to the data subject in a short, transparent, intelligible and accessible form, using clear and plain language. The information shall be provided in writing or by other means.
The Controllers shall provide assistance in the exercise of the rights of the data subject with respect to the processing of his personal data.
1. Right to Access
The data subject shall be entitled to receive information concerning the personal data related to him which are processed by the Controllers and concerning the purposes for which they are processed, including access to the data and information on who the recipients of these data are and the third parties to whom the data are transferred; where possible, the envisaged period for storage of the personal data or, if this is not possible, the criteria used to determine this period; the existence of the right to request from the Controllers rectification or erasure of personal data or restriction of processing, or to object to such processing, unless the processing is pursuant to a statutory or contractual obligation; the right to lodge a complaint with a supervisory authority; the source of the personal data in cases where they have not been collected from the data subject; and the existence of automated decision-making, including profiling, as well as the significance and the envisaged consequences of such processing for the data subject.
The data subject shall be entitled to request a copy of its personal data from the Controller, in cases where this is economically justified.
2. Right to Rectification
The data subject shall be entitled to request rectification of personal data from the Controller in cases where they are inaccurate or when they are not up to date.
3. Right to Erasure
The data subject shall be entitled to request from the Controllers erasure of personal data (the right to be forgotten). The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- The personal data are no longer necessary in relation to the purposes for which they have been collected or processed;
- The data subject withdraws his consent, which was the basis for the processing of his data and there is no other legal basis for their processing;
- The data subject objects against their processing (pursuant to Article 21 (1) of GDPR) and there is no legal basis for the processing and there are no overriding legitimate grounds, or the data subject objects against the processing (pursuant to Article 21 (2) of GDPR);
- The personal data have been unlawfully processed.
4. Right to Restriction of Processing
The data subject shall be entitled to request from the Controllers to restrict the processing of personal data, in which case the data shall only be stored but not otherwise processed. The data subject may exercise its right to restrict the processing in the following cases: where the Controller no longer needs the data for the purposes for which they were processed, but the subject requires them for the establishment, exercise or defence of legal claims; where the processing is unlawful but the subject does not wish its personal data to be erased completely and instead requires a restriction of their use; and where the data subject has objected to the processing pursuant to Article 21 (1) of the GDPR.
5. Right to Object
The subject shall have the right to object to the processing of its personal data. Where personal data are processed for the purposes of direct marketing, the data subject shall have the right to object to such processing at any time.
6. Right to Lodge a Complaint with a Supervisory Authority
The data subject shall have the right to lodge a complaint with a supervisory authority if it considers that any of the provisions of the GDPR has been violated.
7. Right to Data Portability
The data subject may request to receive the personal data concerning the data subject in a structured, commonly used and machine-readable format.
8. Right to Withdraw Consent
The data subject shall have the right to withdraw its consent to the processing of the personal data at any time with a separate request to the Controllers.
9. Right to Protection Against Automated Decision-making
The data subject shall have the right not to be subject to automated decision-making, which affects it to a significant extent, without the possibility for human intervention; to object against automated profiling that occurs without its consent.
Controllers shall ensure conditions guaranteeing the exercise of these rights by the data subjects, as follows:
- The data subjects may make requests for access to data pursuant to the Procedure for Management of Requests and Complaints of Data Subjects;
- The data subjects shall have the right to lodge complaints with the Controllers in relation to the processing of their personal data. Processing of the request of the data subject and the lodging of complaints by the data subject, shall be carried out pursuant to the Procedure for Management of Requests and Complaints of Data Subjects.
Complaints may be lodged with the supervisory authority; for Bulgaria the competent body is the Commission for Personal Data Protection, address: 1592 Sofia city, 2, Professor Tsvetan Lazarov Blvd. (www.cpdp.bg).
VIII. CONSENT FOR PERSONAL DATA PROCESSING
Consent of the data subject shall always be required when there is no alternative legal basis for the processing. The consent must be a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him. The data subject shall have the right to withdraw his or her consent at any time.
Consent for processing of personal or special categories of data shall be provided on the basis of the relevant consent document provided by the data subject to the Controllers for each specific processing purpose. Where the subject is party to a contract, consent shall not be required because its data is collected on another legal basis.
IX. SECURITY OF PERSONAL DATA
The Controllers shall introduce adequate physical, technical and administrative security measures, intended to protect the personal data from loss, misuse, alteration, destruction or damage. The employees of the Controllers, who pursuant to their job descriptions must process specific personal data on behalf of the Controllers, must ensure security while they are processing and storing the data, including to guarantee that they shall not disclose the data to third parties, except to third parties authorised by virtue of the law or a contract.
The personal data or parts of them shall be accessible only to persons who have the obligation to process/store them. All personal data shall be kept in rooms with controlled access and/or in a locked cabinet and/or in a password-protected information system. Records on a paper carrier shall not be accessed by unauthorised persons and shall not be removed from the designated office rooms without explicit permission and until completion of the specified task.
All employees/workers shall be required to observe the internal labour order, the technological order in the processing of personal data, as well as the rules for safe use of the work stations, the central databases and the personal accounts for access to the information.
In case of a breach of the security of personal data, the Controller shall apply the Procedure for Informing in Case of a Personal Data Security Breach. The procedure shall cover the requirements of Article 33 of the Regulation for notifying the supervisory authority of a personal data security breach and of Article 34 of the Regulation for informing the data subject of a personal data security breach.
X. DATA DISCLOSURE AND TRANSFER
For the attainment of the goals described herein, the personal data may be shared among the organizational units of the Companies from the Group, in strict compliance with the requirements of the Regulation.
All requests from third parties working with or for Companies from the Group, including external organisations (recipients) processing personal data with respect to the executed work processes: suppliers of goods and services, distributors, partners, clients, state institutions, agencies, inspections, supervisory bodies, banks, insurers, brokers, notaries, port administration, the National Social Security Institute, Labour Expert Medical Commission etc., as well as third parties having or which could have access to the personal data collected and processed by the Controllers, should be supported with appropriate grounds and/or documentation.
The personal data shall be provided to the competent public bodies upon or in relation to the exercise of their powers and discharge of the obligations of the Controllers with respect to them.
Personal data shall not be disclosed to unauthorised third parties, including family members, any other persons and state bodies, where there are well-founded doubts that the data are being requested in accordance with the established procedure, taking into consideration whether the data disclosure is related to the needs of the activities performed by the Companies.
Controllers shall conclude an agreement for data confidentiality with any third party, to which they provide access to the personal data processed by them.
XI. PERSONAL DATA CONTROLLER AND PROCESSOR
The relations between Controller and Processor are regulated by a contract in writing, once the Processor proves the necessary guarantee for application of suitable technical and organisational measures for compliance with the requirements of the PDPA and the GDPR ensuring an adequate level of protection of the rights of the data subjects, as follows:
- The Processor shall guarantee that any person having access to personal data has committed to confidentiality or has a statutory obligation to observe confidentiality;
- The Processor shall process the personal data on behalf of the Controller solely in line with the documented orders of the Controller;
- The Processor shall immediately notify the Controller, if according to the Processor a given order of the Controller violates the Regulation or other applicable personal data protection rules;
- The Processor shall immediately notify the Controller in case of any investigation activities undertaken by a supervisory authority with respect to personal data protection concerning the activities of the Processor related to personal data processing;
- The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller; shall respond to all Controller queries concerning the personal data processing;
- The Processor shall support the Controller, carry out the specific orders of the Controller and provide the necessary information, in the performance of the Controller’s obligation to respond to requests for exercising the rights of the data subjects;
- The Processor may not transfer personal data, made available by the Controller, to a third country or an international organisation, unless required to do so by EU acquis or by a Member State law, to which the Processor is subject; in such a case, the Processor shall notify the Controller of that legal requirement before processing, unless the said legislation prohibits such notification on important grounds of public interest;
- The Processor shall support the Controller to carry out the obligation to notify the data subjects concerning breaches of the security of personal data under Article 34 of the Regulation, by carrying out the specific orders of the Controller and providing the necessary information;
- The Processor shall not have the right to include another Processor for performance of activities related to personal data processing on behalf of the Controller without the prior written consent of the Controller. In cases where the Processor includes another Processor after the prior written consent of the Controller, the Processor shall bear full responsibility before the Controller with respect to the performance of the data protection obligations by the other Processor;
- The Processor shall provide written confirmation to the Controller that the personal data have been returned, erased and/or stored. If the Processor stores personal data after the termination of the effect of the contract or of specific activities related to personal data processing, the Processor shall inform the Controller concerning the legal basis for storing and shall agree and guarantee that he shall store them in line with the Regulation and other applicable personal data protection rules.
XII. RECORDS OF PERSONAL DATA PROCESSING ACTIVITIES
In the Companies from the Group a process of inventorying of the data has been established as part of the adopted approach for dealing with the risks related to processing of specific types of personal data and observing the Policy in compliance with the Regulation. The following are ascertained and described in the inventorying process:
- The business processes, in which personal data are used;
- The personal data sources;
- The data subjects category;
- The categories of personal data and the elements in each category;
- Activities related to personal data processing;
- The purposes of the processing, for which the personal data are intended;
- Legal basis for the processing;
- The recipients or categories of recipients of the personal data;
- The main systems and places of storage;
- Personal data subject to transfer outside of the EU;
- Periods for storage and erasure.
XIII. IMPACT ASSESSMENT
The risk level related to the processing of personal data is assessed and managed. Where a type of processing, in particular one using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
XIV. DATA STORAGE AND DESTRUCTION
Personal data shall be preserved only for the time needed to fulfil the purpose, for which they were collected by the Controllers or provided by the data subject, including in view of the framework of the applicable statutory period.
The storage period for any category of personal data, as well as the criteria used to determine this period, are in line with the statutory obligations requiring Companies from the Group to store the data. Personal data shall be processed in accordance with the principle of ensuring appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
XV. COOPERATION WITH THE SUPERVISORY AUTHORITY AND COMMUNICATION WITH THE DATA SUBJECTS
The Controllers cooperate with the supervisory authority – the Commission for Personal Data Protection.
The data subject may address all requests and queries related to exercising personal data protection rights, and receive clarification concerning the grounds and the manner of exercising them and any additional information concerning his rights related to personal data processing in line with this Policy, to Agropolychim AD, Industrial Zone, 9160 Devnya, to the attention of the Personal Data Protection Officer, tel: + 359 519 97 674 or via e-mail to firstname.lastname@example.org.
XVI. DEFINITIONS
“Personal data” – any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, intellectual, economic, cultural or social identity of that natural person, as well as any other information defined as personal data by the applicable legislation;
“Special (sensitive) categories of personal data” – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or a natural person’s sex life or sexual orientation, as well as any other data determined as such by the national legislation of the Member State of the European Union (EU, the Union).
“Processing” – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Controller” – means any natural or legal person, public authority, agency or other authority which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
“Processor” – The processor and any person acting under the authority of the Controllers or of the processor, who has access to personal data, shall not process those data except on instructions from the Controllers, unless required to do so by Union or Member State law.
“Data subject” – any living natural person, whose personal data are subject to processing by the Controllers.
“Consent of the data subject” – any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
“Profiling” – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, his economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
“Personal data breach” – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
“Recipient” – a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
“Third party” – a natural or legal person, public authority, agency or authority other than the data subject, the Controllers, the processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
All other terms that are not defined above but are used in this Personal Data Protection Policy shall have the meaning set forth in Regulation (EU) 2016/679.
XVII. ENTRY INTO FORCE
This Policy has been drawn up on the basis of Article 24 of Regulation (EU) 2016/679 and has been approved by an order of the executive directors/managers of the Controllers.
Any updates of the current Policy shall be published on the website of Agropolychim AD – https://aropolychim.bg