{"id":12334,"date":"2021-09-28T14:14:05","date_gmt":"2021-09-28T14:14:05","guid":{"rendered":"https:\/\/sr-management.bg\/privacy-policy\/"},"modified":"2021-09-28T14:14:05","modified_gmt":"2021-09-28T14:14:05","slug":"privacy-policy","status":"publish","type":"page","link":"https:\/\/sr-management.bg\/nl\/privacy-policy\/","title":{"rendered":"Privacy policy"},"content":{"rendered":"<div class=\"wpb-content-wrapper\"><p>POLICY FOR PROTECTION OF PERSONAL DATA of \u201cSR MANAGEMENT AND CONSULTING\u201d EOOD<\/p>\n<p>I. GENERAL PROVISIONS<\/p>\n<p>Art. 1. (1) The present policy for protection of personal data regulates the terms and conditions for the processing of personal data and their protection, as well as the procedure for keeping registers of personal data in \u201cSR MANAGEMENT AND CONSULTING\u201d EOOD, a sole limited liability company, duly incorporated and valid under the laws of the Republic of Bulgaria, registered in the Commercial Register under UIC 203504721, with registered office and headquarters in the city of Sofia 1407, Triaditza district, 1G Dimitar Manchev Str., ent. A, floor 5, apt. H5.2.<br \/>\n(2) This policy also applies to the website http:\/\/sr-management.bg, owned by SR MANAGEMENT AND CONSULTING EOOD, UIC 203504721.<br \/>\n(3) This policy is issued on the basis of the Personal Data Protection Act and Regulation (EU) 2016\/679 on the protection of individuals with regard to the processing of personal data and with regard to the free movement of such data.<\/p>\n<p>Goals<br \/>\nArt. 2. 
(1) This policy aims to regulate:<br \/>\n(2) the procedures, mechanisms and conditions for the lawful processing and storage of personal data;<br \/>\n(3) types of registers of personal data and how to maintain them;<br \/>\n(4) the necessary technical and organizational measures to protect personal data from unauthorized processing (accidental or unlawful destruction, accidental loss or alteration, unauthorized disclosure or access, unauthorized modification or dissemination, and all other unlawful forms of processing of personal data);<br \/>\n(5) the rights and obligations of the Controller of personal data, the Processor of personal data and \/ or persons having access to personal data and working under the authority of the personal data controller, and their liability for non-performance of those obligations;<br \/>\n(6) the rights of the individuals whose personal data are processed or stored (the so-called data subjects);<br \/>\n(7) reporting, management and incident response procedures.<\/p>\n<p>Scope<br \/>\nArt. 3. (1) This policy is mandatory and shall be applied by all employees of \u201cSR MANAGEMENT AND CONSULTING\u201d EOOD, engaged in labor or civil relations.<br \/>\n(2) This policy is mandatory and applies to all external consultants who are in a contractual relationship with \u201cSR MANAGEMENT AND CONSULTING\u201d EOOD. External consultants are personal data processors within the meaning of Article 28 of Regulation (EC) 2016\/679.<\/p>\n<p>II. USED TERMS AND DEFINITIONS<\/p>\n<p>Art. 4. 
(1) For the purposes of these rules:<\/p>\n<p>(2) Personal data is any information relating to an individual who is identified or can be identified directly or indirectly by an identification number or by one or more specific features.<br \/>\n(3) Processing of personal data is any operation or set of operations that \u201cSR MANAGEMENT AND CONSULTING\u201d EOOD performs with personal data or a set of personal data by automatic or other means, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or other means by which data becomes available, alignment or combination, restriction, erasure or destruction.<br \/>\n(4) Controller of personal data is \u201cSR MANAGEMENT AND CONSULTING\u201d EOOD, as well as any other natural or legal person, public body, agency or other entity which, alone or jointly with others, determines the purposes and means for the processing of personal data.<br \/>\n(5) Processor of personal data is any natural or legal person, public body, agency or other entity that processes personal data on behalf of \u201cSR MANAGEMENT AND CONSULTING\u201d EOOD.<\/p>\n<p>(6) A Personal Data Register is any structured set of personal data that is available under defined criteria, whether centralized, decentralized or distributed on a functional or geographic basis.<\/p>\n<p>III. PROCESSING OF PERSONAL DATA<\/p>\n<p>Art. 5. (1) \u201cSR MANAGEMENT AND CONSULTING\u201d Ltd. 
as a personal data controller processes personal data through a set of actions with automatic or non-automatic means such as collecting, recording, organizing, structuring, storing, adapting or changing, retrieving, consulting, using, disclosing by transmission, distributing or otherwise making data available, arranging or combining, restricting, deleting or destroying.<br \/>\n(2) \u201cSR MANAGEMENT AND CONSULTING\u201d EOOD processes the personal data either on its own or by assigning the processing to data processors, defining the objectives and the volume of the obligations assigned by the controller, subject to the relevant legal basis, according to LPDP (The law for personal data protection) and Regulation (EC) 2016\/679.<\/p>\n<p>(3) The persons processing data on behalf of \u201cSR MANAGEMENT AND CONSULTING\u201d EOOD are all employees of the Company, whose rights and obligations in relation to processing are governed by this policy.<br \/>\n(4) The Controller may designate external consultants, such as lawyers, accountants and information service specialists, to process personal data on its behalf to fulfill the purposes set out in Article 8. In that case, the relationship between the controller and the external consultants shall be regulated by the contract between them. This privacy policy is mandatory and is also complied with by external consultants acting on behalf of the Controller.<br \/>\nPrinciples of processing<\/p>\n<p>Art. 6. \u201cSR MANAGEMENT AND CONSULTING\u201d Ltd. 
processes the personal data in compliance with the following principles:<br \/>\nPrinciple of lawful processing \u2013 personal data are processed in a lawful, conscientious and transparent way;<br \/>\nPrinciple of limited collection \u2013 the collection of personal data must be within the necessary limits;<br \/>\nPrinciple of limited use, disclosure and storage \u2013 personal data should not be used for purposes other than those for which they were collected, except with the consent of the individual or in the cases expressly provided for by the law. Personal data should only be stored for as long as is necessary to meet these goals;<br \/>\nPrinciple of precision \u2013 personal data must be accurate, complete and up to date, as far as is necessary for the purposes for which they are used;<br \/>\nSecurity and privacy principle \u2013 personal data must be protected by security measures that are responsive to the sensitivity of the information.<\/p>\n<p>Grounds for lawful processing<\/p>\n<p>Art. 7. \u201cSR MANAGEMENT AND CONSULTING\u201d Ltd. as a personal data controller always processes the personal data under one of the following grounds for lawful processing:<br \/>\nLegal basis \u2013 the processing of personal data is necessary to fulfill a statutory obligation. 
Such obligations include, for example, the keeping of accounting documents in accordance with the Accounting Act, obligations arising from the Money Laundering Act, as well as all other statutory obligations of the controller;<br \/>\nExplicit written consent \u2013 the natural person, through a written declaration, expressly agrees to the processing of the personal data, stating for what purposes and for what period (Appendix 1);<br \/>\nPerformance of a contract \u2013 the processing is necessary for the conclusion or performance of a contract to which the natural person to whom the data relate is a party or a representative of the party;<br \/>\nPublic interest \u2013 processing is necessary for the performance of a task that is carried out in the public interest.<br \/>\nProcessing Goals<\/p>\n<p>Art. 8. (1) \u201cSR MANAGEMENT AND CONSULTING\u201d Ltd., as a personal data controller, lawfully processes the personal data for the execution of the services offered by the Company and for that purpose the natural persons have previously stated and expressed their explicit consent.<br \/>\n(2) \u201cSR MANAGEMENT AND CONSULTING\u201d Ltd. processes personal data in connection with the implementation of the following services, among others:<\/p>\n<p>preparation and establishment of commercial companies;<br \/>\nlegal services such as consultations and drafting of all types of contracts, agreements, powers of attorney and any other legal documents;<br \/>\nmediation for opening bank accounts;<br \/>\naccounting and financial services;<br \/>\nadvertising and marketing services;<br \/>\nmanagement and business development of commercial companies.<br \/>\n(3) The purpose of processing personal data is to uniquely identify individuals, namely contractors, clients, current and future employees of the Company. 
Data processing is most often the result of an explicit written declaration of consent and fulfillment of a statutory obligation of the data controller.<br \/>\n(4) In connection with the fulfillment of statutory obligations, in the course of carrying out its activity, the Company processes personal data of individuals for the following purposes:<\/p>\n<p>Identification and exchange of information for the purposes of commercial, labor, social and tax law.<\/p>\n<p>Identification of clients and verification of the identification of individuals by presenting an official identity document in compliance with the provisions of the Money Laundering Act.<br \/>\n(5) In order to perform the above mentioned services, the data controller collects, records, processes, stores and transmits the following categories of personal data:<br \/>\nIdentifiers such as names;<br \/>\nIdentity number (PIN) and date of birth;<br \/>\nIdentity card details;<br \/>\nAddress, phone, email address;<br \/>\nOnline identifiers, including IP address, etc.<br \/>\nArt. 9. (1) \u201cSR MANAGEMENT AND CONSULTING\u201d Ltd. notifies all persons that it does NOT collect, record, store or process in any way their Special categories of personal data within the meaning of Regulation (EC) 2016\/679.<br \/>\n(2) \u201cSR MANAGEMENT AND CONSULTING\u201d EOOD, subject to the legal requirements of labor and social security law, may occasionally process, only for its employees, Special categories of personal data within the meaning of Regulation (EC) 2016\/679, including personal data relating to the health of its employees such as sick leaves, medical certificates on taking up employment and other medical documents.<br \/>\nConsequence of refusal to provide personal data<\/p>\n<p>Art. 10. 
(1) In case of a refusal to voluntarily submit the required personal data, \u201cSR MANAGEMENT AND CONSULTING\u201d EOOD will not be able to provide and execute its products and services.<br \/>\n(2) The explicit consent of the natural persons whose data are processed is not always necessary if the Controller has another legal basis for the processing of personal data \u2013 for example a statutory obligation in relation to the requirements of the Money Laundering Act and the Rules for its application.<br \/>\nIV. REGISTERS WITH PERSONAL DATA<\/p>\n<p>Types of registers<br \/>\nArt. 11. \u201cSR MANAGEMENT AND CONSULTING\u201d Ltd. collects and stores personal data for the fulfillment of the objectives set out in Art. 8, keeping the following personal data registers:<\/p>\n<p>1. Register \u201cClients\u201d<br \/>\n2. Register \u201cWebsite users\u201d<br \/>\n3. Register \u201cContractors\u201d<br \/>\n4. Register \u201cEmployees and job applicants\u201d<\/p>\n<p>Register \u201cClients\u201d<br \/>\nArt. 12. (1) The \u201cClients\u201d register contains information and personal data for all clients of \u201cSR MANAGEMENT AND CONSULTING\u201d EOOD who have requested any of the services offered by the Company.<br \/>\n(2) The controller processes the personal data in the \u201cClients\u201d Register on the grounds of explicit consent of the individual, within the meaning of Art. 6, para. 1 (a) of Regulation (EU) 2016\/679.<\/p>\n<p>(3) In the absence of an explicit consent, the Controller may process the personal data on one of the other grounds specified in Art. 
7.<br \/>\n(4) The controller maintains a structured file for each individual client that contains the following categories of personal data:<\/p>\n<p>Physical identity: names, date of birth, personal ID, citizenship, identity card details, address, telephone, email address and other personal data.<br \/>\n(5) The controller may transfer or disclose personal data from the Client\u2019s Register to third parties \u2013 recipients for the fulfillment of legal obligations and for the fulfillment of the objectives set forth in Art. 8. Third parties or so-called \u201crecipients\u201d are state authorities, agencies, banks and insurers, such as the National Revenue Agency, the Registry Agency and the Trade Register maintained by it and all banking institutions.<br \/>\nRegister \u201cWebsite Users\u201d<br \/>\nArt. 13. (1) The Register \u201cWebsite Users\u201d contains information about all users and future clients of \u201cSR MANAGEMENT AND CONSULTING\u201d EOOD who have used the services of the Company\u2019s website \u2013 http:\/\/sr-management.bg by filling in the contact form and sending a request to the Company.<br \/>\n(2) When the contact form on the website is filled in, \u201cEU MANAGEMENT AND CONSULTANCY\u201d Ltd. collects and processes the following personal data:<br \/>\nPhysical identity: names, phone, email address, and the organization in which they are employed.<br \/>\nThe user may additionally provide his \/ her own job, nationality, address.<br \/>\n(3) The controller processes the personal data in the \u201cUsers of the Website\u201d Register on the basis of an explicit consent of the individual, within the meaning of Art. 6, para. 1 (a) of Regulation (EC) 2016\/679. When filling out the contact form, the user gives his \/ her consent by ticking the check box \u201cI agree to process my personal data\u201d.<\/p>\n<p>(4) The checkbox \u201cI agree to process my personal data\u201d contains a hyperlink. 
When pressed, detailed information about the purposes and timing of processing, the rights of individuals, and other information regarding the processing of personal data is displayed.<br \/>\nRegister \u201cContractors\u201d<br \/>\nArt. 14. (1) The Register of Contractors shall contain information and personal data about all contractors with whom SR MANAGEMENT AND CONSULTING LTD. is in contractual relations, as well as for all persons involved in the process of carrying out the activity of the Company.<\/p>\n<p>(2) The administrator shall keep a structured file for each individual counterparty containing the following groups of personal data:<br \/>\nPhysical identity: names, date of birth, personal ID, citizenship, identity card details, address, telephone, email address and other personal data.<br \/>\nThe Register \u201cEmployees and job applicants\u201d<br \/>\nArt. 15. (1) The Register \u201cEmployees and job applicants\u201d shall contain personal data of the employees of \u201cSR MANAGEMENT AND CONSULTING\u201d EOOD, appointed under a labor relationship or hired under a civil law relationship.<br \/>\n(2) The Register \u201cEmployees and Job Applicants\u201d also contains personal data for all individuals who have applied for employment by sending their CVs.<\/p>\n<p>(3) The controller processes the personal data on a legal basis and on the basis of explicit written consent for the processing of the personal data.<br \/>\n(4) The controller shall keep a structured official employment file for all employees assigned to an employment relationship, which shall contain the following data sets:<\/p>\n<p>Physical identity: names, date of birth, PIN, citizenship, identity card details, address, telephone, email address.<br \/>\nEducation: type of education, specialty, place of acquisition of education, diploma number and date of issue, grades and titles, etc.;<br \/>\nOccupational activity: employment in a particular profession, economic sectors in which the person has worked, 
remuneration, etc.;<br \/>\nSpecial categories of data \u2013 health information collected only to meet statutory requirements such as sick leaves, medical certificates upon entry into employment, etc.<br \/>\n(4) The controller may transfer or disclose personal data from the Register \u201cEmployees and Applicants for Employment\u201d to third persons \u2013 recipients for the fulfillment of statutory obligations in connection with labor and social security legislation. Third parties or so-called \u201crecipients\u201d are state bodies, agencies and banks such as the National Revenue Agency, the National Social Security Institute, the General Labor Inspectorate and all banking institutions.<br \/>\nRegistry forms<br \/>\nArt. 16. \u201cSR MANAGEMENT AND CONSULTING\u201d Ltd. keeps registers with personal data in paper or technical form.<br \/>\nArt. 17. The form of organization and storage of personal data on paper:<br \/>\n(1) The form of organization and storage of personal data is written (documentary).<br \/>\n(2) The folders are located in the office cabinets in the employees\u2019 offices, and the access to them is controlled. The rights and obligations of the employees are regulated in their job descriptions. The provision, modification or termination of authorized access to registers is controlled by the Data Controller.<br \/>\n(3) The location of the cabinet \u2013 it can be placed in a room designed for the individual work of the personal data processor or in a common room for work with other activities;<\/p>\n<p>(4) Form for the provision of the data by the natural persons \u2013 the personal data of each person shall be collected in pursuance of the purposes set out in Art. 
8 through the following forms:<br \/>\nOral \u2013 through an interview;<br \/>\nPaper carrier \u2013 providing a written application containing the data of the individual;<br \/>\n(5) The personal data of the persons shall be submitted to the personal data controller and to the authorized person appointed for processing them (the personal data processor).<br \/>\n(6) Access to personal data \u2013 only the personal data processor has such access.<br \/>\nArt. 18. Form of organization and storage of personal data on a technical medium:<br \/>\n(1) Personal data shall be stored on a hard disk on the computer of the personal data processor as well as on a central server in a computer network. The computer is connected to the local network with secure access to personal data, and only the personal data processor accesses it.<br \/>\n(2) When processing the data, the corresponding software products are used. They can be adapted to the specific needs of the data controller. Data is input to the computer from a hard copy.<\/p>\n<p>(3) Only personal data processors have access to the personal data on a technical medium. Access to computers and the central server is granted after entering a password unique to each of the processors.<br \/>\n(4) Location of computers \u2013 in a room for the individual work of the personal data processor. Server location \u2013 in the premises of the system administrator (external specialist).<br \/>\n(5) The protection of electronic data from unauthorized access, corruption, loss or destruction is ensured by maintaining antivirus programs, periodically archiving data on separate electronic media, and storing the information on paper. The system administrator is responsible for archiving data on the central server as well as for the data on isolated computers used by the data processors.<br \/>\nTerm for processing personal data<br \/>\nArt. 19. 
The personal data saved in the above registers are processed for the following terms:<br \/>\n(1) The personal data saved in the Register \u201cClients\u201d, processed on the basis of explicit written consent, are processed until the end of the term stated in the written declarations, and this term shall be not longer than 3 years. The personal data shall be deleted or transferred to another controller after the expiration of the term or after withdrawal of the written consent of the natural person.<br \/>\n(2) The personal data saved in the Register \u201cUsers of the website\u201d, processed on the basis of explicit written consent, are processed until the end of the term stated in the written declarations, and this term shall be not longer than 1 year. The personal data shall be deleted or transferred to another controller after the expiration of the term or after withdrawal of the written consent of the natural person.<br \/>\n(3) The personal data saved in the Register \u201cContractors\u201d, processed on the basis of performance of a contract, are processed until the end of the contract, and this term shall be not longer than 3 years. The personal data shall be deleted or transferred to another controller after the expiration of this term.<br \/>\n(4) The personal data saved in the Register \u201cEmployees and job applicants\u201d for the employees hired under a labor or civil relationship are processed until the end of the labor or civil relationship. The controller can continue to process part of the personal data of former employees on a legal basis, for the term specified in the relevant law. The personal data shall be deleted or transferred to another controller after the expiration of this term.<br \/>\n(5) The personal data saved in the Register \u201cEmployees and Job Applicants\u201d for the applicants who are not hired are processed for a term which shall be not longer than 1 year after the job interview. 
The personal data shall be deleted or transferred to another controller after the expiration of this term.<\/p>\n<p>Obligations of the persons responsible for keeping the data in the registers<br \/>\nArt. 20. (1) With the present policy, as well as with the Employee Job Description, the Controller of personal data designates all of its employees as Processors of personal data and as persons responsible for keeping and storing the data in the registers.<br \/>\n(2) The obligations of the persons responsible for keeping and storing the data in the register (the authorized persons) include the collection, processing, updating and storage of personal data.<br \/>\n(3) Employees are required to apply and strictly follow the current privacy policy.<br \/>\n(4) Employees are required to comply with all technical and organizational measures for the protection of personal data set out in Chapter V of the present policy.<br \/>\n(5) Employees are obliged not to copy, record or distribute in any way the personal data that become known to them in the work process. For this purpose, all employees sign a Declaration of Non-Disclosure of Personal Data (Appendix 5).<br \/>\n(6) Employees are required to report immediately to the Administrator in case of breaches of personal data security, in compliance with the procedures in Article 31.<\/p>\n<p>Updating the personal data<br \/>\nArt. 21. (1) Updating the personal data is an addition or modification of existing information in the Company. 
An update of personal data is made on the following occasions:<br \/>\nat the request of the natural person to whom the personal data relate, when he or she has found that there is an error or incompleteness in them, and certifies this with a document;<br \/>\nat the initiative of the processor of personal data \u2013 if there is a document justifying an update;<br \/>\nif an error has occurred in the processing of personal data by the controller or processor of personal data;<br \/>\n(2) When personal data are updated, the file shall be updated with the registration number of the document, the source of the update data and the date of the update. The update is performed by the person processing the personal data.<br \/>\nTransfer of personal data to third countries<br \/>\nArt. 22. (1) The controller may transfer personal data to third countries for which the European Commission has officially announced a decision that the third country provides an adequate level of protection.<br \/>\n(2) When transferring personal data, the Controller shall implement the procedures of Articles 44, 45 and 46 of Regulation (EU) 2016\/679.<br \/>\nV. PERSONAL DATA SECURITY MEASURES<\/p>\n<p>Art. 23. The Controller shall undertake the following technical and organizational measures to protect data from accidental or unlawful destruction or from accidental loss, unauthorized access, alteration or distribution, as well as from other unlawful forms of processing.<br \/>\nPhysical protection<br \/>\nArt. 24. The physical protection of personal data shall be in accordance with the following measures:<br \/>\n1. The personal data from the registers shall be processed in the offices of the persons authorized under Art. 5, para. 3.<br \/>\n2. All paper documents containing personal data are stored in locked cabinets in a restricted-access area only for authorized persons.<br \/>\n3. 
The elements of the communication and information systems used for the processing of personal data are located in a locked cabinet in a restricted-access area only for authorized persons.<br \/>\n4. Access to the areas where personal data are stored and processed is strictly controlled by a system for physical access. Only authorized persons have direct access to the areas, through a special device. External persons do not have free access.<br \/>\n5. The areas are equipped with fire alarm and fire extinguishing systems.<br \/>\n6. Access to the building where the office is located is controlled by the Security and Security System, including camera surveillance. Security and camera surveillance are provided by an external consultant responsible for security, camera surveillance and overall access to the office building. The relationship between the controller and the external consultant is regulated by a contract.<br \/>\nPersonal protection<br \/>\nArt. 25. The personal protection of personal data shall be in accordance with the following measures:<br \/>\n1. Persons processing personal data are fully acquainted with data protection regulations, as well as with the present policy, when they take up the job.<br \/>\n2. Persons processing personal data go through training including familiarization with the privacy policy and guides, awareness of the hazards to the personal data processed by the controller, and training of staff to respond to events that threaten data security.<br \/>\n3. Persons processing personal data agree, when entering into employment, by signing their labor agreement or a special declaration, to undertake an obligation of non-disclosure of personal data.<br \/>\n4. The processing of personal data is performed only by authorized persons in compliance with the \u201cNeed to know\u201d principle.<br \/>\nDocumentation protection<br \/>\nArt. 26. 
The documentation protection of personal data shall be in accordance with the following measures:<br \/>\n1. The registers under Art. 11, item 1, item 3 and item 4 shall be kept on paper and on a technical basis.<br \/>\n2. The persons under Art. 5, para. 3 shall have access to the register in accordance with the \u201cneed to know\u201d principle.<br \/>\n3. The personal data is collected only for a specific purpose, in accordance with the legal requirements. Data is classified according to its purpose and nature and shall be stored in lockable cabinets in restricted areas.<br \/>\n4. The terms for the processing of personal data for each specific register are defined in Art. 19.<br \/>\n5. The personal data may be copied and multiplied only by authorized persons, if it is necessary for the performance of official duties or if they are properly requested by state authorities in compliance with legal requirements.<br \/>\n6. After the expiration of the processing period, or if the ground for processing no longer applies, personal data shall be destroyed by a special device (shredder).<br \/>\nProtection of automated information systems and networks<br \/>\nArt. 27. The protection of automated information systems and networks shall be in accordance with the following measures:<br \/>\n1. The registers under Art. 11, items 1-4 shall be stored on a technical carrier \u2013 a central server.<br \/>\n2. Every authorized person processing personal data has a separate personal account for access to his \/ her computer and a separate personal account for access to the central server. Access is through unique usernames and passwords (identification and authentication).<br \/>\n3. Working computer configurations, as well as all IT infrastructure, including Internet access, are used only for business purposes in pursuance of Art. 8.<br \/>\n4. 
The controller creates and maintains standard and secure configurations for each computer and network platform, including standard and basic security system configurations, firewalls, routers, and network devices. An antivirus program is installed for data protection, and periodic maintenance of the software and system files is performed.<br \/>\n5. For all computer configurations, servers, and communication tools that support the proper maintenance of databases, uninterruptible power supplies (UPSs) are provided.<br \/>\n6. Access to the areas where computers and communication equipment are located is strictly controlled by a physical access control system. Only authorized persons have direct access to the areas, through a special device. External persons do not have free access.<br \/>\n7. The overall maintenance and prevention of automated information systems and networks is carried out by an external information service specialist. The information service specialist is responsible for periodic and regular checks of the security systems and the protection of automated information systems and networks.<br \/>\n8. The external information service specialist provides copy opportunities and back-ups of data stored on the central server.<br \/>\nIT policies for protection of personal data<br \/>\n9. The external information service specialist regulates his \/ her relationship and responsibilities in protecting automated information systems and networks with the controller through an additional IT data protection policy.<\/p>\n<p>Cryptographic protection<br \/>\nArt. 28. The controller uses standard cryptographic capabilities of operating systems, database management systems, and communications equipment.<\/p>\n<p>Data protection assessment and impact levels<br \/>\nArt. 29. 
(1) The controller shall carry out an impact assessment periodically every two years or when the nature of the personal data processed is changed.<br \/>\n(2) In the impact assessment, the controller analyzes the nature of the data processing. For this purpose, the controller performs systematisation and assessment of personal aspects related to the natural person or \u201cprofiling\u201d. The controller checks and reports whether there is a change in the type of data processing, or whether there is collection of special categories of personal data, or of personal data in large-scale personal data registers, which according to a decision of the Commission for Data Protection endangers the rights and legitimate interests of the natural persons.<br \/>\nProcedure for deletion of personal data<br \/>\nArt. 30 (1) The controller shall delete the stored personal data when one or more of the following applies:<br \/>\nwithdrawn consent for processing personal data;<br \/>\nexpiry of the term of the written declaration of consent for processing personal data;<br \/>\nexecuted contract, when the ground is performance of a contract;<br \/>\nother grounds for deletion of personal data, in relation to the legal acts for protection of personal data;<br \/>\n(2) The controller determines by an order the persons responsible for deleting the personal data from among the persons under Art. 5, para. 3.<br \/>\n(3) Personal data stored on a paper carrier shall be destroyed by a special shredder device. For the deletion of personal data, a protocol describing the categories of deleted personal data shall be made and signed by the authorized persons.<br \/>\n(4) Personal data stored on a technical carrier shall be destroyed by automated actions for deleting the data from the employees\u2019 computers and from the central server.<br \/>\nNotification to the Commission for personal data protection in case of a security breach<br \/>\nArt. 31. 
(1) In case of a breach in the security of personal data, the controller is obliged without undue delay and no later than 72 hours to notify the data protection supervisory authority, namely the Commission for personal data protection, when the breach of security poses a risk to the rights and freedoms of the natural persons.<br \/>\n(2) When the processors of personal data detect a personal data breach, they shall, without undue delay and no later than 24 hours, notify the controller, who shall perform the procedure under paragraph 1.<br \/>\n(3) The controller sends the notification to the Commission for personal data protection, in compliance with the requirements of Article 33 of Regulation (EU) 2016\/679 and the Personal Data Protection Act.<\/p>\n<p>VI. NATURAL PERSONS RIGHTS<\/p>\n<p>Right of information and access to personal data<br \/>\nArt. 32. (1) Any natural person who has reason to believe that the controller processes personal data relating to him has the right to submit a written application with a request for the provision of the information under Art. 15 item 1 of Regulation (EU) 2016\/679 and for access to his personal data.<br \/>\n(2) The application (Appendix 2) contains the name of the person and other identification data \u2013 PIN, correspondence address, description of the request, preferred form of granting access to the personal data, signature and date; power of attorney \u2013 when the application is filed by an authorized person. The application is entered into the administrator\u2019s general inbox.<br \/>\nRight of correction<br \/>\nArt. 33. 
(1) A natural person for whom personal data are processed has the right to ask the controller to correct inaccurate personal data related to him.<br \/>\n(2) For this purpose, the natural person shall complete personally or send a correction request (Appendix 3) to the controller\u2019s address, specifying exactly and clearly what adjustments should be made.<br \/>\nRight to erasure<br \/>\nArt. 34 (1) A natural person for whom personal data are processed shall have the right to ask the controller to delete the personal data related to him if one of the following grounds applies:<br \/>\nthe natural person withdraws his consent, on which the processing is based;<br \/>\nthe personal data are no longer needed for the purposes for which they were processed;<br \/>\nthe personal data are being processed unlawfully;<br \/>\n(2) The natural person sends a Request for erasure of personal data (Appendix 4) whereby the controller is obliged to delete all personal data, if one of the above conditions applies, following the procedure for the deletion of personal data in Art. 28.<br \/>\nRight to withdraw the consent<br \/>\nArt. 35. Any natural person for whom the processing is on the grounds of explicit consent is entitled at any time to withdraw his consent.<br \/>\nRight to restrict the processing<br \/>\nArt. 36 A natural person for whom personal data are processed shall have the right to require the controller to restrict the processing of personal data related to him, in the presence of the grounds in Art. 18 item 1 of Regulation (EU) 2016\/679.<br \/>\nRight of portability<br \/>\nArt. 37. A natural person for whom personal data are processed has the right to obtain personal data related to him in a structured, widely used and machine-readable form. If it\u2019s technically possible, the controller may transfer the data directly to another controller, at the express request of the natural person.<br \/>\nRight of objection<br \/>\nArt. 38. 
A natural person for whom personal data are processed may at any time object to the processing of personal data, including profiling and processing for direct marketing purposes.<br \/>\nRight to file a complaint to the supervisory authority<br \/>\nArt. 39. The natural person has the right to file a complaint with the supervisory authority, namely the Commission for personal data protection, which shall be filed in the form and with the requisites specified in the Personal Data Protection Act.<br \/>\nProcedure for fulfillment of the rights under chapter VI.<br \/>\nArt. 40. (1) For the fulfillment of the rights under Chapter VI, the natural person submits or sends his applications and requests personally or by courier to the address of the controller, namely Sofia 1463, Triaditsa district, 49 Patriarh Evtimii Blvd, Prestige Business Center, floor 4 or to email: office@sr-management.bg.<br \/>\n(2) \u201cSR MANAGEMENT AND CONSULTING\u201d Ltd. provides standardized forms for the above-mentioned applications and requests for exercising your rights under Chapter VI. If you do not use them, your Application or Request should contain: the name of the applicant and other identification data, the Personal Identification Number, the address for correspondence, the right you wish to use, the exact description of the request, all the circumstances surrounding the request, a preferred form of granting access to personal data, signature and date; power of attorney \u2013 when the application is filed by an authorized person.<br \/>\n(3) Access to the person\u2019s data is provided in the form of:<br \/>\n1. verbal reference;<br \/>\n2. a written reference;<br \/>\n3. personal data review;<br \/>\n4. 
providing a copy of the requested information.<br \/>\n(4) The controller shall perform a check within 14 days of receiving the Application or the request under paragraph 2 or 30 days, respectively, where more time is needed to collect the person\u2019s personal data in case of possible difficulties in the controller\u2019s activity.<br \/>\n(5) The controller shall perform all acts of exercising the rights of the natural persons with whom he is seized without undue delay within 14 days of receiving the application or the request. The controller sends a notification to the natural person with information and the result of his request.<br \/>\n(6) After conducting the check under Art. 29, the controller shall notify the Applicant under paragraph 2 of the results, in accordance with the chosen method of granting the decision.<br \/>\n(7) If the check under Art. 29 has concluded with a result that establishes that personal data are not being processed with respect to the Applicant, the controller shall inform him of the lack of personal data related to him.<br \/>\n(8) If the check under Art. 29 has concluded with a result that establishes that personal data are being processed with respect to the Applicant, the controller shall provide the following information:<br \/>\ndata for the controller, processing personal data;<br \/>\nthe processing goals;<br \/>\nthe lawful grounds for processing;<br \/>\nthe relevant categories of personal data;<br \/>\nrecipients or categories of recipients of personal data;<br \/>\nterm for processing the personal data;<br \/>\nother information, related to the personal data;<br \/>\n(8) The controller shall perform and provide information to the natural persons for all Applications or requests.<\/p>\n<p>VI. CLOSING PROVISIONS<\/p>\n<p>Art. 41 (1) The present data protection policy is approved by Order No .. \/ 2018 of the managing director of \u201cSR MANAGEMENT AND CONSULTING\u201d Ltd.<br \/>\n(2) \u201cSR MANAGEMENT AND CONSULTING\u201d Ltd. 
has the right to unilaterally change the current policy for protection of personal data to implement future changes in the legal acts in the field of personal data protection.<br \/>\n(3) The present policy, as well as all its Appendixes, are accepted in two versions \u2013 in Bulgarian and in English. In case of discrepancy or contradiction between the English and Bulgarian texts, the Bulgarian text shall prevail.<\/p>\n<p>Appendixes:<br \/>\n1. Declaration for consent for processing personal data;<br \/>\n2. Application for access and information for personal data;<br \/>\n3. Request for correcting of personal data;<br \/>\n4. Request for deletion of personal data;<br \/>\n5. Declaration for non-disclosure of personal data[\/vc_column_text][\/vc_column][\/vc_row]<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>[vc_row css=&#8221;.vc_custom_1632842533071{padding-bottom: 16px !important;}&#8221;][vc_column][vc_column_text]POLICY FOR PROTECTION OF PERSONAL DATA of \u201cSR MANAGEMENT AND CONSULTING\u201d EOOD I. GENERAL PROVISIONS Art. 
1&#8230;.<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"content-type":"","footnotes":""},"class_list":["post-12334","page","type-page","status-publish"],"_links":{"self":[{"href":"https:\/\/sr-management.bg\/nl\/wp-json\/wp\/v2\/pages\/12334","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sr-management.bg\/nl\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/sr-management.bg\/nl\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/sr-management.bg\/nl\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sr-management.bg\/nl\/wp-json\/wp\/v2\/comments?post=12334"}],"version-history":[{"count":0,"href":"https:\/\/sr-management.bg\/nl\/wp-json\/wp\/v2\/pages\/12334\/revisions"}],"wp:attachment":[{"href":"https:\/\/sr-management.bg\/nl\/wp-json\/wp\/v2\/media?parent=12334"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}