POLICY FOR PROTECTION OF PERSONAL DATA of the company AFI Lagera Tulip EOOD
I. GENERAL PROVISIONS
Art. 1. (1) This policy for protection of personal data regulates the terms and conditions for the processing of personal data and their protection, as well as the procedure for keeping registers of personal data in AFI Lagera Tulip EOOD, UIC 203504721, with registered office and headquarters in the city of Sofia, Krasno selo District, Dobrotitsa Despot str., bl.41, ent.G, ground floor, hereinafter called "the Company".
(2) This policy is issued on the basis of the Personal Data Protection Act and Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Art. 2. (1) This policy aims to regulate:
(2) the procedures, mechanisms and conditions for the lawful processing and storage of personal data;
(3) types of registers of personal data and how to maintain them;
(4) the necessary technical and organizational measures to protect personal data from unauthorized processing (accidental or unlawful destruction, accidental loss or alteration, unauthorized disclosure or access, unauthorized modification or dissemination, and all other unlawful forms of processing of personal data);
(5) the rights and obligations of the Controller of personal data, the Processor of personal data and / or persons having access to personal data and working under the authority of the personal data controller, their liability for non-performance of those obligations;
(6) the rights of the natural persons whose personal data are processed or stored, the so-called data subjects;
(7) reporting, management and incident response procedures.
Art. 3. (1) This policy is mandatory and shall be applied by all persons engaged in labor or civil relations with the Company.
(2) This policy is mandatory and applies to all external consultants who are in a contractual relationship with the Company. External consultants are personal data processors within the meaning of Article 28 of Regulation (EU) 2016/679.
II. USED TERMS AND DEFINITIONS
Art. 4. (1) For the purposes of these rules:
(2) Personal data is any information relating to an individual who is identified or can be identified directly or indirectly by an identification number or by one or more specific features.
(3) Processing of personal data is any operation or set of operations that the Company performs on personal data or a set of personal data, by automated or other means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(4) Controller of personal data is the Company, as well as any other natural or legal person, public body, agency or other entity which, alone or jointly with others, determines the purposes and means for the processing of personal data.
(5) Processor of personal data is any natural or legal person, public body, agency or other entity that processes personal data on behalf of the Company.
(6) A Personal Data Register is any structured set of personal data that is accessible according to defined criteria, whether centralized, decentralized or distributed on a functional or geographic basis.
III. PROCESSING OF PERSONAL DATA
Art. 5. (1) The Company, as a personal data controller, processes personal data through a set of operations performed by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(2) The Company processes personal data either on its own or by assigning the processing to data processors, defining the purposes and the scope of the obligations assigned by the controller, subject to the relevant legal basis under the LPDP (the Law for Personal Data Protection) and Regulation (EU) 2016/679.
(3) Persons processing data on behalf of the Company are all entities related to the Company, whose rights and obligations in relation to the processing are governed by this policy.
Principles of processing
Art. 6. The Company processes personal data in compliance with the following principles:
• Principle of lawful processing - personal data are processed in a lawful, conscientious and transparent way;
• The principle of limited collection - the collection of personal data must be within the necessary limits;
• Principle of Limited Use, Disclosure and Storage - Personal data should not be used for purposes other than those for which they were collected, except with the consent of the individual or in the cases expressly provided for by the law. Personal data should only be stored for as long as is necessary to meet these goals;
• Principle of precision - personal data must be accurate, complete and up to date, as far as is necessary for the purposes for which they are used;
• Security and Privacy Principle - Personal data must be protected by security measures that are responsive to the sensitivity of the information;
Grounds for lawful processing
Art.7. The Company as a personal data controller always processes the personal data under one of the following grounds for lawful processing:
• Legal basis - the processing of personal data is necessary to fulfill a statutory obligation. Such obligations include, for example, the keeping of accounting documents in accordance with the Accounting Act, obligations arising from the Money Laundering Act, as well as all other statutory obligations of the controller;
• Explicit written consent - the natural person, through a written declaration, expressly agrees to the processing of the personal data, stating for what purposes and for what period;
• Performance of a contract - the processing is necessary for the conclusion or performance of a contract by which the natural person to whom the data relate is a party or a representative of the party;
• Public interest - processing is necessary for the performance of a task that is carried out in the public interest.
Art. 8. (1) The Company, as a personal data controller, lawfully processes the personal data for the execution of the services offered by the Company and for that purpose the natural persons have previously stated and expressed their explicit consent.
(2) The Company processes personal data in connection with the provision of the following services, including but not limited to:
• Conclusion of preliminary and final agreements with Buyers with regard to the real estates owned by the Company;
• Concluding contracts for maintenance of the buildings with owners and tenants;
• drafting of all types of contracts, agreements, powers of attorney and any other legal documents related to the main subject of activities of the company concerning sale and rental of real estates;
• signing brokerage agreements with brokerage firms;
(3) The purpose of processing personal data is to uniquely identify individuals, namely buyers, tenants, owners, contractors and clients of the Company. Data processing is most often the result of an explicit written consent and of the fulfillment of a statutory obligation of the data controller.
(4) In connection with the fulfillment of statutory obligations, in the course of carrying out its activity, the Company processes personal data of individuals for the following purposes:
• Identification and exchange of information for the purposes of commercial, social and tax law.
• Identification of clients and verification of the identification of individuals by presenting an official identity document in compliance with the provisions of the Money Laundering Act.
(5) In order to perform the above mentioned services, the data controller collects, records, processes, stores and transmits the following categories of personal data:
• Identifier as names;
• Identity number (PIN) and date of birth;
• Identity card details;
• Address, phone, email address;
• Online identifiers, including IP address, etc.
Art. 9. (1) The Company notifies all persons that it does NOT collect, record, store or process in any way their special categories of personal data within the meaning of Regulation (EU) 2016/679.
Consequence of refusal to provide personal data
Art. 10. (1) In case of a refusal to voluntarily provide the required personal data, the Company will not be able to provide and execute its services.
(2) The explicit consent of the natural persons whose data are processed is not always necessary if the Controller has another legal basis for the processing of personal data - for example, a statutory obligation in relation to the requirements of the Money Laundering Act and the Rules for its application.
IV. REGISTERS WITH PERSONAL DATA
Types of registers
Art. 11. The Company collects and stores personal data for the fulfillment of the objectives set out in Art. 8, keeping the following personal data registers:
1. Register "Clients"
2. Register "Contractors"
Art. 12. (1) "Clients" register contains information and personal data for all clients (Buyers) of the company, who have requested to buy or rent properties.
(2) The controller processes the personal data in the "Clients" Register on the grounds of explicit consent of the individual, within the meaning of Art. 6, para. 1 (a) of Regulation (EU) 2016/679.
(3) In the absence of an explicit consent, the Controller may process the personal data on one of the other grounds specified in Art. 7.
(4) The controller maintains a structured file for each individual client that contains the following categories of personal data:
• Physical identity: names, date of birth, personal ID, citizenship, identity card details, address, telephone, email address and other personal data.
(5) The controller may transfer or disclose personal data from the Client's Register to third parties - recipients for the fulfillment of legal obligations and for the fulfillment of the objectives set forth in Art. 8. Third parties or so-called "recipients" are state authorities, agencies, banks, notaries and insurers, such as the National Revenue Agency, the Registry Agency and the Trade Register maintained by it and all banking institutions.
Register "Website Users"
Art. 13. (1) Register "Website Users" contains information about all users and future clients of the Company who have used the Company's website http://lageratulip.bg by filling in the contact form and sending a request to the Company.
(2) When filling in the contact form on the website the Company collects and processes the following personal data:
• Physical identity: names, phone, email address.
• The user may additionally provide his / her own nationality, address.
(3) The controller processes the personal data in the "Website Users" Register on the basis of the explicit consent of the individual, within the meaning of Art. 6, para. 1 (a) of Regulation (EU) 2016/679. When filling out the contact form, the user gives his / her consent by ticking the checkbox "I agree to process my personal data".
(4) The checkbox "I agree to process my personal data" contains a hyperlink. When pressed, detailed information about the purposes and timing of processing, the rights of individuals, and other information regarding the processing of personal data are displayed.
Art. 14. The Register of Contractors shall contain information and personal data about all contractors with whom the Company is in contractual relations, as well as for all persons involved in the process of carrying out the activity of the Company.
Art. 15. The controller shall keep a structured file for each individual counterparty containing the following groups of personal data:
• Physical identity of the representatives of the companies-contractors: names, personal ID, citizenship, address, telephone, email address.
Art. 16. The Company keeps registers with personal data in paper or technical form.
Art. 17. The form of organization and storage of personal data on paper:
(1) The form of organization and storage of personal data is written (documentary).
(2) The folders are located in the office cabinets, and access to them is controlled. The provision, modification or termination of authorized access to the registers is controlled by the Data Controller.
(3) Location of the cabinet - it can be placed in a room designed for the individual work of the personal data processor or in a common room shared with other activities;
(4) Form for the provision of the data by the natural persons - the personal data of each person shall be collected in pursuance of the purposes set out in Art. 8 through the following forms:
• Oral;
• Paper carrier - by providing a written application containing the data of the individual;
(5) The personal data of the persons shall be submitted to the personal data controller and to the authorized person appointed to process them - the personal data processor.
(6) Access to personal data - only the personal data processor has such access.
Art. 18. Form of organization and storage of personal data on a technical medium:
(1) Personal data shall be stored on the hard disk of the personal data processor's computer as well as on a central server in the computer network. The computer is connected to the local network with secured access to personal data, as only the personal data processor has access to it.
(2) When processing the data, the corresponding software products are used. They can be adapted to the specific needs of the data controller. Data is input to the computer from a hard copy.
(3) Only personal data processors have access to the personal data on a technical medium. Access to the computers and the central server is granted after entering a password unique to each of the processors.
(4) Location of the computers - in a room for the independent work of the personal data processor.
(5) The protection of electronic data from unauthorized access, corruption, loss or destruction is ensured by maintaining antivirus programs, periodically archiving data on separate electronic media, and storing the information on paper. The system administrator is responsible for archiving data on the central server as well as for the data on isolated computers used by the data processors.
Term for processing personal data
Art. 19. The personal data saved in the above registers are processed for the following terms:
(1) The personal data saved in Register "Clients", processed on the basis of explicit written consent, are processed until the end of the term stated in the written declarations, and this term shall be no longer than 10 years. The personal data shall be deleted or transferred to another controller after the expiration of the term or after withdrawal of the written consent of the natural person.
(2) The personal data saved in Register "Website Users", processed on the basis of explicit written consent, are processed until the end of the term stated in the written declarations, and this term shall be no longer than one year. The personal data shall be deleted or transferred to another controller after the expiration of the term or after withdrawal of the written consent of the natural person.
(3) The personal data saved in Register "Contractors", processed on the basis of performance of a contract, are processed until the end of the contract, and this term shall be no longer than 5 years. The personal data shall be deleted or transferred to another controller after the expiration of this term.
Updating the personal data
Art. 20. (1) Updating of personal data is an addition or modification of existing information in the Company. An update of personal data is made on the following occasions:
• at the request of the natural person to whom the personal data relate, when he or she has found that there is an error or incompleteness in them and certifies this with a document;
• at the initiative of the processor of personal data - if there is a document justifying an update;
• if an error has occurred in the processing of personal data by the controller or the processor of personal data.
(2) When personal data are updated, the file shall be updated with the registration number of the document, the source of the updated data and the date of the update. The update is performed by the person processing the personal data.
Transfer of personal data to third countries
Art. 21. (1) The controller may transfer personal data to third countries for which the European Commission has officially issued a decision that the third country provides an adequate level of protection.
(2) When transferring personal data, the Controller shall implement the procedures of Articles 44, 45 and 46 of Regulation (EU) 2016/679.
V. PERSONAL DATA SECURITY MEASURES
Art. 22. The Controller shall undertake the following technical and organizational measures to protect data from accidental or unlawful destruction or from accidental loss, unauthorized access, alteration or distribution, as well as from other unlawful forms of processing.
Art. 23. The physical protection of personal data shall be in accordance with the following measures:
1. The personal data from the registers shall be processed in the offices of the persons authorized under Art. 5, para. 3.
2. All paper documents containing personal data are stored in locked cabinets in a restricted-access area only for authorized persons.
3. The elements of the communication and information systems used for the processing of personal data are located in a locked cabinet in a restricted-access area only for authorized persons.
4. Access to the areas, where personal data are stored and processed is strictly controlled by a system for physical access. Only authorized persons through a special device have direct access to the areas. External persons do not have free access.
5. The areas are equipped with fire alarm and fire extinguishing systems.
6. Access to the building where the office is located is controlled by a security system, including camera surveillance. Security and camera surveillance are provided by an external consultant responsible for security, camera surveillance and overall access to the office building. The relationship between the controller and the external consultant is regulated by a contract.
Art. 24. The personal protection of personal data shall be in accordance with the following measures:
1. Persons processing personal data are fully acquainted with the data protection regulations, as well as with the present policy, when they take up the job.
3. Persons processing personal data, when entering into employment, undertake an obligation not to disclose personal data by signing their labor agreement or a special declaration.
4. The processing of personal data is performed only by authorized persons in compliance with the "need to know" principle.
Art. 25. The documentation protection of personal data shall be in accordance with the following measures:
1. The registers under Art. 11, item 1, item 3 and item 4 shall be kept on paper and on a technical basis.
2. Access to the register shall be granted to the persons under Art. 5, para. 3 in accordance with the "need to know" principle.
3. The personal data are collected only for a specific purpose, in accordance with the legal requirements. Data are classified according to their purpose and nature and shall be stored in lockable cabinets in restricted areas.
4. The terms for the processing of personal data for each specific register are defined in Art. 19.
5. The personal data may be copied and multiplied only by authorized persons, if it is necessary for the performance of official duties or if they are properly requested by state authorities in compliance with legal requirements.
6. After the expiration of the processing period or in case of a dropped processing ground, personal data shall be destroyed by a special device (shredder).
Protection of automated information systems and networks
Art. 26. The protection of automated information systems and networks shall be in accordance with the following measures:
1. The registers under Art. 11, items 1-4 shall be stored on a technical carrier - a central server.
2. Every authorized person, processing personal data has a separate personal account for access to his / her computer and a separate personal account for access to the central server. Access is through unique usernames and passwords (identification and authentication).
3. Working computer configurations, as well as all IT infrastructure, including Internet access, are used only for business purposes in pursuance of Art. 8.
4. The controller creates and maintains standard and secure configurations for each computer and network platform, including standard and basic security system configurations, firewalls, routers and network devices. An antivirus program is installed for data protection, and periodic maintenance of the software and system files is performed.
5. For all computer configurations, servers, and communication tools that support the proper maintenance of databases, uninterruptible power supplies (UPSs) are provided.
6. Access to the areas where computers and communication equipment is located is strictly controlled by a physical access control system. Only authorized persons through a special device have direct access to the areas. External persons do not have free access.
7. The overall maintenance and prevention of automated information systems and networks is carried out by an external information service specialist. The information service specialist is responsible for periodic and regular checks of the security systems and the protection of automated information systems and networks.
8. The external information service specialist provides copying and back-up capabilities for data stored on the central server.
IT policies for protection of personal data
9. The external information service specialist regulates his / her relationship and responsibilities in protecting automated information systems and networks with the controller through an additional IT data protection policy.
Art. 27. The controller uses standard cryptographic capabilities of operating systems, database management systems, and communications equipment.
Data protection assessment and impact levels
Art. 28. (1) The controller shall carry out an impact assessment periodically, every two years, or when the nature of the personal data processed changes.
(2) In the impact assessment, the controller analyzes the nature of the data processing. For this purpose, the controller performs a systematization and assessment of the personal aspects related to the natural person, or "profiling". The controller checks and reports whether there is a change in the type of data processing, or whether special categories of personal data are collected, or personal data are processed in large-scale personal data registers, which according to a decision of the Commission for Data Protection endangers the rights and legitimate interests of the natural persons.
Procedure for deletion of personal data
Art. 29. (1) The controller shall delete the stored personal data when one or more of the following applies:
• the consent for processing personal data has been withdrawn;
• the contract has been executed, when the ground is performance of a contract;
• other grounds for deletion of personal data under the legal acts for the protection of personal data.
(2) The controller determines by an order the persons responsible for the deletion of the personal data among the persons under Art. 5, para. 3.
(3) Personal data stored on paper carrier shall be destroyed by a special shredder device. For the deletion of personal data, a protocol describing the categories of deleted personal data shall be made and signed by the authorized persons.
(4) Personal data stored on a technical carrier shall be destroyed by automated actions for deleting the data from the employees' computers and from the central server.
Notification to the Commission for personal data protection in case of a security breach
Art. 30. (1) In case of a breach of the security of personal data, the controller is obliged, without undue delay and no later than 72 hours, to notify the data protection supervisory authority, namely the Commission for personal data protection, when the breach of security poses a risk to the rights and freedoms of the natural persons.
(2) When the processors of personal data detect a personal data breach, they shall, without undue delay and no later than 24 hours, notify the controller, who shall perform the procedure under paragraph 1.
(3) The controller sends the notification to the Commission for personal data protection in compliance with the requirements of Article 33 of Regulation (EU) 2016/679 and the Personal Data Protection Act.
VI. NATURAL PERSONS RIGHTS
Right of information and access to personal data
Art. 31. (1) Any natural person who has reason to believe that the controller processes personal data relating to him has the right to submit a written application with a request for the provision of the information under Art. 15 item 1 of Regulation (EU) 2016/679 and for access to his personal data.
(2) The application contains the name of the person and other identification data - PIN, correspondence address, description of the request, preferred form of granting access to the personal data, signature and date; and a power of attorney when the application is filed by an authorized person. The application is entered into the controller's general inbox.
Right of correction
Art. 32. (1) A natural person for whom personal data are processed has the right to ask the controller to correct inaccurate personal data related to him.
(2) For this purpose, the natural person shall personally complete or send a correction request to the controller's address, specifying exactly and clearly what corrections should be made.
Right to erasure
Art. 33. (1) A natural person for whom personal data are processed shall have the right to ask the controller to delete the personal data related to him if one of the following grounds applies:
• the natural person withdraws his consent, on which the processing is based;
• the personal data are no longer needed for the purposes for which they were processed;
• the personal data are being processed unlawfully.
(2) The natural person sends a Request for erasure of personal data, whereby the controller is obliged to delete all personal data if one of the above conditions applies, following the procedure for the deletion of personal data in Art. 28.
Right to withdraw the consent
Art. 34. Any natural person for whom the processing is on the grounds of explicit consent is entitled at any time to withdraw his consent.
Right to restrict the processing
Art. 35. A natural person for whom personal data are processed shall have the right to require the controller to restrict the processing of personal data related to him where the grounds in Art. 18 item 1 of Regulation (EU) 2016/679 are present.
Right of portability
Art. 36. A natural person for whom personal data are processed has the right to obtain personal data related to him in a structured, widely used and machine-readable form. If it’s technically possible, the controller may transfer the data directly to another controller, under the express request of the natural person.
Right of objection
Art. 37. A natural person for whom personal data are processed may at any time object to the processing of personal data, including profiling and processing for direct marketing purposes.
Right to file a complaint to the supervisory authority
Art. 38. The natural person has the right to file a complaint before the supervisory authority, namely the Commission for personal data protection, in the form and with the requisites specified in the Personal Data Protection Act.
Procedure for fulfillment of the rights under Chapter IV.
Art. 39. (1) For the fulfillment of the rights under Chapter VI, the natural persons submit or send their applications and requests personally or by courier to the address of the controller, namely Sofia, Krasno selo District, Dobrotitsa Despot str., bl.41, ent.G, ground floor, or to email: firstname.lastname@example.org.
(2) The Company provides standardized forms for the above-mentioned applications and requests for the exercise of your rights under Chapter VI. If you do not use them, your Application or Request should contain: the name of the applicant and other identification data, the Personal Identification Number, the address for correspondence, the right you wish to exercise, the exact description of the request, all the circumstances surrounding the request, a preferred form of granting access to personal data, signature and date; and a power of attorney when the application is filed by an authorized person.
(3) Access to the person's data is provided in the form of:
1. verbal reference;
2. a written reference;
3. personal data review;
4. providing a copy of the requested information.
(4) The controller shall perform a check within 14 days of receiving the Application or the request under paragraph 2, or within 30 days, respectively, where more time is needed to collect the person's personal data due to possible difficulties in the controller's activity.
(5) The controller shall perform all acts for exercising the rights of the natural persons who have applied to him without undue delay, within 14 days of receiving the application or the request. The controller sends a notification to the natural person with information on the result of his request.
(6) After conducting the check under Art. 29, the controller shall notify the Applicant under paragraph 2 of the results, in accordance with the chosen method of granting the decision.
(7) If the check under Art. 29 has concluded with a result establishing that no personal data are being processed with respect to the Applicant, the controller shall inform him of the lack of personal data related to him.
(8) If the check under Art. 29 has concluded with a result establishing that personal data are being processed with respect to the Applicant, the controller shall provide the following information:
• data for the controller, processing personal data;
• the processing goals;
• the lawful grounds for processing;
• the relevant categories of personal data;
• recipients or categories of recipients of personal data;
• term for processing the personal data;
• other information, related to the personal data;
(8) The controller shall perform and provide information to the natural persons for all Applications or requests.
V. Intellectual Property Rights and Limitation of Liability
Art. 40.1 The website http://lageratulip.bg is the exclusive intellectual property of Afi Lagera Tulip EOOD. All website content (such as information, data, brands, logos, pictures, graphics, drawings, schemes, and any other distinctive features in general of all digital files) and the services of the website are defined as Intellectual Property of the Company, protected by Bulgarian, Community and international copyright, intellectual and industrial property laws.
40.2 No part of the above content of the Website may be sold, copied, reproduced, modified, transmitted, republished and / or disseminated in any way or by any means, in whole or in part, unless the Company has agreed to this in writing.
Limitation of Liability.
40.3. The Company is not responsible for damages arising from the access or inability to access the Company's site, as well as lost profits in connection with the access or inability to access or obtained information from the site.
V. CLOSING PROVISIONS
Art. 41 (1) The present data protection policy is approved by the representatives of the Company.
(2) The Company has the right to unilaterally change the current policy for protection of personal data in order to implement future changes in the legal acts in the field of personal data protection.
(3) The present policy, as well as all its Appendices, are adopted in two versions - in Bulgarian and in English. In case of discrepancy or contradiction between the English and Bulgarian texts, the Bulgarian text shall prevail.