Personal data

POLITICS

/INSTRUCTION/

on the measures and means of personal data protection

collected, processed, stored and provided by ASM EOOD

Document title:

Privacy Notice.

Purpose of the document:

This document explains to data subjects how ASM EOOD collects and uses their personal data. It informs data subjects of the controller’s purposes for data processing, the legal basis for such processing and the conditions under which their data will be protected, shared and stored.

The document is provided to: all individuals and legal entities that are in commercial/contractual relations with ASM EOOD and is available on the organization’s website.

Version 1 / date: 25.05.2018

Updated / date: 15.08.2022

Section one

GENERAL

Article 1. This Instruction governs the organization and internal order of ASM EOOD, as a personal data controller, as well as the level of technical and organizational measures in processing personal data and the permissible type of protection.

Art. 2. The instruction has been prepared in accordance with the provisions of the Personal Data Protection Act (PPA), Ordinance No. 1 of 30.01.2013 on the minimum level of technical and organizational measures and the permissible type of personal data protection (Ordinance No. 1), Regulation ( Es) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons in relation to the processing of personal data and on the free movement of such data, and aims to protect the interests of natural persons and natural persons representing legal entities, as well as the employees of ASM EOOD from illegal and dishonest processing of their personal data.

Art. 3. For the purposes of this Instruction, the terms below have the following meaning:

1. “Personal data” is any information relating to natural persons and the natural persons representing legal clients and partners, called counterparties, as well as that related to employees who are identified or through which they can be identified directly or indirectly through an identification number or through one or more specific features.

2. “Processing of personal data” is any action or set of actions that ASM EOOD performs with regard to personal data by automatic or non-automatic means (collection, recording, organization, storage, adaptation or modification, recovery, consultation, use, disclosure by transmitting, distributing, providing, updating or combining, blocking, deleting or destroying, etc.).

3. “Administrator of personal data” is ASM EOOD, which processes personal data independently or by assigning another person.

4. “Sensitive personal data” are signs related to physical, physiological, genetic, mental, psychological, economic, cultural, social or other identity of the person.

5. “Register of personal data” is a structured set of personal data, accessible according to certain criteria according to the internal documents of ASM EOOD.

6. “Consent of a natural person” is any freely expressed, specific and informed statement of will by which the natural person to whom the personal data refers unequivocally agrees to their processing.

Art. 4. (1) ASM EOOD processes only legally collected personal data necessary for specific, precisely defined and legal purposes. The personal data it collects and processes should be accurate and, if necessary, updated. Personal data is deleted or corrected when it is found to be inaccurate or inconsistent with the purposes for which it is processed.

(2) ASM EOOD maintains the personal data in the form and format that allow identifying the identity of the natural persons for a period not longer than necessary to fulfill the purposes for which the personal data is processed.

(3) ASM EOOD complies with the principle of prohibiting the processing of special categories of data according to Art. 5, para. 1 of the GDPR (disclosure of racial or ethnic origin; disclosure of political, religious or philosophical beliefs; membership in political parties or organizations; associations with religious, philosophical, political or trade union objectives; personal data relating to health, sexual life or to the human genome), with exceptions allowed only in the cases provided for in Art. 5, para. 2 of the Labor Code.

Art. 5. (1) The natural person – the owner of the personal data – freely expresses his consent regarding the processing of his personal data.

(2) The natural person has the right at any time during the processing to request or destroy (delete) personal data collected for him, in cases where he disputes their accuracy or their processing is illegal.

(3) In cases where the data has not been received by the person, ASM EOOD informs him about the purposes and legal basis of the processing, about the categories of data provided and their source, about the recipients to whom they will be provided, as well as about his right of access to his personal data.

Art. 6. As a personal data administrator, ASM EOOD maintains personal data in a form that allows identification of individuals.

Art. 7. Personal data is processed when:

1. This is necessary to fulfill a legally established obligation.

2. The natural person to whom the data refers has given his express consent. The counterparties and employees of ASM EOOD are identified by means of an official identity document (identity card). After checking and entering the data in the employment contract, it is returned to the person.

3. The processing is necessary for the fulfillment of obligations under a contract to which the natural person to whom the data refer is a party, as well as for actions preceding the conclusion of a contract and undertaken at his request.

Art. 8. All employees of ASM EOOD upon assuming office are obliged to observe confidentiality regarding the database, including personal data, as well as not to disclose data and information that became known to them during and on the occasion of the performance of their official duties.

Art. 9. ASM EOOD maintains an internal order as a personal data administrator, providing technical and organizational protection measures.

Section two

DESCRIPTION OF REGISTERS

Art. 10. ASM EOOD maintains the following registers:

Personal data of employees, which are collected, processed and stored in “Employee” Registers;

(2) Personal data of natural persons, representatives of natural persons with whom ASM EOOD works (customers and partners) in the “Counterparties” register

(3) “Video Surveillance”;

(4) “Salaries”

(5) “Sick Lists”

Art. 11. (1) To protect personal data from accidental or illegal destruction, from illegal access, from modification or distribution, as well as from other illegal forms of processing, ASM EOOD organizes and undertakes measures in line with modern technological achievements and the risks associated with the nature of the data , which must be protected.

Section Three

TECHNOLOGICAL DESCRIPTION OF THE SUPPORTED REGISTRIES – DATA CARRIERS, PROCESSING TECHNOLOGY, STORAGE PERIOD AND PROVIDED SERVICES

Art. 12. (1) ASM EOOD collects and processes personal data automatically and non-automated /paper medium/.

Art. 13. (1) The following types of personal data are stored in the “Employees” register:

1. physical identity – names, social security number, address, telephone, passport data;

2. education – document of acquired education, qualification, legal capacity;

3. work activity – according to the attached documents for work experience and professional biography;

4. medical data – a card for a preliminary medical examination for entering work;

5 criminal record certificate where required;

(2) The collection, processing and storage of personal data in the “Employees” Register is regulated in the Instruction on the mechanism of personal data processing and their protection from illegal forms of processing in the “Employees” Register, approved by Order No. 247/25.05.2018 .

(3) Data in the register on paper and technical media are collected, processed and stored in the “Human Resources” sector.

(4) The personal data in the “Employees” register are collected when submitting documents for employment under employment and official legal relationship, with the consent of the data subject (freely expressed, as well as in written form using the form “Application for appointment”; compliance with the principles of personal data protection according to Article 5 of the Regulation).

(5) ASM EOOD does not maintain a separate register of candidates for announced positions for vacant jobs. Data for the aforementioned are stored only in the personal profile of ASM EOOD at www.jobs.bg, under the conditions and requirements of jobs.bg, in connection with the new regulation on Personal Data Protection, with access restricted and protected by a password.

Art. 14 (1) Personal data of natural persons, representatives of the legal entities with which ASM EOOD works are collected and processed in the “Counterparties” register: Name, address, telephone, number in the Registration Agency (BULSTAT, EGN);

(2) The collection, processing and storage of personal data in the “Counterparties” Register is in accordance with the principles of the new Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons in connection with the processing of personal data data and regarding the free movement of such data, and aims to protect the interests of natural persons and natural persons representing legal entities from illegal and dishonest processing of their personal data and is in accordance with the provisions of the Personal Data Protection Act (PAPA), Ordinance No. 1 of 30.01.2013 on the minimum level of technical and organizational measures and the permissible type of personal data protection.

(3) Data in the register on paper and technical media are collected, processed and stored in the “Accounting” department.

(4) The data are collected and processed during the joint work with the specific legal entities, with a commercial purpose (purchase – sale of goods), with freely expressed consent.

Art. 15. (1) The “Video Surveillance” register is filled with data from automatic round-the-clock video surveillance (video image) for the movement of employees and visitors to the approaches to the buildings and premises. Video recordings are stored on a separate personal computer installed in the physical security room.

(2) The data in the register are provided voluntarily by the persons upon entering the building. At the entrances to the building, warning signs have been placed that the site is under permanent video surveillance. Data from this register is stored for 14 days.

(3) The physical protection of personal data is carried out by round-the-clock physical security.

Art. 16. (1) The “Salaries” register contains the following data – name, social security number, identity card number, address, bank account, tax office by place of residence, monthly income;

(2) The physical protection of personal data from the register is organized as an element of the general physical protection of the buildings and work premises under strict control of access to them.

Art. 17. The “Hospital Lists” register contains the following data – name, social security number, address.

Art. 18. ASM EOOD takes the following measures to protect personal data:

(1) software-technical – cryptographic methods and means and protection when transferring the information, reliable and secure identification and authentication of the sender and the recipient of the information and ensuring confidentiality, integrity of the transferred information

(3) physical – a system of measures for the protection of the buildings, premises and facilities in which personal data are created, processed and stored and the control of access to them;

(4) organizational and administrative – regulated by rules and orders of the Manager and/or Procurator of ASM EOOD;

(5) normative, provided for in legal and by-laws and in accordance with the requirements provided for in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons in connection with the processing of personal data and on the free movement of such data.

Art. 19. (1) The storage terms are in accordance with the descriptions in part 2 of the relevant register, as follows:

1. for the “Employees” Register and the “Counterparties” register – 50 years;

2. for the “Video Surveillance” Register – 14 days;

5. for the “Salaries” Register – 50 years;

6, for the “Hospital Lists” Register – 3 years;

(2) ASM EOOD should comply with the technology for safe maintenance and storage, updating, deletion, destruction, etc. of personal data.

Section four

DUTIES RELATED TO PROCESSING AND PROTECTION OF PERSONAL DATA. RIGHTS AND OBLIGATIONS

Art. 20. (1) The persons in charge of personal data protection in ASM EOOD are determined by an Order of the Procurator.

(2) Personal data protection officers have the following powers:

1. ensure the organization of keeping the registers, according to the provided measures to guarantee adequate protection;

2. monitor compliance with the specific measures for protection and access control in accordance with the specifics of the kept registers;

3. carries out control over compliance with the requirements for the protection of registers;

4. controls the observance of the rights of users in relation to the registers and software and technical resources for their processing;

5. specifies the technical resources applied to the processing of personal data;

6. monitors compliance with the organizational procedure for personal data processing, including time, place and order of processing, such as by registering all performed actions with the registers in the computer environment.

7. determines the procedure for storing and destroying information carriers;

8. determines the procedure for setting, using and changing passwords, as well as the actions in case of knowledge of a password and/or cryptographic key;

9. defines rules for conducting regular prevention of computer and communication means, including checking for viruses, for illegally installed software, for the integrity of the database, as well as data archiving, updating of system information, etc. ;

10. conducts periodic control for compliance with data protection requirements and, in case of detected irregularities, takes measures to eliminate them.

Art. 21. The manager of ASM EOOD determines by order the list of persons who process personal data. The lists are drawn up separately for each register.

Art. 22. Employees are obliged to:

1. to process personal data lawfully and in good faith;

2. to use the personal data to which they have access in accordance with the purposes for which they are collected and not to process them further in a manner incompatible with these purposes;

3. to update personal data registers (if necessary);

4. to delete or correct personal data when it is established that they are inaccurate or disproportionate in relation to the purposes for which they are processed;

5. to maintain the personal data in a form that allows identification of the relevant natural persons for a period not longer than necessary for the purposes for which these data are processed;

Art. 23. (1) Employees are responsible for non-compliance with the provisions of this instruction under the Personal Data Protection Act and the Labor Code.

(2) If, as a result of the actions of a relevant personal data processing officer, damage has occurred to a third party, the latter may be held liable under general civil legislation or under criminal law, if the act constitutes a more serious act, for which provides for criminal liability.

Art. 24. (1) Programmatic technical means for personal data protection are the subject of a separate Instruction for the organization of the work and workplaces of employees who are granted rights to work with information systems, approved by Order No. 248/25.05.2018.

The person responsible for organizing the work and workplaces of employees who have been granted rights to work with information systems has the following powers:

1. determines the procedure for storing and destroying information carriers;

2. determines the procedure for setting, using and changing passwords, as well as the actions in case of knowledge of a password and/or cryptographic key;

3. defines rules for conducting regular prevention of computer and communication means, including checking for viruses, for illegally installed software, for the integrity of the database, as well as data archiving, updating of system information, etc. ;

4. conducts periodic checks for compliance with data protection requirements and, in case of detected irregularities, takes measures to remedy them.

(2) When implementing a new software product for the processing of personal data, a special committee should be set up to test and verify the capabilities of the product with a view to complying with the requirements of the Personal Data Protection Act and ensuring their maximum protection against unlawful access, loss , damage or destruction.

Art. 25. (1) The following have the right to access the data in the “Employees” register:

1. The persons to whom the data in the register refer, at their express request expressed in writing (with a Form for access to information from the personal file signed by the person);

2. The Manager and the Procurator of ASM EOOD in the exercise of their powers under the Labor Code.

3. The processors and operators of personal data – the employees of the “Human Resources” sector (defined by Order 247/25.05.2018) and the employees of the company that serves ASM EOOD with the relevant program, specific persons carrying out technical operations on the processing and control of the data. The specific employees of the “Human Resources” sector are allowed password-protected access to the module in the program in which the “Employees” register is maintained.

4. State bodies, duly legitimized with relevant documents – written orders of the relevant body, which indicate the reason, the names of the persons to whom it is necessary to provide access to the personal data.

(2) Data from the register shall not be transferred to third parties. (Outside the company, the personal data of the employees are provided only to public bodies – National Revenue Agency, National Institute of Internal Affairs, Ministry of Internal Affairs, judicial bodies, control bodies, local self-government bodies, according to Art. 24 (1) item 4 of this instruction.

(3) The protection of the premises where personal data is stored is achieved with controlled access with a key and video surveillance.

(4) The persons collecting and processing personal data in the “Employees” register have the following rights and obligations:

1. to use personal data in compliance with the provisions of the Labor Code, in the event of employment and service legal relationships.

2. to use the personal data to fulfill the obligations under the Law on Health Insurance /Health Insurance/.

3. not to export and store personal data outside the places specifically designated for the purpose, regulated by a special access regime;

4. not to use personal data in an unregulated manner /falsification and other types of abuse/.

Art. 26. The following have the right to access the “Counterparties” register:

1. The Manager and the Procurator of ASM EOOD in the exercise of their powers under the Labor Code.

2. Employees from the “Accounting” Department, “Commercial Department”, “Information Technologies” Department, Legal Department and “Logistics” Department – for the purposes of commercial relations with counterparties.

3. Data from the register are not passed on to third parties, with the exception of public, administrative and judicial bodies.

Art. 27. (1) The following have the right to access the data in the “Video Surveillance” register:

1. The persons to whom the data in the register refer, at their express request;

2. The Manager and the Procurator of ASM EOOD in the exercise of their powers under the Labor Code.

3. The official who maintains the “Video Surveillance” register must monitor the serviceability of the equipment used.

4. The processors and operators of personal data – the employees carrying out technical operations on data processing and control.

5. State bodies, duly legitimized with relevant documents – written orders of the relevant body stating the reason, the names of the persons to whom it is necessary to provide access to the personal data.

(2) Data from the register cannot be transmitted electronically.

(3) The official who maintains the “Video Surveillance” register must monitor the serviceability of the equipment used.

(4) The protection of the register is carried out by means of premises with controlled access, which are protected from accidental penetration into them.

Art. 28. (1) The following have the right to access the data in the “Salaries” and “Sick Lists” registers:

1. The persons to whom the data in the register refer, at their express request expressed in writing (with a Form for access to information from the personal file signed by the person);

2. The Manager and the Procurator of ASM EOOD in the exercise of their powers under the Labor Code.

3. The processors and operators of personal data – the employees of the “Human Resources” sector (defined by Order 247/25.05.2018) and the employees of the company that serves ASM EOOD with the relevant program, specific persons carrying out technical operations on the processing and control of the data determined by Order 248/25.05.2018.

4. State bodies, duly legitimized with relevant documents – written orders of the relevant body, which indicate the reason, the names of the persons to whom it is necessary to provide access to the personal data.

(2) The data from the “Salaries” and “Sick Lists” registers

are provided to:

1. Natural persons to whom the data refer;

2. The relevant TDs of the NRA;

3. The relevant TA of the NOI.

4. State bodies duly legitimized with relevant documents – written orders of the relevant body, which indicate the reason, the names of the persons to whom it is necessary to ensure access to personal data for the purposes of their activity.

5. The data from the register can be transmitted electronically to the relevant TDs of the NRA and the National Institute of National Insurance through a qualified electronic signature.

Section Five

ASSESSMENT OF IMPACT AND DETERMINATION OF APPROPRIATE LEVEL OF PROTECTION

Art. 29. Impact assessment is a process for determining the levels of impact on a specific individual or group of individuals, depending on the nature of the personal data processed and the number of affected individuals in the event of breach of confidentiality, integrity or availability of personal data.

Art. 30. Levels of protection:

(1) For the “Employees” Register and the “Counterparties” Register, a degree of protection is defined – “medium level”;

(2) A level of protection is defined for the “Video Surveillance” Register – “low level”;

(3) A “low level” of protection is defined for the “Salaries” and “Sick Lists” registers;

Section Six

TECHNICAL AND ORGANIZATIONAL MEASURES

Art. 31. ASM EOOD has taken protective measures, both technical and organizational, namely:

1. personal data are stored in cabinets with locking devices;

2. work and storage when working with computer systems is secured with anti-virus programs, access passwords;

3. has an electronic signature.

Section Seven

PROTECTIVE ACTIONS IN CASE OF ACCIDENTS, INCIDENTS AND DISASTERS

Art. 32. ASM EOOD takes preventive actions in the protection of personal data by drawing up an action plan in the various cases of force majeure events, namely:

1. protection in case of accidents independent of the company – specific actions are taken depending on the specific situation;

2. fire protection – immediate extinguishing with own means / fire extinguishers / and notification of the relevant authorities;

3. flood protection – measures are taken to limit the spread, and water is pumped out or scooped up with one’s own means.

SUPERVISOR

If you believe that we have violated your rights in relation to your personal data, you can file a complaint with the supervisory authority of Bulgaria, which is the Personal Data Protection Commission. More information can be found at: www.cpdp.bg.

Personal data protection officer of ASM EOOD:

Montana, 5 Gotso Mitov St., e-mail: office@acm-montana.com, phone: 096391515, mobile: 0889524195.

This instruction has been accepted and confirmed by Order of the Procurator of ASM EOOD.