Personal Data Protection Policy of Technopanel JSC
PERSONAL DATA PROTECTION POLICY
Table of Contents
1. Purpose
2. Scope
3. Terms, definitions, abbreviations
4. General
4.1 Principles relating to processing of personal data
4.2 Rights of the data subjects
4.2.1 Right to be informed
4.2.2 Right of access
4.2.3 Right to rectification
4.2.4 Right to erasure
4.2.5 Right to data portability
4.2.6 Right to object
4.2.7 Rights related to the automated decision-making, including profiling
5. Records of the categories of personal data processing activities
5.1 List of Records
5.2 Record contents
6. Requirements to the staff processing personal data
6.1 General requirements
6.2 Data protection officer
6.2.1 General
6.2.2 Rights and obligations
7. Commission for complaints, inquiries and requests for personal data
8. Data protection impact assessment (DPIA)
8.1 General
8.2 Performance of DPIA
9. Security of processing
9.1 General
9.2 Actions in case of security breach
1. Purpose
This Policy contains the basic principles, rules and approaches for the organization and carrying out the activities related to the collection, processing, keeping, transfer, use and protection of personal data in Technopanel JSC.
This Policy is made in compliance with the requirements of the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council, and shall form an integral part of the Company's business processes.
2. Scope
Each employee of Technopanel JSC shall apply the instructions contained in this Policy in his/her daily activities. Its provisions are of particular importance for employees processing personal data.
This Policy shall apply to the personal data of the Company employees, as well as to the personal data of other individuals to whom Technopanel JSC will act as controller or processor.
3. Terms, definitions, abbreviations
The terms and definitions used in this Policy shall have the meanings defined in the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council (please refer to Article 4).
The following abbreviations have been used in this Policy:
- PDPA: Personal Data Protection Act
- GDPR: General Data Protection Regulation, i.e. Regulation (EU) 2016/679 of the European Parliament and of the Council
- The Company: Technopanel JSC
- ED: the Executive Director
- DPO: Data protection officer
- CPDP: Commission for Personal Data Protection
- DPIA: Data Protection Impact Assessment
- Data subject: a natural person who is identified or identifiable by reference to certain information.
4. General
4.1 Principles relating to processing of personal data
When processing personal data, Technopanel JSC shall adhere to the following principles:
- Lawfulness, fairness and transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Purpose limitation
Personal data shall be collected and/or processed for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy
Personal data shall be accurate and kept up to date to ensure that they are suitable for the purposes for which they are processed.
- Storage limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality
Personal data shall be collected, kept and processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Accountability
In doing its business, the Company shall apply the above principles and shall keep and maintain all the necessary documents and records as a proof thereof.
4.2 Rights of the data subjects
Technopanel JSC as a controller or processor shall facilitate the exercising of the data subjects’ rights, which shall be as follows:
4.2.1 Right to be informed
Technopanel JSC, as a controller, shall provide to the data subject information about:
- The data subject’s rights with regard to the collected data before, or at the time of data collection, or in case of subsequent amendment of the data processing purposes;
- The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- The recipients or categories of recipients of the personal data, if any;
- The period for which the personal data will be stored, or the criteria used to determine that period;
- The identity and the contact details of the Data protection officer.
4.2.2 Right of access
Technopanel JSC, as a controller, shall confirm to the data subject whether or not personal data concerning him or her are being processed and, where that is the case, shall provide access to the personal data and the following information:
- The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- The categories of personal data concerned;
- The period for which the personal data will be stored, or the criteria used to determine that period;
- The recipients or categories of recipients of the personal data, if any;
- The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- The right to lodge a complaint with a supervisory authority;
- Where the personal data are not collected from the data subject, any available information as to their source;
- The existence of automated decision-making, including profiling, if applicable.
The information listed above shall not be provided, if the data subject already possesses the information.
4.2.3 Right to rectification
Technopanel JSC, as a controller, shall give the data subject the opportunity to have inaccurate personal data concerning him or her rectified without undue delay.
Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
4.2.4 Right to erasure
Technopanel JSC, as a controller, shall upon request give the data subject the opportunity to have the personal data concerning him or her erased without undue delay.
Technopanel JSC shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- The data subject withdraws consent on which the processing is based (if such consent has been granted);
- The data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- The personal data have been unlawfully processed.
While erasing the personal data, Technopanel JSC, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
4.2.5 Right to data portability
Technopanel JSC, as a controller, shall provide to the data subject, without hindrance, the personal data concerning him or her (subject to the conditions stipulated in Article 20 (1) of the GDPR) in a structured, commonly used and machine-readable format.
Technopanel JSC may transmit the personal data directly to another controller, where technically feasible.
4.2.6 Right to object
Technopanel JSC, as a controller, shall ensure the data subject's right to object, on grounds relating to his or her particular situation, at any time, to processing of personal data concerning him or her, including profiling.
Technopanel JSC shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
4.2.7 Rights related to the automated decision-making, including profiling
Technopanel JSC, as a controller, shall notify the data subject of the existence of automated decision-making (if actually used), including profiling (see Article 22 of the GDPR), and shall provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
5. Records of the categories of personal data processing activities
5.1 List of Records
Technopanel JSC, as a controller, shall keep and maintain internal records of the following data processing activities:
- Personnel Records
- Records of Job Applicants
- Video Surveillance Records
- Records of Visitors
- Records of Customers
- Records of Suppliers
- Occupational Health and Safety Records
Technopanel JSC, as a processor, shall keep and maintain internal records of the following data processing activities:
- Personnel Records
- Records of Job Applicants
- Records of Customers
- Records of Suppliers
- Occupational Health and Safety Records
5.2 Record contents
The internal records of the data processing activities kept by the Company shall contain the following information:
- The name and contact details of the controller/processor and, where applicable, the joint controllers/administrators, the controller’s representative and the Data protection officer;
- The purposes of the processing of personal data;
- A description of the categories of data subject and of the categories of personal data;
- The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- Where applicable, transfers of personal data to a third country or an international organisation, including the identification of the said third country or international organisation and evidence of the appropriate safeguards in place with regard to the protection of personal data;
- The envisaged time limits for erasure of the different categories of data;
- A general description of the technical and organisational security measures.
6. Requirements to the staff processing personal data
6.1 General requirements
Each employee of Technopanel JSC, involved in the personal data processing shall:
- Process personal data in a lawful and fair manner;
- Use the available personal data only for the purposes for which they have been collected, and refrain from any additional processing of such data in a manner incompatible with those purposes;
- Perform his or her obligations related to the personal data updating or erasure (where applicable) in an accurate and timely manner;
- Apply all personal data protection measures intended to ensure the ongoing confidentiality, integrity and availability of the personal data and the resilience of processing systems and services; the employee shall immediately report, in accordance with the established procedure, any discovered vulnerabilities or events relating to personal data security;
- In case of a dispute related to personal data, refer the dispute to the competent Company employees, including the DPO (if any), before taking any action;
- Read, understand and adhere to the current external rules and regulations related to personal data processing;
- Read, understand and adhere to the internal rules and regulations related to the personal data management;
- Take part in any training or course intended to increase his or her qualification and improve his or her level of awareness and competence related to the personal data.
6.2 Data protection officer
6.2.1 General
Technopanel JSC shall designate a Data protection officer (DPO).
The DPO may carry out other tasks and perform other duties for the Company. However such duties and tasks shall not create conflicts of interest with his or her obligations as a DPO.
The Company shall ensure that the DPO is involved, properly and in a timely manner, in all issues, which relate to the protection of personal data.
The Company shall support the DPO in performing the tasks, including by providing resources necessary to carry out those tasks and access to the personal data and processing operations.
The Company shall further support the DPO in carrying out his or her specific tasks by maintaining his or her expert knowledge.
The Company shall ensure that the DPO does not receive any instructions regarding the exercise of those tasks to guarantee his or her independence and impartiality.
The DPO shall not be dismissed or penalised by the Management of Technopanel JSC for performing his or her tasks as DPO.
The DPO shall directly report to the ED.
Data subjects may contact the DPO with regard to all issues related to the processing of their personal data and to the exercise of their rights under the current personal data protection laws and regulations.
6.2.2 Rights and obligations
The Data protection officer shall have at least the following tasks:
- To inform and advise the employees who carry out processing of their obligations pursuant to the current personal data protection laws and regulations;
- To monitor compliance with GDPR, with the other data protection laws and regulations in the EU and Bulgaria and with the policies of Technopanel JSC in relation to the protection of personal data;
- To monitor and control the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- To provide advice where requested as regards the data protection impact assessment and monitor its performance;
- To cooperate with the supervisory authority, the Commission for Personal Data Protection (CPDP);
- To act as the contact point for CPDP on issues relating to processing, including the prior consultation, and to consult, where appropriate, with regard to any other matter;
- To have due regard to the risks associated with processing operations, taking into account the nature, scope, context and purposes of processing;
- To keep the tasks carried out by him or her strictly confidential.
7. Commission for complaints, inquiries and requests for personal data
The Commission shall be a subsidiary body intended to manage customer complaints, inquiries from national authorities and requests for personal data related to the services provided by the Company.
The Commission shall be appointed by order of the ED and shall comprise the following members, whose number may be further increased or specified:
- Chairman: The Manager of Technopanel JSC
- Member: The Deputy Manager of Technopanel JSC
- Member: The Head of Technopanel JSC Department
- Member: An Expert of Technopanel JSC
The Commission shall be convened at least once a month, or at any time where deemed necessary. The Commission may invite to the meeting or engage experts where deemed necessary.
The Commission shall:
- Review all requests, complaints and inquiries, and shall decide on the actions to be taken with reference to them;
- Control the observance of the actions’ deadlines;
- Review and propose for approval the replies to requests, complaints and inquiries;
- Keep records of the received complaints, inquiries and requests;
- Decide on controversial issues;
- Seek advice from legal advisors or the CPDP;
- Seek advice from the DPO (where designated);
- Decide on measures to improve the personal data processing.
8. Data protection impact assessment (DPIA)
8.1 General
DPIA shall be carried out any time, when:
- The processing falls within the List of the kind of processing operations which are subject to the requirement for a data protection impact assessment communicated by the supervisory body (CPDP);
- The processing is made for the purpose of profiling;
- There is a high risk to the rights and freedoms of natural persons resulting from:
  - the use of new technologies;
  - the nature, scope and context of the processing;
  - the purposes of the processing.
The Company shall seek the advice of the DPO, where designated, when carrying out a data protection impact assessment.
DPIA shall be carried out in accordance with the provisions of the standard ISO/IEC 29134 (Information technology. Security techniques. Guidelines for privacy impact assessment).
Where the DPIA indicates that the processing would result in a high risk to the rights and freedoms of natural persons, Technopanel JSC shall:
- consult the CPDP prior to processing;
- take measures to mitigate the risk.
DPIA shall be used by the Company as:
- a form of early warning which helps to identify hidden vulnerabilities in the personal data processing;
- a method to identify possible issues before the supervisory authorities or competitors do.
8.2 Performance of DPIA
DPIA shall contain:
- A systematic description of the envisaged processing operations;
- A description of the purposes of the processing;
- A description of the legitimacy of the processing;
- An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- An assessment of the risks to the rights and freedoms of data subjects;
- The measures envisaged to address the risks in compliance with the provisions of GDPR.
Compliance with approved codes of conduct referred to in Article 40 of GDPR shall be taken into due account in assessing the impact of the processing operations performed by Technopanel JSC.
Where appropriate and applicable, Technopanel JSC shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.
Technopanel JSC shall carry out a review to assess if processing is performed in accordance with the DPIA at least when there is a change of the risk represented by processing operations.
9. Security of processing
9.1 General
Technopanel JSC shall implement appropriate technical and organisational measures to ensure the necessary level of security of the processed personal data.
The Company has established and maintains a high level of security, which ensures:
- The basic features of information: confidentiality, integrity and availability;
- Resilience of the processing systems and services: continuity, availability and reliability;
- Maintenance of the level of security by regularly testing, assessing and evaluating the effectiveness of technical and organisational measures;
- Prevention of unauthorised access to the personal data by application of adequate measures, such as pseudonymisation, encryption, anonymisation and randomisation.
Technopanel JSC maintains certificates for compliance with the information security standard ISO 27001.
Technopanel JSC applies effective methods of assessing the risks to the rights and freedoms of data subjects during their personal data processing.
The identified major risks are related to:
- Accidental or unlawful destruction of data;
- Irrecoverable loss of data;
- Unauthorized or wrongful alteration of data;
- Unauthorized disclosure of or access to data.
The Company guarantees that its employees involved in the personal data processing have the necessary qualification and experience to process securely such data in compliance with the legal requirements and the internal rules of the Company.
The Company keeps and maintains all the necessary documents and records proving compliance with the GDPR requirements.
9.2 Actions in case of security breach
The Company uses automated means of monitoring the personal data processing activities to identify in a timely manner any security-related vulnerability, event or incident. These means record any breach in the personal data security, including any specific data, consequences and actions taken to deal with it.
In the event of a personal data breach that may result in violation of data subjects' rights and freedoms, Technopanel JSC notifies the CPDP within 72 hours of the occurrence of such breach.
In the event of a personal data breach, Technopanel JSC notifies the respective controller (if any) immediately after the breach has been established.
When the personal data breach is likely to pose a high risk to the rights and freedoms of natural persons, Technopanel JSC shall immediately:
- Carry out an objective assessment of the ability of the security measures already taken to ensure the confidentiality of the personal data;
- Take subsequent measures which ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialise;
- Estimate the effort needed to notify each data subject affected by the breach;
- Depending on the outcome of the actions listed above, and in keeping with the GDPR requirements, take one of the following actions:
  - Take no action to notify the data subjects;
  - Notify the data subjects of the breach without delay;
  - Make a public communication or take a similar measure whereby the data subjects are informed in an equally effective manner.