DATA PROTECTION POLICY
CONDEX EOOD, UIC 121210704
This Data Protection Policy of Condex EOOD, as a personal data controller, has been drafted in accordance with Regulation (EU) 2016/679, the Personal Data Protection Act (PDPA) and in compliance with the Instruction on the mechanism of processing personal data and their protection from illegal forms of processing in filing systems kept at Condex EOOD, UIC 121210704.
Personal data controller
Condex EOOD, registered in the Commercial Regsiter with the Registry Agency with UIC 121210704, with seat and management address city of Sofia, 87 Okolovrasten pat, e-mail: email@example.com, is the data controller.
Condex EOOD processes personal data
To fulfill statutory obligations
Condex EOOD processes relevant personal data in order to comply with its respective obligations, which are provided for in a regulatory act. For example:
- provision of information to the Commission for Personal Data Protection in relation to obligations provided for in the legal framework for the protection of personal data – Personal Data Protection Act, Regulation (EU) 2016/679 of April 27, 2016, etc.;
- obligations stipulated in the Labour Code, the Accountancy Act and the Tax and Social Insurance ProcedureCode and other related legal acts, in connection with keeping proper and lawful accounting and others;
- provision of information to the court and third parties, within the framework of proceedings before a court, in accordance with the requirements of the procedural and substantive legal acts applicable to the proceedings,
- in other cases provided by law and this policy.
In some cases, Condex EOOD processes relevant personal data only after the prior written consent of the data subjects. Consent is a separate basis for the processing of personal data and the purpose and term of the processing is specified therein.
To ensure adequate protection of the data of the company, of employees, contractors and other persons, Condex EOOD implements all the necessary organizational and technical measures provided for in the Personal Data Protection Act, including password protection of devices in which personal data are stored, locking systems, contracted security services, etc.
Terms for processing personal data
Staff payroll statements, etc. documents proving the experience and insurable service of employees are kept for 50 years in view of the requirements of the Accountancy Act.
The term for storing personal data of recruitment participants is 3 /three/ years.
The data in the “Contractors” filing system are stored for the period of preparing an offer for relevant equipment, goods and/or materials and/or services from the range of Condex EOOD, the conclusion of a respective contract for this equipment, goods and/or materials and/ or services, the performance of the concluded contract, resp. for concluding a contract for the acquisition by Condex EOOD of relevant equipment, goods and/or materials or services and up to 5 years and 2 months after the expiry of the term and execution of the relevant contract, but in no case less than 1 year and 2 months after the expiration of the validity of an offer and/or after the expiration of the relevant period for which the relevant personal data should be processed and stored in view of the current legislation or for another period by mutual agreement of the parties. After the expiration of these terms, the personal data in question should be destroyed according to the respective procedure except in cases where legal or executive proceedings have been initiated regarding the rights and obligations of the parties or tax audits and/or revisions by the competent authorities have begun and not been completed, inspections are carried out by other competent authorities or there are other legal grounds for continuing the processing and storage of personal data from this filing system, including the existence of proceedings for a data subject compaint according to the respective procedure.
The data of data subjects can also be anonymized. Anonymization is an alternative to data deletion. In case of anonymization, all personally identifiable elements / elements allowing the identification of the data subjects are irreversibly deleted. There is no legal obligation to delete anonymized data, as it does not constitute personal data.
Sharing and disclosure of personal data
Condex EOOD does not grant the right to use, does not sell or share with other persons information constituting personal data within the meaning of Regulation (EU) 2016/679 and the PDPA, except when this is necessary to provide services requested by the data subjects and when a corresponding authorization has been granted, or in any of the following cases:
- The information is provided by virtue of the law or in fulfillment of legal or contractual rights and obligations,
- The information is provided to trusted partners, including data processors who work on assignment by Condex EOOD based on contractual relations and pursuant to agreements. However, personal data processors do not have the right to independently share this information.
- The information is in compliance with the legal prescriptions of court orders on legitimate requests from authorized bodies (under the Criminal Procedure Code, the Criminal Code, etc.).
Right to information
Personal data subjects have the right to request:
- information on whether data relating to them is processed, information on the purposes of this processing, on the categories of data and on the recipients or categories of recipients to whom the data is disclosed;
- a message in comprehensible format containing their personal data being processed, as well as any available information about their source;
- information about the logic of any automated processing of personal data concerning the subjects, at least in the case of automated decisions.
Right to correction
In the event that we process incomplete or wrong/incorrect data, data subjects have the right, at any time, to request from us:
- to delete, correct or block the relevant personal data the processing of which does not meet the requirements of the law;
- to notify the third parties to whom his personal data has been disclosed of any deletion, correction or blocking, except in cases where this is impossible or involves disproportionate efforts.
Right to object
Data subjects also have the right to object to the processing at any time, in which case Condex EOOD will immediately terminate the processing for the relevant purposes, unless it proves that there are compelling legal grounds for the processing that take precedence over the interests, rights and the freedoms of data subjects, or for the establishment, exercise or defense of legal claims.
Right to restriction of processing
Personal data subjects may request the restriction of data processing if:
- the data processing is without legitimate basis, but instead of deleting them, you request their restricted processing;
- or we no longer need this data (for the specified purpose), but you need it for the establishment, exercise or defense of legal claims; or you have filed an objection to the processing of the data, pending verification of whether the controller’s grounds are legitimate.
Right to data portability
Personal data subjects may request that we provide the personal data you have entrusted to our care in an organized, orderly, structured, generally accepted electronic format if we process the data pursuant to the contract and based on the revocable consent statement or contractual obligation and processing is done automatically.
Right of appeal
In the event that you believe that we are in breach of applicable regulations, please contact us to clarify the matter. Of course, you have the right to file a complaint with the Personal Data Protection Commission – Sofia, 2 Prof. Tsvetan Lazarov Blvd. (www.cpdp.bg),
Natural persons – data subjects, can exercise their rights and obtain additional information in relation to the processing of personal data by our company by contacting us at the following contacts: Condex EOOD, Sofia, 87 Okolovrasten pat, e-mail: firstname.lastname@example.org
Exercise of rights under Regulation (EU) 2016/679 and other obligations
The exercise of any of the rights under Regulation (EU) 2016/679 in no way relieves the data subjects from their obligations in connection with contractual and other relations that have arisen.
Amny issues not settled in this policy shall be subject to the provisions of Regulation (EU) 2016/679, the PDPA, other current legal acts and the Instruction on the mechanism of processing personal data and their protection from illegal forms of processing in filing systems kept at Condex EOOD, UIC 121210704.
This policy was approved by the manager of Condex EOOD on 20.05.2018.