Policy on Personal Data Protection
1. Who are we?
„EUSYSTEM“ LTD.– company, registered on the territory of Republic of Bulgaria, headquarters and address of management: the city of Sofia, Mladost 4 residence estate, bl. 451, entr. 1. fl. 1, apt. 2 , UIC: 205849098, phone: 0877 077 753 and email: email@example.com
In connection with its activity – software for organization of the service activity - „EUSYSTEM“ Ltd. - „the Company“ processes data, including personal data, as per the Law on Personal Data Protection and Regulation (EU) 2016/679, therefore it is considered as controller of personal data
The present policy aims to inform the users of www.eusystem.eu how their personal data is processed and also about their rights methods for personal data protection, used by the controller, to whom the Company is allowed to transfer the collected personal data as well as the methods for the data subjects to exercise their rights.
GDPR is the general regulation for personal data protection (Regulation 2016/679 of the European Parliament and the Council). The Regulation significantly increases the rights of the European citizens and also assigns more obligations to the organization, collecting and processing personal data. This is effective since 25.05.2018 and shall be applicable in all EU member-states.
Personal data are collected for particular, explicitly listed and legitimate purposes and they are not subject of further processing, incompatible with those purposes.The processing is fulfilled legally, earnestly and in transparent manner regarding the data subject.
3. Purpose and scope of the Policy:
The present Policy on Personal Data Protection helps „EUSYSTEM“ LTD. to report the confidentiality and the inviolability of the personal data. In line with the legislation and the good practices the Company applies the required technical and organizational measures for protection of the personal data of the individuals.
By the present Policy for Personal Data Protection the Company targets to inform the individuals for the purposes of processing personal data, the recipients or the categories of recipients, to whom the data may be disclosed, the obligatory or the voluntary nature of providing data and the consequences from a refusal to provide it, information on right of access and correction of collected data.
4. Terms definitions:
„personal data“ means any information, related to the identification of an individual or an individual, that may be identified („data subject“); an individual that may be identified is a person, that may be identified, directly or indirectly, especially through an identification index like name, identification number, location data, online identification or one or more features, specifically for the physical the physical, genetic, psychological, mental, economic, cultural or social identity of that individual;
„genetic data“ means personal data relating to an individual's inherited or acquired genetic traits which give unique information about the characteristics or health of that individual and which are obtained, in particular, from the analysis of a biological sample of the same individual;
„biometric data“ means personal data obtained as a result of specific technical processing which relate to the physical, physiological or behavioral characteristics of an individual and which allow or confirm the unique identification of that individual, such as facial images or dactyloscopic data;
„consent of the data subject“ means any freely expressed, specific, informed and unambiguous indication of the data subject's will, by means of a statement or clearly confirmatory action, which expresses his or her consent to the processing of personal data relating to him or her;
„processing“ means any operation or set of operations carried out with personal data or a set of personal data by automatic or other means such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing, transmitting, distributing or otherwise the way the data is made available, arranged or combined, restricted, deleted or destroyed;
„controller“ means a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for determining it may be laid down in the EU legislation or in the law of a Member State;
„personal data processor“ means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
„representative“ means a natural or legal person established within the Union who is appointed by the controller or processor in writing in accordance with Art. 27 and represents the controller or processor in relation to their respective obligations under Regulation (EU) 2016/679;
„recipient“ means a natural or legal person, public authority, agency or any other body to which personal data are disclosed, whether a third party or not. However, public authorities which may obtain personal data in the context of a specific investigation in accordance with Union or Member State law shall not be considered as „recipient“; the processing of this data by those public authorities complies with the applicable data protection rules in accordance with the purposes of the processing;
„supervisory body“ means an independent public body, established by a member-state and responsible for the observation of the application of Regulation (ЕС) 2016/679.
„violation of personal data security“ means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data which is transmitted, stored or otherwise processed.
„profiling“ means any form of automated processing of personal data, expressed in the use of personal data for the assessment of certain personal qualities related to an individual and more – precisely for analyzing and forecasting of aspects, concerning the fulfillment of the professional obligations of this individual, its economic condition, health, personal preferences, interests, reliability, behavior, location, or movement;
5. Main principles, related to the processing of personal data, we observe:
- legal, earnest and transparent processing of personal data
- processing of personal data for particular purposes
- minimizing data
- accuracy and maintenance up to date
- storage restriction
- completeness and confidentiality
6. Purpose of the processing:
„EUSYSTEM“ Ltd. process personal data for implementing activities – software for organization of the service activity.
Personal data is collected for specific, precisely defined by law purposes, must be processed lawfully and in good faith. The data shall not be further processed in a manner incompatible with these purposes. Further processing of personal data for archiving purposes in the public interest, for scientific, historical research or statistical purposes shall not be considered incompatible with the original purposes.
The Company does not collect personal data for marketing and advertisement purposes. The data, collected by „EUSYSTEM“ LTD is done entirely and only after explicit, free, clear and informed consent of the user, marked by the latter after reading the present policy for personal data protection.
Out of the scope of the above-listed purposes and in connection with the principles, listed in Art. 5 of Regulation (EU) 2016/679, „EUSYSTEM“ Ltd. does not collect and process other personal data of its workers . Employees, partners and clients. The Company does not process personal data for the purposes of automated decision making, incl. „profiling“. The Organization collects data from the data subject.
7. The company collects personal data only when:
-it has received clear, free, informed and unambiguous consent of data subjects who are aware in advance of what their personal data will be used for with this policy.;
- when there is a contractual obligation, in order to perform a contract, one party being the natural person (when the Company processes data of its employees) and for the exercise, establishment and protection of rights and legitimate interests;
- when processing is necessary to perform a task performed in public interest (according to EU or national law);
8. What kind of data are collected and processed:
Important: „EUSYSTEM“ Ltd. does not collect, nor process sensitive data for its clients and site users www.eusystem.eu.
Data collected and processed are, as follows:
- First and family name of the user – for the purpose of identifying the subject, when an enquiry is sent;
- Electronic address – for quick and easy correspondence;
- Phone – for contact, if needed;
- Others, admissible under the Regulation, if needed for the implementation of obligation of the Company or related to a particular service.
The provider of personal data is entitled to restrain from sharing all persona data required. In cases when those personal data are required for the implementation of a particular service, definite specialized function or effective answer of a given enquiry (excl. direct marketing) - „EUSYSTEM“ LTD wouldn’t be able to fulfill the enquiry, because of lack of data, for which the user is specifically informed, through the means of the personal data policy.
9. Recepients of personal data, to whom the Company is entitled to disclose data:
The company provides personal data to the competent state authorities and institutions when required by the legislation of the country and in accordance with the rules set out therein (for example: National Revenue Agency, National Social Security Institute, Employment Agency, judicial and investigative bodies, health institutions, etc.). It also provides the personal data of individuals to accounting companies, banking institutions, HR agencies and mobile operators for statutory purposes or those specified in a contract concluded with the individuals.
Personal data of users www.eusystem.eu shall not be provided to third entities, outside the scope of the legislative requirements. The Organization does not provide personal data to Parties, outside the EU.
10. Rights of the individuals – data subjects:
The measures taken to protect personal data in accordance with the requirements of Regulation (EU) 2016/679 are aimed at ensuring the protection of the rights of personal data subjects, namely:
- Access right;
- Right to correct incomplete or inaccurate data;
- Deletion right (the right „to be forgotten“), if the terms and condition of Art. 17 of Regulation (EU) 2016/679 are applicable;
- Right to restrict the processing;
- Right to data portability, if the terms and conditions for portability under Art. 20 of Regulation (EU) 2016/679 are applicable;
- Right of objection, if the terms and conditions of Art. 21 of Regulation (ЕС) 2016/679 are applicable;
- Right of appeal in front of the Commission for personal data protection or Regional Court
- Right of the data subject not to be a subject of decision, grounded only on automatic processing, including profiling;
11. Period for data storage:
When the controller of personal data „EUSYSTEM“ LTD processes data for a period as per the provided in the current legislation and in line with the principle for restriction of storage.
The remaining data shall be stored for different periods of time, depending on the type of data, determining the legal obligation for processing, including storage.
- in case of enquiry from the form on the website, the data shall be stored for 6 months, or as long as it is needed, for all points of view of the enquiry to be clarified and the client to receive a satisfactory answer.
- personal data of workers / Employees of „EUSYSTEM“ LTD shall be stored and processed for a longer period, considering the requirements of the Accountancy Law;
12. Responsibility of the Company for personal data protection:
In connection with the responsibility of the Personal Data Controller, introduced with Regulation (ЕU) 2016/679 and the Law on Personal Data Protection, and for the purposes of provision of adequate data protection, the Company shall apply all required organizational and technical measures for the individuals personal data protection. For the purposes of maximum security at processing, transfer and storage of personal data, the Organization uses mechanisms for data protection, such as storage in electronic form and on paper.
Computer access through the local network to files, consisting of personal data shall be fulfilled only by Employees of „EUSYSTEM“ LTD. or an official in data protection, authorized by the regulated rights, only from their physical working place, from a specially designated computer and after system identification with an user name and password. The Employees turn off the local computer after working hours.
In order to promote the access security, the Employees shall obligatory change their passwords on a period of time, determined by „EUSYSTEM“ LTD. but not longer than 2 months. For the fulfillment of the personal data protection functions, the Company uses only licensed operation system. The usage of any unlicensed software is prohibited to be used.
Only specially designated parties shall install program products on the office computers; and those are IT-specialists.
13. Policy change:
The Company shall be entitled to update, amend and supplement the personal data protection policy at any future time, when needed.
14. Contact data of the personal data controller:
адрес: the city of Sofia, 4 Mladost residence estate, bl. 451, entr. 1. fl. 1, apt. 2
phone number: 0877 077 753
Supervisory body for data protection:
Supervisory body for data protection on national level is the Commission for Personal Data Protection. It observes the correct application of Regulation (ЕU) 2016/679 and any individual, who considers that his rights in connection with the personal data protection are violated , may submit an appeal with the Commission on the following address:
Address: the city of Sofia, Str. “Prof. Tsvetan Lazarov” № 2