Bulgarian Industrial Association – Union of the Bulgarian Business (BIA) is a non-profit association, which operates for the benefits of its members – Bulgarian and foreign legal and sui juris individuals, performing economic activity.

BIA actively participates in the social dialogue system at national and international level and works for the achievement of economic and social progress in the country. In its activity, BIA defends the interests of business by pursuing policies and activities based on the principles of respecting the law, promoting free enterprise, transparency, competence and correctness.

BIA is a controller of personal data within the meaning of Regulation (EU) 2016/679 Of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and the Personal Data Protection Act.

BIA has been assessed and certified in accordance with the requirements of ISO/IEC 27001:2013 “Information Security Management Systems”.

As a controller of personal data, BIA processes the personal data of natural persons in accordance with the principles of data legality, expediency and proportionality and applies the necessary technical and organizational measures to ensure their confidentiality. For this purpose, internal rules and procedures for protection of personal data, compliant with the legal requirements, as well as a policy for transparency in the processing of personal data of natural persons have been developed.

1. Contact details of the Bulgarian Industrial Association

Republic of Bulgaria, Sofia, 16-20 Alabin Str.

Phone: +359 02 932 09 11

E-mail: office@bia-bg.com

Website: www.bia-bg.com

2. Contact details of BIA on the protection of personal data

Phone: +359 02 932 09 11

E-mail: office@bia-bg.com

3. Personal data, which BIA collects and processes

“Personal data” means any information relating to an identified natural person or identifiable person (data subject).

BIA collects and processes personal data in accordance with the “data minimisation” principle exclusively and only for specific, explicit and legitimate purposes.

The source of the personal data BIA processes are:

3.1. Ordinary categories of personal data:

(a) names, national identification number, date and place of birth, age, gender, nationality, photographs;

(b) contact details – telephone numbers, current and permanent address, email address;

(c) data on marital status and children under 18 years of age (if processing is necessary to protect employees’ rights);

(d) data on labor and civil relations income (if processing is necessary to meet the statutory obligation of the data controller);

(e) data on education, qualification, length of service, professional biography;

(f) data on bank accounts in connection with employment contacts, contracts concluded, etc.

3.2. Special categories of personal data: health status data (if processing is necessary to protect the rights of the data subject in performing employment and related to it relations).

3.3. Personal data collected under a statutory instrument on criminal law status – conviction status certificate; a certificate that the person is not under trial and consequence (if applicable for taking up a job or performing a specific activity).

3.4. Personal data collected in CCTV for security purposes, in compliance with the requirements of the Private Security Act and the Personal Data Protection Act.

4. Objectives of the processing of personal data:

The personal data BIA processes are used only for the following purposes:

4.1. Human resource management:

4.2. Execution of obligations under concluded contracts; to exercise rights deriving from contracts concluded; for the purposes of reporting on the performance of contracts; auditing the performance of contracts.

4.3. For purposes explicitly stated in the subject’s declaration of consent for the processing of his or her personal data. For example:

(a) for communication with informational, advertising and/or marketing purposes;

(b) when collecting data for statistical surveys;

(c) when subscribing to newsletters prepared by BIA.

The declaration of consent explicitly states what personal data are collected by BIA and what the purpose of their processing is. The data subject is entitled at any time to withdraw his or her consent to the processing of personal data at a written request or in a free form.

4.4. When processing the data for a purpose other than the original one, BIA informs the data subject and requires his/her consent.

5. Consequences of refusal to provide personal data

Where the reason for the collection and processing of data is the consent or execution of a contract/pre-contract relations, the refusal to provide personal data results in impossibility of establishing a relation and/or service provision and/or conclusion of a contract in respect of which the data have been requested.

6. Transfer of personal data

The collected personal data may be provided to third parties only in the following cases:

6.1. In fulfilling legal requirements related to:

(a) labor relations: data are provided to public authorities, in view of their powers and competencies (National Revenue Agency, National Social Security Institute, Executive Agency “General Labour Inspectorate” and others);

(b) member legal relations – Council of Ministers, Ministry of Labor and Social Policy, court;

(c) arbitration cases – court, bailiffs;

(d) issuance of certificates of origin of goods – data are provided to the customs authorities in the country and abroad, Ministry of Finance;

(e) other public authorities which receive the data by virtue of a law.

6.2. On a contractual basis – to pay salaries and fees and to fulfill legal obligations related to the obligations of BIA for ensuring healthy and safe working conditions (Occupational Health Service, accounting offices).

6.3. On the basis of consent to data processing – in accordance with the consent of the data subject.

7. Personal data storage periods

7.1. Statutory data storage periods:

7.2. Data storage periods for the precluding of statutory limitation periods related to obligations under civil and commercial contracts:

7.3. Data storage periods related to the processing objectives: contractual deadlines, deadlines for completion and reporting of contractual and financial relations under contracts related to national, European and international funding.

7.4. Data storage periods for information for tax and accounting purposes, tax audits and public financial control.

7.5. BIA sets the following storage periods for data collected by using information technologies:

(a) data collected using information technology – Internet Protocol (IP) address, cookie ID – 3 months;

(b) internet traffic on personal computers – 1 week;

(c) logs related to security, technical support, development, etc. – 3 months;

(d) server logs, Web Application Firewalls logs and other devices falling under this category – 3 months;

(e) data collected on the basis of consent of the data subject to receive information and other newsletters from the BIA website and other information systems administered by BIA – until the consent is withdrawn, respectively – termination of the account/registration;

(f) data on the withdrawn consent of the data subject – indefinitely;

(g) data collected by video surveillance – 1 week;

(h) data of applicants for appointment to the controller – 30 days after completion of the application and selection process.

7.6. After expiry of the storage periods, unless otherwise justified, the data on a technical medium shall be erased and, in paper form, if they are not subject to a statutory transfer, shall be destroyed.

8. Rights of personal data subjects and order of their exercise

8.1. Right to information and access

The data subject is entitled to information about his or her personal data processed by BIA, as well as the right to access to them.

The data subject is entitled to receive a copy of the personal data that are being processed by BIA in electronic or paper form. For this purpose, a written request must be submitted personally or through an authorized person to BIA, including electronically.

8.2. Right to data confidentiality

Personal data processed by BIA are confidential, subject to the obligation of professional secrecy. BIA employees sign a confidentiality statement about the personal data they are working with, within their professional responsibilities.

8.3. Right to rectification of processed data

The data subject has the right to request from BIA the rectification, without undue delay, of inaccurate personal data related to him or her, as well as data that are not up to date. For this purpose, a written request must be submitted personally or through an authorized person to BIA, including electronically.

8.4. Right to erasure (“right to be forgotten”)

8.4.1. The data subject may request BIA to erase his or her personal data without undue delay in any of the following circumstances:

(a) personal data are no longer necessary for the purposes for which they were collected;

(b) upon withdrawal of the given consent for the processing of personal data;

(c) in objection of processing;

(d) where the processing of personal data is unlawful;

(e) where personal data must be erased in order to comply with an obligation under European Union or national legislation of the Republic of Bulgaria that applies to BIA as a personal data controller;

(f) where personal data have been collected in relation to the provision of information society services.

In order to exercise the right to erase data, the data subject must submit a written request personally or through an authorized person to BIA, including electronically.

8.4.2. BIA may refuse to erase the data subject’s personal data for the following reasons:

(a) for compliance with a statutory obligation by BIA or the performance of a task of public interest;

(b) in exercise of the right to freedom of expression and the right to information;

(c) in exercise of official authority (if applicable);

(d) for the establishment, exercise or protection of legal claims.

8.5. Right to restriction of processing

The data subject has the right to request BIA to restrict the processing of his or her personal data. In this case, the data will be stored within the specified data storage periods (referred to in para 7 of this Transparency Policy) but not processed unless there is a legal basis for this. For this purpose, it is necessary for the data subject to submit a written request personally or through an authorized person to BIA, including electronically.

8.6. Right to object to processing

The data subject has the right to object to the processing of his or her personal data by BIA (for example, see Article 21 (2) and (6) of the General Data Protection Regulation). In order to exercise the right to object to the processing, the data subject must admit a written request personally or through an authorized person to BIA, including electronically.

8.7. BIA does not carry out automated decision-making, including profiling.

8.8. Right to data portability

The data subject has the right to receive the personal data that concerns him or her and which he or she has provided to BIA in a structured, commonly used and machine-readable format, as well as to request such data to be transmitted to another data controller when the processing is based on consent or a contractual obligation, provided that BIA carries out the processing by automated means.

8.9. Right to lodge a complaint

The data subject has the right to lodge a complaint concerning the processing of his or her personal data through BIA by using the contact details given in para 2 of this Transparency Policy.

A complaint may also be lodged with the supervisory authority – Commission for Personal Data Protection, address: Sofia, 1592, “Prof. Tsvetan Lazarov” 2 Blvd., email: kzld@cpdp.bg, website: www.cpdp.bg

8.10. The exercise of the rights under item 8.1., item 8.3. – 8.6. is free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, BIA may:

(a) charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested;

(b) refuse to act on the request.

8.11. The period for consideration of the requests under item 8.1., item 8.3. – 8.6. and for their pronouncement by BIA, as a data controller, is 30 days from the receipt of the request and may be extended by 2 months, taking into account the complexity and the number of requests.

The Bulgarian Industrial Association reserves the right to amend and supplement this Transparency Policy for the processing of personal data of natural persons in the event of changes to the applicable data protection legislation.