Privacy Policy

"HIDROSTROITEL PA" EOOD, registered in the Commercial Register and RJSC under UIC No. 131240101, applies in its business relations with employees under employment contract and with its contractors this Privacy Policy:  "HIDROSTROITEL PA is a "personal data controller" within the meaning of Article 4(7) of the General Data Protection Regulation and as such collects, processes and stores certain information about individuals.

I. Legal basis
This Privacy Policy is issued on the basis of the Personal Data Protection Act and its regulations and the General Data Protection Regulation (EU) 2016/679.

1. The controller shall take the necessary measures to ensure that personal data processed are not subject to unlawful disclosure. The data controller is aware of and follows the principles set out in the General Regulation, namely:

1.1. personal data shall be processed lawfully, fairly and transparently. Each employee or contractor voluntarily consents to the processing of the personal data provided by him/her in the course of the negotiation and performance of a contract between him/her and the Data Controller

1.2. the personal data is collected for specific, explicit and legitimate purposes and is not further processed in a manner incompatible with those purposes.

1.3. the personal data is appropriate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

1.4. each employee/representative of a counterparty and client is required to ensure that the personal data they provide is accurate and, where necessary, keep it up to date.

1.5. personal data shall be kept in a form which permits identification of the persons concerned for no longer than is necessary for the purposes for which the personal data are processed.

1.6. personal data are processed in a manner that ensures an adequate level of security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by implementing appropriate technical or organisational measures.

1.7. the right to erasure ("right to be forgotten") of personal data that is unlawfully processed or that no longer has a legal basis. Each employee/customer/contractor shall have the possibility at any time to request the rectification and/or erasure of the personal data provided by him/her, following the termination of the contractual relationship with him/her. The controller shall be obliged to consider and comply with the request without undue delay and in any event within one
month of receipt of the request.

1.8 right to data portability - the data subject shall have the right to receive the personal data concerning him or her which he or she has provided to the Controller in a readable format.

II. Objectives of the Policy

2. This Policy aims to:

2.1. be compliant with applicable personal data legislation and follow established best practices;

2.2. establish the mechanisms for keeping, maintaining and protecting accountable records;

2.3. establish the obligations of the officials processing personal data and/or persons who have access to personal data and work under the direction of the processors, their liability for failure to comply with these obligations;

2.4. protect the rights of staff, customers and partners;

2.5. be open about how it stores and protects the personal data of individuals

III. Scope
This Policy applies to the processing of personal data of employees, managers, customers, suppliers, contractors, business contacts and other individuals with whom the Controller has a relationship or wishes to establish business contact.

IV. Collection of Personal Data

Personal data is any information relating to an individual who is identified or identifiable, directly or indirectly, by an identification number or by one or more specific attributes. It covers data of any nature which, alone or in combination  with other data, can uniquely identify a specific natural person.

4.1 Purposes of data collection

The controller collects personal data in connection with the fulfilment of the following purposes:

4.1.1. For the performance of activities related to the conclusion, existence, modification and termination of contractual relationships, including: for the preparation of any documents; for contacting the contact person by telephone, e-mail or any other lawful means; for keeping accounting records in relation to the performance of contracts to which the Administrator is a party; for processing payments in relation to contracts entered into by the Administrator;

4.2 Data collection

The personal data for each person are provided voluntarily by the persons themselves and are collected by the Administrator in fulfilment of a legal obligation in connection with the conclusion of a contract and/or the performance of  obligations under a contract concluded in accordance with the provisions of the Labour Code, the Compulsory Social Insurance Code, the Commercial Act, the Accounting Act, the Obligations and Contracts Act, the Value Added Tax Act, etc. and the conditions specified in the specific contract by means of: paper documents (including powers of attorney, contracts, etc)

V. Processing of personal data

The processing of personal data is any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval,  consultation, use, disclosure to third parties for transmission, dissemination or any other form, accession or combination, blocking, erasure or destruction.

5.1 The data provided by employees and natural persons representing contractors are: full name, permanent and/or current address, e-mail address and telephone number, and financial data.

VI. Violations. Notification of infringements

A data breach occurs when the personal data for which HIDROSTROITEL PA is responsible is affected by a security incident that results in a breach of the confidentiality, availability or integrity of the personal data. In this sense, a data  breach occurs when there is a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of data that is transmitted, stored or otherwise processed.

6.1 In the event of a personal data breach that is likely to pose a risk to the rights and freedoms of individuals, the Data Controller (through the relevant officer) shall, without undue delay and where practicable not later than 72 hours after  becoming aware of it, notify the Personal Data Protection Commission of the breach.

6.2 The controller shall document any personal data breach, including the facts relating to the breach, the consequences of the breach and the action taken to address the breach.

VII. Destruction 

Accounting and business information as well as all other information and documents relevant for taxation and compulsory social security contributions shall be kept by the Controller for the following periods:

7.1.1. payrolls - 50 years; 7.1.2. accounting records and financial statements - 10 years;

7.1.3. documents for tax and social security control - 5 years after the expiry of the limitation period for repayment of the public debt to which they are related;

7.1.4. all other media - 5 years.

7.2. After the expiration of the period for their preservation, information carriers (paper or technical) which are not subject to transfer to the National Archive Fund may be destroyed.

7.3. After the end of the retention period, the data shall be destroyed as quickly as possible by destroying the paper media by shredding, and the technical media by deleting and erasing the relevant files from the computers of the Company  Administrator.

IX. Additional provisions

For the purposes of this Policy:

§ 1. "Personal Data Controller" is "HIDROSTROITEL PA"- limited liability company, with UIC 131240101 , and actions on behalf of the controller are carried out by the manager - Eng. Plamen Antgelov or a person expressly authorized by  him.

§ 2. The "personal data processor" for the employees and workers employed under employment or other type of contracts to carry out certain work in "HIDROSTROITEL PA" EOOD is the designated personal data protection officer.

§ 3. An integral part of this Policy are the registers kept by the company administrator - "Personal data of employees" and "Personal data of contractors”.

§ 4. The Personal Data Protection Policy was approved by the CEO of HIDROSTROITEL PA on 14.05.2018 and is available to every employee/contractor in paper or electronic version.