- 1.2. Keeping confidentiality of our users’ personal data is a top priority for us. BAALO in its capacity as a data controller and in accordance with the legislation and good practices, implements the required technical and organizational measures to protect the personal data of individuals.
2. Information regarding BAALO in its capacity of personal data administrator
- 2.1. To obtain more information regarding your data processing, you can use the contacts listed below:
Name: BAALO Country: Bulgaria Address: 16 Dobri Chintulov Str. Phone number: (0359)895 567 151 Town/Province: Sliven e-mail: firstname.lastname@example.org Postal code: 8800 Website: https://www.baszz.net
- If you believe that we are in violation of your rights related to the processing of your personal data and in compliance with the requirements of the General Data Protection Regulation-regulation (EU) 2016/679, you have the right to complain to the Technical Secretary, to file a complaint with a supervisory authority and to seek judicial redress as follows:
- 2.2. Right of appeal to a supervisory authority
Under article 14 (2) (e)If you wish to file a complaint regarding the processing of your personal data by us or about how we have examined your complaint, you have the right to complain to the Commission for Personal Data Protection and the Data Protection Officer (if available).
- You can file a complaint in one of the following ways:
- 1. In person on paper at the office of the CPDP at: 1592 Sofia, Bulgaria Prof. 2 Tsvetan Lazarov.
- 2. By letter 1592 Sofia, Bulgaria Prof. 2 Tsvetan Lazarov, Commission for Personal Data Protection.
- 3. By fax 029153525.
- 4. Electronically to the email address of the CPDP (email@example.com). In this case, your complaint must be styled as an electronic document signed with an electronic signature (not scanned)
- 5. Via the website of the CPDP at https://cpdp.bg/?p=pages&aid=6 in the manner described on the respective page. In this case, your complaint must be styled as an electronic document signed with an electronic signature.
- In either of these cases, the complaint should contain:
- Applicant Details – names, address, telephone number, email address (if available)
- Nature of the complaint
- Other information and documents you consider relevant to the complaint
- Date and signature (for electronic documents – electronic, for paper documents – handwritten)
- The CPDP provides a complaint form to the Commission (to assist and direct the citizens) in relation to misuse of personal data in the voter lists supporting the registration of political entities. The form can be downloaded from the following page: https://cpdp.bg/userfiles/file/Documents_2017/Forma_jalba_politicheski subekti.doc.
3. Legal Basis
- 3.2. Bulgarian legislation and the GDPR provide rules on how BAALO has to collect, process and store personal data.
- 3.3. In order to be able to process personal data in accordance with legal
requirements, personal data is collected and used lawfully, the necessary security of processing
operations, BAALO has taken the necessary measures to avoid personal data to be subjected to
unlawful disclosure. According to the basic principles respected by BAALO, your personal data is:
- 3.3.1. processed lawfully, in good faith and in a transparent manner with respect to the data subject (legality, fairness and transparency);
- 3.3.2. collected for clearly specified, explicit and legitimate purposes and not further processed in a manner incompatible with these purposes (purpose limitation);
- 3.3.3. relevant, related and limited to what is necessary in relation to the purposes for which they are processed (Data minimisation);
- 3.3.4. accurate and kept up to date; BAALO has taken all necessary measures to ensure that inaccurate personal data is deleted or corrected in view of the purposes for which they are processed (accuracy), in a timely manner;
- 3.3.5. Kept in a form which permits identification of the data subject for a period not exceeding what is necessary for the purposes for which the personal data is processed; (Storage Restriction);
- 3.3.6. Processed in a manner that ensures an appropriate level of security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organisational measures ( integrity and confidentiality);
- 3.3.7. BAALO is fully responsible and able to demonstrate that it respects the basic principles relating to the processing of personal data (accountability).
4. Policy Aims
- 4.1. With the adoption and application of this policy by BAALO under the Bulgarian Legislation and Regulation (EU) 2016/679, the rules regarding the protection of natural persons with regard to the processing of personal data, as well as the rules regarding the free movement of personal data, are defined.
- 4.2. With the adoption and application of this policy by BAALO under the Personal Data Protection Act and Regulation (EU) 2016/679 protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data are defined.
- 4.3. By implementing the current policy, BAALO aims to guarantee the following:
- 4.3.1. Lawfulness of the processing of personal data carried out by BAALO;
- 4.3.2. The rights of natural persons subject to personal data under Regulation (EU) 2016/679;
- 4.3.3. Compliance with BAALO’s regulation requirements on behalf of the Administrator and/or
Data Processor, including:
- 18.104.22.168. Data protection at the design and default stage
- 22.214.171.124. Records of processing activities
- 126.96.36.199. Appropriate technical and organisational measures to be reviewed and, where necessary, updated
- 188.8.131.52. Risk assessment measures relating to the processing of personal data
- 184.108.40.206. Compliance with the requirements when assigning the processing of your personal data to third parties (Processing)
- 220.127.116.11. The duties of officials processing personal data and/or persons having access to personal data and working under the authority of processors personal data, their liability for failure to comply with those obligations;
- 4.3.4. Taking into consideration technical progress, the costs of implementation and the nature, scope, context and purposes of the processing and the risks of varying likelihood and severity to the rights and freedoms of natural persons, BAALO in its capacity of an administrator and/or processor, shall implement appropriate technical and organisational measures to ensure a level of security that is consistent with that risk.
- 4.3.5. Ensure compliance with the basic principles for transfers of personal data to third countries or international organisations outside the EU.
- 5.1. Definitions:
- 5.1.1. ‘Personal data’ means any information relating to an identified or identifiable natural person (data subject); An identifiable natural person is a person who can be identified, directly or indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more signs, specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- 5.1.2. ‘Processing’ means any operation or set of operations carried out with personal data or a collection of personal data, by automatic or other means such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- 5.2. The data protection policy applies to the processing of personal data of users, employees, where they become known to partners and suppliers, as described in the records of processing activities established in accordance with article 30 of the General Data Protection Regulation-Regulation (EU) 2016/679 (Records of processing activities).
- 5.1. Definitions:
6. Data Processing Purposes
- 6.1. Subject to the requirements of section I-Transparency and the conditions of the general Data Protection Regulation- (EU) 2016/679, BAALO shall provide transparent information, communication and conditions for the exercise of the rights of data subjects pursuant to Article 12 of the Regulation.
- 6.2. The purposes and information regarding the treatment of personal data carried out by BAALO shall be provided in accordance with the “Transparent communication procedure” (P_A2_BG), the “Procedure for the Collection Personal Data” (P_A13_BG) and the “Procedure for Obtaining Personal Data ‘ (P_A14_BG).
- 6.3. The purposes and information regarding the processing of personal data are specified in the documents provided to the data subjects “Information on the processing of personal data collection” (D_A13_BG) and “Information provided when receiving personal data” (D_ A14_BG).
7. Transparency. The rights of individuals whose personal data is processed by BAALO
- Information on your rights related to personal data processing
Under Article 14 (2) (v)
Rights Legal Basis Right Description Right to Access Article 15 Right to confirm processing and access to your personal data. Right to Rectification Article 16 Right to rectify inaccurate or incomplete data Right to Erasure Article 17 Right to require personal data erasure. Right to Restrict Data processing Article 18 Right to require a limit when personal data is processed. Right to Be Notified Article 19 Right to require that you be notified of any action that is related to correcting, deleting, or restricting processing. Right to Object Article 21 Right to object at any time to the processing of your personal data: for the performance of a task in the public interest or on the basis of official authority or for the purposes of legitimate interests, including profiling. processing for direct marketing purposes scientific or historical research purposes or for statistical purposes. Right to Reject Automated Processing Article 22 Right to refuse to be subject to a decision based solely on automated processing, including profiling, which produces legal consequences for you or concerns you significantly. Data Portability Article 20 Right to receive personal data. Right to Appeal and Effective Judicial Protection Articleове 77, 78 & 79 You have the right to complain to the Commission for Personal Data Protection in case of breaches of Regulation (EU) No 2016/679 of 27 April 2016 and the Right to Effective Protection against the CPDP, administrator or processor of your personal data. Right to Compensation Article 82 You are entitled to compensation for material or intangible damages suffered as a result of an infringement of regulation (EU) No 2016/679.
- 7.1. All subjects of personal data (users, customers or employees where such data
have become known to partners or suppliers, as described in the records of processing activities)
have the right to exercise their rights in the following way:
- At the head office: Address: 16 Dobri Chintulov Str, Sliven, 8800
- On the Internet: Website: https://www.baszz.net e-mail: firstname.lastname@example.org
- Information on your rights related to personal data processing
8. Transfer of Personal Data to third countries or international organisations
- 8.1. Transfer of personal data which are processed or are intended to be processed after the transfer to a third country or an international organisation outside the EU, shall be carried out by BAALO only under the terms of the general Data Protection Regulation- (EU) 2016/679, subject to the conditions set out in chapter V of the regulation.
- 8.2. BAALO shall apply all the provisions of the Regulation so that the necessary level of protection of natural persons provided by the Regulation is not compromised.
- 8.3. In the event that BAALO transfers personal data to a third country or to an international organisation outside the EU, this transfer shall be carried out in accordance with the “Non-EU data transfer procedure” (P_A44_BG) and the data subjects shall be informed In advance with “Information on the processing of personal data in collection” (D_A13_BG) and “Information provided upon receipt of personal data” (D_A14_BG), requiring their “Consent to the transfer of personal data” (D_A49_BG).
9. Infringements and notification of breaches
- 9.1. “Personal data breach” means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that is transmitted, stored or otherwise processed by BAALO.
- 9.2. In the event of a personal data breach, the following contacts should be immediately notified: email@example.com. Contact Phone: (0359) 895 567 151
- 9.3. In the case of a personal data breach which is likely to create a risk to the rights and freedoms of natural persons, without undue delay and where feasible, no later than 72 hours after being aware of that, BAALO will inform the Commission for the Protection of Personal Data.
- 9.4. In the event that a specific infringement poses a risk to the rights and freedoms of natural persons, BAALO shall take measures to inform the persons concerned in order to minimise any adverse effects.
- 9.5. BAALO takes action according to the “Procedure for Personal Data Breach” (P_A33_BG).
10. Destruction of Personal Data
- 10.1. BAALO follows the specific procedure for the destruction of personal data (P_A17_BG_01).
11. Changes in Data Confidentiality Policy
12. Document Owner and Approval
- 12.1. The technical secretary shall be the owner of this document and shall be responsible for reviewing this procedure in accordance with the requirements for review and update of EU Regulation 2016/679.
- 12.2. The current version of this document is available on paper in the office to all members of the staff and the electronic version of the documents is available on BAALO’s server, the GDPR file.
- 12.3. This procedure has been approved by the Association Chairman on 11/18/2019 and has been issued by the controlled version approved by the Chairman’s signature.
Document Alteration History
Version Description of Alteration Approval Data of introduction of the new version 1 Initial Version Chairperson 11/18/2019