Privacy Policy

of BUL DOC LTD.

Bul Doc Ltd. (hereinafter referred to as the ‘Company’ or the ‘Data Controller’) operates in accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR). This Privacy Policy is intended to inform the natural persons, whose personal data is collected, about the scope, purposes, grounds for processing personal data, periods of storage of personal data, and rights with regard to the processing of their personal data.

  1. Definitions

‘Personal Data’ shall mean any information relating to an identified or identifiable natural person (‘Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or by one or more factors specified to the physical, physiological, genetic, mental, intellectual, economic, cultural or social identity of that natural person’.

‘Processing of Personal Data’ shall mean any operation or set of operations which are performed by the Company on personal data, whether or not by automated means (such as, for example, collection, recording, organization, structuring, storage, adaptation, update or rectification, alteration, retrieval, consultation, use, disclosure by transmission or provision, dissemination, combination, blocking, erasure, destruction, etc.).

  1. Data Controller

Bul Doc Ltd. is a Personal Data Controller within the meaning of Regulation (EU) 2016/679 and, as such, collects, records, stores, destroys or otherwise processes personal data.

We provide the following information regarding the Data Controller of your personal data:

Name:

Bul Doc Ltd.

UIC:

121675072

Address:

No: 45 Graf Ignatiev street, floor 3, 1142 Sofia

Website:

Home

E-mail:

buldoc@mail.bg

Telephone:

Reasons and purposes of processing and storing your personal data

The Company shall collect and process personal data of the following categories of persons:

  • Employees of the Data Controller;

  • Natural persons with whom the Company has concluded employment contracts for part-time work;

  • Natural persons applying for a job with the Data Controller;

  • Contractors of the Company, who are natural persons, as well as the representatives or proxies of representatives of contractors, who are legal persons;

  • Natural persons visiting the premises of the Company;

  • Persons using the contact form on the Company’s website.

1. The Company shall collect and process personal data of its employees, namely: name, surname and last name; personal identification number(PIN); address; telephone and/ or e-mail for contact; employee qualification data (certificates of language proficiency), data on the validity of a driving license; professional experience – previous employment, including position, duration, work duties; information for children up to 3 years of age; information related to leaves according to the labor legislation – childbirth, marriage, death of a loved one; information on criminal history, including sentences and punishments only for employees holding accounting positions or other positions, where the position or profession is incompatible with the imposed punishment; information related to the exercise of the working activity – changes in the employment contract, work duties, working hours, leaves, violation of the rules of employment, imposed disciplinary sanctions; financial information – bank account, information on imposed attachments, if any; health data: health status, decisions of the Medical Disability Commission, medical certificates, sick notes;

The Data Controller shall process personal data on the following grounds:

  • Processing is necessary for compliance with a legal obligation, to which the Data Controller is subject, in the field of the tax, social security and labor legislation – Article 6, Paragraph 1, Subparagraph ‘c’ of the Regulation;

  • Processing is necessary for the conclusion and performance of an employment contract to which the Data Subject is party – Article 6, Paragraph 1, Subparagraph ‘b’ of the Regulation;

  • With regard to the processing of health data of the Company’s employees, the relevant special reason is the one described in Article 9, Paragraph 2, Subparagraph ‘b’ of the Regulation, namely: ‘Processing is necessary for the purposes of carrying out the obligations and exercising the special rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorized by Union or Member State law or a collective agreement pursuant to Member State law providing for adequate safeguards for the fundamental rights and the interests of the data subject’.

Personal data in the Register shall be collected from the persons which whom an employment contract is concluded. The personal data shall be transferred by the Data Subject to the Data Controller and/ or to an external accounting firm that is a Data Processor.

2. The Company shall collect and process personal data of the persons with whom an employment contract for part-time work has been concluded.

The Data Controller shall collect and process the following personal data: name, surname and last name, personal identification number (PIN), address, telephone and/ or e-mail for contact.

The Data Controller shall collect and process the personal data of these persons on the following grounds:

  • Processing is necessary for compliance with a legal obligation, to which the Data Controller is subject, in the field of tax and social security legislation – Article 6, Paragraph 1, Subparagraph ‘c’ of the Regulation;

  • Processing is necessary for the performance of a contract to which the Data Subject is party – Article 6, Paragraph 1, Subparagraph ‘b’ of the Regulation;

Personal data in the Register shall be collected from the persons with whom an employment contract for part-time work has been concluded. The personal data shall be transferred by the Data Subject to the Data Controller and/ or to an external accounting firm that is a Data Processor.

3. The Company shall collect and process personal data of natural persons who have applied for a job with the Data Controller.

The personal data that the Data Controller shall collect are: name, surname and last name; employee qualification data (certificates of language proficiency, professional or academic recommendation); certificate of foreign language; telephone and/ or e-mail for contact; professional experience – previous employment, including position, duration, work duties;

The Company shall collect and process personal data of job applicants on the grounds of Article 6, Paragraph 1, Subparagraph ‘b’ of the Regulation, namely: processing is necessary to take steps at the request of the Data Subject prior to entering into a contract.

The personal data shall be collected from the job applications upon their application for a position announced by the Company through the services of recruitment agencies (jobs.bg, zaplata.bg, etc.) or through the means of direct communication – e-mail, by main, personally in the office of the Company.

4. The Data Controller shall collect and process personal data of its contractors, who are natural persons, as well as of the representatives or proxies of representatives of contractors, who are legal persons.

The personal data that are collected and processed are: name, surname and last name, permanent and/ or mailing address, telephone, e-mail.

The personal data shall be collected and processed for the purpose of entering into and performing contracts with contractors, keeping accounts, as well as for tax purposes and for the purpose of carrying out extrajudicial and/ or judicial collection of amounts due and protecting the interests of the Data Controller as a subject of private law, as well as for the exercise of its contractual rights and obligations.

If contracts are concluded by a proxy and a notarized power of attorney is submitted, the following data of the principal and the proxy shall be collected: name, surname and last name, personal identification number (date of birth), ID Card number, date of issue.

The Data Controller shall collect, process and store the personal data of its contractors on the following grounds:

  • Processing is necessary for the performance of a contract, to which the Data Subject/ company represented by it is party, or to take steps at the request of the Data Subject prior to entering into a contract – Article 6, Paragraph 1, Subparagraph ‘b’ of the Regulation;

  • Processing is necessary for compliance with a legal obligation, to which the Data Controller is subject, since the Company is obliged to collect certain data in compliance with the requirements of the Accountancy Act, the Obligations and Contracts Act, the Commercial Act, the Public Procurement Act, etc. – Article 6, Paragraph 1, Subparagraph ‘c’ of the Regulation;

Personal data in the Register shall be collected from the persons who are party to the contract. The personal data shall be transferred by Data Subject to the Data Controller and/ or to an external accounting firm that is a Data Processor.

5. If CCTV is introduced, the Company shall collect and process data of the physical identity (physical appearance, characteristic external features and human speech) of the natural persons, who visit the premises of the Data Controller, through video surveillance carried out directly by the Data Controller within the Company’s premises.

The personal data shall be collected for the purpose of: ensuring the security of the staff and property of the Data Controller; observing the public order by all persons who are in the premises of the Company; controlling the work process and ensuring the network and information security; providing assistance to the competent public authorities, if necessary.

The Company shall collect, process and store data of the physical identity of the natural persons who visit the Company’s premises, based on Article 6, Paragraph 1, Subparagraph ‘f’ of Regulation (EU) 2016/679 – ‘Processing is necessary for the purposes of the legitimate interests of the controller’, namely:

  • ensuring the security of the employees and the protection of the property of the Company, including the prevention of possible criminal acts or the notification by the Data Controller of such to the competent authorities;

  • ensuring network and information security in the enterprise;

  • achieving control over the work process and access to the work place.

Pursuant to the requirements of the law, warning signs shall be installed to indicate that permanent video surveillance is carried out.

The Data Controller shall not install cameras or other CCTV equipment in rest rooms, sanitary and service rooms.

6. If a contact form is available on the website, the Company shall collect and process personal data of natural persons, making correspondence with the Data Controller, through the contact form on the Company’s website.

The personal data that is collected are: name, surname and last name, e-mail.

The personal data shall be collected for the purpose of:

  • Making full correspondence and addressing a reply to the message author;

  • Taking steps for entering into a contract.

The Company shall collect, process and store personal data of natural persons who wish to contact the Company through the contact form for the purpose of entering into a contract, on the grounds of Article 6, Paragraph 1, Subparagraph ‘b’ of the Regulation, namely: ‘Processing is necessary to take steps at the request of the data subject prior to entering into a contract.’

The Company shall collect, process and store personal data of natural persons who wish to contact the Company through the contact form, not for the purpose of entering into a contract, on the grounds of Article 6, Paragraph 1, Subparagraph ‘е’ of Regulation (EU) 2016/679, namely: ‘Processing is necessary for the purpose of the legitimate interest of the controller’. In this case, the legitimate interests of the Data Controller can be determined in the following way:

  1. Providing feedback;

  2. Improving the service of visitors to the Company’s website.

  1. Principles for collecting and storing your personal data

When processing your personal data, the Company shall adhere to the following principles:

  • Lawfulness, fairness and transparency;

  • Limitation of the purposes of processing;

  • Adequacy and relevance to the purposes of processing and data minimization;

  • Accurate and up-to-date data;

  • Storage limitation for periods no longer than is necessary to achieve the purposes;

  • Integrity and confidentiality of processing and ensuring appropriate security of the personal data.

  1. Periods for storing your personal data

The periods for storing personal data collected by the Data Controller shall be determined as follows:

  • The personal data of natural persons with whom an employment contract for part-time work has been concluded and the personal data of contractors, who are natural persons, as well as of the representatives or proxies of representatives of the contractors, who are legal persons, shall be stored by the Data Controller for a period of 5 years from the time of termination of the contract.

  • The personal data of the employees of the Data Controller shall be stored as follows: for payroll records – 50 years, for lists of permanent positions – 10 years; for employment dossiers of employees – 5 years after termination of the employment relations; for the dossier registration log – 5 years after completion; for applications and certificates of length of service and contributory service – 5 years, for the register of newly issued employment record books – 50 years after completion, for correspondence on personnel matters and remuneration – 10 years after evaluation by an expert committee; for health records – 50 years;

  • The personal data of natural persons who applied for a job with the Data Controller shall be stored for the duration of the recruitment process and up to 30 days after its completion, unless the applicant has agreed his or her data to be stored for applying for future or other open positions. After the recruitment process has been completed, the application for a job of a person, with whom no employment contract has been concluded, shall not be stored.

Where, in a selection procedure, the Company has requested the submission of certified or notarized copies of documents certifying the applicant’s physical and mental fitness for work and the required qualification and professional experience for the position held, the Data Subject who has not been approved for appointment may request, within 30 days of the final completion of the selection procedure, to receive back the documents submitted. In this case, the Company shall return the documents in the manner in which they were submitted.

 

  • The personal data about the physical identity of natural persons (physical appearance, characteristic external features and human speech) shall be stored for a period of 60 days from the date of receipt of the data by video recording.

  • The personal data of natural persons collected and processed in connection with the electronic messages they have received through the contact form on the Company’s website shall be stored until the purposes for which they were collected are achieved, but in any case for a period not exceeding 3 months from receipt of the personal data.

Upon expiration of the periods of storage the Data Controller shall take all necessary actions without undue delay to properly destroy the collected personal data.

  1. Your rights in the collection, processing and storage of your personal data.

At any time while we process your personal data, you as a Data Subject have following rights:

1. Right of access – You have the right to know what your personal data is processed by the The Company. Upon request, the Data Controller shall provide you a free copy of the processed personal data concerning you. When you submit a request by electronic means, the Data Controller shall provide the information in the widely used electronic form.

2. Right to rectification – You have the right to request the rectification of data concerning you, stored by the Data Controller, if such is inaccurate or incomplete.

3. Right to object – With respect to data processed on the basis of ‘legitimate interest’, you have the right, at any time and on the grounds related to your particular situation, to object to the processing. In the event of such objection, the Data Controller shall suspend the processing of your personal data, unless it demonstrates compelling legitimate grounds for the processing, which override your interests, rights and freedoms, or if the data is processed for the establishment, exercise or defense of legal claims.

4. Right to erasure (‘right to be forgotten’) – You have the right to obtain from the Data Controller the erasure of personal data concerning you in the following cases:

  • if the personal data are no longer necessary in relation to the purposes for which they were collected;

  • if the data subject exercises his or her right to object to the processing and there are no overriding legitimate grounds for the processing;

  • if the personal data have been unlawfully processed;

  • if the personal data have to be erased for compliance with a legal obligation of the Data Controller.

However, the right of erasure shall not apply where the data is being processed:

  • for exercising the right of freedom of expression and information;

  • for compliance with a legal obligation which requires processing by Union or Member State law, to which the Data Controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;

  • for reasons of public interest in the area of public health;

  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89, Paragraph 1 of Regulation (EU) 2016/679 in so far the right of erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing;

  • for the establishment, exercise or defense of legal claims.

5. Right to restriction of processing – In certain cases, you have the right to obtain from the Data Controller restriction (suspension) of processing of your data. Such cases are the need to verify the accuracy of the data, the grounds for the processing of the data or the lawfulness of their processing.

You can exercise the rights specified in paragraphs 1 – 5 by submitting a request/ objection to the Company in any form. The request/ objection should include a statement of what right you want to exercise and should identify you as the data subject. For convenience, you can use the request forms for providing access, rectification, erasure, etc., posted on the Company’s website

6. Right to complain – If you believe that your data is being processed unlawfully by the Data Controller, you have the right to lodge a complaint with the Commission for Personal Data Protection, which is the supervisory body responsible for the implementation of Regulation (EU) 2016/679 and Personal Data Protection Act.

Name: Commission for Personal Data Protection

Headquarters and registered office: No: 2 Prof. Tsvetan Lazarov Blvd.,1592 Sofia

Mailing address: No: 2 Prof. Tsvetan Lazarov Blvd.,1592 Sofia

Telephone: 02 / 915 3 518

Website: www.cpdp.bg

E-mail: kzld@cpdp.bg

  1. Information security and privacy measures

The Data Controller has taken appropriate technical and organizational measures to protect personal data, as follows:

  • Software and technical measures: ensuring protection for each employee by user profiles with access passwords and policies for their maintaining, as well as other means of protection when transmitting information, including reliable and secure identification and authentication of the sender and the recipient of the information; ensuring confidentiality; integrity of the information transmitted; virus protection; backup copies for the period set for the storage of data for each individual register; standard protection of the operating systems; denied access to server information through remote access via the Internet, etc.;

  • Physical measures: a system of measures for protection of the buildings, premises and facilities, in which personal data are processed and stored, and control of access to them, locks, separate cabinets, including lockers, video surveillance, equipment in the premises that meets the needs, purposes and level of impact of the processing of personal data;

  • Organizational and administrative (documentary) measures: determining the registers also to be maintained electronically; regulating access to the registers; setting the periods for storage and the procedures for destruction of personal data; defining rules for archiving documents both on paper and on electronic media; organizing regular training of the responsible persons – employees of the Company who are responsible for the issues of personal data protection, in compliance with the legislation and practice in the field;

  • Regulatory measures: provided for by the laws and the regulations, including the existence of consent to the commitment not to disseminate personal data by the persons who process them;

  • Following the principle of Privacybydesign: The Company shall introduce, both at the time of determining the means of processing, including in particular when developing new business models/ business processes/ products/ work systems, and at the time of the processing itself, appropriate technical and organizational measures to protect personal data, including pseudonymisation;

  • Following the principle of deminimis: The Company shall limit the processing of personal data to such as are reasonably adequate and relevant to the specific applicable basis on which the processing is carried out and which corresponds to the business purposes of such processing. Insofar as personal data are not necessary for the basis and business purposes applicable to the specific processing, i.e. exceed them, the Company shall do its best to destroy this personal data.

  1. Notification of changes to this Privacy Policy

The Data Controller reserves the right to amend and supplement this Privacy Policy. When amending the Privacy Policy, amendments shall be timely reflected in it and made available to all interested parties on the official website – http://www.buldoc.eu.

  1. Use of cookies on the Data Controller’s website

The Data Controller’s website may use cookies. Cookies are small text files that are placed on the user’s personal computer by the website that is visited and are used to make the website function more efficiently.

The Data Controller’s website may use cookies to improve the functionality of the site and adapt it to the specific needs of users.

The Data Controller may use the following cookies:

  • Session cookies – temporary files with cookies that are deleted when the browser is closed. When the browser is restarted and the user returns to the website that created the cookie, the website will treat the user as a new user.

  • Permanent cookies – they remain in the browser until they are manually deleted or until the user’s browser deletes them, based on the period of duration set in the cookie. These cookies recognize the user as a returning visitor.

  • Necessary cookies – cookies necessary for the operation of the website of the Data Controller, which allow the user to navigate through the website and use its functions.

The browsers that open the website of the Data Controller allow all cookies to be deleted at any time. To do this, each user can refer to the help functions of the respective browser. These actions may make certain features of the website of the Data Controller not to be accessible to the user any longer.