Privacy Policy

PRIVACY POLICY – EU DATA SUBJECTS

1. Introduction

This Privacy Policy – EU Data Subjects (the “Privacy Policy”) sets out how Socotab and its subsidiaries and affiliates (each and together hereinafter referred to as “Socotab”, “we”, “our” or “us”) handle the Personal Data of our customers, suppliers, employees, workers, third parties and other persons located in the EU, or whose Personal Data is otherwise subject to EU data protection laws.

Definitions of capitalized terms are set out in Appendix A to this Privacy Policy.

This Privacy Policy applies to any and all Personal Data processed by us, regardless of the storage medium and regardless of whether the data relate to former or current employees, job applicants, contractors, third parties or other Data Subjects.

2. Scope

We are convinced that the correct and legal treatment of Personal Data maintains the trust in the organization and provides the basis for successful business activity. Protecting the confidentiality and integrity of Personal Data is an important responsibility that we take very seriously at all times.

The management of Socotab undertakes to ensure compliance with EU and member state legislation on the processing of Personal Data and the protection of the rights and freedoms of the individuals whose Personal Data Socotab collects and processes, in accordance with the General Data Protection Regulation (GDPR).

In accordance with the GDPR, this Policy also describes the other relevant documents and the related processes and procedures.

Regulation (EU) 2016/679 and this Policy apply to all Personal Data processing functions, including those performed in relation to customers, employees, suppliers and partners, as well as to any other Personal Data that the company processes from various sources.

The Data Protection Officer is responsible for reviewing the processing activities annually in the light of any changes in Socotab’s activities, as well as any additional requirements and data protection impact assessments.

This Policy applies to all employees, external contractors and suppliers of Socotab. Any breach of the GDPR will be treated as a violation of labour discipline and, where a crime is suspected, the matter will be referred to the relevant state authorities as soon as possible.

Partners and third parties who work with or for Socotab, as well as persons who have or may have access to Personal Data, will be expected to know, understand and comply with this Policy. No third party may have access to Personal Data held by Socotab without entering into a data confidentiality agreement, which imposes on the third party obligations no less burdensome than those undertaken by Socotab and which gives us the right to carry out inspections for compliance with the obligations imposed by the agreement.

Socotab provides Data Subjects with detailed information, which differs depending on whether the Personal Data are collected directly from the Data Subject or otherwise, through appropriate Privacy Notices written in clear, easy-to-understand language and presented in a concise, transparent and easily accessible form.

The Data Protection Officer is responsible for the compliance with this Privacy Policy. You can contact the DPO at datasecurity@socotab.com and ask any questions regarding the application of this Privacy Policy, as well as any concerns about the use of or compliance with the Policy.

3. Principles of Personal Data Protection

We observe the following principles related to the processing of Personal Data:

  • to be processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency),
  • to be collected only for specified, explicit and legitimate purposes (Purpose limitation),
  • to be adequate, related to the purpose for which they are collected and limited to what is necessary in relation to the purposes for which they are processed (Data minimisation),
  • to be accurate and, where necessary, kept up to date (Accuracy),
  • to be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed (Storage limitation),
  • to be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (Integrity, Confidentiality and Security),
  • not to be transferred to another country without appropriate safeguards being implemented (Data transfers limitation),
  • to be made available to Data Subjects, who may exercise certain rights with respect to their Personal Data (Data Subjects Rights and Requests).

Socotab identifies the legal ground for Personal Data processing before the processing begins. We are responsible for complying with all data protection principles set out above and we are able to demonstrate this compliance (Accountability). All data collection methods are subject to a once-a-year review by internal audit / external experts to ensure that the data collected continue to be adequate, relevant and not excessive and, if necessary, a data protection impact assessment is carried out.

Personal Data processing is carried out only if any of the following legal grounds applies:

  • The Processing is necessary for the performance of a contract to which the Data Subject is party.
  • The Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • The Processing is necessary for the purposes of our legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject.
  • The Data Subject has given his / her consent.

Sensitive Personal Data may be processed only if both of the following conditions are met:

  • One of the legal grounds for processing set out above applies, and
  • One of the specific conditions for the processing of Sensitive Personal Data, some of which are listed below, has been met:
    • The processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of Socotab or of the Data Subject in the field of employment,
    • The processing is necessary to protect the vital interests of the Data Subject,
    • The processing relates to Personal Data which have been made public by the Data Subject,
    • The Data Subject has given Explicit consent.

Employees may process Sensitive Personal Data only after obtaining the prior written approval of the Data Protection Officer.

The specific information to be provided to the Data Subject must include at least:

  • the identity and the contact details of the Controller,
  • the contact details of the Data Protection Officer,
  • the purposes of the processing as well as the legal basis for the processing,
  • the period for which the Personal Data will be stored,
  • the rights of the Data Subject – the right to request access to and rectification or erasure of Personal Data (“right to be forgotten”) or restriction of processing, the right to object to processing, and the conditions (or lack thereof) attached to the exercise of these rights,
  • the categories of Personal Data,
  • the recipients or categories of recipients of the Personal Data,
  • whether the controller intends to transfer Personal Data to a recipient located in a third country and the existence of appropriate or suitable safeguards,
  • any additional information necessary to ensure fair and transparent processing.

Personal Data held are accurate and kept up to date at all times, and reasonable steps are taken (within the limits of the available technical solutions) to ensure that inaccurate Personal Data are erased or rectified without delay.

Personal Data are reviewed and, where necessary, updated. Data that are likely to be inaccurate are not stored. All employees are trained in the importance of collecting and maintaining accurate data.

The Data Subject is responsible for ensuring that the data he / she provides for processing and storage by Socotab are accurate and up to date. Employees, customers, contractors, tobacco farmers and suppliers are required to notify Socotab of any change in circumstances so that Personal Data records can be updated. Socotab is responsible for ensuring that every such change notification is recorded and that appropriate action is taken.

The Controller shall review the retention periods of all Personal Data processed by Socotab at least once a year and shall identify any data that is no longer required in the context of the registered purpose. These data will be reliably destroyed in accordance with the Controller’s procedures and rules.

The Data Protection Officer shall respond within one month to an individual’s request to correct personal information. This period may be extended by a further two months if the request is complex. If Socotab decides not to comply with the request, the Data Protection Officer shall give written notice to the individual, stating the reasons for the refusal and informing the Data Subject of the right to lodge a complaint with the supervisory authority and to seek legal redress.

Where third party organizations hold inaccurate or outdated Personal Data, the Data Protection Officer shall take all reasonable steps to inform them that the information is inaccurate or out of date and, where necessary, forward any request for rectification of Personal Data to those third parties.

The Data Protection Officer shall approve in writing any retention of Personal Data that exceeds the specified retention period and shall ensure that the reason is clearly defined and complies with the requirements of Data Protection Legislation.

4. Categories of Data Subjects. Types of Personal Data

Personal Data are collected only for specific, explicit and lawful purposes. The Personal Data processing for new or different purposes or for purposes incompatible with those disclosed at the time of the initial data collection is not permitted, except in cases where we have notified the Data Subject of the new purposes and, where necessary, the Data Subject has given his / her Consent.

Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the legitimate purposes or for the purposes for which the data were originally collected, including to satisfy legal, accounting and reporting requirements.

We comply with certain data retention policies and procedures to ensure that Personal Data will be deleted after a period that is reasonable for the purposes for which they are stored, unless a law requires the data to be retained for a specified minimum period. Once the retention period has expired, all Personal Data will be deleted/destroyed.

Socotab processes Personal Data about the following categories of Data Subjects:

  a) current and former employees under an employment relationship – names, PIN, date of birth, place of birth, identity card number and date of issue, permanent address, contact address (if different from the permanent one), information about professional qualification and education, phone number and e-mail, medical data (preliminary medical examination card, sick notes, Territorial Medical Expert Board (TMEB) decisions), criminal record data (if a criminal record certificate is required for the position), marital status data, incl. spouse and children (if the employee, the employee’s spouse or the employee’s ascendants request the respective type of leave under the Labour Code), employee identification number, job position, age, length of employment service, bank account number, amount of and reason for the employee’s liabilities to third parties, driving licence data, vehicle registration plate and other personal car data, information on the use of the company’s information and communication systems,
  b) job applicants – names, date of birth, address, phone number, e-mail, photo, information about professional qualification and education, biographical data, and any other data which the job applicant has included in a CV, cover letter, other personnel selection document or a report under the Whistleblower Protection Act,
  c) customers, contractors and service providers – names, PIN/PNF, identity card number and date of issue, permanent address, contact address (if different from the permanent one), phone number, e-mail, bank account, IP address, operating system, browser, information on the use of the company’s information and communication systems (if access is granted), consents to the company’s Privacy Policy and IT security policy,
  d) tobacco farmers – names, PIN/PNF, identity card number and date of issue, permanent address, contact address (if different from the permanent one), phone number, e-mail, social security status, bank account number, marital status, gender, age, number of family members, number and age of children, employment outside of tobacco production, consents to the company’s Privacy Policy,
  e) video surveillance personal data – video-surveillance images with time, date and location stamp for the individuals listed in letters a) to d) above,
  f) other individuals’ personal data besides those listed in letters a) to d) above and covered by or protected under the Whistleblower Protection Act – name, address, telephone, e-mail, place of work, signature, electronic signature or other identifying information.

5. Purpose, legal ground and retention period of the Processing

5.1. Processing of Current and Former Employees Personal Data:

  • Purposes – to conclude and execute an employment contract, to maintain employment records, to comply with the requirements of labour, social security and tax legislation, to pay salaries, wages and benefits, to calculate and withhold taxes and insurance contributions due, for the establishment, investigation, registration and reporting of occupational accidents, for conducting periodical preventive medical examinations, for lodging claims on behalf of the employee with insurance companies in the event of accidents and other insurance events, to provide employees with free transportation to the workplace, for ensuring workplace access for employees in accordance with the access security regime, for ensuring staff safety, protection of property, prevention and detection of criminal offences, for fulfilment of Socotab’s obligations as a third party jointly and severally liable under the Code of Civil Procedure, for receiving, registering and processing reports of breaches under the Whistleblower Protection Act and providing protection under that Act, for conducting salary level surveys in the country with a view to determining an adequate level of remuneration in relation to the market situation, for conducting trainings and for fulfilling Socotab’s obligations under Universal Corporation’s Compliance Program, for authorising employees to drive company vehicles, for ensuring network and information security, and for preventing unauthorized access to Socotab’s computers and electronic communication systems as well as the spread of malicious software.
  • Legal grounds for processing:
    • Performance of a legal obligation: Labour Code; Social Insurance Code; Health Insurance Act; Income Taxes on Natural Persons Act; Health and Safety at Work Act; Code of Civil Procedure; Whistleblower Protection Act; Ordinance No 4 of 11.05.1993 on documents required for the conclusion of an employment contract; Ordinance No 5 of 29.12.2002 on the content and the procedure for submitting the notification under Art. 62, para. 5 of the Labour Code; Ordinance No N-8 of 29.12.2005 on the content, terms, manner and procedure for submission and storage of insured persons’ data by employers and social insurance contributors, as well as by self-insured persons; Ordinance on work book and length of employment service; Ordinance on cash benefits and allowances from public social insurance funds; Ordinance on medical expertise; Ordinance on the establishment, investigation, registration and reporting of occupational accidents; Ordinance No 3 of 18.04.2018 on the conditions and procedure for opening of payment accounts, for execution of payment transactions and for use of payment instruments; Ordinance No 3 of 28.02.1987 on the obligatory preliminary and periodical medical examinations of the workers; Ordinance No RD-07-2 on the terms and conditions for conducting periodical training and instruction of employees on the rules for ensuring healthy and safe working conditions; Ordinance No 33 of 1999 on the public carriage of passengers and goods on the territory of the Republic of Bulgaria.
    • Performance of a contract: employment contracts with personnel; the conclusion and execution of contracts for the use of personal vehicles.
    • Socotab’s legitimate interest: ensuring workplace access for employees in accordance with the access security regime; monitoring the use of Socotab’s information and communication systems; ensuring staff safety, protection of property, prevention and detection of criminal offences.
    • Data Subject’s consent: to receive remuneration and benefit payments via bank transfer, to apply for a job or to be hired under another type of contract, for lodging claims on behalf of the employee with insurance companies in the event of accidents and other insurance events, for conducting salary level surveys in the country with a view to determining an adequate level of remuneration in relation to the market situation, for conducting trainings to improve employees’ professional qualification and for fulfilling Socotab’s obligations under Universal Corporation’s Compliance Program.
  • Retention periods:
    • employment contract, orders for appointment, re-appointment and termination of the employment contract, orders for use of unpaid leave of up to 30 working days per year, payrolls, as well as other documents on the basis of which the length of employment service / contributory service can be established – 50 years from 1 January of the reporting period following the accounting period to which they refer;
    • sick notes and other documents – 5 years, reckoned from 1 January of the year following the year in which they were presented;
    • accounting records and financial statements, including documents for tax control, audit and subsequent financial inspections – 10 years from 1 January of the reporting period following the accounting period to which they refer;
    • data regarding the registration of occupational accidents – 5 years from the registration date;
    • documentation related to the conduct of training and instruction on safety and health in the workplace – 5 years;
    • insurance contracts and related documents – 6 years, reckoned from 1 January of the year following the year in which the contract is terminated;
    • health records – 50 years;
    • data relating to transport and access to the workplace – 2 months, or 6 years reckoned from 1 January of the year following the year in which the contract for the use of personal vehicles is terminated;
    • information on the use of information and communication systems – 12 months;
    • video-surveillance images with time, date and location stamp – 2 months;
    • reports on breaches – 5 years, reckoned from 1 January of the year following the year in which the report was filed;
    • where Personal Data are processed on the ground of consent, the processing ceases from the date of its withdrawal.

5.2. Processing of Job Applicants Personal Data:

  • Purposes – selection and recruitment of employees for certain positions and staffing of the Company’s activities; receiving, registering and processing reports of breaches under the Whistleblower Protection Act and providing protection under that Act.
  • Legal grounds for processing:
    • Performance of a legal obligation: Whistleblower Protection Act.
    • Data Subject’s consent, given explicitly or by implied action (submission of job application documents).
  • Retention periods:
    • job application documents – 6 months according to Art. 25k of the Personal Data Protection Act, or until the consent is withdrawn where the withdrawal is made before the expiry of the retention period;
    • video-surveillance images with time, date and location stamp – 2 months;
    • reports on breaches – 5 years, reckoned from 1 January of the year following the year in which the report was filed.

5.3. Processing of Customers, Contractors and Service Providers Personal Data:

  • Purposes – to verify the identity of the contracting parties, their representatives and contact persons; to conclude and fulfil the obligations under the contracts; to receive, register and process reports of breaches under the Whistleblower Protection Act and provide protection under that Act; to provide access in accordance with the access security regime established for the Company; to ensure staff and visitor safety, to protect property and to prevent and detect criminal offences; to ensure the Company’s network and information security, to prevent unauthorized access to Socotab’s computers and electronic communication systems, and to prevent the spread of malicious software.
  • Legal grounds for processing:
    • Performance of a contract: the concluded contract.
    • Performance of a legal obligation: Accountancy Act; Value Added Tax Act; Corporate Income Tax Act; Whistleblower Protection Act.
    • Socotab’s legitimate interest: providing access in accordance with the access security regime established for the Company; ensuring staff and visitor safety, protection of property, prevention and detection of criminal offences; monitoring the use of Socotab’s information and communication systems (if access is granted).
  • Retention periods:
    • 10 years, reckoned from 1 January of the year following the year in which the public obligation became payable;
    • documents for tax control, audit and subsequent financial inspections – 10 years from 1 January of the reporting period following the accounting period to which they refer;
    • data relating to access to the workplace – 2 months;
    • information on the use of information and communication systems – 12 months;
    • video-surveillance images with time, date and location stamp – 2 months;
    • reports on breaches – 5 years, reckoned from 1 January of the year following the year in which the report was filed.

5.4. Processing of Tobacco Farmers Personal Data:

  • Purposes – to verify their identity and to conclude and fulfil the obligations under the contracts for the production, grading and buying out of oriental tobacco; for payment of amounts due; for calculation and deduction of the correct amount of taxes and social security contributions due; for executing Socotab’s duties under the Good Agricultural Practices Program (the GAP principles) and the Agricultural Labour Practices Program (the ALP program), under which the company needs to maintain databases of tobacco farmers who have entered into a contract with Socotab; for the provision of advances in kind; to ensure staff and visitor safety, to protect property and to prevent and detect criminal offences; to carry out incoming control upon receipt of the tobacco purchased from them at Socotab’s warehouses; for receiving, registering and processing reports of breaches under the Whistleblower Protection Act and providing protection under that Act.
  • Legal grounds for processing:
    • Performance of a contract: the concluded contract for the production, grading and buying out of oriental tobacco.
    • Performance of a legal obligation: Act on Tobacco and on Tobacco and Related Products; Obligations and Contracts Act; Whistleblower Protection Act; Ordinance No 3 of 18.04.2018 on the conditions and procedure for opening of payment accounts, for execution of payment transactions and for use of payment instruments; Income Taxes on Natural Persons Act; Accountancy Act; Corporate Income Tax Act.
    • Socotab’s legitimate interest: performing video surveillance.
    • Data Subject’s consent: for incoming control upon receipt of the tobacco purchased from them at our warehouses, for the provision of advances in kind, and for maintaining databases of tobacco farmers who have entered into a contract with Socotab under the Good Agricultural Practices Program (the GAP principles) and the Agricultural Labour Practices Program (the ALP program).
  • Retention periods:
    • contract-related data – 6 years, reckoned from 1 January of the year following the year in which the contract is terminated (Art. 110 of the Obligations and Contracts Act, in connection with the protection of the company’s rights and interests in the event of disputes);
    • documents for tax control, audit and subsequent financial inspections – 10 years from 1 January of the reporting period following the accounting period to which they refer;
    • data relating to access to the workplace – 2 months;
    • video-surveillance images with time, date and location stamp – 2 months;
    • reports on breaches – 5 years, reckoned from 1 January of the year following the year in which the report was filed;
    • where Personal Data are processed on the ground of consent, the processing ceases from the date of its withdrawal.

5.5. Processing of Video Surveillance Personal Data

  • Purposes – providing surveillance and perimeter security of the site; controlling access at the entry / exit points of the site, as well as at the internal administrative premises, except the staff restrooms; protection of the Company’s property, as well as the property of third parties temporarily located on the territory of Socotab.
  • Legal grounds for processing – Socotab’s legitimate interest.
  • Retention period – 2 months according to Art. 56, para. 4 of the Private Security Business Act. The records may be kept for a longer period where this is necessary for the investigation of criminal offences or breaches, in which case Socotab notifies the relevant investigating body – police, prosecutor’s office, Commission for Personal Data Protection, etc.

Only Socotab has access to video surveillance data. Such access shall also be granted to the competent state authorities in the cases provided by law. Individuals have the right to access these data only insofar as they relate to them. In cases where the exercise of the natural person’s right of access may disclose third party’s personal data, but there is no technical possibility to erase or mask the images of other persons subject to video surveillance, access to video recordings / images may be granted only with the consent of all individuals subject to video surveillance.

5.6. Processing of Other Individuals’ Personal Data covered by or protected under the Whistleblower Protection Act

  • Purposes – receiving, registering and processing reports of breaches under the Whistleblower Protection Act and providing protection under that Act.
  • Legal grounds for processing – performance of a legal obligation: Whistleblower Protection Act.
  • Retention period – 5 years, reckoned from 1 January of the year following the year in which the report was filed. The records may be kept for a longer period where this is necessary for the investigation of criminal offences or breaches which fall within the competence of the authorities referred to in the Whistleblower Protection Act.

Socotab is a Controller and in some cases a Processor in accordance with Regulation (EU) 2016/679. Where Socotab processes Personal Data in its capacity as Processor, the categories of data subjects, the types of Personal Data, the purposes, the grounds and the period of processing are determined by the Controller who has assigned the processing.

6. Personal Data Security and Protection

The Personal Data security is our priority that we never compromise on.

Personal Data should be protected by appropriate technical and organizational measures against unauthorized or unlawful processing and against accidental or unlawful loss, destruction, alteration, disclosure or damage.

All employees shall ensure the security of the data for which they are responsible and which Socotab holds: the data must be stored securely and must not be disclosed under any circumstances to third parties, except where Socotab has granted such rights to that third party and has a contract or confidentiality clause in place with it. Transfer of Personal Data to third-party service providers is allowed only if they have made a contractual commitment to comply with our policies and procedures and have committed to implement adequate measures for the protection of Personal Data.

Socotab has implemented reasonable and appropriate security measures against unlawful or unauthorized Personal Data processing, as well as against accidental loss or damage of Personal Data. Socotab gives special attention to Sensitive Personal Data protection from loss or unauthorized access, use or disclosure.

Employees are obliged to comply with all policies, procedures and technologies in place to maintain the security of all Personal Data from the time they are collected until they are destroyed.

Employees have access only to the information that their job function requires in accordance with the need-to-know principle and the access can only be granted in accordance with the rules for access control. All Personal Data are treated with extra security and stored:

  • in a separate room with controlled access and / or in lockable containers or filing cabinets, and / or
  • if held electronically, protected by passwords in accordance with the internal requirements specified in the relevant IT security policies.

All employees are required to be trained and to accept the relevant contractual clauses / Privacy and IT security policies compliance Statement, as well as the rules for locking workstations, before they are granted access to information of any kind.

Paper-based records must not be left where they can be accessed by unauthorized persons and may not be removed from the designated office premises without express permission. As soon as paper documents are no longer needed for current work, they must be destroyed in accordance with the implemented procedure / rules and the appropriate protocol.

Personal Data may be erased or destroyed only in accordance with the Personal Data Storage and Disposal Policy. Paper-based records that have reached their retention date must be shredded and disposed of as confidential waste. The data on the hard disks of decommissioned personal computers must be erased, or the disks destroyed, according to the implemented rules / procedures.

Processing Personal Data outside the office poses a higher risk of loss, theft or breach of Personal Data. Staff members must be explicitly authorized to process data off the Controller’s premises.

In determining the appropriate level of security, account shall be taken of the degree of damage or loss that may be caused to individuals if a security breach occurs, as well as of any likely damage to the Controller’s reputation, including any loss of customer / contractor confidence.

Upon evaluating the appropriate technical measures the following shall be taken into account:

  • password protection,
  • automatic lock of workstations in the network after a period of inactivity,
  • removal of access rights for USB and other removable storage media,
  • antivirus software and firewalls,
  • role-based user access,
  • protection of devices leaving the Company’s premises (e.g. laptops, tablets, etc.),
  • security of local and wide area networks,
  • confidentiality enhancement technologies, such as pseudonymization and anonymization,
  • identification of international security standards appropriate for Socotab.

Upon evaluating the appropriate organizational measures the following shall be taken into account:

  • the levels of the relevant training in Socotab,
  • employees’ reliability measures (e.g. attestations, recommendations, etc.),
  • inclusion of data protection clauses in the employment contracts,
  • identification of disciplinary measures for the breaches of Personal Data processing,
  • regular inspection of personnel for compliance with the relevant security standards,
  • physical access control to electronic and paper-based records,
  • implementation of Clean Desk Policy[1],
  • storage of paper-based data in lockable cabinets,
  • restriction of use of portable electronic devices outside the workplace,
  • restriction of use of employees’ portable devices in the workplace,
  • adoption of clear rules for creating and using passwords,
  • regular backup of personal data and physical storage of media copies outside the office,
  • imposition of contractual obligations on counterparty organizations to take appropriate security measures when transferring data.

7. Disclosure of Personal Data

Socotab provides conditions under which Personal Data shall not be disclosed to unauthorized third parties, including family members, friends, government agencies, even investigators, if there is reasonable doubt that the Personal Data are not requested in the prescribed manner. All employees must be careful when they are asked to disclose Personal Data of another person to a third party. It is important to consider whether or not the disclosure is related to the activity carried out by the institution.

Employees should receive special training and periodic briefings in order to avoid the risk of such a breach.

All Personal Data disclosure requests from third parties shall be supported by appropriate documentation, and all such disclosure requests must be specifically authorized by the Data Protection Officer.

8. Data Retention and Destruction

Socotab does not store Personal Data in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the Personal Data are collected.

Personal Data are kept for no longer than is necessary to fulfil the purposes for which the data were obtained, including to satisfy legal, accounting and reporting requirements.

Socotab may keep Personal Data for longer periods insofar as the Personal Data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes and if appropriate technical and organisational measures are implemented in order to safeguard the rights and freedoms of the Data Subject.

The retention period for each type of Personal Data is determined in accordance with the legal requirements. Where no explicitly regulated legal deadlines are set out, clear criteria are used to determine this period.

Personal Data must be destroyed securely in accordance with the principle of ensuring an adequate level of security, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage, by applying appropriate technical or organizational measures.

9. Data Transfer Restrictions

Personal Data are considered to be transferred when they originate in one country and are transmitted, sent, viewed or accessed (including remotely) in another country.

In order to ensure that the level of data protection is not compromised, Personal Data should not be transferred outside the EEA, unless appropriate protection measures are in place (e.g. a data transfer agreement based on standard contractual clauses). Any transfer of Personal Data outside the EEA is subject to prior written approval by the Data Protection Officer.

Exceptionally, Socotab may transfer Personal Data to EU Member States or to a third country or international organization only under one of the following conditions:

  • the Data Subject has explicitly requested a transfer after being informed of the possible risks of such transfers,
  • the transfer is necessary for the performance of a contract between the Data Subject and the Controller / Processor or the implementation of pre-contractual measures taken at the Data Subject’s request,
  • the transfer is necessary for important reasons of public interest,
  • the transfer is necessary for the establishment, exercise or defence of legal claims,
  • the transfer is necessary in order to protect the vital interests of the Data Subject or of other persons, where the Data Subject is physically or legally incapable of giving consent.

In order to ensure that Personal Data have an adequate level of protection, we have or will implement data transfer agreements, corresponding to a model adopted by the European Commission or other instrument to ensure an adequate level of protection, so that you can be sure that Personal Data are processed by these third parties in a way that is in line with applicable European data protection legislation.

10. Personal Data Breach Notification

In certain circumstances, Socotab is obliged to report Personal Data breaches to the supervisory authority and, in some cases, to the Data Subject.

The GDPR introduces a duty on the Controller to report Personal Data breaches to the relevant supervisory authority, unless the personal data breach is unlikely to result in a risk of adverse effects occurring. Where there is a high probability and risk of adverse effects occurring, the GDPR obliges the Controller to notify the affected individuals without undue delay.

We have implemented a special Incident Response Policy to deal with any suspected breaches of personal data security and will notify the Data Subjects and / or the relevant supervisory authority in cases where we have a legal obligation to do so.

11. Data Subject’s Rights and Requests

All Data Subjects located in the EU have certain rights with regard to the processing of their Personal Data. These rights include:

  • to demand information on whether we store their personal data, and if so, what data we collected, what are our legal grounds for processing them and for what purpose we process and store their data,
  • to request access to their Personal Data (the so-called `Data Subject access request`). This allows them to obtain a copy of the Personal Data and to check whether we are processing them in the manner prescribed by law,
  • to request the rectification of their incomplete or inaccurate Personal Data held by us,
  • to request the erasure of their Personal Data (the so-called `right to be forgotten`), i.e. to delete or remove without undue delay all or part of their Personal Data, if the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. Socotab does not erase the data where the processing is necessary for compliance with a legal obligation, including for the establishment, exercise or defence of legal claims,
  • to object to the processing of their Personal Data if we invoke our legitimate interest (or the interests of a third party) or where the Personal Data are processed for direct marketing purposes,
  • to request the erasure or removal of their Personal Data if they have exercised their right to object to the processing in accordance with the preceding letter (e),
  • to object to any decision-making based solely on automated processing, if any, including profiling, i.e. not to be subject to any automated decision-making by us through their Personal Data or profiling,
  • to request a restriction of the processing of their Personal Data, i.e. to suspend their processing if, for example, the Data Subject wishes to verify their accuracy or the purposes of their processing,
  • to receive their Personal Data in a structured, commonly used and machine-readable format (the so-called `right to data portability`). This allows them to take their data from Socotab and to transmit those data to another controller;
  • to withdraw their Consent. The Consent may be withdrawn for all or part of the Personal Data, as well as for all or specific purposes of processing. Where the Data Subject has given his / her Consent for the collection, processing and storage of his / her Personal Data for a specific purpose, he / she has the right to withdraw it at any time in respect of that particular type of processing. Once we have been notified of the withdrawal of Consent, we will suspend the processing for the purpose or purposes for which the Consent was granted, unless there is another legal basis for continuing to process the data,
  • to be notified in the case of a Personal Data Breach which may result in a high risk to their rights and freedoms. After having become aware of a Personal Data Breach, Socotab will inform the affected individuals without undue delay and in an appropriate manner, as well as of the measures that have been taken or that will be taken.

Socotab ensures conditions that guarantee the exercise of the Data Subject Rights. These conditions are described in detail in our Data Subjects Access Request Policy.

In order to exercise any of the above rights, the Data Subject should send a free-text request or notification by post or by e-mail to: datasecurity@socotab.com.

Socotab may request specific information from the Data Subject in order to verify his / her identity and to satisfy his / her right to access information or any of his / her other rights. The purpose of this additional security measure is to ensure that the Data Subject’s Personal Data shall not be disclosed to persons who are not entitled to receive them.

The exercise of the above rights is free of charge. However, we may charge a reasonable administrative fee if the access request is manifestly unfounded or if the requests are repeated or excessive. In these cases, it is also possible to refuse the execution of the request.

If the Data Subject considers that his / her data protection rights have been breached, he / she has the right to lodge a complaint with the Commission for Personal Data Protection at the following address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592 or via e-mail kzld@cpdp.bg.

12. Consent of the Data Subject. Consent for direct marketing

Socotab considers that there is `consent` only in cases where the Data Subject has been fully informed of the intended processing and has freely expressed his / her consent without being pressured. Consent obtained under duress or on the basis of misleading information will not be a valid basis for the Personal Data Processing.

The Consent cannot be inferred from a lack of response to a message to the Data Subject. There must be active communication between the Controller and the Data Subject to assume that there is consent. In cases where the legal ground for data processing is the consent of the Data Subject, the Controller shall require a consent form.

Where explicit consent has been obtained from the Data Subject, Socotab may use the information provided to offer its products and services that it believes would be of interest to the Data Subject, e.g. new products, discounts, promotions and the like. This consent for direct marketing is voluntary and Socotab will not refuse the Data Subject its products and services if such consent is not provided. The Data Subject may withdraw consent to receive such promotional and advertising communications at any time by contacting Socotab and notifying it in the manner chosen by the Data Subject. Furthermore, each marketing e-mail contains an `unsubscribe link` through which the Data Subject may opt out of receiving such communications. In the event that the Data Subject opts out of receiving such messages, Socotab shall promptly delete the Data Subject’s contact details from the list of persons who have consented to receive promotional and advertising communications.

13. Privacy Policy Changes

This Privacy Policy will be reviewed and updated regularly in accordance with our data protection obligations, and we reserve the right to periodically amend or supplement it. Each new Policy or change of this Policy will be circulated to all Staff Members as soon as it is adopted.

Receipt and Review Declaration

I, _____________________________________________________________________________ (name) hereby declare that on this date of………….I received and read a copy of the Privacy Policy of Socotab, and I am aware of my responsibility for knowing and complying with its terms.

Signature………………………………………………………………………………………………….

Name ………………………………………………………………………………………………….

Appendix A

Definitions

Data Controller: any natural person or legal entity, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Recipient: any natural person or legal entity, public authority, agency or other body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Third party: any natural person or legal entity, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Staff members: all managers, officials, employees, workers and providers of Socotab.

Consent: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Data Subject: a living identified or identifiable individual about whom we process Personal Data and who is located within the EU, or whose Personal Data is otherwise subject to protection by EU data protection legislation. A Data Subject is a natural person who can be identified in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, intellectual, economic, cultural or social identity of that natural person.

EEA: the 27 Member States of the EU, as well as Iceland, Liechtenstein, and Norway.

Explicit consent: an express written statement (not just an affirmative action).

Personal data: any information which identifies a Data Subject, or information relating to a Data Subject who can be identified, directly or indirectly, from that data or from that data and other identifiers in our possession or that we could reasonably access. Personal data include Sensitive Personal Data but do not include anonymised data or data in which the identity of the individual has been irreversibly removed. Personal data can be factual information about an individual (such as a name, email address, location data, or date of birth) or an opinion about an individual’s actions or behaviour.

Personal data breach: any action or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organizational security measures that we or third party service providers have implemented to protect data. The loss or unauthorized access, disclosure or acquisition of Personal Data also constitutes a Personal Data Breach.

Privacy Notices: separate notices setting out information that shall be provided to Data Subjects when Socotab collects information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals (for example, privacy notices to employees or a privacy policy published on a website) or they may be stand-alone, one-time privacy statements covering processing related to a specific purpose.

Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transmitting or transferring Personal Data to third parties.

Special categories of personal data (sensitive personal data): personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, physical and mental health data, data concerning a natural person’s sex life or sexual orientation, biometric and genetic data, as well as personal data relating to criminal convictions and offences.


[1] Upon leaving the workplace, all documents and notes, including any post-it notes, business cards, and removable media (e.g. USB memory sticks) are removed or stored in places with limited access (lockable storage boxes, locked rooms), and unnecessary documents are destroyed.