INTERNAL RULES FOR PERSONAL DATA PROTECTION
Personal data controller:
“INTER EXPO CENTER” EOOD
Sofia, 147 Tzarigradsko Shose Blvd.
Ivan Asenov Ivanov
phone: 02 9655300, fax: 02 9655231
I. Subject matter
III. Data subjects and registers
IV. Purposes and principles of personal data processing
VI. Personal data processing procedures
VII. Recording the processing of personal data
VIII. Personal data protection measures
IX. Security breaches
X. Transfer of personal data to third parties
XI. Data protection impact assessment
XII. Destruction of personal data
XIII. Transfer of personal data to another personal data controller
XIV. Personal data protection activities in the event of an emergency, accidents and disasters
XV. Persons in charge of the collection, processing and storage of personal data and access to personal data
XVI. Rights of the data subjects
XVII. Amendments to the internal rules
- Procedure for notification of personal data security breach to the commission for personal data protection
- Procedure for regular reviews regarding the need for processing personal data and their destruction
- Procedure for exercising of rights under Articles 16-22 of Regulation 2016/679
- Internal rules for carrying out an assessment and levels of impact on processed personal data and for determining the level of protection
- Registers – 8
- Rules for video surveillance
- Notification of personal data security breach to the Commission for personal data protection
- Notification of personal data security breach to the data subject concerned
- Objection under Article 21 of Regulation (EU) 2016/679
- Declaration of awareness
- Declaration under Article 6, para. 1, point ‘a’ of Regulation (EU) 2016/679
- Declaration – job applicants
- Request under Article 15 of Regulation (EU) 2016/679
- Request under Article 16 of Regulation (EU) 2016/679
- Request under Article 17 of Regulation (EU) 2016/679
- Request under Article 18 of Regulation (EU) 2016/679
- Order for appointing a processor
- Order for appointing a data protection officer in concurrent posts
I. SUBJECT MATTER
Article 1. (1) These rules (“the Rules”) lay down the way in which INTER EXPO CENTER EOOD, UIC 121122275, collects, records, organizes, structures, stores, adapts or alters, retrieves, consults, uses, discloses by transmission, dissemination or otherwise making the data accessible, arranges or combines, restricts, erases, destroys or otherwise processes personal data for the purposes of its operations.
(2) Depending on the specific situation, INTER EXPO CENTER EOOD may process data in its capacity of controller or processor.
(3) The Rules have been drawn up in compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(4) The Rules update the existing procedures on collection, organization, storage, processing and dissemination of personal data, previously declared to CPDP when INTER EXPO CENTER EOOD was registered as an administrator under ID No. 197567.
Article 2. These Rules regulate:
(1) The principles, procedures and mechanisms for personal data processing;
(2) The procedures for notifying the supervisory authority in the event of a security breach;
(3) The procedures for administration of requests for access to data, rectification of processed data, objections and withdrawal of consent, as well as administration of requests for exercising other rights to which the personal data subjects are entitled by law;
(4) Processors and their obligations;
(5) The rules for transfer of personal data to third parties in Bulgaria and abroad;
(6) The required technical and organizational measures for protection of personal data against unlawful processing and in the event of incidents, such as accidental or unlawful destruction, loss, unauthorized access, alteration or dissemination;
(7) The technical resources utilized in the processing of personal data.
Article 3. For the purposes of these Rules, the terms used shall have the following meaning:
• PDPA – Personal Data Protection Act.
• CPDP – Commission for personal data protection.
• GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
• Data Protection Officer – a natural person or organization, determined in accordance with the provisions of Article 37 and following of GDPR.
• Personal Data Controller – a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In these Rules, “controller” refers to INTER EXPO CENTER EOOD.
• Personal Data Processor – a natural or legal person that processes personal data on behalf of INTER EXPO CENTER EOOD.
• Data Protection Notifications – separate notifications which include information that is provided to the data subjects at the time when INTER EXPO CENTER EOOD collects information about them. These notifications can be both general (for example, addressed to workers and employees or notifications on the website) and relating to processing with a specific purpose.
• Data Processing – any activity related to the use of personal data. This includes: receiving, recording, storage or performing an operation or a set of operations on the data, such as organization, editing, restoring, use, disclosure, erasure or destruction. Processing may also include transfer of personal data to third parties.
• Pseudonymisation – the replacement of information which explicitly or implicitly identifies a natural person with one or more identifiers (“pseudonyms”) in such a manner that the person can no longer be identified without access to additional information, provided that such additional information is kept separately and is confidential.
• Consent – any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
III. DATA SUBJECTS AND REGISTERS
Article 4. (1) INTER EXPO CENTER EOOD collects and processes data required for the performance of its rights and obligations as an employer, service provider and contracting party in compliance with the provisions of the applicable law. The personal data processed by INTER EXPO CENTER EOOD are grouped in registers by processing activities, containing the rules for processing of personal data relating to:
- STAFF REGISTER – workers, employees and contractors under civil employment contracts;
- JOB APPLICANTS REGISTER;
- CONTRACTING PARTIES REGISTER – customers; service providers;
- VISITORS REGISTER
- REQUESTS FOR EXERCISING OF RIGHTS REGISTER
- ESTABLISHING BREACHES REGISTER
- VIDEO SURVEILLANCE REGISTER
- ACCESS CONTROL REGISTER
a) The periods for which personal data are stored by individual registers are as follows:
The Accountancy Act
At the discretion of PDC
The Accountancy Act
At the discretion of PDC
Requests for exercising of rights
At the discretion of PDC
At the discretion of PDC
At the discretion of PDC
At the discretion of PDC
(2) INTER EXPO CENTER EOOD defines for each register separately and exhaustively what personal data are required, the purposes of collection, the methods and grounds for processing, the periods of storage.
(3) INTER EXPO CENTER EOOD processes sensitive data only to the extent to which this is necessary in order to perform its specific rights and obligations in the field of employment and social security law.
(4) Access to the personal data stored in the registers is granted only to INTER EXPO CENTER EOOD employees who require such access for performing their employment obligations, strictly observing the “need-to-know” principle.
IV. PURPOSES AND PRINCIPLES OF PERSONAL DATA PROCESSING
Article 5. The purposes of personal data processing are:
(1) human resources management, payment of remuneration and performance of the relevant obligations of the employer for deducting and paying the employees’ health and social security contributions and taxes, as well as other rights and obligations of INTER EXPO CENTER EOOD in its capacity of employer;
(2) administration of relations with customers of INTER EXPO CENTER EOOD and service delivery;
(3) concluding and implementing contracts with suppliers for provision of services to INTER EXPO CENTER EOOD.
Article 6. Personal data shall be processed lawfully, fairly and transparently in compliance with the following principles:
(1) The data subject shall be notified in advance about the processing of his or her personal data;
(2) The personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
(3) The personal data shall correspond to the purposes they are collected for;
(4) The personal data must be accurate and updated if necessary;
(5) The personal data shall be deleted or rectified when it is established that they are inaccurate or do not correspond to the purposes for which they are processed;
(6) The personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Article 7. Processing shall be lawful only if and to the extent that at least one of the following applies:
(1) The data subject has given his or her consent, including by signing a contract with INTER EXPO CENTER EOOD;
(2) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(3) Processing is necessary for compliance with a legal obligation to which the controller is subject;
(4) Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(5) Processing is necessary for the performance of a task carried out in the public interest;
(6) Processing is necessary for the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. The purposes of processing personal data on this ground shall be described in the applicable data protection notifications.
Article 8. (1) No consent is required from the data subject if the data are necessary for compliance with a legal obligation to which the controller is subject. In all other cases where consent is the ground for processing, the data subject shall give this consent explicitly and unambiguously – by a statement or another affirmative action. If the data subject's consent is given in the context of a document which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters.
(2) Data subjects should be able to easily withdraw their consent for processing at any time, and this withdrawal should be promptly respected. Provided that there are no other grounds for lawfulness of the processing, the latter shall be ceased at withdrawal of consent.
(3) The declarations of consent shall be stored by INTER EXPO CENTER EOOD for as long as data processing activities on the grounds thereof are being carried out, with a view to observing the accountability principle.
VI. PERSONAL DATA PROCESSING PROCEDURES
Processing procedures for personal data related to persons employed under a labor or civil employment contract at INTER EXPO CENTER EOOD, as well as to job applicants
Article 9. (1) The personal data related to persons employed under a labor or civil employment contract at INTER EXPO CENTER EOOD, as well as to job applicants, are also collected in the context of recruitment. The data of every worker or employee at INTER EXPO CENTER EOOD shall be stored in personal dossiers, and some data may be stored or processed on a technical carrier. The data from competition procedures and job interviews held shall be stored on a technical and/or paper carrier, as necessary.
(2) Personal dossiers shall be arranged in wooden cabinets with a lock, located in the office of the Data Protection Officer. Job applicants’ data stored on a paper carrier shall be stored in designated cabinets in the office of the Data Protection Officer. Access to the office shall be granted only to persons authorized to process the personal data, and access to the room shall be controlled via a key and magnetic chip card.
(3) The persons authorized to process personal data shall undertake all organizational and technical measures for storing and protecting the personal dossiers and information folders, including restricting access to them by outside persons and unauthorized employees.
(4) Workers’ and employees’ dossiers, as well as the data of job applicants, shall not be taken outside the building of INTER EXPO CENTER EOOD.
Processing procedure for personal data related to customers and service providers
Article 10. (1) Personal data related to customers shall be collected when a request for service provision is submitted or a contract is concluded with a customer of INTER EXPO CENTER EOOD.
(2) Personal data related to service providers shall be collected when a contract with a service provider is concluded, and usually the personal data are contained in the text of the contract itself.
(3) Personal data shall be stored on an electronic and paper carrier, classified in individual dossiers. The dossiers shall be stored in cabinets with a lock in the office of the Data Protection Officer. Electronic data shall be stored in data bases.
VII. RECORDING PERSONAL DATA PROCESSING
Article 11. (1) INTER EXPO CENTER EOOD shall maintain records of processing activities by observing the accountability principle.
(2) These records shall be sufficient to establish compliance with the principles of lawful processing of personal data.
(3) Data processing related to storage of data on servers owned by third persons; archiving or erasure of data; introduction of pseudonymization, as well as any other processing whose parameters are different from those described in these rules, shall be recorded by creating protocols containing the following information:
(a) the purposes of the processing;
(b) the categories of personal data and the categories of data subjects;
(c) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries;
(d) transfers of personal data to a third country;
(e) where possible, the envisaged time limits for erasure of the different categories of data;
(f) where possible, a general description of the technical and organisational security measures.
(4) The protocols shall be prepared by the persons carrying out the relevant data processing under the instructions of the Data Protection Officer.
(5) The aggregation of all protocols containing the information described above shall comprise the register of processing activities under Article 30 of GDPR.
VIII. PERSONAL DATA PROTECTION MEASURES
Article 12. (1) All rooms where personal data are stored and processed shall have access control. Possible technical means for access control are:
- room security guards;
- recognition devices by a magnetic card and/or key;
- video surveillance in the corridors;
- a policy for allowing outside persons into the premises of INTER EXPO CENTER EOOD only when accompanied by a staff member of INTER EXPO CENTER EOOD.
(2) The premises of INTER EXPO CENTER EOOD are equipped with the relevant fire safety measures in compliance with Bulgarian legislation.
Document protection measures
Article 13. (1) INTER EXPO CENTER EOOD shall establish procedures for personal data processing, regulating access to data, procedures for destruction and storage time limits, set out in detail in these Rules. Pseudonymization may be envisaged for individual categories of data at the proposal of the Data Protection Officer.
(2) Multiplication and dissemination of documents or files containing personal data shall be carried out only and solely by authorized employees if the need arises.
Personal protection measures
Article 14. (1) Prior to taking on the respective position, the persons carrying out personal data protection and processing shall:
- undertake an obligation for non-disclosure of the personal data to which they have access;
- be acquainted with the regulatory framework, internal rules and policies of INTER EXPO CENTER EOOD regarding personal data protection;
- undergo training on response in the event of threats to data security;
- be instructed on the dangers to personal data processed by INTER EXPO CENTER EOOD;
- be obligated not to share critical information between themselves and with outside persons, except under the procedures established by these Rules.
(2) When they start their employment, all employees shall be briefed on response in the event of threats to data security, and shall undergo training on the obligations of INTER EXPO CENTER EOOD related to the processing of personal data and the data protection measures which should be undertaken in the work process. Further staff trainings and instructions shall be carried out on a regular basis to ensure that they are familiar with the regulatory framework, potential risks to data security and the measures for mitigating them.
Measures for protection of automated information systems and encryption protection
Article 15. (1) Access to the operating system containing the files with personal data shall be granted only to persons whose official obligations or specific task assigned require such access. Access shall be gained by a password.
(2) Electronic data bases shall be protected by logical security controls, such as automatically updated anti-virus software, firewalls, etc.
(3) Personal data shall be archived on a technical carrier on a regular basis to ensure information preservation.
Article 16. (1) The protection of electronic data against unlawful access, damage, loss or destruction, either premeditated or in the event of technical malfunction, failures, accidents, disasters, etc. shall be provided by:
- introducing passwords for the computers providing access to the personal data and the files containing personal data;
- anti-virus software, checks for illegally installed software;
- regular checks of the integrity of the data base and update of system information, maintenance of the system for access to data;
- regular backup of the data on technical carriers, maintenance of the information on a paper carrier (backup copies).
(2) The Data Protection Officer shall report regularly to the management of INTER EXPO CENTER EOOD on the measures undertaken to safeguard the level of security in personal data processing.
IX. SECURITY BREACHES
Article 17. (1) The persons who have identified indications of data security breaches shall report immediately to the Data Protection Officer, providing him or her with all the information available.
(2) The Data Protection Officer shall carry out an immediate inspection of the reported breach, trying to determine whether a security breach has taken place and which data are concerned.
(3) The Data Protection Officer shall report immediately to the partners in INTER EXPO CENTER EOOD the information available on the security breach, including information on the nature of the incident, the time of its detection, the type of damages, the measures undertaken and the measures he or she believes should be undertaken.
(4) After consultation with the management of INTER EXPO CENTER EOOD, the Data Protection Officer shall undertake measures to prevent or mitigate the consequences of the breach and the options for restoring the data.
(5) In the event of an emergency, when consultation with the management would delay the response and lead to substantial damages, the Data Protection Officer may at his or her discretion undertake measures to prevent or mitigate the consequences of the security breach. In such circumstances, the Data Protection Officer shall notify immediately the management about the undertaken measures and coordinate further actions with the instructions received.
Article 18. (1) If the security breach is likely to result in a risk to the rights and freedoms of natural persons whose data have been affected, and following approval by the management of INTER EXPO CENTER EOOD, the Data Protection Officer shall organize the notification to CPDP.
(2) CPDP shall be notified without undue delay and, where feasible, not later than 72 hours after the breach was originally detected.
(3) The notification to CPDP shall contain the following information:
(a) description of the security breach; the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) the name and contact details of the Data Protection Officer;
(c) description of the likely consequences of the security breach;
(d) description of the measures taken or proposed to be taken to address the personal data breach, including measures to mitigate its possible adverse effects.
(4) When it is likely that the personal data breach will result in a high risk to the rights and freedoms of natural persons, the Data Protection Officer shall, without undue delay and in compliance with relevant legislation, notify the natural persons concerned.
Article 19. (1) INTER EXPO CENTER EOOD shall keep a register of security breaches, containing the following information:
(a) date of breach detection;
(b) description of the breach – source, type and scope of the data concerned, reason for the breach (where applicable);
(c) description of performed notifications: notification to CPDP and to the person concerned, where applicable;
(d) measures taken to prevent and restrict the adverse consequences for data subjects and for INTER EXPO CENTER EOOD;
(e) measures taken to restrict the possibility of further security breaches.
(2) The register shall be kept in electronic form by the Data Protection Officer.
X. PROVIDING PERSONAL DATA TO THIRD PARTIES
Article 20. (1) INTER EXPO CENTER EOOD may, where necessary, provide personal data to third parties acting in their capacity of a processor, on the basis of a specific contract.
(2) In the event of provision of the data of staff, customers or service providers to a processor, INTER EXPO CENTER EOOD shall:
(a) request sufficient guarantees from the processor for compliance with legal requirements and good practices in personal data processing and protection;
(b) sign a written agreement or another legal action with identical force, regulating the obligations of the processor and in compliance with Article 28 of Regulation (EU) 2016/679;
(c) notify the natural persons whose data will be provided to a processor.
(3) Processing of personal data by processors outside the EU/EEA is only admissible where:
(a) the European Commission has adopted a decision confirming that the country to which the transfer is made provides an adequate level of protection of the rights and freedoms of the data subjects;
(b) there are suitable security measures in place – such as Binding Corporate Rules (BCR), standard contractual clauses approved by the European Commission, or an approved code of conduct or certification mechanism;
(c) the data subject has given his or her explicit consent to the transfer, after being notified of the potential risks; or
(d) The transfer is necessary for one of the purposes listed in GDPR, including the performance of a contract with the subject, protection of public interest, settlement and protection of legal disputes, protection of vital interests of the data subject in the cases when he or she is physically or legally unable to provide consent.
XI. DATA PROTECTION IMPACT ASSESSMENT
Article 21. (1) An impact assessment shall be carried out where this is required by the applicable law and in view of the risk to natural persons and the nature of personal data processing carried out by INTER EXPO CENTER EOOD. An impact assessment shall be carried out for high-risk processing operations.
(2) An impact assessment is required in any implementation of a key system or replacement of a business program related to the processing of personal data, including:
- the initial implementation of new technologies or transition to new technologies;
- automated processing, including profiling or automated decision making;
- processing on a large scale of sensitive personal data;
- a systematic monitoring of a publicly accessible area on a large scale.
(3) A protocol shall be drawn up on the assessment, to be provided to CPDP on request.
XII. DESTRUCTION OF PERSONAL DATA
Article 22. (1) Destruction of personal data shall be carried out by INTER EXPO CENTER EOOD or an explicitly authorized person without prejudice to the rights of the persons the data to be destroyed relate to, and in compliance with the provisions of relevant regulatory acts.
(2) The information in the registers shall be destroyed after the purposes of processing are achieved and if storage is no longer required.
(3) Destruction of data on paper carrier shall be carried out via a shredder. Electronic data shall be deleted from the electronic data base in a manner which does not allow recovery of the information.
XIII. TRANSFER OF PERSONAL DATA TO ANOTHER PERSONAL DATA CONTROLLER
1. All data transfers shall be carried out via secured means, including encryption or a virtual private network.
2. After the purpose of personal data processing is achieved, the storage of these personal data is only admissible in the cases provided for by law.
XIV. PERSONAL DATA PROTECTION ACTIVITIES IN THE EVENT OF AN EMERGENCY, ACCIDENTS AND DISASTERS (FIRE, FLOOD, ETC.)
1. During the regular briefing on safety rules on the premises of INTER EXPO CENTER EOOD and actions to be undertaken by staff in the event of an emergency, accident or disaster, authorized persons are also instructed how to take the registers out of the premises without a risk to their lives.
2. In the event of warnings about upcoming natural disasters and evacuation of the residents and those working in the areas under threat, the persons with authorized access/processors shall do everything possible, without putting their lives at risk, to take out the carriers storing personal data registers.
3. After the emergency, disaster or accident is over, the processors shall, as soon as possible, determine the state of the registers and backup copies and, where necessary and possible, take steps to restore the registers concerned.
XV. PERSONS IN CHARGE OF THE COLLECTION, PROCESSING AND STORAGE OF PERSONAL DATA AND ACCESS TO PERSONAL DATA
Article 23. The Data Protection Officer and the persons processing personal data on behalf of INTER EXPO CENTER EOOD are natural or legal persons with the required competences and/or authorized by a relevant written act, including by these Rules.
Article 24. The Data Protection Officer:
- assists INTER EXPO CENTER EOOD and the processors in the performance of their obligations related to personal data protection by ensuring the application of and maintaining the required technical and organizational measures and means for data protection;
- ensures the proper functioning of the above security systems;
- exercises control throughout the process of data collection and processing;
- carries out all obligations related to reporting and managing data security breaches;
- regularly requests information from the processors in connection with the data collection, access and processing;
- notifies INTER EXPO CENTER EOOD promptly about all irregularities established in relation to the performance of his or her obligations;
- destroys the data on paper and technical carriers in compliance with the law and the time limits set out in these Rules;
- re-authorizes with a written act natural or legal persons to implement personal data protection.
Article 25. (1) Personal data collection, processing, storage and protection shall only be carried out by persons who have explicitly been instructed to this end and whose official responsibilities or specific task assigned require that.
(2) When assigning activities which require the processing of personal data from the registers of INTER EXPO CENTER EOOD, service providers shall observe the applicable regulatory requirements on personal data processing and the procedures under Article 19 of these Rules.
(3) Access to personal data may also be granted to the relevant state authorities – court, investigation, prosecutorial, inspection authorities, etc. The latter may request the data via the due procedure in relation to the performance of their authority.
XVI. RIGHTS OF DATA SUBJECTS
Article 26. (1) Any person shall be entitled to request access to his or her personal data, including to obtain confirmation as to whether data concerning him or her are being processed and to be notified of the purposes of this processing, the categories of data concerned and the recipients of the data.
(2) The right to access shall be exercised via a request of the natural person concerned, received at the registered address of INTER EXPO CENTER EOOD or the official e-mail address.
(3) Any natural person is entitled to request the deletion, rectification or blocking of his or her personal data which are not processed in compliance with legal requirements.
(4) Any person is entitled to object in writing against the processing and/or provision to third parties of his or her personal data without the required legal grounds.
(5) INTER EXPO CENTER EOOD is obliged, within two weeks of receiving a request under the previous paragraphs, to notify the requesting party whether there are legal grounds for respecting the request. If INTER EXPO CENTER EOOD determines that there are legal grounds to respect the request, it shall also notify the person of the way in which he or she can exercise his or her right.
(6) Data subjects also have the right to:
- withdraw their consent to processing at any time;
- object to the use of their personal data for the purposes of direct marketing;
- request information about the grounds on which their personal data have been provided for processing to a processor outside the EU/EEA;
- object to a decision taken entirely on the basis of automated processing, including profiling;
- be notified of a data security breach which is likely to result in a high risk to their rights and freedoms;
- file complaints to the regulatory authority;
- in some cases, to receive or request for their personal data to be transferred to a third country in a structured, commonly used form suitable for machine reading (right to portability).
XVII. AMENDMENTS TO THE INTERNAL RULES
Article 27. INTER EXPO CENTER EOOD may amend these Rules at any time. All amendments shall be immediately notified to the persons they concern.
These Rules have been adopted and enter into force on the day they are signed.
For and on behalf of INTER EXPO CENTER EOOD:
Date: 08.01.2019, Sofia
APPROVED BY: .................................
Ivaylo Ivanov – Manager of INTER EXPO CENTER EOOD