PERSONAL DATA PROTECTION POLICY OF NOBEL INTERNATIONAL EAD
INFORMATION ABOUT US
Nobel International EAD is a company registered in the Commercial Register with the Registry Agency, under company number (EIK) 202158922, having its registered address and principal place of business: town of Elin Pelin, 48, Vitosha Blvd., tel.: 00359 24210232; email: firstname.lastname@example.org
INFORMATION ABOUT PERSONAL DATA PROTECTION
NOBEL INTERNATIONAL EAD (hereinafter referred to as ‘the Company’ or ‘us’) processes personal data for the purpose of provision better quality and more diversified products and services. We always aim to improve our services for the purpose of developing strategic business partnerships in pursuit of satisfying the needs of our clients when using our product portfolio.
Data privacy is very important to us and to the success of our business. The security of your data is ensured through appropriate technical and organizational measures aiming to prevent unauthorized access, unlawful use, loss or destruction of information. We collect and process personal data in compliance with the requirements of the law while being aware that personal data processing is not unlimited and shall be made for a purpose.
By adopting this Policy, the Company aims to make its business compliant with the requirements of the General Data Protection Regulation – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as ”the Regulation”). This Policy has been prepared in accordance with the instructions of the Work Group under art. 29, the instructions of the Commission on Personal Data Protection, the effective Personal Data Protection Act and its statutory instruments and the draft of the Amending and Supplementing Act of the Personal Data Protection Act.
This Policy lays down the basic principles through which the Company shall process personal data in the Union (in the meaning of art. 1-3 of the Regulation) of users, clients, suppliers, business partners, employees and other persons and specifies the responsibilities of the data processors in the course of personal data processing. It is applicable for the Company, its regional units/branches and related parties in the meaning of the Commercial Act and the applicable regulations from the EU law.
For the purpose of this Policy:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
„Sensitive personal data” means personal data revealing racial or ethnic origin, political views, religious or philosophic beliefs or membership to trade unions as well as processing of genetic data, biometric data for the only purpose of identification of a natural person, data about health status or data about sexual life or sexual orientation of the natural person.
We do not process personal data unless this is required for the performance of statutory obligations, for example obligations ensuing from our labour, social insurance or anti-discrimination law.
‘Data controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
‘Data processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘Personal data processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘Cross-border processing’ means either: (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
Data, which may not be related to or associated with a specific natural person, are not considered “personal data”.
WHAT CATEGORIES OF PERSONAL DATA DO WE PROCESS?
The personal data that we process include:
Basic information such as your name (including surname), personal number/foreigner’s personal number, data from your identity card/passport – number, issue date, place of issue and term of validity; the organization, which you represent or work about and your position.
Contact details such as mailing address, email address, telephone number, fax number and Skype name.
Data about your family identity: marital status – existence of marriage, number of children in the family and their age;
Data about your education: educational degree, acquired major, additional qualifications;
Data about your labour activity – professional CV; data from your record of service book and/or official book’;
Data about your health status:
Data about your economic identity: salary, additional benefits, insurable income – its sources and amount; earnings from employment and non-employment relations; your debit card number or your bank account number related to the performance of specific financial transaction or a series of such transactions;
Other personal data, which you have provided to us or which have been provided to us on your behalf or which have been generated in connection with the preparation and the performance of the order, which you placed with us, for example order or payments history.
Technical information such as data generated as a result of using our website or any built-in application (app, plugin, etc.), as well as data connected with materials and communications, which we receive from you or send to you by electronic means.
SOURCES AND METHODS OF PERSONAL DATA COLLECTION
- Personal data that you provide to us directly:
A part of the personal data, which we collect and process, are provided directly by you (for example when you apply for a job with us or when you register and use our website or contact us by phone or online to receive information about the goods and services that we offer).
Particularly personal data that you provide to us directly include:
Identification data such as: Your name/personal number, foreigner’s personal number, data from identity card/ passport – number, issue date, place of issue and validity term, your face image (photo); date and place of birth, permanent/present address, delivery address or mailing address, telephone number and email address;
Data about your family identity, education and labour activity as well as data about your economic identity as described in Section II above.
In specific cases, when this is allowed by law, we collect data about sentences and offences. For example, if the law provides that we shall not employ on a specific position individual convicted for specific crimes, we will process the data provided by you to such extent as required for the performance of our statutory obligation.
Personal data that are contained in electronic communications, which you have sent to us, for example data contained in an email message addressed to us or to our employee or business representative.
Data created by you in the context of placing and performing of orders, which you have made by using our website or otherwise, for example history of orders including data about the date of placing and/or acceptance of the orders and their performance status;
Data that you generate by using specific social plug-in, for example the Facebook plug-in “like” or “follow” for the purpose of expressing your attitude to specific material or content, which we have published on our website or on our sites in the social networks, which we support.
Other data which you have provided at our request, when we are required or are entitled by law to collect these data for the purpose of your identification or confirmation of information, which we have obtained.
- Personal data that we collect automatically
A part of the personal data, which we process, are collected automatically when you register or use our website in order to contact us or place an order. This information is provided by the devices (for example from your personal or office PC, smartphone or tablet, etc.), which you use to access our website, our sites in the social networks or applications and other online services that we offer, for example the device ID or unique identifier connected to the device or the browser, which you use, location data, type of device or type of your browser.
We do not carry out automated decision making, including profiling as a result of automatic personal data processing.
- Personal data that we collect from other sources
In addition to the personal data that we collect directly from you or from the device that you use, we collect information from other sources too. For example, in specific cases we collect information connected to your credit history as well as other similar information provided by credit officers or licensed credit or financial institutions with which you have had or have financial or business relations when the law allows so.
Personal data provided to third persons include data contained in your public profile in the social networks to which we obtain access when you choose to log in your client’s profile by using your account in social networks such as Facebook or G+. Please note that a great part of the data, which you have published on your profiles in the social networks, such as your public profile, location data, language, public posts and comments are public and this brings specific responsibilities and risks regarding your privacy. You control what kind of data to share with us from the settings of the site of the relevant social network as well as the consents that you provide to us in connection with the processing of your data stored on the sites of the social networks.
PURPOSES FOR WHICH WE PROCESS PERSONAL DATA AND THE LEGAL BASIS FOR SUCH PROCESSING
We collect, store and process otherwise personal data to the extent it is compliant with the effective laws and corresponds to our own personal data protection policies. We process personal data for different business purpose and such processing is made on different legal bases. The law requires that we have a legal basis to process your personal data. Particularly we process personal data in pursuance of our statutory obligations ensuing from the circumstance that we are simultaneously an employer and a buyer and a seller of goods and services. Depending on the basis on which we process your personal data, you have specific rights. More information about your rights is available in Section IX of this policy.
A/ USE OF PERSONAL DATA FOR PERFORMANCE OF STATUTORY OBLIGATIONS
We process personal data when this is provided in regulatory acts in pursuance of obligations:
- laid down in the Accounting Act, the Independent Financial Audit Act, the Code on Tax and Social Security Proceedings and other related regulations in connection with the statutory keeping of the Company’s accounts.
- in connection with the observance of the labour and the social insurance law for our employees, workers and subcontractors including obligations ensuing from the Labour Code, the Social Insurance Code, the Health Insurance Act and law in the field of natural persons income taxation as well as their equivalents in other EU member states;
- for provision of information to the court and third persons consistent with the requirements of the acts of procedure and the regulatory acts of the real right applicable to the proceedings;
- for identification of clients, when this is required for the performance of our obligations under the Measures against Money Laundering Act or the Measures against Terrorism Financing Act;
- for provision of information to the Personal Data Protection Commission related to obligations laid down in the General Data Protection Regulation (Regulation 2016/ 679) and other applicable law in the field of personal data protection.
- for remote sales and/or off-site sales as stipulated in the Consumer Protection Act where applicable;
- for providing information to the Consumers Protection Commission or third persons as provided in the Consumers Protection Act.
- related to our obligation to assist the competent authorities in the course of inspections, checks and audits carried out by them as well as in all other cases when these authorities exercise their controlling powers on a legal basis.
B/ USE OF PERSONAL DATA FOR PERFORMANCE OF CONTRACTUAL OBLIGATIONS
We process personal data for provision of products and/or services, which you have requested from us and in pursuance of contractual obligations and rights. Processing is carried out for the following purposes:
- establishment of the client’s identity through a business channel;
- management and completion of order for products and/or services, contract performance;
- elaboration of offers for contract conclusion;
- preparation and sending a bill/invoice for products and/or services from us;
- provision of service and collection of money due for products and/or services;
- notification for products and/or services, sending various notices for problems, errors or in reply to received notices, claims;
- preparation of aggregate statistical information about sales and/or services and/or clients, which we may provide to third persons;
- analysis and elaboration of a user profile for determination of appropriate offer;
- protection and ensuring the safety of our activities, our employees and clients;
- evaluation and measurement of the efficiency of our advertisements as well as offering appropriate advertisements;
- processing of data from bills/invoices for purposes compatible with the initial purpose of their collection in order to prepare general overview of our products and/or services;
- research and analysis of products and/or services based on anonymous or personalized information including upon cooperation with third parties for development of products and/or services;
- data processing including from common controllers, upon conclusion of contract, assignment, reporting, acceptance, payment.
C/ USE OF PERSONAL DATA AFTER OBTAINING YOUR CONSENT
- The consent represents a basis for personal data processing and the purpose of processing is specified therein. In some cases, personal data processing is carried out only subject to obtaining your consent in advance. Upon giving the relevant consent and until its withdrawal and/or termination we may prepare appropriate proposals for products and/or services of NOBEL INTERNATIONAL EAD by carrying out analyses of the personal data and/or data for consumption.
- The submitted consent may be withdrawn at any time and does not affect the performance of our contractual obligations, if any. Upon withdrawal of the consent for personal data processing for any or all grounds, NOBEL INTERNATIONAL EAD will not use the personal data for the purposes specified in such consent.
- Withdrawal of the consent does not affect the lawfulness of processing based on the consent given before the withdrawal. Withdrawal of consent shall be made in the manners specified in it or by using our contact details.
- In specific cases, after we obtain your consent for specific processing of your personal data, we may use these data:
– for the purpose of direct marketing of products and services offered by us, by our related parties, which marketing may be carried out in the form of telephone calls, sending letters or short text messages or emails. We take measures to limit the marketing consent that we send to a reasonable and proportional volume by sending to you only such consent, which we consider that could be interesting for you or which may be relevant for you on the basis of the information, which we have.
– for the purpose of your participation in different inquiries, surveys, events and activities of business and non-business nature, for example parties organized by us or by any of affiliates.
D/ USING PERSONAL DATA FOR OUR LEGITIMATE INTEREST
We may process your personal data, when we have a legitimate interest to do so, as for example:
- We use video surveillance on the territory of our enterprise, with a view to our legitimate interest, in order to control the access to the work place, observance of the working hours and the labour discipline and protection of the company’s property as well as to ensure the safety of workers, employees and visitors of the enterprise.
- to improve and develop on a permanent and ongoing basis the products and services that we offer including their functionalities, design and/ or content;
- to promote and oversee the introduction and the application of improved and/or innovative measures on the safe use of the products and the services offered by us or by our affiliates;
- to monitor or analyse our performance on the relevant market;
- to develop the skills of the staff and our subcontractors to work with clients on the relevant markets;
- to customize the products and the services that we offer to you for the purpose of improvement of your overall satisfaction and from your communication with us;
- to monitor the technical status of our information systems and resources including our online shops and other websites as well as to eliminate any problems connected with their correct functioning or security and integrity.
PERSONAL DATA PROTECTION
We apply organizational and technical measures provided by our law and applicable in our organizational practice to ensure protection of the data of our employees/ workers, users and our business partners. The company has determined data protection officers who support the processes of personal data protection and security.
The measures specified above include:
- establishment of internal policies for personal data processing which aim to prevent unauthorized access to our systems and to the premises where we store your personal data;
- establishment of obligation for confidentiality for our employees, subcontractors and suppliers; The company takes measures that any natural person under its guidance who has access to personal data, processes such personal data only according to the instructions of the Company unless the said person is not required to do so pursuant to the Union or a member state law.
- assignment of the personal data processing only to such organisations that process personal data in accordance with the law by ensuring their security including by taking the required technical and organizational measures for personal data protection;
- for the purpose of maximum security of processing, transfer and retention of personal data, we use protection mechanisms such as encryption, etc.
When the Company becomes aware of potential or actual breach of personal data, the Executive Director shall carry out internal investigation and shall promptly take appropriate measures to remedy it in accordance with the policy applicable for breach of data security. When there is a risk for the rights and freedoms of the data subjects, the Company shall notify the relevant authorities for data protection without undue delay and, if possible, within 72 hours.
TERM FOR PERSONAL DATA RETENTION AND ERASURE
We retain personal data for the period, which is required or allowed for the purpose for which we process them. After completion of the purpose and after cancellation of our legitimate interest or legal basis for data processing (for example upon withdrawal of the consent for processing specific data), we will erase the personal data without undue delay.
The use of personal data connected with contractual relationship is terminated upon termination of the contract; however, such data are not erased for a period of one year after contract termination or until the final settlement of all financial obligations and expiration of the statutory obligations for data retention, as follows:
- under the Accounting Act for retention and processing of accounting data (11 years);
- under the Accounting Act for retention of payrolls (50 years);
- under the Contracts and Obligations Act, until expiration of the relevant periods of limitation for lodging claims (5 years);
- under the Electronic Communications Act for retention and provision of information for the purpose of detection and investigation of crimes, obligations (6 months)
- regarding obligations for provision of information to a court, competent government authorities and on other grounds stipulated in the valid law (5 years).
SHARING PERSONAL DATA WITH THIRD PARTIES
- Personal data are provided to third parties mainly for the purpose of supporting our business by persons qualified to provide the relevant services as well as for offering high quality and integrated service on our part – to ensure that the products and/or the services that we offer meet the user’s expectations.
- We do not provide personal data to third parties if we are not sure in the existence of technical and organizational measures for protection of these data by such third parties. In this case we remain responsible for the personal data confidentiality and security.
- When the Company uses the services of a contractor who processes personal data on our behalf, it should be ensured that such provider will apply security measures for data protection, which are adequate to the related risks – for example misuse, unauthorized access, unauthorized disclosure, destruction, etc. in accordance with the principle that the protection goes along with the data. For that purpose, the responsible person shall require that the contractor ensures the same level of data protection – through compliance with the Regulation including through mandatory contractual clauses for personal data protection.
- The contractor shall process only personal data required to perform its obligations to the Company or based on the instructions of the Company and not for any other purpose. When the Company processes personal data jointly with independent third party, the Company shall explicitly state its relevant responsibilities and the responsibilities of the third party in the relevant contract or by means of another binding document.
- We do not allow our contractors to use any personal data provided to them for their own purpose including for the purpose of the direct marketing.
- We may provide personal data to third persons if we have obtained your explicit consent in advance, for example companies that may provide information or offers for their own products and services.
PROVISION OF PERSONAL DATA BY CATEGORIES OF USERS
Persons processing data on behalf of NOBEL INTERNATIONAL EAD:
- accounting and audit companies that process personal data for the purpose of the reporting and auditing our financial statements as well as for the performance of our statutory obligations in the field of labour, tax and social insurance law;
- occupational medical services for the purpose of performance of contracts for occupational medical services concluded by the Company in the capacity of client;
- distributors of NOBEL INTERNATIONAL EAD that act as representatives of the company for the sale of our products and/ or services;
- individuals hired under a freelance contract by NOBEL INTERNATIONAL EAD to support the processes of sale, logistics, delivery, etc.;
- individuals that provide maintenance and support based on a contract for equipment, software and hardware, used for personal data processing and required for building the network of the Company and for provision of services such as technical maintenance, etc.;
- providers of electronic certification services, when a document, connected with the provision of a product or a service is signed by electronic signature;
- banks and other financial institutions servicing our payments;
- security companies holding license for provision of private security services in connection with processing of videos and/or ensuring the admission regime of the enterprise;
- persons providing consulting services in different spheres such as our legal advisers and our legal representatives in connection with receiving a legal advice or preparation and organization of our defence under existing or threatened legal disputes, including for the purpose of our participation in mediation or other procedure for voluntary resolution of disputes;
- licensed post operators and transport or forwarding companies with a view to sending parcels and the need of certification of the identity upon their delivery;
Individuals processing data on their behalf
- competent authorities which pursuant to a regulatory act have authorities to request the provision of personal data – courts of justice, prosecutor’s office, regulatory authorities as well as public authorities.
TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES
Generally the Company does not transfer your data to non-EU third countries. In individual cases your data may be transferred to a third country pursuant to a contract between us and a company acting as our contractor. In these cases, our Company guarantees that this transfer will be made in full compliance with the legal provisions in that respect and guarantees a level of protection of your data (including but not limited to conclusion of standard transfer clauses approved by the European Commission) and if necessary will ask for permission from the relevant data protection authority. Data protection goes along with your data. If our partners are based in the USA, then we check their certification under the Privacy Shield, which is a legal mechanism allowing data transfer to that country.
RIGHTS RELATED TO YOUR PERSONAL DATA PROCESSING
At any time while we process your personal data, you have specific rights, as detailed below. You can exercise your rights under this policy and the General Data Protection Regulation by sending to us an email or letter by post containing your particular request and which, if possible, shall be signed manually or by a qualified electronic signature. If you are not able to sign your request in any of the preferred methods, we may ask you to provide additional information in order to establish your identity. We will reply to your request free of charge and without undue delay. We may refuse processing requests, which are unreasonably repeated, require disproportionate efforts, jeopardise the confidentiality of third persons as well as requests that are very impractical or to which access is not required otherwise according to the law.
According to the applicable law, you have the rights listed below:
- Right to information
You are entitled to:
- a) information whether or not your personal data are processed, the purpose of processing, the categories of data and the recipients to whom data are disclosed;
- b) message in a legible form containing your personal data, which are processed as well as information about their source;
- c) information about each automated personal data processing, referring to you, if possible.
- Right to rectification
At any time during the processing of incomplete or inaccurate data you are entitled to ask:
- a) that the inaccurate personal data are rectified without undue delay;
- b) filling the incomplete personal data including by adding a statement;
- Right to erasure
You are entitled to ask for erasure when:
- a) the personal data are not necessary any more for the purposes for which they have been collected or otherwise processed;
- b) you withdraw your consent on processing;
- b) the personal data are not processed lawfully;
- d) for the purpose of compliance with a statutory obligation under the Union and a member state law, which is applicable to the controller.
- Right to restriction of processing
You have the right to ask for restriction of processing when:
(a) the accuracy of the personal data is contested, for a period enabling us to verify their accuracy;
(b) the processing is unlawful and you oppose their erasure and request the restriction of their use instead;
(c) you need these data for establishing, exercising or protection of legal claims and we don’t need these data;
(d) you have objected to data processing while waiting for a check whether the grounds are lawful.
- Right to withdraw consent
When we process your personal data based on your consent, you are entitled to withdraw such consent with immediate effect. In such case we will stop processing your personal data in the future.
- Right to portability
You may ask from us to make you available the personal data, which you have provided to us in a structured, commonly used and machine-readable format if:
- a) we process data according to contract and based on consent form, which may be withdrawn or based on contractual obligation;
- b) processing is carried out automatically.
- Right to object
At any time and on grounds referring to the particular situation, you are entitled:
а/ to object to processing personal data subject to a legal ground in that respect;
- b) if the objection is reasonable, personal data of the relevant natural person will not be processed anymore;
- c) to object to personal data processing for the purpose of direct marketing.
- Right to lodge a complaint
You are entitled to lodge a complaint to the supervisory authority within the EU and to the Personal Data Protection Commission of the Republic of Bulgaria:
Name: Personal Data Protection Commission
Registered address and principal place of business: Sofia City 1592, 2, Prof. Tsvetan Lazarov Str.
Mailing address: Sofia City 1592, 2, Prof. Tsvetan Lazarov Str.
Telephone: 02 915 3 518
Request for exercising your rights may be submitted in person or through explicitly authorized person by a notarized power of attorney. Request may also be submitted by electronic means pursuant to the Electronic Signature and Electronic Document Act. We will decide on your request within 14 days. If a longer term is reasonably required for the purpose of collecting all requested data or if this will seriously obstruct our work, this term may be extended to 30 days.
CHANGES AND UPDATES OF THE PERSONAL DATA PROTECTION POLICY OF NOBEL INTERNATIONAL EAD
- This Personal Data Protection Policy will be regularly updated. If material changes are required, notices will be published on our website www.nobel.bg.
- We recommend that you regularly check our Personal Data Protection Policy to be informed about your personal data protection.
- The privacy terms of our website and detailed information are available http://nobel.bg/gdpr-4/.
HOW TO CONTACT US
For all matters connected to processing your personal data or exercising your rights please use the following contact details:
Address: town of Elin Pelin 2100, 48, Vitosha Str.;
Telephone: 00359 24210232
This policy was approved by the Executive Director on 21.05.2018
This policy shall enter into force on 25.05.2018.