PERSONAL DATA PROTECTION POLICY
Inter Expo Center Ltd.
Personal data protection policy
May 2018
CONTENTS
1. Introduction
2. What is personal data?
3. Data controller
4. Personal data processor
5. Records
6. Organizational and technical protection measures
7. Sanctions and liability
8. Additional provisions
PERSONAL DATA PROTECTION POLICY
In force since 25.05.2018
INTRODUCTION
In carrying out its activity, Inter Expo Center Ltd., UIC 121122275, with headquarters and address of management in Sofia , processes information, which is personal data.
Privacy is of utmost importance to us.
This Policy aims to lay down rules relating to:
• Mechanisms of data protection processed by Inter Expo Center Ltd. (data controller)
• Designation of processors and persons who have access to personal data and work under the guidance of personal data processors, as well as their responsibility for non-fulfillment of these obligations relating to the processing and protection of personal data, their rights and obligations.
• The necessary technical and organizational measures to protect personal data from unauthorized processing (accidental or unlawful destruction, accidental loss, unauthorized access, alteration or dissemination) and any other illegal processing of personal data.
• Actions to protect against accidents, industrial and natural disasters.
• The rules on the provision of personal data to the data subject and to third parties.
• Time limits for periodic reviews regarding the necessity for data processing and erasure.
• The rules for data destruction or providing data to another controller
• The Procedure for notifying the personal data protection Commission for personal data breach.
WHAT IS PERSONAL DATA?
Personal data means any information relating to an identified or identifiable natural person
(full name, age, personal ID number, date of birth, electronic address, telephone, gender, religion, etc.).
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be considered sensitive personal data.
DATA CONTROLLER
Individualization of the Personal Data Controller.
• Name: Inter Expo Center Ltd., referred to as “ Data Controller “
• UIC: 121122275
• Headquarters and address of management: Sofia, 147, Tsarigradsko shose Blvd
• Phone: 02/9655 220
• E-mail: [email protected]
• Manager: Ivaylo Ivanov
• The Personal Data Controller (PDC) processes the personal data alone and/or assigns the task to a processor.
A controller may provide for one or more persons with personal data access rights to be responsible for coordinating and implementing the protection measures.
PERSONAL DATA PROCESSORS
Access to personal data is only available to persons whose duties or specific tasks require such access.
All personal data processors are responsible for complying with personal data access restrictions and are personally responsible for violating the privacy, integrity and availability of personal data, except in cases of force majeure.
The controller and / or the persons authorized by him / her shall have the following powers:
To provide the organization of keeping the records according to the provided measures to ensure adequate protection.
To monitor the observance of the specific measures for access protection and control according to the specificity and the level of protection of the kept records.
To perform control over compliance with the requirements for the records protection.
To keep in touch with the Personal Data Protection Commission on the measures taken and the means of protection of the records and the submitted applications for personal data access. This power is granted exclusively to the Manager of Inter Expo Center Ltd..
To specify the technical resources applied to the processing of personal data.
To observe the organizational procedures for the processing of personal data and the observance of controlled access to the personal data carriers.
To conduct periodic monitoring of compliance with data protection requirements and, in case of detected irregularities, shall take measures to eliminate them.
Access to the personal data stored in the Records shall be restricted to those employees whom such access is necessary for the performance of their duties.
Personal data is protected by disclosure to third parties. Third parties may only have access to such information if they have such a statutory right or otherwise entitle them to do so.
These Internal Rules shall be compulsory for all Controller employees as long as they are involved in the processing of personal data in records and for other persons who have permanent or temporary access to personal data from all records.
Authorized employees entrusted with the processing of personal data from the Records shall:
• process the personal data in a lawful and fair manner;
• use personal data accessed by them in accordance with the purposes for which they are collected and shall not to further process them in a manner that is incompatible with those purposes;
• update the personal data records (if necessary);
• erase or rectify personal data when it is found to be inaccurate or disproportionate to the purposes for which it is being processed;
• keep personal data in a form that permits identification of the natural persons concerned for no longer than is necessary for the purposes for which such data are being processed;
• observe the present Policy.
Any subject whose personal data will be processed by the controller should be notified of:
• the data identified by the controller;
• the purposes of processing of the personal data and legal bases for the processing of personal data;
• the categories of personal data relating to the relevant natural person that is a data subject;
• the recipients or categories of recipients to whom the data may be disclosed;
• information on the rights under Art. 15-22 of Regulation 2016/679, including the right of access and the right to rectify the collected data
RECORDS
Inter Expo Center Ltd.. shall maintained the following records with personal data:
1. Staff Record;
2. Counterparts Record;
3. Visitors Record;
4. Video Surveillance Record;
5. Job Applicants Record
Inter Expo Center Ltd. can store the categories of personal data contained in the records in paper and / or electronic media in compliance with the applicable legislation and the necessary protection measures.
The personal data in the Records shall be kept for the period necessary for the performance of the duties of Inter Expo Center Ltd., depending on the respective record, the personal data category and the purposes for processing them. Personal data shall not be kept longer than is necessary to protect the legitimate interests of the Administrator or for accounting purposes or in accordance with the requirements of the applicable law. The processed data shall be destroyed after expiration of the storage period in accordance with the requirements set out in this Policy.
The storage periods for each record are defined as follows:
1. Staff Record – 50 years;
2. Counterparts Record – for the period required to manage the relationship with the provider, as long as necessary for the accounting purposes of the Personal Data Controller and / or for the performance of legal obligations of the Manager of Inter Expo Center Ltd. but for no longer than 10 years;
3. Visitors Record – for the period required to manage the relationship with the Visitor, as long as necessary for the purposes of the Personal Data Controller and / or for the performance of legal obligations of the Manager of Inter Expo Center Ltd. but for no longer than 10 years;
4. Video Surveillance Registry – 30 days, except when video surveillance records need to be kept beyond the specified period for the purposes of investigating crimes or violations for which Inter Expo Center Ltd. shall notify the investigative body – the police, the prosecutor’s office, the Personal Data Protection Commission and others.
5. Job Applicants Record – 45 days.
The manager of Inter Expo Center Ltd. issues an order to determine the persons handling personal data, their powers in relation to the protection of the processed personal data, their rights and duties.
The manager of Inter Expo Center Ltd. and / or the persons authorized by him shall have the following powers:
Provide the record keeping organization, according to the envisaged measures to ensure adequate protection;
Monitor the observance of specific measures for protection and access control according to the specificity and level of protection of the maintained records;
Perform control over compliance with the requirements for protection of records;
Keep in contact with the Personal Data Protection Commission on the measures taken and the means of protection of the records and the submitted personal data applications. This power is granted exclusively to the Manager of Inter Expo Center Ltd.;
Specify the technical resources applied to the processing of personal data;
Ensure compliance with the organizational procedures for the processing of personal data and for the observation of controlled access to the data carriers;
They perform periodic monitoring of compliance with data protection requirements and, in case of detected irregularities, they take corrective actions.
Access to the personal data stored in the Records shall be restricted only to the employees of Inter Expo Center Ltd., where such access is necessary for the fulfillment of their official duties, as well as for the fulfillment of business purposes, strictly observing the need-to-know principle, i.e. in accordance with his rights and duties under a job description and / or a contract for the relevant legal relationship with Inter Expo Center Ltd.). In particular, these officers shall be authorized on the need-to-know principle by an order.
Access to the processing of personal data to other employees is limited to cases where they are explicitly granted such access rights and in accordance with the need-to-know principle. In that case, the right of access shall be granted on a case-by-case basis by the department where the authorized employee is involved, with explicit authorization specifying the personal data and purposes for which the access is granted, as well as the period for which it is provided.
Personal data processed by Inter Expo Center Ltd. is protected against disclosure to third parties. Third parties may have access to such information only if they have such statutory powers or such a right is given to them on other grounds.
Disclosure of such information must be expressly authorized by the Inter Expo Center Ltd Manager, by taking appropriate measures to ensure compliance with the personal data legislation as well as compliance with the obligation of confidentiality and security of transmission of any data exchange.
This Policy is mandatory for all employees of Inter Expo Center Ltd. insofar as they are involved in the processing of personal data in the above records, and for other persons who have permanent or temporary access to personal data from all records.
Authorized employees entrusted with the processing of personal data by the Records shall:
• process the personal data in a lawful and fair manner;
• use personal data accessed by them in accordance with the purposes for which they are collected and shall not to further process them in a manner that is incompatible with those purposes;
• update the personal data records (if necessary);
• erase or rectify personal data when it is found to be inaccurate or disproportionate to the purposes for which it is being processed;
• keep personal data in a form that permits identification of the natural persons concerned for no longer than is necessary for the purposes for which such data are being processed; observe the present Policy.
Organizational and technical protection measures
Physical protection of personal data contained in the Records.
Organizational measures:
Defining Controlled Access Areas; All physical areas with paper and electronic records are kept and restricted only to employees who need access through the „need to know“ principle in order to perform their duties. All records and documents in paper form containing personal data are locked in lockers that are locked in a restricted room accessible only by authorized personnel.
Data is protected by the use of physical access control tools such as access control through smart cards. All premises where paper data is stored are located in restricted areas and are protected by access control, smart cards, lockers, or the like. Electronic media, including servers, are similarly protected in controlled areas.
Personal data shall be processed in a non-public part of the premises which is physically restricted and accessible only by staff for whom access is necessary for the performance of their duties.
Communication and information systems used for the processing of personal data are separated from the areas accessible to outside persons and are physically protected, as access is limited to those employees who require such data access for the performance of their duties.
Physical access to restricted areas, including those with information systems (computers, servers), is only possible through access control doors via smart cards. Access shall be granted only to staff that is directly entrusted with the task, in order to perform their duties.
Technical measures
Access control system, with smart cards, restricted cabinets, individual password on each computer, individual password for access to Office 365, individual password for access to mail, fire alarm and fire extinguishing systems, live security and security alarm systems.
Personal protection
Knowledge of the legal framework in the field of personal data protection shall be provided in the training program, which has to be passed by the employees and shall be organized by Inter Expo Center Ltd. They are required to read and understand these internal rules upon engagement and to update their knowledge of data protection at least once a year. Familiarization with these internal rules shall be done upon signed acknowledgement.
Sharing critical information between staff (e.g., identifiers, access passwords, etc.) is prohibited except in cases of force majeure.
Training. Employees must undergo personal data protection training immediately after recruitment and at least once a year.
Personnel training for events threatening the data security shall be provided in a training program that the employees must get through immediately after recruitment and at least once a year.
The employees are instructed to immediately notify their supervisor if they have any doubts or are aware of a threat to the security of their personal data.
Documentary protection
Defining the conditions for personal data processing
Personal data shall be collected only for a specific purpose in order to support the legitimate interests of the data controller or, to the extent necessary, to comply with the legal obligations of the data controller. Each type of data is classified according to its purpose and nature and is protected in accordance with the requirements set forth above.
Regulation of access to records
Access to records is limited and is only available to authorized personnel, in accordance with the Need to Know principle.
Control of access to records
Access to data shall be limited only to the specific, minimum necessary data required for the employee to perform his / her duties.
Setting periods for storing personal data
Data storage is in line with the purposes for which the data were collected and the statutory time limit.
Personal data shall be stored as long as is necessary to achieve the purpose for which they were collected or as required by the applicable law. For example, data from the Staff Records is processed for 50 years after the termination of the legal relationship, in accordance with Bulgarian legislation. After the expiration of the set period or in case of elimination of the legal basis, the data must be destroyed following a procedure and in a safe manner.
Rules for the reproduction and dissemination of personal data
Personal data can only be copied and disseminated by authorized personnel only if it is necessary for juridical purposes, and only be made available to persons that are in need of them in order to fulfill an assignment.
Unauthorized copying and dissemination is the subject of official sanctions, depending on the seriousness of the offense, including termination of employment / civil relationships.
Destruction procedures
Paper-based documents containing personal data must be destroyed in a safe way when they are no longer needed, by shredding or by incineration. Every employee and head of department who is in possession of such documents is responsible for the safe destruction of the documents. For each destruction a special order is issued to the Manager of Inter Expo Center Ltd. and a proper protocol for destruction is drawn up.
Protection of automated information systems and / or networks
Identification and authentication
In order to introduce a „Need to Know“ approach, Inter Expo Center Ltd. requires its employees to apply unique user accounts and personal passwords for each user with a network access account.
Employees are personally responsible for the proper use of their user accounts and passwords.
Records management.
The Manager of Inter Expo Center Ltd. Shall issue an order nominating the units of the administration responsible for the management of the records and only a limited number of employees may have access to the data contained in the records according to the need-to-know principle.
Employees with access to records are appointed by the Manager when necessary.
Virus protection
Inter Expo Center Ltd.. creates and maintains standard and secure configurations for each computer and network platform with which it operates. The system software is controlled and maintained by authorized persons. Inter Expo Center Ltd. works with versions of approved antivirus software. Users should not refuse automated software processes that update virus signature. Antivirus software screening should be used to scan all software and data files coming from or to third parties or other employees of Inter Expo Center Ltd. Employees should not avoid or exclude scanning of processes that could prevent the transmission of computer viruses.
Hard disks, flash drives and other magnetic media used by an infected computer should not be used on another computer until the virus has been successfully removed.
The infected computer must be immediately isolated from the internal networks.
Antivirus logs should be kept for at least seven 7 days.
Sanctions and liability
Any intentional violation of the rules and limitations of access to personal data by employees of Inter Expo Center LTD. may be grounds for imposing disciplinary sanctions, including dismissal.
ADDITIONAL PROVISIONS
§ 1. For the purposes of this instruction:
1.“Personal data“ means any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This person is called data subject.
2.‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
4. „Personal data record“ means any structured set of personal data accessed according to specific criteria, whether centralized, decentralized or distributed according to a functional or geographic basis.
5. „Counterpart“ is a commercial company that has entered into a contract with Inter Expo Center Ltd. for carrying out a particular activity.
6. “Data subject “ shall be any person acting under the supervision of the Manager of Inter Expo Center Ltd. or of the processor who has access to personal data, he may process them only at the instruction of the Manager, unless otherwise provided the law.
TRANSITIONAL AND FINAL PROVISIONS
§ 2. As far as processing and protection of personal data is concerned, all internal procedures of the document flow of Inter Expo Center Ltd. shall be in accordance with the provisions of the PDPA and the current internal rules.
§ 3. This Policy is obligatory for all employees and other persons employed under civil contracts by Inter Expo Center Ltd. and they are obliged to observe it.
§ 4. The control over the implementation of this Policy is exercised by the Manager of Inter Expo Center Ltd. and / or by the officials authorized by him.
§ 5. Amendments to this Policy shall be made in the order of issuance and approval.
§ 6. This Policy repeals the instruction on the measures and means of protection of personal data collected, processed, stored and provided by Inter Expo Center Ltd. and shall enter into force since 25.05.2018.
