This Internal Policy is established on the basis of Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, The Personal Data Protection Act and Ordinance N1 of 30.01.2013 on the minimal level of technical and organizational measures and the admissible type of protection.
Regulation (EU) 2016/679 and this Internal Policy apply to the processing of personal data, part of the record of personal data, regardless of the means of processing (manually or automatically).
2. Glossary of terms
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘special categories of personal data’ include racial or ethnic origin, political opinions, religious or philosophical views, trade union membership, sexual orientation, and health;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘data subject’ means a natural person whose personal data is processed by a controller or processor;
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘personal data breach’ means a breach of security leading to the accidental or unlawful access to, destruction, misuse, etc. of personal data;
‘main establishment’ as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
3. Data protection declaration
The management of “Ezclick” EAD, EIK 204199530, with headquarters and management address: Sofia, Studentski grad, “Akademik Stefan Mladenov” Str, 46, entr. A, fl. 3, office 8, hereinafter referred to as the “Company” or the “Administrator”, ensures compliance with legislation regarding the processing of personal data and protection of the rights and freedoms of the individuals whose personal data is collected and processed by the Company under the General Data Protection Regulation (EU) 2016/679.
Controller of personal data “Ezclick” EAD, EIK 204199530
tel.: +359 2 45 14 804
Data Protection Officer at “Ezclick” EAD is Elena Vasileva Kaneva
tel.: +359 2 45 14 804
In accordance with the General Regulation, this policy describes the other relevant documents as well as the related processes and procedures.
The Data Protection Officer shall be responsible for reviewing the "Registry of Processing Activities" annually in the light of any changes in the activities of the Company, as well as any additional requirements and data protection impact assessments. This register must be available at the request of the supervisory authority.
This policy applies to all employees/workers, clients, external suppliers, logistic companies and partners in relation to the Company.
Partners and third parties working with or for the Company who have or may have access to personal data are expected to become acquainted with, understand and comply with this policy. No third party can access the personal data stored by the Company without having previously entered into a data privacy agreement which imposes on the third party obligations no less burdensome than those which the Company has itself undertaken and entitles.
4. Obligations and roles under Regulation (EU) 2016/679
The Company is a data controller and processor under Regulation (EU) 2016/679.
Compliance with data protection legislation is the responsibility of all employees of the Company who process personal data.
The responsible person for personal data protection is employed by the Company and reports directly to the highest management level of the data controller or processor.
• adopting data protection techniques and implementing the requirements of Regulation (EU) 2016/679;
• managing all the risks identified by the Impact Assessment in order to reduce the probability of non-compliance with these rules.
The Data Protection Officer is responsible for the Company’s compliance with this Policy on a daily basis.
Everyone responsible for using personal data has to follow strict rules according to Regulation (EU) 2016/679.
5. Data protection principles
This Policy aims to ensure compliance with the Regulation (EU) 2016/679.
6. Lawful, fair and transparent data processing
The Company identifies a lawful basis for processing personal data based on a contractual relationship with the data subject (when the data subject has given his consent to the processing).
The Company provides certain information to the subject of the data as far as possible. This applies irrespective of whether the personal data is obtained directly from the data subject or another source(s).
The Company shall take appropriate measures to provide any information and any communication relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
7. Purpose of data processing
Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.
The Company processes personal data for the purposes of:
- Making product offers;
- Selling goods online;
- Concluding and implementing a contract for the sale of goods;
- Concluding contracts for distribution;
- Preparing customer invoices;
- Providing customer service related to the return policy;
- Concluding labor and civil contracts with employees; communicating with employees by telephone, for correspondence, accounting, pension and health insurance;
- Delivering goods to clients via logistic companies;
- Labor medicine service;
- Rental agreement;
- Direct marketing;
- Video surveillance;
- Protection of the legal rights and interests of the Company.
8. Legal basis
The Company processes personal data on a contractual basis when concluding contracts with clients with the purpose of selling goods, contracts with logistic companies, labor and civil contracts, labor medicine service contracts.
The Company processes personal data on a legal basis in case of preparing invoices, processing documents to NRA and NSSI, offer requests or claim damages of goods by clients.
The Company processes personal data on the basis of consent in case of processing of personal data by third parties on behalf of the Company, direct marketing, registration of new customers on the website (online store), and responding to requests by individuals.
The Company uses video surveillance in order to protect its legal interests and its own property.
9. Data minimization
The principle of data minimization is essentially the idea that, subject to limited exceptions, an organization should only process the personal data that it actually needs to process in order to achieve its processing purposes.
The Data Protection Officer annually reviews the methods of collecting personal data in order to ensure the data collected is adequate and relevant but not excessive. This means the personal data collection, storage and usage shall be limited to the purpose for which the data is collected.
10. Personal data update
The Administrator shall ensure the accuracy of the processed personal data and shall seek immediate correction or removal (taking the appropriate technical measures). Personal data processed and stored by the Administrator is reviewed and updated every 6 (six) months. Data that is not accurate shall not be stored.
The data subject declares that the shared personal data is accurate and up to date. Employees, clients and third-party companies are obliged to inform the Company in case of a change of circumstances (e.g. representative, address, telephone number). The Company shall update the register immediately.
11. Storage period duration
- The duration of the storage period depends on the collection purposes.
- Personal data collected through email requests from individuals shall be stored for 3 (three) months.
- Personal data processed for the purpose of concluding a contract with clients, partners, logistic companies shall be stored for the duration of the contract and up to 5 (five) years from the expiration of the contract in order to protect the Company’s legal interests.
- Personal data collected online shall be stored for an undefined period of time or until the individual requests to remove their profile.
- Personal data processed for the purpose of concluding labor contracts shall be stored until the expiration of the contract and up to 3 (three) years thereafter in order to protect the Company’s legal interests.
- Personal data necessary for the purpose of pension insurance shall be stored for a period of 50 (fifty) years after the termination of the employment.
- Personal data processed for issuing accounting or financial documents for tax and social security purposes (e.g. invoices, credit notes, delivery protocols etc.) shall be stored within the statutory terms.
- Personal data processed in relation to patients’ charts, documents issued by the Territorial expert medical commission or any other kind of document related to the health condition of the employees of the Company shall be stored for a period of 3 (three) years as from 1st of January of the year following the year of issue of the relevant hospital document.
- Personal data processed for the purpose of concluding civil contracts shall be stored for the duration of the contract and up to 5 (five) years from the expiration of the contract in order to protect the Company’s legal interests.
- Personal data processed for the purpose of direct marketing of goods and services shall be stored until the consent of the data subject is withdrawn.
- Personal data processed for the purpose of protecting the Company’s property through video surveillance shall be stored for a period of 15 (fifteen) days.
The Company destroys the personal data files according to the legal procedure.
12. Personal data categories
The Company processes the following personal data of its employees: full name, PIN, date of birth, ID card data, postal address, email address, telephone number, education, professional qualification, bank account details, job experience, foreign languages, evaluation of the work, username, password, IP address, personal service number.
The Company processes the following personal data of the representatives of legal entities (contractors): full name, PIN, email address, physical address, phone number.
The Company processes the following personal data of legal representatives of legal entities: full name, telephone number, business address, email address.
The Company has the right to process other personal data according to law.
Employee selection process
The personal data of the applicants shall be processed only for administrative purposes (during the selection).
The applicant gives his or her consent by submitting a form/questionnaire to the Company before signing the employment contract. The applicant gives his or her consent for the processing of his or her personal data under the statutory order for processing personal data to the Labor Office at the Ministry of Labor and Social Policy of the Republic of Bulgaria, to private employment agencies, or to web portals for job search with which the Company has a service contract.
The applicant has the right not to give his consent to process his or her personal data without indicating the reason. The Company must immediately cease to process the applicant’s personal data.
The personal data of the applicants shall be stored until the selection process is over. After the process is over, the applicant’s personal data shall be processed only with his or her consent given and not for a period longer than 3 (three) years.
13. Processing on behalf of the administrator
The Company has the right to disclose the personal data of its clients and employees as far as it concerns the fulfillment of the contractual obligations and the performance of the Company’s business activity. Persons having the right to process personal data on behalf of the Company are:
- Logistic organizations the Company has signed a contract with;
- Consultants (incl. lawyers) of the Company;
- Labor medicine service.
In those cases, the provisions of Regulation 2016/679, The Personal Data Protection Act, the internal regulations and other mandatory legal provisions apply to personal data processing.
14. Rights of the data subject
The Administrator provides information to the data subject in a concise, transparent and easily accessible written form, including via electronic means.
The subject of the data has the following rights:
14.1. Right of access by the data subject
The data subject has the right to obtain confirmation that his or her personal data is being processed and, in this case, the data subject has the right to access the data and the following information:
- the responsible person for his or her data protection;
- the purposes of processing and the legal basis;
- the recipients of his or her personal data;
- the period of storage of the data;
- the right to withdraw his or her consent granted for the data collecting and processing.
14.2. Right of rectification
The data subject has the right to request from the Administrator the rectification of inaccurate personal data relating to him or her. Taking into account the purposes of the processing, the data subject has the right to have his or her incomplete personal data completed, including via an annex.
14.3. Right to erasure
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation;
- the personal data have been collected in relation to the offer of information society services.
14.4. Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
- the data subject has objected to processing pending the verification whether legitimate grounds of the controller override those of the data subject.
14.5. Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
14.6. Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
14.7. Right to lodge a complaint with a supervisory authority
In Bulgaria, the supervisory body is the Commission for Personal Data Protection.
15. Transfer of personal data
Personal data will not be transferred outside the European Union.
16. Data security. Persons with access to personal data
The persons having the right to access personal data are: the Data Protection Officer, Human Resources staff, accountants of the Company, lawyers of the Company, security guards, and state judicial and administrative bodies.
Employees are not allowed to use Internet and email communication at work for personal use.
Emails and other means of communication may be screened in order to ensure their security, the transfer of functions, dispute settlement, protection of material and non-material interests of the Company, protection of confidential information of the Company and other legitimate cases.
18. Technical and organizational measures for protection
The Company shall implement and maintain appropriate technical and organizational security measures in order to protect the personal data, to ensure the ongoing confidentiality, incl. protection against unauthorized or unlawful processing of personal data, accidental loss or damage.
19. Risk assessment
According to Ordinance N1/30.01.2013, the Company has carried out a risk assessment on the minimum necessary level of technical and organizational measures, as well as the admissible type of protection, by analyzing the processing operations and the purposes of processing, the necessity and proportionality of the processing operations in relation to the purposes, the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, and the security measures and mechanisms to ensure the protection of personal data, taking into account the rights and legitimate interests of data subjects. As a result of the analysis, the Company has a low risk of unauthorized or accidental disclosure of, or access to, personal data which may lead to physical, material or non-material damage to data subjects.
20. Security breach
In case of a personal data breach, the Controller shall without undue delay, where feasible, notify the personal data breach to the Administrator, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The Controller shall document any personal data breaches, their effects and the remedial action taken. The notification to the Administrator shall contain all necessary details of the breach, in written form.
The Administrator shall notify the supervisory authority in case of need. According to Regulation 2016/679, breaches that are unlikely to result in a risk to the rights and freedoms of natural persons do not require notification to the supervisory authority.
Breaches that are likely to result in a risk to the rights and freedoms of natural persons require notification to the supervisory authority not later than 72 hours after having become aware of the breach. Where the notification to the supervisory authority is not made within 72 hours, the Data Protection Officer shall accompany the notification with the reasons for the delay.
The Administrator “Ezclick” EAD documents all security breaches and violations of personal data in a record of violations of personal data, indicating the facts, the consequences and the measures taken to mitigate the impact.
21. Records of processing activities
The Company maintains a record of processing activities under its responsibility. The record contains all of the following information: business activities processing personal data, personal data sources, number of data subjects, description of the categories of personal data and elements of each category, processing activities, purposes of processing, legal basis, recipients, main systems and storage places, personal data transferred outside EU, personal data storage periods.
The Company assesses the level of risk to individuals whose personal data is being processed. In cases where a particular type of processing can lead to a high risk to the rights and freedoms of individuals, the Company shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
Approved by Christos Georgios Moulas, Chief Executive Officer of “Ezclick” EAD on 31 May 2018.
/Chief Executive Officer/