I. Subject
Art. 1. These general conditions are intended to regulate the relations between VULKAN EOOD, EIK 113556941 and the customers, hereinafter referred to as users, of the corporate website - https://www.vulkan-gumi.com/, hereinafter referred to as "website".
II. Supplier details
Art. 2. Information according to the Electronic Commerce Act and the Consumer Protection Act:
1. Name of the Supplier: VULKAN EOOD
2. Headquarters and address of management/exercise of activity: town of Pernik, Tvardi livadi №23, bl. 9
3. Correspondence details: 0898 648 904, e-mail: gummi@abv.bg
4. Entry in public registers: EIK 113556941
5. Supervisory authorities:
5.1. Commission for the Protection of Personal Data
Address: Sofia 1592, "Prof. Tsvetan Lazarov" Blvd. No. 2,
phone: (02) 940 20 46
fax: (02) 940 36 40
Email: kzld@government.bg, kzld@cpdp.bg
Website: www.cpdp.bg
5.2. Consumer Protection Commission
Address: 1000 Sofia, "Slaveikov" square #4A, floors 3, 4 and 6,
tel.: 02 / 980 25 24
fax: 02 / 988 42 18
hotline: 0700 111 22
Website: www.kzp.bg
6. Registration under the Value Added Tax Act No. BG113556941
III. Features of an e-store
Art. 3. The website is available at an address on the Internet https://vulkan-gumi.com/, through which Users have the opportunity to inform themselves about the goods/services offered by the website, including the following:
1. To perform lawful actions for viewing the website and using the services to provide information;
2. To make electronic statements in connection with the conclusion or execution of contracts with the website through the interface of the website page or through external services of third parties available on the Internet;
3. To enter into contracts for the purchase and sale and delivery of the goods/services offered by the website;
4. To make any payments in connection with the contracts concluded with the website, according to the payment methods supported by the electronic store;
5. To receive information about new goods/services offered by the website;
6. To review the goods/services, their characteristics, prices and terms of delivery;
7. To be notified of the rights arising from the law primarily through the interface of the website page on the Internet;
8. To exercise the right to withdraw from the contract concluded at a distance for the goods/services offered by https://vulkan-gumi.com for which the right to withdraw from the contract is applicable.
Art. 4. https://vulkan-gumi.com/ delivers the goods/services and guarantees the rights of the Users provided by law, within the framework of good faith, accepted in practice, consumer or commercial law criteria and conditions.
Art. 5. (1) Users enter into a contract for the purchase and sale of the goods/services offered by the website through the https://vulkan-gumi.com/ interface available on the page https://vulkan-gumi.com on the Internet or other means of distance communication.
(2) By virtue of the contract concluded with the Users for the purchase and sale of goods/services, https://vulkan-gumi.com/ undertakes to deliver and transfer to the User the ownership of the goods specified by him through the interface and to provide the services defined by him through the interface.
(3) Users shall pay the Supplier remuneration for the delivered goods/services in accordance with the conditions set on the site and these general terms and conditions. The remuneration is in the amount of the price announced by the Provider at the website address on the Internet.
(4) https://vulkangumi.com/ delivers the goods/services requested by the Users within the terms and under the conditions determined by https://vulkan-gumi.com/ on the website page and in accordance with these general terms and conditions.
(5) The cost of delivery, if provided by https://vulkangumi.com/, is determined separately and explicitly from the price of the goods/services.
Art. 6. (1) The user and https://vulkan-gumi.com/ agree that all statements between them in connection with the conclusion and execution of the sales contract can be made electronically and through electronic statements within the meaning of the Electronic Document and Electronic Signature Act and Art. 11 of the Electronic Commerce Act.
(2) It is assumed that the electronic statements made by the Users of the site were made by the persons indicated in the data provided by the User when making a payment.
IV. Website usage
Art. 7. (1) In order to use the website to conclude contracts for the purchase and sale of goods/services, the User should select one or more of the goods/services offered.
(2) By pressing the button to confirm the general terms and conditions, the personal data policy and the cookie policy at https://vulkan-gumi.com/, the User declares that he is familiar with these general terms and conditions, the personal data policy and the policy of the cookies, agrees with their content and undertakes to unconditionally comply with them.
(3) When making a purchase, the User undertakes to provide correct and up-to-date data.
V. Special Obligations of https://vulkan-gumi.com User Protection
Art. 8. The rules of this section VI of these general terms and conditions apply to Users who, according to the data specified for the conclusion of the sales contract or when registering on the website, can be concluded to be users within the meaning of the Law on consumer protection, the Electronic Commerce Act and/or Directive 2011/83/EC of the European Parliament and of the Council of October 25, 2011.
Art. 9. (1) The main characteristics of the goods/services offered by https://vulkan-gumi.com are defined in the profile of each good/service on the website.
(2) The price of the goods/services inclusive of all taxes is determined by https://vulkan-gumi.com in the profile of each good/service on the website.
(3) Users agree that all information required by the Consumer Protection Act can be provided through the platform interface on the website or by e-mail.
Art. 16. (1) https://vulkan-gumi.com provides the goods/services to the user after verifying the fulfillment of the requirements for providing information to the user according to the Consumer Protection Act.
(2) The user and https://vulkan-gumi.com agree that the requirements under para. 1 will be complied with if the authentication is performed by a person who, according to the circumstances, can be inferred to pass on the information to the user - a party to the contract.
VI. Protection of personal data
Art. 17. (1) https://vulkan-gumi.com takes measures to protect the User's personal data in accordance with the Personal Data Protection Act.
(2) For reasons of security of the Users' personal data, https://vulkan-gumi.com will send the data only to the e-mail address specified by the Users.
(3) https://vulkan-gumi.com/ adopts and publishes a Privacy Policy on its site.
(4) Users agree that https://vulkan-gumi.com has the right to process their personal data necessary for the fulfillment of orders in the electronic store and the performance of the contract.
Art. 18. At any moment, https://vulkan-gumi.com has the right to require the User to identify himself and to certify the authenticity of the actions he has performed within the site.
VII. Amendment and access to the general conditions
Art. 19. These general conditions may be amended at any time by https://vulkan-gumi.com
Art. 20. https://vulkan-gumi.com publishes these general terms and conditions on the e-shop site together with all additions and amendments to them.
Data for the Administrator:
Contact information for "VULKAN" EOOD:
Location:
Country: Bulgaria
Address: town of PERNIK, quarter Tvardi livadi, block 9, apartment 3
Phone: 0898648904
E-mail: gummi@abv.bg
Website: www.vulkan-gumi.com
Contact details for the Data Protection Officer:
You can contact our Data Protection Officer directly here:
E-mail: gummi@abv.bg
Phone:
I. Introduction
1. General regulation for the protection of personal data
Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) and repealing Directive 95/46/EC, enters into legal force as of May 25, 2018 and has direct effect and implies a change in the legislation of the member countries in the field of personal data protection. Its purpose is to protect the "rights and freedoms" of individuals and to ensure that personal data is not processed without their knowledge and, where possible, is processed with their consent.
2. Scope outlined by the General Data Protection Regulation
Material scope – The General Data Protection Regulation applies to the processing of personal data in whole or in part by automatic means, as well as to the processing by other means of personal data which are part of a register of personal data or which are intended to form part of register with personal data.
Territorial scope – The rules of the General Data Protection Regulation will apply to all data controllers established in the EU who process personal data of natural persons in the context of their business. It will also apply to non-EU controllers who process personal data for the purpose of offering goods and services or if they monitor the behavior of data subjects who reside in the EU.
3. Concepts
"Personal Data" - any information relating to an identified natural person or an identifiable natural person ("data subject"); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by an identifier such as a name, an identification number, location data, an online identifier or by one or more characteristics specific to the physical, the physiological, genetic, psychic, mental, economic, cultural or social identity of that natural person;
"Special categories of personal data" - personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs, or membership in trade union organizations and the processing of genetic data, biometric data for the unique identification of a natural person, data relating to health or data regarding an individual's sex life or sexual orientation.
"Processing" - means any operation or set of operations performed on personal data or a set of personal data by automatic or other means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, distribution or other way in which data is made available, arranged or combined, restricted, deleted or destroyed;
"Administrator" - any natural or legal person, public body, agency or other structure that alone or jointly with others determines the purposes and means of personal data processing; where the purposes and means of this processing are determined by EU law or the law of a Member State, the controller or the special criteria for its determination may be established in Union law or in the law of a Member State;
"Data subject" - any living natural person who is the subject of the personal data stored by the Administrator.
"Consent of the data subject" - any freely expressed, specific, informed and unequivocal indication of the will of the data subject, by means of a statement or a clear affirmative action, which expresses his consent to the personal data relating to him being processed;
"Child" - The Regulation defines a child as anyone under the age of 16 although this may be reduced to 13 by Member State law. The processing of a child's personal data is only lawful if a parent or guardian has given consent. The administrator makes reasonable efforts to verify in such cases that the holder of parental responsibility for the child has given or is authorized to give consent.
"Profiling" - any form of automated processing of personal data, consisting in the use of personal data to assess certain personal aspects related to a natural person, and more specifically to analyze or predict aspects related to that individual's performance of professional duties, economic status, health, personal preferences, interests, reliability, conduct, location or movement;
"Personal Data Security Breach" - a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data that is transmitted, stored or otherwise processed;
"Principal place of establishment" - the controller's seat in the EU will be the place where it makes the main decisions about the purpose and means of its data processing activities. In relation to the personal data processor, its main place of establishment in the EU will be its administrative centre.
If the controller is based outside the EU, it must appoint a representative in the jurisdiction where the controller operates to act on behalf of the controller and deal with supervisory authorities.
"Recipient" - natural or legal person, public body, agency or other structure to which the personal data is disclosed, regardless of whether it is a third party or not. At the same time, public authorities that may receive personal data within the framework of a specific investigation in accordance with Union law or the law of a Member State are not considered "recipients"; the processing of this data by the specified public authorities complies with the applicable data protection rules in accordance with the purposes of the processing;
"Third party" - any natural or legal person, public body, agency or other body other than the data subject, the controller, the personal data processor and the persons who, under the direct supervision of the controller or the personal data processor, have the right to process the personal data;
II. Statement on the personal data protection policy
1. This Policy for the protection of available data of natural persons is prepared and approved by "VULKAN" EOOD and is an integral part of the conditions for entering into and implementing legal relations with "VULKAN" EOOD.
Any interested person should familiarize himself with and read this document carefully.
If you do not agree with the conditions and procedures provided for in it, you will not be able to enter into legal relations with "VULKAN" EOOD.
In case of changes to the Policy, the changes will be approved by the management body of "VULKAN" EOOD and published on its website - www.vulkangumi.com
2. The management of "VULKAN" EOOD undertakes to ensure compliance with the legislation of the EU and the member states regarding the processing of personal data and the protection of the "rights and freedoms" of individuals whose personal data "VULKAN" EOOD collects and processes according to the General Data Protection Regulation (Regulation (EU) 2016/679).
3. In accordance with the General Data Protection Regulation, other relevant documents as well as related processes and procedures are described in this policy.
4. Regulation (EU) 2016/679 and this policy apply to all functions of the processing of personal data of natural persons, including those performed on personal data of employees/workers, customers, users, contractors, suppliers and partners and any other personal data that the organization processes from various sources.
5. The Data Protection Officer is responsible for revising the "Register of Controller's Processing Activities" annually in light of any changes in the activities of "VULKAN" EOOD as well as any additional requirements, data protection impact assessments. This register shall be available upon request by the supervisory authority.
6. This policy applies to all natural persons - employees/workers/job candidates, customers, users, contractors, suppliers, subcontractors, partners of "VULKAN" EOOD and/or their representatives, as well as other interested parties (e.g. persons who have submitted a claim, complaint, request, signal, inquiry; persons who are users of the "VULKAN" EOOD Internet site and online store, etc.).
Any violation of the General Regulation regarding the protection of data by the workers/employees of "VULKAN" EOOD will be considered as a violation of labor discipline, and in the event that there is an assumption that a crime has been committed, the matter will be submitted for consideration to the relevant state authorities in the shortest possible time.
7. Partners, subcontractors and third parties who work with or for "VULKAN" EOOD, as well as who have or may have access to the personal data of natural persons, will be expected to familiarize themselves with, understand and comply with this Policy.
No third party may have access to personal data of individuals stored by "VULKAN" EOOD without having previously entered into a data confidentiality agreement, which imposes on the third party obligations no less burdensome than those that "VULKAN" EOOD has taken over, and which gives "VULKAN" EOOD the right to carry out inspections of compliance with the obligations imposed by the agreement.
III. Obligations and roles under Regulation (EU) 2016/679
1. "VULKAN" EOOD is a data controller, according to Regulation (EU) 2016/679.
2. The top management and all members of the governing bodies of "VULKAN" EOOD are responsible for developing and promoting good practices in the field of information processing at "VULKAN" EOOD.
3. The Data Protection Officer (DPO for short), with a role defined in Regulation (EU) 2016/679, must be part of the senior management, and report to the management body(s) of "VULKAN" EOOD for the management of personal data within the organization and to ensure the ability to demonstrate compliance with data protection legislation and good practice.
This reporting to the Data Protection Officer includes:
developing and implementing the requirements of Regulation (EU) 2016/679 as required by this policy;
security and risk management regarding policy compliance.
4. The Data Protection Officer, whom the governing body considers to be a suitable, qualified and experienced person, has been appointed to take responsibility for "VULKAN" EOOD's compliance with this policy on a day-to-day basis. The DPO is directly responsible for ensuring that both the organization of "VULKAN" EOOD as a whole and the activities of each member of the management team, which are carried out within his area of responsibility, comply with the requirements of Regulation (EU) 2016/679.
5. The DPO has specific responsibilities regarding procedures such as the "Procedure for the Management of Subject Requests" and is the point of contact for the controller's employees/workers seeking clarification on any aspect of data protection compliance.
6. Compliance with data protection legislation is the responsibility of all employees of "VULKAN" EOOD who process personal data.
7. The training policy of "VULKAN" EOOD ("Training Policy") defines the specific requirements for training and awareness in relation to the specific roles of employees/workers of "VULKAN" EOOD.
IV. Data protection principles
All processing of personal data must be carried out in accordance with the data protection principles set out in Article 5 of Regulation (EU) 2016/679. The policies and procedures of "VULKAN" EOOD are intended to ensure compliance with these principles.
1. Personal data must be processed lawfully, in good faith and transparently
Lawful – a lawful basis must be identified before personal data can be processed. These are often referred to as "processing grounds".
In good faith – for the processing to be in good faith, the data controller must provide certain information to the data subjects as far as is practically possible. This applies regardless of whether the personal data is obtained directly from the data subjects or from other sources.
Regulation (EU) 2016/679 increases the requirements on what information must be available to data subjects that is covered by the "transparency" requirement.
Transparent - The General Data Protection Regulation includes rules on the provision of confidential information to data subjects in Articles 12, 13 and 14 of the Regulation. They are detailed and specific, emphasizing that privacy notices are understandable and accessible. The information must be communicated to the data subject in an understandable form, using clear and understandable language.
The rules for notifying the data subject by "VULKAN" EOOD are defined in the Procedure for Transparency in the Processing of Personal Data and the notification is recorded in the "Notice of Confidential Treatment of Personal Data (Privacy Statement)".
The specific information to be provided to the data subject should include, as a minimum:
data that identifies the controller and the contact details of the controller and, if any, of the controller's representative;
the contacts of the Data Protection Authority;
the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
the period for which the personal data will be stored;
the existence of the following rights – to request access to the data, rectification, erasure (right to be forgotten), restriction of processing, as well as the right to object to the conditions (or lack thereof) in connection with the exercise of these rights;
the categories of personal data;
the recipients or categories of recipients of personal data, where applicable;
where applicable, whether the controller intends to transfer the personal data to a recipient in a third country and the level of data protection;
any additional information necessary to ensure fair processing.
2. Personal data may only be collected for specific, explicitly specified and lawful purposes
The data obtained for specific purposes must not be used for a purpose that differs from those officially announced to the supervisory authority as part of the "Register of data processing activities of the administrator" of "VULKAN" EOOD (Article 30 GDPR). The "Procedure for transparency in the processing of personal data" sets out the relevant rules.
3. Personal data must be adequate, relevant and limited to what is necessary for their processing for the relevant purpose (minimum necessary principle)
The data protection officer is responsible for ensuring that VULKAN EOOD does not collect information that is not strictly necessary for the purpose for which it was obtained.
All data collection forms (electronic or paper), including data collection requirements in new information systems, must include a fair processing statement or a link to the "Notice of Confidential Treatment of Personal Data (Privacy Statement)" and be approved by the DPO.
The Data Protection Officer will ensure that on an annual basis all data collection methods are reviewed by internal audit to ensure that the data collected continues to be adequate, relevant and not excessive ("Procedure for impact assessment on data protection and the impact assessment methodology used").
4. Personal data must be accurate and up-to-date at all times, and the necessary efforts have been made to enable immediate (within possible technical solutions) deletion or correction.
The data held by the data controller must be reviewed and updated as necessary. Data should not be stored where it is likely to be inaccurate.
The Data Protection Officer is responsible for ensuring that all staff are trained in the importance of accurate data collection and maintenance (Training Procedure).
Also, it is the duty of the data subject to declare that the data they transmit for storage by "VULKAN" EOOD is accurate and up-to-date. Completion of a form by the data subject intended for the controller will include a statement that the data contained therein is accurate as of the date of submission.
The data subject should be required to notify VULKAN EOOD of any changes in circumstances so that personal data records can be updated. It is the responsibility of "VULKAN" EOOD to ensure that any notice of change of circumstances is recorded and action is taken.
The Data Protection Officer is responsible for ensuring that appropriate procedures and policies are in place to maintain the accuracy and up-to-dateness of personal data, taking into account the volume of data collected, the rate at which it may change, other relevant factors.
At least on an annual basis, the Data Protection Officer will review the retention periods of all personal data processed by "VULKAN" EOOD, referring to the data inventory and identify any data that is no longer required in the context of the registered purpose. This data will be securely destroyed in accordance with the administrator's procedures and policies.
The Data Protection Officer is responsible for complying with requests for data correction within one month ("Procedure for the Management of Requests from Subjects"). This deadline can be extended by another two months for complex requests. If "VULKAN" EOOD decides not to comply with the request, the Data Protection Officer must respond to the data subject to explain his reasons and inform him of his right to lodge a complaint with the supervisory authority and seek legal redress.
The data protection officer is responsible for taking appropriate measures, in cases where third-party organizations have inaccurate or outdated personal data, to inform them that the information is inaccurate or outdated and is not to be used to make decisions about individuals, to inform the relevant parties; and forward any correction of personal data to third parties where necessary.
5. Personal data must be stored in such a form that the data subject can be identified only for as long as is necessary for the processing.
When personal data is retained after the date of processing, it will be stored in an appropriate manner in order to protect the identity of the data subject in the event of a data breach. The following measures are in place:
the data is stored in specialized premises, guarded with an effective security system;
access to the administrative departments of "VULKAN" EOOD is limited - a controlled access system has been established;
outsiders are admitted only after their identification;
there is an active video surveillance system on the territory of "VULKAN" EOOD commercial establishments;
the data which are in electronic form are stored in specialized software programs, and only the relevant persons in charge (management employees) have access to them, for which separate accounts with a separate username and password have been created, which are known only to the person in charge;
frequent changes of access passwords have been established in order to achieve a higher level of data protection;
there are different levels of access to the data;
specialized software products are used in connection with the GDPR with a high level of protection - only certain persons with separate accounts protected by separate passwords have access;
electronic records are stored on a server with a high level of protection;
various procedures have been established that guarantee security in the processing, storage and destruction of data;
antivirus software and firewalls are installed on all computer devices;
in case of inactivity of software programs containing data, access to them is automatically disabled;
each employee who works with a computing device enters a username and password to be able to use it;
the data which are on paper are stored in a locked cabinet, to which only the person in charge has access;
regarding information security, the following protections are implemented in the software product used by the financial/accounting department: login to the system is done with a username and password, which are encrypted and sent encrypted to the server where they are checked for validity; the information exchanged between the workstations and the server is encrypted; each user is associated with a certain role(s), which determines what data they have access to and what operations they can perform with the system; the system itself is implemented as a 3-layer architecture - client application with which users work, application server and database; the application server and database run on a single physical server to which only an administrator has access; the server is locked in a separate room; the database is backed up every night and a backup is kept for 10 days on a separate disk on the server; every night an archive is uploaded to the FTP of "VULKAN" EOOD hosting;
the servers of "VULKAN" EOOD are two in number and are located in specially adapted and air-conditioned rooms with limited access.
Personal data will be kept in accordance with the "Data Storage and Destruction Procedure" and after its storage period has passed, it must be securely destroyed as directed in this procedure.
The Data Protection Officer must specifically approve any data retention that exceeds the retention period defined in the "Data Retention and Destruction Procedure" and must ensure that the rationale is clearly defined and complies with the requirements of the legislation on data protection. This approval must be in writing.
6. Personal data must be processed in a way that guarantees adequate security (Art. 24, Art. 32 of the Regulation)
The data protection officer will carry out an impact assessment (risk assessment), taking into account all circumstances related to the data management or processing operations of "VULKAN" EOOD.
In determining how appropriate the processing is, the Data Protection Officer must also consider the extent of potential harm or loss that may be caused to natural persons (e.g. staff or contractors) if a security breach occurs, and any possible damage to the controller's reputation, including a possible loss of trust of counterparties, suppliers, subcontractors, users and customers.
In assessing appropriate technical measures, the Data Protection Officer will consider the following:
Password protection;
Automatic locking of idle workstations in the network;
Remove access rights for USB and other portable storage media;
Antivirus software and firewalls;
Role-based access rights, including those of assigned temporary staff;
The protection of devices that leave the organization's premises, such as laptops or others;
Security of local and wide area networks;
Privacy-enhancing technologies such as pseudonymization and anonymization;
Identification of appropriate international security standards suitable for "VULKAN" EOOD.
In assessing the appropriate organizational measures, the Data Protection Officer will take into account the following:
The levels of appropriate training at "VULKAN" EOOD;
The measures that take into account the trustworthiness of employees (for example, attestation ratings, references, etc.);
The inclusion of data protection in employment contracts;
Identification of disciplinary measures for violations in relation to data processing;
Regular inspection of personnel for compliance with relevant security standards;
Physical access control to electronic and paper-based records;
The adoption of a "clean workplace" policy (when leaving the workplace, all work documentation is removed or stored in appropriate and restricted places - special cabinets, locked rooms, destruction of no longer needed documents, etc.);
Storage of paper databases in lockable wall cabinets;
Limiting the use of portable electronic devices outside the workplace;
Limiting employee use of personal devices in the workplace;
Accepting clear rules for creating and using passwords;
Regular creation of backup copies of personal data and physical storage of media with copies outside the office;
Imposing contractual obligations on counterparty organizations to take appropriate security measures when transferring data outside the EU.
These controls are selected based on the identified risks to personal data, as well as the potential for harm, to the individuals whose data is being processed.
7. Compliance with the principle of accountability
Regulation (EU) 2016/679 includes provisions that promote accountability and governance and complement transparency requirements. The principle of accountability provided for in Art. 5, par. 2 of the Regulation requires the administrator to prove that he complies with the other principles in the Regulation and expressly states that this is his responsibility.
"VULKAN" EOOD will demonstrate compliance with data protection principles by implementing data protection policies, adhering to codes of conduct, implementing appropriate technical and organizational measures, as well as adopting techniques for data protection by design and by default, privacy impact assessment, a personal data breach notification procedure, etc.
V. Rights of data subjects
1. Data subjects have the following rights in relation to data processing, as well as data recorded about them:
To make requests to confirm whether personal data related to him is being processed and, if so, to obtain access to the data, as well as information about who the recipients of this data are;
To request a copy of his personal data from the administrator;
To ask the administrator to correct personal data when they are inaccurate, as well as when they are no longer up-to-date;
To request from the administrator the deletion of personal data ("right to be forgotten");
To ask the administrator to limit the processing of personal data, in which case the data will only be stored, but not processed;
To object to the processing of his personal data;
To object to the processing of personal data concerning him for direct marketing purposes;
To file a complaint with a supervisory authority if he believes that any of the provisions of the GDPR have been violated;
To request and be provided with personal data in a structured, widely used and machine-readable format;
To withdraw consent to the processing of personal data at any time with a separate request addressed to the administrator;
Not to be the subject of automated decisions that affect him to a significant extent, without the possibility of human intervention;
To oppose automated profiling that occurs without his consent.
2. "VULKAN" EOOD provides conditions to guarantee the exercise of these rights by the data subject:
Data subjects may make data access requests as described in the Procedure for Managing Requests from Subjects; this procedure also describes how VULKAN EOOD will ensure that the response to the data subject's request meets the requirements of the Regulation.
Data subjects have the right to submit complaints to "VULKAN" EOOD related to the processing of their personal data and to the processing of a request from the data subject, and to appeal the manner in which complaints are processed, in accordance with the Procedure for the Methods of communication in case of complaints and requests from the data subject.
VI. Consent
1. By "consent" "VULKAN" EOOD will understand any freely expressed, specific, informed and unambiguous indication of the will of the data subject, by means of a statement or a clear confirming action, which expresses his consent to the personal data related to him being processed. The data subject can withdraw their consent at any time.
2. "VULKAN" EOOD understands by "consent" only the cases in which the data subject was fully informed about the planned processing and expressed his consent without any pressure being exerted on him. Consent obtained under duress or based on misleading information will not be a valid basis for processing personal data.
3. Consent cannot be inferred from a lack of response to a message to the data subject. There must be active communication between the controller and the subject for consent to exist. The administrator must be able to demonstrate that consent to the processing activities has been obtained by a declaration or form completed and signed by the subject, by the express acceptance of a privacy notice addressed to the subject, by ticking the relevant box for consent given online, or by any other way and method from which it can be unambiguously concluded that the subject has given explicit informed consent to the processing of his personal data.
4. For special categories of data, explicit written consent must be obtained in accordance with the "Procedure for obtaining consent for the processing of personal data of data subjects", unless there is an alternative legal basis for processing.
5. In most cases, the consent to process personal and special categories of data is routinely obtained by "VULKAN" EOOD using standard consent documents (declarations/forms), e.g. when a new counterparty, customer, user or supplier wishes to have an offer prepared, signs a contract or invoice, or during the recruitment of new staff, etc.
6. When "VULKAN" EOOD processes personal data of children, permission must be obtained from those exercising parental rights (parents, guardians, etc.). This requirement applies to children under the age of 16 (unless the Member State has provided for a lower age limit, which cannot be lower than 13 years).
VII. Data security
1. All employees/workers are responsible for ensuring the security of the storage of the data for which they are responsible and which "VULKAN" EOOD holds, and for ensuring that the data is stored securely and is not disclosed under any circumstances to third parties, unless "VULKAN" EOOD has given such rights to this third party by entering into a confidentiality agreement/clause.
2. All personal data must be accessible only to those who need it, and access can only be granted in accordance with established access control rules. All personal data must be treated with the utmost security and must be stored:
in a private room with controlled access; and/or in a locked cabinet or filing cabinet; and/or
if it is computerized, protected by a password in accordance with the internal requirements specified in the organizational and technical measures for controlling access to information (Rules for controlling access); and/or
stored on portable computer media that are protected in accordance with organizational and technical measures to control access to information.
3. Arrangements must be put in place to ensure that computer screens and terminals cannot be viewed by anyone other than the authorized employees/workers of "VULKAN" EOOD. All employees/workers are required to be trained and to accept the relevant contractual clauses/declaration to comply with organizational and technical access measures, as well as workstation lockout rules, before being granted access to information of any kind.
4. Paper records must not be left where they can be accessed by unauthorized persons and cannot be removed from designated office premises without express permission. As soon as paper documents are no longer needed for the ongoing work of supporting contractors, suppliers, users and customers, they must be destroyed in accordance with established procedure/rules and relevant protocol.
5. Personal data may be deleted or destroyed only in accordance with the "Data Storage and Destruction Procedure". Paper records that have reached their retention date should be shredded and destroyed as "confidential waste". Data on the hard drives of redundant personal computers must be erased or the drives destroyed according to established policies/procedures.
6. Processing of personal data "outside the office" poses a potentially greater risk of loss, theft or breach of personal data. Personnel must be specifically authorized to process the data outside of the controller's premises.
VIII. Disclosure of data
1. "VULKAN" EOOD must ensure conditions under which personal data is not disclosed to unauthorized third parties, which includes family members, friends and government authorities, even investigative ones, if there is a reasonable suspicion that the data is not being requested according to the established order. All employees/workers should exercise caution when asked to disclose stored personal data about another person to a third party. It is important to consider whether or not the disclosure of the information is related to the needs of the activity carried out by the organization.
It is necessary to provide employees with special training and periodic briefings in order to avoid the risk of such a violation.
2. All requests from third parties to provide data must be supported by appropriate documentation and all such data disclosures must be specifically authorized by the Data Protection Officer.
IX. Storage and destruction of data