TRANSPARENCY POLICY FOR THE PROCESSING OF PERSONAL DATA
- Purpose of the Policy
This Policy covers all actions for the collection and processing of personal data by Attractive Design EOOD, with UIC 203901404 and is in accordance with the legal framework of the General Data Protection Regulation (GDPR).
- Liabilities and responsibilities
An official responsible for the protection of personal data at Attractive Design Ltd. is responsible for making the information provided when collecting personal data legal, complete and clear. before Attractive Design Ltd. starts collecting and processing their data. All employees of Attractive Design Ltd. who, by virtue of their employment obligations, process personal data must comply with this policy.
- Nature of politics.
- 1. Identification of categories of personal data and legal grounds for processing
“Attractive Design” Ltd. identifies the legal basis for processing personal data before carrying out any processing operations. For each category of personal data, the company shall clearly identify, identify and document:
- one or more specific purposes for which the data will be used;
- the basis for the lawful processing of the data with a view to achieving those purposes, which may be one or more of the following:
– consent freely expressed by the data subject;
– the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to the conclusion of a contract;
– the processing is necessary for compliance with a legal obligation, which applies to “Attractive Design” Ltd.
– processing is necessary in order to protect the vital interests of the data subject or of another natural person;
– processing is necessary for the purposes of the legitimate interests of Attractive Design Ltd. or of a third party, except where the interests or fundamental rights and freedoms of the data subject prevail over such interests.
- 2. Identification of the existence or absence of special categories of personal data processed
“Attractive Design” Ltd. identifies that it does not process special categories of personal data, as defined in Art. 9(1) gdpr, therefore it is not necessary to establish, define and document the existence of a legal basis for lifting the prohibition on processing them.
- 3. Information communications on transparency to the data subject
3.1 “Attractive Design” Ltd. provides the subjects of personal data, upon their collection, with the following information:
- the data that identify “Attractive Design” Ltd. and the contact details of the company;
- purposes of the processing for which the personal data are intended;
- the legal basis for the processing of personal data;
- where appropriate, the legitimate and legal interests of Attractive Design Ltd., which provide the legal basis for the processing;
- categories of personal data being processed;
- recipients or categories of recipients of the personal data;
- the period for which the personal data from “Attractive Design” Ltd. will be stored, and if this is not possible, the criteria used to determine this period;
- an instruction to the data subject on his rights to request “Attractive Design” Ltd. access to the data, rectification or erasure of his/her personal data, as well as his rights to restriction of processing, objection to processing, as well as portability of the data;
- where the legal basis for the processing is consent, Attractive Design Ltd. informs the data subject of the existence of the right to withdraw consent at any time, as well as the lawfulness of the processing until the moment of withdrawal;
- the right to complain to the Commission for personal data protection;
- where the legal basis is not the consent of the subject, but is a mandatory or contractual requirement or a requirement necessary for the conclusion of a contract, Attractive Design Ltd. informs the data subject thereof, as well as whether he/she is obliged to provide the personal data and the possible consequences if such data are not provided.
3.2 When personal data are obtained from a source other than the data subject, Attractive Design Ltd. provides it with the information specified in item 3.1 above.
- 4. Time limits, exceptions and method of provision of information
In providing the information, Attractive Design Ltd. complies with the following requirements of the GDPR:
- When collecting personal data from the data subject, Attractive Design Ltd. provides it with the specified information at the time of receipt of the information;
- When collecting personal data from a source other than the data subject, Attractive Design Ltd. provides the subject with the specified information within one month of receipt of the personal data in accordance with the specific circumstances of the processing;
- In cases where the data are used for communication with the data subject, Attractive Design Ltd. communicates the information at the latest when making the first contact with it;
- In cases where the personal data are disclosed to another recipient, Attractive Design Ltd. communicates the information at the latest when the personal data are disclosed for the first time;
- “Attractive Design” Ltd. should not provide this information if the data subject already has it;
- “Attractive Design” Ltd. does not provide this information in case the provision proves impossible or would lead to excessive effort;
- “Attractive Design” Ltd. has no obligation to provide this information in case the receipt or disclosure of personal data is expressly regulated by national law;
- “Attractive Design” Ltd. has no obligation to provide this information if the personal data must remain confidential in compliance with an obligation of professional secrecy regulated by national law, including a legal obligation of secrecy;
- “Attractive Design” Ltd. provides the data subject with any additional information necessary to ensure good faith and transparent processing;
- “Attractive Design” Ltd. provides all information to the data subject in an easily accessible machine-readable format – XML, using clear and simple language.
- 5. Management of requests by a data subject or employee
5.1. Purpose of the procedure.
All personal data processed by Attractive Design Ltd. fall within the scope of this procedure, which in accordance with the legal framework of Articles 12, 15, 16, 17, 18, 20 and 21 of the General Data Protection Regulation (GDPR).
The data subject or any employee may, in defence of his or her rights, make the following requests to the company:
- · Request for data portability (Article 12 GDPR)
- · Request for access (Article 15 GDPR)
- · Request for rectification(Article 16 GDPR);
- · Request for erasure (‘right to be forgotten’)(Article 17 GDPR);
- · Request for restriction of processing(Article 18 GDPR);
- · Request for data transfer(Article 20 GDPR);
- · Objection to processing(Article 21 GDPR).
5.2. Course of procedure
The methods for submitting requests to Attractive Design Ltd. are described in the Procedure for how to communicate in case of complaints and requests from the data subject.
“Attractive Design” Ltd. accepts requests of data subjects committed in any other way, observing the terms of this procedure.
- 1. Request from the data subject, including an employee of the company
The request is submitted on paper to the administrative address of the company: Sofia, Krasno Selo, Bl. 196, or by email:[email protected], in person, through an authorized representative or accordingly signed by electronic signature, if submitted electronically. The following rules shall be complied with when making the request:
- The data subject shall indicate the specific type of request under item 5.1;
- The data subject may request all his/her personal data stored by Attractive Design Ltd. without specifying their specific appearance;
- The data subject provides attractive design EOOD with data about his/her identity to identify him securely and unambiguously (data from personal documents, position held, client number, email address, etc.).
- “Attractive Design” Ltd. necessarily checks the identification data to make sure that the request is submitted by the entity that the data identify;
- “Attractive Design” Ltd. documents the date of receipt of the request;
- Once the request has been received, it shall be immediately forwarded to the manager of the company, to decide on the request/complaint and to send/provide a reply to the data subject/employee.
- 2. Processing of the request
The processing of the request shall be carried out as follows:
- The identification (search) of personal data is carried out in all repositories of data and all relevant backup systems, including all archived files (automatic or manual archives) and all folders of e-mail and their archives.
- Where the request is for access to information, the official shall, when transmitting a copy of the information, carry out data processing in order to remove any identification information for third parties.
- Attractive Design Ltd. provides the requested information and responds to the requests of the data subject within 1 (one) month at the latest from the date of receipt of the request for access.
- 3. Additional information sent upon request for access
In case of a request from the data subject to gain access to his or her data, in addition to providing access to them (for example, by providing a copy thereof), Attractive Design Ltd. also sends him the following information:
- purposes of the processing;
- categories of personal data;
- recipients or categories of recipients of the personal data (if any);
- the period for which Attractive Design Ltd. will store the personal data;
- its rights to request from Attractive Design Ltd. rectification or erasure of its personal data, as well as its rights to restriction of processing, objection to processing, as well as data portability;
- · the right to complain to the FOLD;
- · where personal data are not collected by the data subject, any available information on their source.
- 4. Actions in the event of requests for rectification, erasure or restriction and objections to processing
Upon request of the data subject for rectification, erasure, restriction or objection to the processed personal data, the manager of “Attractive Design” Ltd. should assess each of these requests (outside the request for access to data) in view of the merits of the right of the entity/employee of the company and the existence of other legal requirements for its satisfaction.
Upon receipt of the relevant request:
- “Attractive Design” Ltd. removes personal data from the systems and terminates their processing operations without undue delay if the request for erasure submitted by the data subject is justified;
- “Attractive Design” Ltd. announces any rectification, erasure or restriction of the processing of any recipient to whom the personal data have been disclosed by sending him/her a message to an email address that he has for communication with him or if he does not have one – by post, with receipt, to the current address of the entity at his/her disposal;
- “Attractive Design” Ltd. informs the data subject about these recipients, if the data subject so requests, and documents this communication;
- Attractive Design Ltd. takes appropriate measures without undue delay in case:
- the data subject has submitted a request objecting to the processing of personal data in whole or in part;
- the ground for processing under a legal obligation has been dropped;
- have been unlawfully processed.
“Attractive Design” Ltd. uses the following email address to respond to the requests of the data subjects: [email protected] or the following address for correspondence, if the answer is on paper: Sofia, Krasno Selo, bl.196
EU or national law may provide for restrictions on the exercise of the rights of data subjects in the performance of this procedure in order to ensure:
- national security and defence;
- public security;
- the prevention, investigation, detection or prosecution of criminal offences or the execution of penalties imposed, including the prevention and prevention of threats to public security;
- important objectives of general public interest;
- important economic or financial interest of the Union or of a Member State, monetary, budgetary and tax matters;
- public health and social security;
- the protection of judicial independence and judicial proceedings;
- the prevention, investigation, detection and prosecution of breaches of ethical codes in regulated professions;
- a monitoring, verification or regulation function relating, if only occasionally, to the exercise of official powers in cases;
- protection of the data subject or of the rights and freedoms of others;
- enforcement in civil actions.
5.4. Transfer of personal data
“Attractive Design” Ltd. is responsible for the transfer of the data without difficulties and ensures that they are transmitted with the appropriate level of communication security. Attractive Design Ltd. assesses the specific risks associated with data portability and takes appropriate measures to reduce the risk.
5.5. Transfer of personal data or transfer to another controller
“Attractive Design” Ltd. informs the data subjects about the existence of the right to portability at the time of receipt of personal data.
Upon receipt of a request for transfer or transfer of personal data to another controller, Attractive Design Ltd. processes the request of the entity in compliance with the following rules:
- Any request received shall be sent without delay to the official who verifies clear and irrefutable evidence of the identity of the data subject in the form of data from personal documents, customer number, email address, position (for employees) or other unique identifier;
- The official shall verify that the data subject/employee has been obtained on the basis of consent or contract and that they have been processed in an automated manner. If these requirements are not met, Attractive Design Ltd. has the right to refuse to grant the request;
- Where the requested data concern a third party(s) the manager of the company shall assess whether the transfer of data to another data controller would harm the rights and freedoms of other data subjects;
- The official shall verify that the personal data prepared for transfer/transfer are only and precisely those that the data subject/employee has requested to be transmitted, respectively. transferred;
- The requested information is provided to the data subject/employee in a structured, widely used and machine-readable format – XML, which allows effective reuse of the data;
- When transmitting the data to another data controller, Attractive Design Ltd. forwards them in an interoperable format. In case there are technical obstacles preventing their direct transfer, Attractive Design Ltd. explains these obstacles to the data subject/employee;
- “Attractive Design” Ltd. provides the requested information within 1 (one) one month from the date of the application. If the application is complex, Attractive Design Ltd. can extend this time frame up to a maximum of three months from the date of its submission.
- “Attractive Design” Ltd. informs the data subject of the reasons for the delay through the means by which he has submitted his/her request (email address, current address) within one month of the initial request;
5.6. Receiving personal data from another controller
“Attractive Design” Ltd. accepts and stores only the data that are necessary and relevant to the service provided by the company or to the employment status of an employee of the company. Attractive Design Ltd. does not accept or process personal data “by default”, even when received from another administrator, after a request for their transfer, and does not store such received data.
Attractive Design Ltd. may choose whether to accept data from a data subject or from another controller, as a result of a request of the data subject for transfer to the company, but is not obliged to do so and may refuse such transfer.
If the data received contains data from third parties, Attractive Design Ltd. stores the data under the control of the applicant entity. This data is managed only for its needs, but not for other purposes of Attractive Design Ltd.
- 6. Meansof communication in the case of complaints and requests from a data subject oran employee
6.1.Purpose of the procedure
This procedure is in line with the legal framework of Chapter III, Data Subjects’ Rights of the General Data Protection Regulation (GDPR) and concerns:
- complaints and requests from data subjects related to the processing of their personal data by Attractive Design Ltd.;
- processing of requests from data subjects regarding the exercise of their rights under the GDPR;
- complaints of data subjects about how their requests or complaints are processed.
- 1. General information and communications
Attractive Design Ltd. announces the contact details in connection with making complaints and requests by publishing them on its website at: www.bikeparkings.com
Attractive Design Ltd. places clear and understandable instructions on its website regarding the submission of requests and complaints by data subjects.
- 2. Possibilities of the data subject
Data subjects, including employees of the company can submit to “Attractive Design” Ltd.:
- requests for the exercise of their rights in the protection of personal data – request for access, for erasure, for restriction of processing, objection to processing, for data transfer;
- complaints about how their request for access to the data is considered;
- complaints about how their request/complaint is addressed;
- decision taken following a request/complaint.
- 3. Method of lodging requests and complaints
Data subjects can make requests and complaints directly to the following e-mail: [email protected] or address them on paper to the administrative address of the company: Sofia, Krasno Selo, Bl. 196
- 4. Reply and deadlines
“Attractive Design” Ltd. examines and decides on the request or complaint submitted, subject to the following rules and deadlines:
- Requests/complaints shall be directed to the manager of the company, who shall take a decision and communicate it as a reply to the data subject no later than 1 (one) month after their receipt;
- If necessary, taking into account the complexity and number of requests, the manager of Attractive Design Ltd. may extend the term by a further 2 (two) months. In this case, the data subject shall be informed of the extension within one month of receipt of the request/complaint.
- An appeal against the decision taken by the Manager of Attractive Design Ltd. at the request and/or complaint must be heard and resolved within 14 (fourteen) calendar days.
- If Attractive Design Ltd. does not satisfy the data subject’s request within the required deadlines or refuses to grant the complaint, it shall state in clear and intelligible language the reasons why it has not taken action or refused.
- Attractive Design Ltd. informs the data subject in his/her reply about his right to submit complaints directly to the Commission for Personal Data Protection, while simultaneously providing the data subject with the contact details of the Commission and informing him of his right to seek redress.
All actions of “Attractive Design” Ltd. undertaken in implementation of this procedure are carried out without payment by the data subject.
In the event that the requests and/or complaints are repeated, manifestly unfounded or excessive, Attractive Design Ltd. may refuse, on these grounds, to consider them.
- 7. Notification of a personal data breach
7.1.Purpose of the procedure
This procedure, in accordance with the rules laid down in Articles 33 and 34 of the General Data Protection Regulation (GDPR), shall apply in the event of a personal data breach and shall contain the rules on:
- Notification to the Commission for Personal Data Protection (FOLD) of a personal data breach
- Communication to a data subject of a breach of the security of his or her personal data
7.2.Duties and roles
All persons related to “Attractive Design” Ltd.: employees, contractors and partners, temporary employees, must be familiar with and apply this procedure in case of personal data breach.
All employees, contractors and partners, temporary employees, are obliged to report to the manager of “Attractive Design” Ltd. any personal data breach.
- Notification procedure of Attractive Design Ltd.
Any processor, without exception, with which Attractive Design Ltd. has a contractual relationship, notifies the manager of Attractive Design Ltd. without undue delay, and if possible no more than 36 hours from the knowledge, of any personal data breach or of any other data security incident in general.
The message shall be sent [email protected] email, indicating all the necessary details, details and details in connection with the infringement committed.
The manager of the company sends a confirmation of receipt of the notification to the email address from which the message was received.
- Notification procedure to the supervisory authority
2.1. Attractive Design Ltd. assesses whether it is necessary to notify the supervisory authority of the violation. Under Article 33(1) gdpr,no notification needs to be sent if the personal data breach is unlikely to pose a risk to the rights and freedoms of natural persons. For this purpose, Attractive Design Ltd. carries out an impact assessment of the violation according to the methodology for impact assessment adopted in the company.
2.2. If it finds that there is a risk to the rights and freedoms of data subjects, Attractive Design Ltd. notifies the Commission for Personal Data Protection of the personal data breach without undue delay and no later than 72 hours after learning of it. In the event that the notification is not made within 72 hours, the Manager of Attractive Design Ltd. notifies the FOLD at the earliest opportunity, and the notification in addition sets out the reasons for the delay.
2.3. The notification to the FOLD shall contain the following information:
- Description of the nature of the personal data breach;
- The categories of personal data affected by the breach;
- The categories and approximate number of data subjects concerned;
- The approximate amount of personal data records affected;
- The names and contact details of the Data Protection Officer;
- Description of the consequences of the security breach;
- The measures taken or proposed by Attractive Design Ltd. to deal with the violation.
2.4. Where and to the extent that it is not possible to submit all the necessary information at the same time, it shall be submitted in stages, without further undue delay. The notification to the FOLD shall be sent in accordance with the procedure and method of communication specified by the committee.
2.5. “Attractive Design” Ltd. records information about the confirmation by the FOLD for receipt of the notification.
- Procedure for sending a message to the data subject
3.1. Where the personal data breach is likely to pose a high risk to the rights and freedoms of data subjects, Attractive Design Ltd. shall, without undue delay, communicate the data subjects concerned about the breach.
3.2. The communication to the data subject(s) shall contain the same information as shall be sent to the CHILD and shall be specified in item 2.3 of this procedure.
Information is provided in plain, simple and understandable Bulgarian.
- Taking measures from Attractive Design Ltd. to deal with the violation
Within 36 hours of learning of the breach, Attractive Design Ltd. takes all appropriate measures to make personal data incomprehensible to any person who does not have permission to access them by encrypting or protecting them with passwords.
Within 36 hours of learning of the breach, Attractive Design Ltd. takes follow-up measures to ensure that a high risk to the rights and freedoms of data subjects is not likely to materialize.
If the breach affects a large number of data subjects and personal data records, Attractive Design Ltd. takes a decision based on an assessment of the amount of effort required to notify each data subject individually and whether the ability of Attractive Design Ltd. to send the necessary messages on time would be hindered.
Where this assessment shows that communication to a large number of entities would lead to disproportionate efforts, Attractive Design Ltd. makes a public announcement on its website or takes another similar measure to ensure that data subjects are equally effectively informed.
If Attractive Design Ltd. has not notified the data subject(s) of the personal data breach and the FOLD considers and gives explicit instructions that the breach is highly likely to pose a high risk, Attractive Design Ltd. shall communicate to the data subject(s) about the breach within 24 hours.
“Attractive Design” Ltd. documents all personal data security violations, indicating the relevant facts, the consequences and the measures taken to mitigate their impact.