Sofia Development Association is a resource centre for research, analyses, innovations and experiment, which creates conditions and encourages the constant dialogue between civil society, business, Sofia Municipality and academic institutions. The Association was established by Sofia Municipal Council Resolution № 348 as of 08.07.2010. It is an independent organization, registered by the Sofia City Court on 16.08.2010, company case 495/2010, in public benefit under the Not-for-Profit Legal Entities Act.
Within the meaning of Art. 4 (7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation; Regulation; GDPR) SDA is a controller of personal data. As such, it collects and processes information about natural persons that can be classified as personal data.
This information may relate to employees, managers, founders, members, customers, suppliers, contractors, partners with their representatives, business contacts, visitors of SDA's website and website managed by SDA and other natural persons with whom the Data controller has a relationship or wants to establish contact.
This data protection policy regulates the ways of collecting, processing and storing personal data in order to meet the standards of the Data controller and to comply with legal requirements.
I. LEGAL BASIS:
This Personal Data Protection Policy (PDPP) is issued on the basis of and in accordance with the mandatory requirements of the Personal Data Protection Act and the General Data Protection Regulation EU 2016/679 (GDPR).
The Bulgarian legislation and the GDPR provide rules on how organizations should collect, process and store personal data (PD). These rules are applied by the Data controller, regardless of whether the data are processed electronically or on paper.
In order for the processing of PD to be in accordance with the legal requirements, PD are collected and used reasonably, stored safely and for a limited time, in accordance with the purpose of collection and processing, and SDA takes the necessary measures to prevent the processed PD from being illegally disclosure.
II. PRINCIPLES FOR PROCESSING PERSONAL DATA:
The Data controller of PD follows the principles set out in the GDPR, namely:
1. Legality - processing of personal data in full compliance with the law and for purposes that do not contradict existing legal norms;
2. Integrity - processing of personal data, in so far as it is necessary only to ensure higher quality of services and activities provided by SDA and ensure effective partnership;
3. Transparency - personal data is not processed in ways about which data subjects have not been informed by these rules and / or explicitly in other communication, and more information can be obtained from those wishing in normal working hours of SDA from the specified contact persons within a reasonable time;
4. Purpose-limitation - processing of personal data only for the reasons set out below.
5. Data minimization - processing only of this personal data, without which the purposes of their processing cannot be achieved
6. Accuracy - maintaining and updating the personal data processed by SDA, as provided, corresponding to the objective reality
7. Restriction of storage - storage of personal data only in so far as and as long as the purposes of their processing are met.
8. Integrity and confidentiality - processing of personal data in the manner of and in accordance with the conditions, under which, they were obtained, subject to strict confidentiality. No personal data shall be provided to other persons and the same shall not be made public, except in the cases explicitly provided by law or with the explicit consent of the data subject.
9. Accountability/ Reporting - evidence is created and maintained, also in electronic format for all actions related to the processing of PD.
10. Security - Personal data shall be processed with appropriate technical and organizational measures to ensure their security, including against unwanted or unlawful processing, loss, destruction or damage;
To comply with these principles, the SDA Management applies good management practices and strictly monitors the criteria and control:
a) full compliance with the conditions for the collection and use of the information;
b) specifying the purposes for which the information is used;
c) collecting and processing relevant information and only in so far as it is necessary to achieve the objectives and in compliance with legal requirements;
d) implementation of strict checks to determine the duration of the information stored;
e) guaranteeing the rights of the data subjects;
f) taking appropriate technical and organizational security measures for the protection of personal information.
III. POLICY OBJECTIVES
The main objective of this policy is to inform the interested parties about the principles, rules and measures that SDA has taken in the performance of its duties as a Data Controller.
Through it, the management ensures that the activities of the Association are aimed at complying with the requirements of the Regulation and the Personal Data Protection Act. Management's data protection policy integrates existing and updated SDA policies, procedures and processes in order to ensure a comprehensive corporate approach to data protection.
In particular, this policy aims to create and maintain an environment in which SDA to:
- comply with applicable legislation regarding personal data and establish good practices;
- introduce mechanisms for administration of the processes for processing PD, as well as their protection;
- determine the obligations of the employees and the persons processing PD on its behalf, incl. and external accounting, and their liability for non-compliance with these obligations;
- ensure transparency of the processes for processing PD and allow direct contact with the Data controller, for the right of access to the collected personal information and all associated rights of the subjects, according to GDPR;
- establish the necessary technical and organizational measures for protection of PD from illegal processing;
- introduce a procedure for action in case of detection of a PD breach;
- protect the rights of staff, customers, partners and other entities carriers of PD;
- minimizes the risk of violations in the PD security.
This policy applies to the processing of personal data of employees, persons, employed under civil contracts, seconded persons, managers, founders, members, self-insured persons, suppliers, customers and partners, as described in the relevant registers, according to Art. 30 of the GDPR (Registers of Processing Activities), other business contacts, as well as to SDA's website visitors.
Categories of personal data that SDA may process:
A / Identification personal data:
- Names, date and place of birth, PIN or other personal identification number, data from an identity document;
- Address, telephone numbers; Email;
- Age, gender, photos (which do not represent biometric data - are not processed by special technical means, allowing unique identification or authentication of a certain natural person);
- Marital status, children;
- Financial information (bank data, statements, etc.);
- Online identifier - IP identifier (taken automatically), MAC address, cookies, etc.);
- Website from which the visitor came to the SDA website and project-based websites powered by SDA;;
- Date and duration of access to the SDA website and project-based websites powered by SDA;
- Amount of data transferred to the SDA site by the subject and project-based websites powered by SDA;
- Browser and information system used by the subject visiting the site of the Data controller;
- Education, training and qualification;
- Information on employment, including data from his employment record;
- Memberships in trade or other associations, societies, etc.;
- Membership in professional organizations.
B/ Sensitive personal data
- Health and mental condition - data concerning the health status of employees (according to medical certificates and assessments by the Occupational Health Service, decisions of the medical disability commission, etc.), as well as citizens who have voluntarily signed a declaration/contract for informed consent when participating in test/pilot project;
- Data related to criminal records.
C / Personal data, incl. sensitive ones, which are processed by SDA exceptionally, in the cases when the implementation of a project financed by a European program requires the following:
- Electronic data for localization (GSM location, GPS, etc.);
- Racial and ethnic information
- Political opinions;
- Religious or similar beliefs;
- Sex life;
- Biometric and genetic data.
V. PERSONAL DATA SUBJECTS
SDA collects personal data in relation to the following categories of persons - data subjects:
- subjects representing the Data controller - managers and directors, as well as its members in the cases provided by law;
- subjects representing companies, organizations with which the Data controller has contractual or other business and partnership relations;
- subjects designated for contact by companies, organizations and partnerships with which the Data controller has contractual or other business and partnership relations;
- employees of the Data controller;
- children of employees of the Data controller;
- job applicants;
- participants in hackathons, datathones and various types of events of a competitive nature, organized by the Association;
- participants in public meetings, seminars, conferences, etc.
- expressed interest in receiving information services - newsletter, etc.;
VI. PURPOSES OF DATA PROCESSING
SDA processes PD with regard to the fulfillment of one or more of the following purposes:
1. For implementation of activities - subject of contracts, implementation of projects and partnership relationships (clients, suppliers of goods and services, partners, implementation contractors, according to the Law of Obligations and Contracts):
- for preparation of documents, administering the relations between the administrator and the companies, and the organizations - parties to contractual and partnership relations or at group level;
- to establish contact with the person or persons designated by the parties to contractual and partnership relations or at group level;
- for delivery and / or acceptance of goods / services under contractual and partnership relationships;
- for keeping accounting records in relation to the implementation of contractual relations of which the Data controller is a party;
- for processing payments, in relation to the performance of contractual relations of which the Data controller is a party;
- to send important information to subjects in relation to changes in any of the Data controller's policies;
- to ensure the proper functioning of SDA website and project-based websites powered by SDA, and analyze how visitors
2. For fulfillment of the legal requirements of the Data controller when hiring staff and the relations with them:
- when selecting job applicants;
- when hiring new employees;
- when registering employment and other contracts and additional agreements with natural persons;
- when implementing the Health and Safety at Work Act and all related normative documents for health working conditions;
- in case of secondment of employees and executors of civil contracts;
- when making a payment of remuneration to employees and persons employed under civil contracts;
- when making a payment of the due obligations to the state budget;
- when processing sick leaves and medical certificates of employees;
- when issuing official notes, certificates, retirement certificate, recommendations, references and other documents of employees and persons employed under civil contracts;
- when paying dividends;
- in case of periodic assessments of the performance of the employees, set by the management of the Data controller;
3. For marketing purposes - after obtaining the explicit consent of the data subjects.
Disclosure of personal data to third parties might be carried out in compliance with this Policy and provision of guarantees by these third parties for compliance with the minimum standards of protection set out in it. Such parties might be:
1. state bodies, institutions and persons to whom SDA is obliged to provide personal data by law;
2. persons who, by assignment, maintain equipment, software and hardware used for personal data processing, SDA employees, lawyers, accountants or other persons, who by assignment or by law have access to personal data processed by SDA. All of these persons have confidentiality agreements with SDA and have adopted internal security rules for the processing of personal data;
3. partners who work on assignment of SDA on the basis of contractual relations and perform services producing activities of SDA and with whom SDA has agreements for preservation of the confidentiality of the information and protection of personal data.
4. service providers in the processing of personal data for certain purposes, such as measuring and tracking user behavior on SDA sites, sending e-mails, sharing content by users, logging in with a social network profile, etc.
VII. GROUNDS FOR THE PROCESSING OF PERSONAL DATA
According to the provisions of the GDPR, the grounds for collection and processing of PD by the Data controller are:
In compliance with the principles set out in Section II, SDA processes personal data received from the data subject on at least one of the following grounds:
7.1. An explicit, prior consent obtained from the data subject for their processing, for purposes for which the subject has been informed in advance or which they have defined themselves. For example, when SDA wishes to keep its partners informed of news, products and campaigns, consent is required to obtain a personal email address to which this information can be sent. In other cases, such as when a letter was sent to the correspondence address or email address of SDA in which the subject himself provided personal data because he considered it necessary, consent to the processing of personal data is considered to have been obtained. (Legal basis: Article 6, paragraph 1, letter "a" of the GDPR).
In any case of consent obtained from the subject for the processing of his personal data on this basis, he may withdraw this consent completely free of charge and at any time using the contact form or send a letter or message from which it is unequivocally clear, that he has withdrawn his consent. A withdrawal form can be downloaded here.
7.2. personal data are necessary for concluding a contract and for ensuring its fulfillment. For example, in order to conclude a works contract, will be required at least the three names, PIN or other identifier, if applicable, ID card address, contact information (Legal basis: Article 6, paragraph 1, letter “b“ of the GDPR);
7.3. the legislation obliges SDA to collect certain personal data in fulfilment of regulatory obligations. For example, if for SDA employees, in the performance of their duties as an employer, additional information should be processed to ensure appropriate conditions according to the requirements of occupational medicine (Legal basis: Article 6, paragraph 1, letter "c" of the GDPR);
7.4. we need personal data to protect the vital interests of the data subject or another natural person. For example, in the case of a wanted person or the protection of the rights of third parties in connection with comments made by the subject in the framework of some of the materials published by SDA, open for comment (Legal basis: Article 6, paragraph 1, letter "d" of the GDPR);
7.5. the processing of personal data is necessary for the performance of a task of public interest or in the exercise of formal powers conferred on us by a public authority (Legal basis: Article 6, paragraph 1, letter "e" of the GDPR);
7.6. the processing of personal data aims to protect the legitimate interest of SDA or other persons, insofar as these interests do not take precedence over the fundamental rights and freedoms of the data subject. An example of such processing is claims against SDA by third parties in connection with comments under SDA publications on the website or protection of SDA rights before state and judicial authorities in connection with contractual or non-contractual conduct that has led to infringement of rights and interests of the Data controller (Legal basis: Article 6, paragraph 1, letter “e” of the GDPR).
The persons are acquainted/notified in advance or at the time their data are obtained about the provisions of this Policy, as well as the basis on which their data are collected and processed.
VIII. RIGHTS OF INDIVIDUALS WHOSE PERSONAL DATA ARE PROCESSED BY THE DATA CONTROLLER.
8.1. At any time, the data subject may request information and assistance concerning his or her personal data processed by SDA through the above contact information and state a preferred way of obtaining it. SDA will respond no later than one month after receipt of the respective request in the requested manner, as far as possible. Depending on the specific type of request, additional information may be needed to verify the identity of the applicant, of which he will be notified in a timely manner.
8.2. At any time, the data subject has the right to ask SDA to confirm whether the Data controller processes his personal data and, if so, to provide it to him or her along with information about:
a) processing purposes;
b) the relevant categories of personal data;
c) recipients or categories of recipients to whom personal data are or will be disclosed, in particular recipients in third countries or international organizations;
d) where possible, the intended period for which the personal data will be stored and, if this is not possible, the criteria used to determine this period;
e) the existence of the right to request the rectification or erasure of personal data or the restriction of their processing, or to object to such processing;
f) the right to appeal to a supervisory body, which for Bulgaria is the Commission for Personal Data Protection, the contact details are given in section X;
g) any available information about their source, when personal data are not provided by the data subject himself;
h) whether there is automated decision-making, including profiling, together with essential information about the logic used, as well as the significance and intended consequences for the data subject of this processing.
8.3. At any time, the data subject may request the Data controller to correct his personal data without undue delay, which are inaccurate and/or incomplete.
8.4. SDA guarantees the right of the data subject to request the deletion of his personal data without undue delay, insofar as:
a) personal data are no longer needed for the purposes for which they were collected or otherwise processed;
b) the data subject has withdrawn his consent on which the data processing is based and there is no other legal basis for the processing;
c) the data subject objects to the processing at any time and on grounds related to his specific situation insofar as it is necessary for the performance of a public interest task or in the exercise of official authority which are provided to SDA or the processing is necessary for legitimate interests of the Data controller or of a third party, except where such interests take precedence over the interests of the data subject or fundamental rights and freedoms which require the protection of personal data, especially when it comes to a child.
A necessary condition for granting the request in this case is that there are no legal grounds for the processing of the data, which take precendence, or that there is an objection to the processing of the data for the purposes of direct marketing.
d) personal data have been processed illegally;
e) personal data must be deleted in order to comply with a legal obligation under European Union law or the law of a Member State applicable to SDA;
f) personal data have been collected in relation to the offering of information society services to persons under 16 years of age.
8.5. The data subject has the right to ask the Data controller to restrict the processing of his personal data insofar as:
a) the accuracy of personal data is disputed, for a reasonable period of time, which allows to verify the accuracy of the personal data;
b) processing is unlawful, but the subject does not want his personal data to be deleted, but instead wants to restrict their use;
c) SDA no longer needs personal data for processing purposes, but they are necessary for the subject to establish, exercise or defend legal claims;
d) the data subject has objected to the processing pursuant to Article 5.4., letter c) pending verification that the legitimate interests of SDA take precedence over those of the data subject.
8.6. SDA has a legal obligation to notify the data subject in any case of correction, deletion or restriction of the processing of his personal data.
8.7. The data subject has the right to receive his personal data in a structured, widely used and machine-readable format and to request that this data be transferred to another controller insofar as this does not prevent the Data controller, provided that the Data controller has obtained the personal data on the basis of a given by the data subject consent to the processing or performance of contractual obligations and SDA processes this data in an automated manner.
8.8. The data subject may at any time and on grounds related to his specific situation object to the processing of his personal data, insofar as the processing is necessary for the performance of a task of public interest or in the exercise of official authority (powers) conferred on SDA or processing necessary for the purposes of the legitimate interests of SDA or of a third party, except where such interests take precedence over the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, especially when they concern children, including profiling. In this case, SDA will terminate the processing of personal data, unless there are compelling legal grounds for the processing that take precedence over the data subject's interests, rights and freedoms, or are related to the establishment, exercise or protection of legal claims.
8.9. The data subject has the right at any time to object to the processing of his personal data for the purposes of direct marketing, the processing being terminated from the moment of receipt of his objection.
It should be borne in mind that the exercise of the rights under this section is not absolute and may be refused if, under the conditions laid down by law, their exercise would create a risk of:
1. national security;
3. public order and security;
4. the prevention, investigation, detection or prosecution of criminal offenses or the enforcement of imposed penalties, including the protection and prevention of threats to public policy or security;
5. other important objectives of wide public interest, and in particular an important economic or financial interest, including monetary, budgetary and fiscal matters, public health and social security;
6. protection of the independence of the judiciary and judicial proceedings;
7. the prevention, investigation, detection or prosecution of criminal offenses or the enforcement of penalties, including the protection and prevention of threats to public policy or public security;
8. the protection of the data subject or the rights and freedoms of others;
9. enforcement of civil claims.
In order to exercise the rights under this section, a written application should be sent in a form that you can download here.
IX. TECHNICAL AND ORGANIZATIONAL MEASURES FOR DATA PROTECTION
The processing of all types of data, regardless of their category, is carried out with the highest possible degree of protection, taking into account the rights, freedoms and legal interests of individuals.
The data are stored on paper and electronic media, which, if necessary for the performance of assigned work to the Data controller and/or in implementation of a legal provision, may be handed over to third parties, both by hard copy and/or electronically, subject to the conditions for this type of processing, including compliance with the applicable technical security measures.
The protection of data on paper copy, as well as on electronic media from unauthorized access, damage, loss or destruction is ensured by a series of internally regulated technical and organizational measures.
- physical: restrictions on the physical access of unauthorized persons to places where personal data are processed and stored;
- personal: obligation not to distribute personal data, duly written in the job descriptions of the staff processing personal data on behalf of the Data controller;
- organisational: determination of processing conditions; access levels; procedures and internal rules; deadlines and responsibilities;
- technical: entering access codes; installation of antivirus programs; regularly and periodically create a backup and copy the information to the Data controller’s server.
In order to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to transferred, stored or otherwise processed personal data, SDA has taken measures such as encryption, pseudonymization, established procedures for regular testing, estimation and evaluation of the effectiveness of technical and organizational measures. SDA applies mechanisms for timely restoration of the availability and access to personal data in case of a physical or technical accident, etc.
X. TRANSFER OF PERSONAL DATA
SDA does not transfer personal data to countries outside the European Union.
If this is necessary, SDA will ensure the security of personal data by:
- complying with and applying the EU General Data Protection Regulation 2016/679 (GDPR);
- following and implementing EC decisions on the adequate level of data protection;
- following and implementing EC decisions on standard contractual clauses for the transfer of personal data to third countries;
- ensuring that the third country receiving the personal data maintains an adequate level of protection of the personal data;
- complying with the established mandatory company rules.
XI. VIOLATIONS. NOTIFICATION OF VIOLATIONS
A data security breach occurs when the personal data for which SDA is responsible is affected by a security incident that results in a breach of the confidentiality, availability or integrity of the personal data. In this sense, a data breach occurs when there is a security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of data that is transmitted, stored or otherwise processed.
In case of violation of the security of personal data, the employees Denitsa Lozanova and Rumyana Grozeva should be notified immediately, in their capacity of processing personal data on behalf of the Data controller
After the relevant SDA employee receives information about a violation, he must determine whether the specific event constitutes a violation of personal data and notify the managers of the Data controller of the event.
In the event of a breach of personal data security, where there is a likelihood of a risk to the rights and freedoms of individuals, SDA (through the relevant employee), without undue delay, and where this is feasible - no later than 72 hours after has learned about it, notifies the Commission for Personal Data Protection of the violation.
Where and to the extent that it is not possible to submit the information at the same time, the information may be submitted in stages without further undue delay.
Where the breach of personal data security is likely to pose a high risk to the rights and freedoms of individuals, SDA shall, without undue delay, notify the subject of the breach.
SDA shall document any breach of personal data security, including the facts related to the breach, its consequences and the actions taken to address it.
XII. STORAGE, PROCESSING TERM AND DESTRUCTION OF PERSONAL DATA
SDA stores personal data for the reasons specified in Section III for the maximum periods allowed by law, depending on the specific case and the type of data to which they relate. Insofar as a normative act does not provide for a longer or shorter period of retention, SDA shall store personal data for a period not longer than 5 years according to the general limitation period under the Obligations and Contracts Act.
In some cases, legislation requires longer retention periods, such as accounting rules. In other cases, for example when submitting documents for applying for a job in SDA, the legislation provides for a maximum period of storage and processing of the received personal data on the submitted applications of 6 months.
In cases of litigation, SDA stores personal data for up to 5 years after their completion.
After the expiration of the term for their retention, the information carriers (paper or technical), which are not subject to transfer to the National Archive Fund, may be destroyed.
Destruction of personal data is a type of processing according to the provisions of the GDPR. Data destruction is documented in accordance with SDA internal rules and regulations.
After the expiration of the data storage period, they are destroyed as soon as possible by destroying the paper media by shredding, and the technical media - by erasing and deleting the relevant files from the computers and servers of the Data controller. A protocol is being prepared for the destruction of personal data.
The subject of personal data is notified of the actions taken to destroy his data.
SDA takes action to ensure the competence and responsibility of employees who have access to personal data. Employees who process personal data sign contracts with clauses that clearly define the responsibilities of the employee in accessing and processing personal data.
Responsibility of SDA as a controller of personal data
1. Provide trained staff who are aware of their responsibilities under the Regulation and national law. SDA is responsible for familiarizing the processors of personal data with the policies and guidelines in the organization in order to ensure the activities are in line with the principles listed in this Policy.
2. Providing training, instruction and information to staff to ensure that employees understand their responsibilities.
3. Ensuring secure information systems for manual and computerized processing so that all data processing employees are aware of when, how and what appropriate security measures are taken.
4. Maintaining up-to-date information, up-to-date registers regarding the processing of personal data of citizens.
5. Ensuring guarantees that all SDA partners understand their responsibilities, are familiar with the current policy and use SDA practices as a benchmark for establishing contractual relations in the part regulating the processing of personal data within the partnership.
SDA in its capacity as Data Controller ensures that:
a) there are individuals in the organization who have specific responsibilities for data protection;
b) all requests by individuals for access to their personal data will in the first instance be referred to a responsible official, who will take reasonable steps to ensure that the request is processed within a specified time and with reasonable steps to ensure that that the data is processed in an appropriate manner;
c) every employee who manages and processes personal information is aware that he is responsible for the application of all known good data protection practices;
d) anyone who manages and processes personal information is properly trained to do so;
e) anyone who manages and processes personal information is properly controlled;
f) anyone who manages and processes personal information is aware of and refers to instructions to ensure the security of data exchange;
g) the methods for processing personal information are clearly described;
h) there will be a regular review and audit of the way personal information is managed
XIV. COMPETENT AUTHORITIES FOR THE PROTECTION OF PERSONAL DATA:
For the purposes of these internal rules:
§ 1. "Personal data" means any information relating to an identified or identifiable natural person ("data subject"). In the latter case, it means a person who can be identified, directly or indirectly, in particular by name, identification number, location data, online identifier or by one or more characteristics specific to the physical, physiological, genetic, mental, intelectual, economic, cultural or social identity of that individual.
§ 2. "Data controller" is Sofia Development Association, registered under the Law on Non-Profit Legal Entities, with UIC 175941584.
§ 3. "Processing" means any operation or set of operations carried out with personal data or a set of personal data by automatic or other means such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making the data available, arranging or combining, restricting, deleting or destroying.
§ 4. "Personal data processor" is a natural or legal person who processes personal data on behalf of the Data controller.
§ 5. "Data subject" means a natural person who is identified or who can be identified on the basis of certain information.
This Policy is brought to the notice of the persons involved in its implementation by order of the Managing Director and Data controller.