Privacy Policy (2018-11-13)

POLICY FOR PROTECTION AND CONVERTIBILITY IN THE PROCESSING OF PERSONAL DATA IN THE COMPANIES OF GROUP LIFE

Purpose: Protection of individuals in relation to the processing of personal data of clients, staff and other counterparts of Green Life companies.

Applicable law: Green Life’s duties as an administrator are based on the following regulatory documents:

– General Regulation on the Protection of Personal Data (Regulation (EC) 2016/679) and the Constitution of the Republic of Bulgaria;

– Personal Data Protection Act;

– Electronic Communications Act;

– Rules of Procedure of the Commission for the Protection of Personal Data and its Administration;

– Ordinance No 1 of 30 January 2013 on the minimum level of technical and organizational measures and the permissible type of protection of personal data;

– Instruction No. 1 of 21 December 2016 on the circumstances under which undertakings providing public electronic communications services notify consumers of personal data breaches, the format and manner of notification at national level.

Definitions (under the General Regulation):

Personal data means any information relating to an identifiable natural person or a natural person that can be identified (“data subject”). This is most often the name, ID, PIN, address, phone number, e-mail, etc.

Processing of personal data means any operation or set of operations performed with personal data or a set of personal data by automatic or other means such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing by transmission, dissemination, or other means by which data becomes available, arranged or combined, restricted, deleted or destroyed.

Administrator means a natural or legal person, a public authority, an agency or other entity which, alone or jointly with others, defines the purposes and means of processing personal data; where the objectives and means of such processing are determined by Union law or the law of a Member State, the administrator or the specific criteria for determining it may be established in Union law or in the law of a Member State.

Personal data processor means a natural or legal person, a public authority, an agency or other entity that processes personal data on behalf of the controller.

I. Legality of processing

Processing is lawful if at least one of the following conditions is met:

– the data subject has consented to the processing of his or her personal data for one or more specific purposes;

– processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject prior to the conclusion of a contract;

– processing is necessary to comply with a legal obligation that applies to the controller;

– processing is necessary to protect the vital interests of the data subject or another individual;

– processing is necessary for the performance of a task of public interest or in the exercise of official authority conferred on the controller;

– processing is necessary for the legitimate interests of the controller or of a third party, except where the interests or fundamental rights and freedoms of the data subject that require the protection of personal data take precedence over such interests, in particular where the data subject is a child.

II. Good faith and transparency

The principles of bona fide and transparent processing require the data subject to be informed of the existence of a processing operation and its purposes. The principles of bona fide and transparent processing are related to Green Life’s duty as an information provider.

III. Goal limitation

Green Life undertakes to collect personal data for specific, explicit and legitimate purposes, and personal data should not be further processed in a manner incompatible with those purposes.

IV. Minimize data

Personal data must be appropriate, relevant and limited to what is necessary in connection with the purposes for which it is being processed.

V. Accuracy

Green Life monitors the accuracy of personal data and keeps it up to date. It takes all reasonable steps to ensure the timely erasure or correction of inaccurate personal data, taking into account the purposes for which the data are processed.

VI. Restriction of storage

Green Life stores the personal data in a form that allows the data subject to be identified for a period no longer than is necessary for the purposes for which the personal data are processed. Personal data may also be retained for longer periods as far as they are processed solely for the purposes of archiving for statistical purposes while taking appropriate technical and organizational measures provided for by the Regulation in order to guarantee the rights and freedoms of the subject of the data.

VII. Accountability

Green Life guarantees compliance with the basic principles of the Regulation and processes personal data in accordance with the Regulation.

VIII. Integrity and confidentiality

Green Life processes the personal data in a way that ensures an adequate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage by applying appropriate technical or organizational measures.

IX. Providing information in writing when personal data is collected from the data subject

Green Life provides the data subject with information including administrator identification, processing goals, recipients of personal data, storage life, etc., in a concise, easily understandable and easily accessible form in clear and simple language. The information shall be provided in writing or otherwise, including, where appropriate, by electronic means. If the data subject has requested this, the information may be given orally, provided that the identity of the data subject is proven by other means. The information is provided free of charge.

In the case that it intends to further process the personal data for a purpose other than the one for which it is collected, Green Life provides the data subject with further information before this further processing.

X. Providing information in writing when personal data does not come from the data subject

When personal data associated with a data subject is not obtained from the data subject, Green Life provides the data subject with information including administrator identification, processing goals, recipients of personal data, storage life, etc., in a concise, understandable and easily accessible form, in clear and simple language. The information shall be provided in writing or otherwise, including, where appropriate, by electronic means. If the data subject has requested this, the information may be given orally, provided that the identity of the data subject is proven by other means. Green Life provides the information:

– within a reasonable time after the receipt of the personal data but at the latest within one month, taking into account the particular circumstances in which the personal data are processed;

– if the data is used to communicate with the data subject, at the latest on making the first contact with that data subject; or

– if disclosure is foreseen to another recipient, at the latest when the personal data are first disclosed.

The information is provided free of charge.

When Green Life intends to further process the personal data for a purpose other than that for which it is collected, it shall provide the data subject with information on that other purpose prior to the further processing.

XI. Green Life, in its capacity as administrator, provides individuals with access to data relating to them

Green Life shall, within one month of receiving a request from the data subject, provide confirmation of the processing of personal data relating to the data subject.

Where personal data is transferred to a third country or an international organization, the data subject shall have the right to be informed of the appropriate safeguards under Article 46 of the Regulation in relation to the transmission.

Green Life provides a copy of the personal data that is being processed. For additional copies requested by the data subject, the administrator may charge a reasonable fee based on administrative costs. Where the data subject submits a request by electronic means, the information shall, if possible, be provided in widely used electronic form, unless the data subject has requested otherwise.

The deadline for providing the above information is one month from the receipt of the request from the data subject, but it may be extended by two months. Green Life shall inform the data subject of any such extension within one month of receipt of the request, indicating the reasons for the delay. If the controller does not act on the data subject’s request, the controller shall notify the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of filing a complaint with a supervisory authority and seeking judicial protection. The information is provided free of charge.

XII. Correction

Green Life corrects without undue delay (within one month) inaccurate personal data associated with

XIII. Delete

Green Life shall delete personal data related to the data subject without undue delay (within one month) at the request of the data subject. The period may be extended by two months. Green Life shall inform the data subject of any such extension within one month of receipt of the request, indicating the reasons for the delay. If Green Life does not act upon the data subject’s request, the controller shall notify the data subject without delay and at the latest within one month of receipt of the request of the reasons for not acting and of the possibility of filing a complaint with the supervisory authority and seeking legal protection. Deletion is free of charge.

“Green Life” deletes the data only if one of the following reasons is applicable:

– personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

– the data subject withdraws his / her consent on which the processing of the data is based;

– the data subject objects to the processing under Article 21 (1) of the Regulation and there are no legitimate grounds for the processing that prevail or the data subject objects to the processing of personal data for the purposes of direct marketing;

– personal data has been tampered with;

– personal data must be deleted in order to comply with a legal obligation under Union law or the law of a Member State applicable to the controller;

– personal data were collected in connection with the provision of information society services to a child.

XIV. Restrict processing

Restriction of processing means marking of stored personal data in order to limit its processing in the future. Green Life undertakes to limit the processing of data within one month at the request of the data subject. The period may be extended by two months. Green Life shall inform the data subject of any such extension within one month of receipt of the request, indicating the reasons for the delay. If Green Life does not act upon the data subject’s request, the controller shall notify the data subject without delay and at the latest within one month of receipt of the request of the reasons for not acting and of the possibility of filing a complaint with the supervisory authority and seeking legal protection. Restrictions are free of charge.

The limitation should be made when one of the following conditions applies:

– the accuracy of the personal data is disputed by the data subject for a period which allows the controller to verify the accuracy of the personal data;

– processing is illegal, but the data subject does not want to delete the personal data but instead requires a limitation of its use;

– the controller no longer needs personal data for the purpose of processing, but the data subject requires them to identify, exercise or protect legal claims;

– the data subject has objected to the processing under Article 21 (1) of the Regulation pending the verification of whether the controller’s legal grounds take precedence over the interests of the data subject.

When a processing restriction is made, such data is processed, except for its storage, only with the consent of the data subject or for the establishment, exercise or protection of legal claims or for the protection of the rights of another individual or for important reasons of public interest to the Union or a Member State. When a data subject has requested a limitation of the processing, the administrator shall inform him / her prior to the revocation of the processing limitation.

XV. Notification when correcting or deleting personal data or restricting processing

Green Life is obliged to report any correction, deletion, or limitation of processing to any recipient to whom the personal data has been disclosed, unless this is impracticable or requires disproportionate effort. Green Life informs the data subject about these recipients if the data subject so requests.

XVI. Ensuring data portability

Green Life undertakes to provide the data subject with the data relating to him or her that the data subject has provided to it, in a structured, widely used and machine readable format when the processing is based on consent in accordance with or of a contractual obligation and the processing is carried out in an automated manner.

Green Life shall be obliged to transfer the data within one month at the request of the data subject. The period may be extended by two months. Green Life shall inform the data subject of any such extension within one month of receipt of the request, indicating the reasons for the delay. If Green Life does not act upon the data subject’s request, the controller shall notify the data subject without delay and at the latest within one month of receipt of the request of the reasons for not acting and of the possibility of filing a complaint with the supervisory authority and seeking legal protection. The transfer is free of charge.

XVII. Termination of data processing

Green Life undertakes to discontinue the processing of personal data in the following cases, unless it proves that there are convincing legal grounds for the processing that take precedence over the interests, rights and freedoms of the data subject, or for the establishment, exercise or protection of legal claims.

– processing is necessary for the performance of a task of public interest or in the exercise of official authority conferred on the controller,

or

– processing is necessary for the legitimate interests of the controller or of a third party, except where the interests or fundamental rights and freedoms of the data subject that require the protection of personal data take precedence over such interests, in particular where the data subject is a child.

Green Life undertakes to discontinue the processing of personal data for the purposes of direct marketing when the data subject opposes processing for direct marketing purposes.

XVIII. Providing information on the right to object to the processing of personal data

Green Life informs the data subject of the data subject’s right to object to the processing of personal data at the latest at the time of first contact with the data subject. This information is provided by a notification that is clear and separate from any other information.

XIX. Providing information on the right to object to the processing of personal data for the purposes of direct marketing

Green Life notifies the data subject about the existence of a right of objection to the processing of personal data for direct marketing purposes. Green Life undertakes to provide information about the data subject’s right to object to the processing of personal data for the purposes of direct marketing at the latest at the time of first contact with the data subject. This information is provided by means of a notification that is clear and separate from any other information. Green Life undertakes to discontinue the processing of personal data for the purposes of direct marketing when the data subject opposes processing for direct marketing purposes.

XX. Ensure security of processing by introducing technical and organizational measures

Green Life shall implement appropriate technical and organizational measures to ensure and be able to demonstrate that the processing of personal data is carried out in accordance with the Regulation. These measures shall be reviewed and, if necessary, updated. Such measures are:

– pseudonymization and encryption of personal data;

– ability to ensure continued confidentiality, integrity, availability and sustainability of processing systems and services;

– ability to promptly restore availability and access to personal data in the event of a physical or technical incident;

– the process of regular testing, assessment and evaluation of the effectiveness of technical and organizational measures in order to ensure the security of the processing;

– minimizing data: only personal data that is required for each particular purpose of the processing is processed. This obligation relates to the volume of personal data collected, the level of processing, the storage period and their availability. In particular, such measures shall ensure that, by default, personal data are not accessible to an unlimited number of individuals without the intervention of the individual;

– cooperation with the Data Protection Supervisor in fulfilling the obligations arising from the Regulation;

– limiting the number of persons who have access to the data.

XXI. Processing data on behalf of Green Life

When processing is done on behalf of Green Life, Green Life undertakes to use only personal data processors that provide sufficient guarantees for the application of appropriate technical and organizational measures in such a way that the processing proceeds in accordance with the requirements of the Regulation and protects the rights of data subjects. The data processor may not include any other processor without the prior written permission of the administrator. In the case of a general written authorization, the processor always informs the controller of any planned changes to include or replace other data processors, thereby enabling the administrator to challenge those changes.

Processing by the processor of personal data is governed by a contract or other legal act which is binding on the data controller for the controller and which regulates the subject matter and the duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, and the obligations and rights of the controller.

XXII. Cooperation with the Supervisory Authority

Green Life and the personal data processor are required to cooperate with the supervisory authority in the performance of its duties.

XXIII. Notification to the supervisory authority of a breach of personal data security

In the event of a personal data breach, Green Life undertakes to notify the supervisory authority of the breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the personal data breach is likely to pose a risk to the rights and freedoms of individuals. The notification to the supervisory authority shall state the reasons for the delay where it is not filed within 72 hours. The personal data processor shall notify the controller without undue delay after becoming aware of a personal data breach.

Green Life is required to document any violation of personal data security, including facts relating to the personal data breach, its consequences, and the action taken to address it.

XXIV. Notifying the data subject of a personal data breach

When the personal data breach is likely to pose a high risk to the rights and freedoms of individuals, Green Life shall without undue delay notify the data subject of the personal data breach.

XXV. Compensation for damages suffered

Green Life or the personal data processor are required to compensate for any damage that a person may suffer as a result of data processing that violates the Regulation.

XXVI. Perform an impact assessment

Where there is a likelihood that a particular type of processing, particularly where new technologies are used, and given the nature, scope, context and purpose of the processing, would pose a high risk to the rights and freedoms of individuals, Green Life shall, before the processing, assess the impact of the processing operations envisaged on the protection of personal data. One set of similar processing operations, which represent similar high risks, can be considered in one assessment. When performing an impact assessment on data protection, the administrator requests the opinion of the designated Data Protection Officer.

XXVII. Pre-consultation

Green Life consults the Supervisory Authority prior to processing when the impact assessment on data protection shows that processing will pose a high risk if the controller does not take risk mitigation measures.

XXVIII. Data Protection Officer

In view of the core activities of Green Life, consisting of processing operations that, due to their nature, scope and / or purposes, require regular and systematic large-scale monitoring of data subjects, Green Life designates a Data Protection Officer.

Green Life, in its capacity as administrator, or the personal data processor shall ensure that the Data Protection Officer takes an appropriate and timely role in all matters relating to the protection of personal data. The controller and the personal data processor shall assist the Data Protection Officer in the performance of his or her tasks, exhaustively listed in Article 39 of the Regulation, by providing the resources necessary for the performance of these tasks, access to personal data and processing operations, and the means to maintain his or her expertise. The controller and the personal data processor shall ensure that the Data Protection Officer does not receive any instructions in connection with the performance of these tasks. The Data Protection Officer may not be relieved of office or sanctioned by the controller or the personal data processor for the performance of his or her tasks. The Data Protection Officer shall report directly to the highest management level of the controller or the personal data processor.

XXIX. Conducting training sessions for staff to respond to events that threaten the security of personal data

Green Life is committed to training staff to respond to events that threaten the security of personal data.

XXX. Conducting staff training for the mechanism of processing personal data and protecting them in the maintained registers containing personal data

Green Life undertakes to train personnel on the mechanism of processing personal data and protecting them in the maintained registers containing personal data.
