DATA PROTECTION POLICY
of Glatec EOOD
Glatec EOOD, UIC: 131407283, with residence and head office in: Kostievo 4205, 1 Kapitan Burago Str., tel.: +359 32 500 424 email: firstname.lastname@example.org (The Controller or Glatec EOOD), while performing its activities, shall apply in its relations with third parties this Data Protection Policy (“Policy”),
Glatec EOOD, as a data controller, collects and processes a certain amount of natural persons data.
Such data may refer to managers, clients, suppliers, counterparties, business contacts and other natural persons (Data subject) in contact with the Controller or with whom the latter is planning to establish business contacts.
This data protection policy of Glatec EOOD provides information to data subjects on purposes and methods of processing of personal data, which the Controller collects in compliance with legal requirements.
This rules shall be applied by the Controller regarding all personal data, irrespective of whether the data are processed electronically, on hard copy or on other media
This Data Protection Policy is issued on the grounds of the Data Protection Act and its regulations, in compliance with Bulgarian domestic legislation, and the General Data Protection Regulation (EU) 2016/679 (“GDPR”) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
To ensure that data processing is in compliance with legal requirements, personal data are collected and used on the relevant grounds, safely stored and the Controller undertakes all necessary measures to prevent unlawful disclosure of processed personal data.
The Controller is aware of the principles set out in GDPR and acts in compliance with them:
Purposes of this Policy
This Policy ensures that the Controller shall:
Categories of data and subjects:
Personal data means any information relating to an identified or identifiable natural person or natural person who can be identified. In the usual course of its activities, as well as when recruiting employees, the Controller collects data for the following categories of subjects, as follows:
The Controller collects data for the following categories of subjects – Data subjects:
Purposes of data collection:
The Controller collects personal data for the following purposes:
Collection of data:
Personal data of any subject are given voluntarily by that subject and such data are collected by the Controller in compliance with statutory obligations, for entering into contracts and/or performance of obligations under existing contracts pursuant to the provisions of the relevant applicable legislation and the conditions specified in commercial contracts with the relevant client on: hard copy – written documents (including powers of attorney contracts, notices of distraint, bank information, official documents, etc.), by email – given for the performance of commercial contracts and/or by completing a registration form of the Controller. The subjects shall be notified of the provisions of this Policy beforehand or at the moment of receiving their data
Such data are collected for security purposes and for the optimization and improvement of Glatec EOODonline services. It is in Glatec EOODlegitimate interests to protect its website and improve its services. Any other processing of data, except for statistical purposes in anonymous form, shall be performed only within the scope of this data protection notice. In addition, personal data shall be stored only if the data subject provides it voluntarily, plainly and explicitly, e.g. in the context of registrations, polls, competitions, online application or contract performance. Adequate security measures have been taken to ensure data encryption during the registration process, i.e. their protection from unauthorized access. Additional information, particularly of the technology used, is presented below. If data are transmitted to third parties, Glatec EOOD guarantees by contractual arrangements that such service providers process personal data in compliance with European data privacy law to guarantee a high level of protection. Personal data shared with Glatec EOOD on this website are stored only for the purpose they have been given for.
You can use the contact form in the “Request” section of our website www.glatec.bg to contact us for any reason. The personal data entered by you in the contact form will be processed only for the purposes of giving reply to your request.
You may use the application form in the “Careers” section of our website www.glatec.bg to apply for vacant positions. Any personal data and files attached, will be used only for the processing of your application.
“Cookies” and tracking
To make your visits to our website more pleasant and to ensure the use of certain functionalities, we use “cookies” for different pages. These are small text files that are stored on the client device from which you visit our website. Some “cookies” we use are deleted after the end of the browser session i.e. after you close the browser (so called “session cookies”). Other “cookies” are stored on your client device and allow us or our partner companies to recognize your browser for future visits (“persistent cookies”). You can set your browser to inform you of the “cookies” settings and to individually decide whether to accept them or forbid acceptance of “cookies” for specific cases or in general. Additional information is available in the help section of your web browser. Rejecting “cookies” can potentially limit the functionality of our website. We will discuss specific types of “cookies” below
There are system “cookies” and promotional “cookies”. System “cookies” are necessary for the correct functioning of our website. Rejecting these “cookies” will change user experience while surfing on our website and some of our website services will be unavailable
Promotional “cookies” are described below. They are stored when downloading the website and help us analyze general data of our visitors – e.g. how they get to our website, how much time they spend on it, whether they visit us for the first time, how they view the content of our website as well as to calculate the degree of success of our marketing campaigns.
We use Google Analytics, a web analysis service offered by Google LLC. The information generated by “cookies” for your use of this website is usually sent to Google servers in the USA and stored there. Google shortens beforehand your IP addresses within the member-states of the European Union or in other member-states included in the Agreement on the European Economic Area. On behalf of the operator of this website, Google uses this information to assess the use of this website, to prepare accounts for the activity of this website and for provision of other services related to the website and Internet use, to the website operator. The IP address sent through your browser in the context of Google Analytics does not connect with other data Google has available. You can refuse to use “cookies” by selecting the relevant settings on your browser. You can also prevent the collection of data from Google by “cookies” and their connection to the use of this website (including IP address) as well as their processing by Google by downloading and installing plug-ins for your browser here:
Links to social media
Our website contains links to LinkedIn. In this case, transfer of data to the social media operators is carried out only when the relevant button on the icon illustrating the link is clicked. If you click such a button, the page to the relevant social network opens. There, you can publish information on our products according to the the rules of the social media operator.
Our LinkedIn page https://www.linkedin.com/company/glatec/.
The personal data sent by you in personal messages will be processed only for the purpose of replying to your inquiry. We are not responsible for the information voluntarily shared by you on our official accounts without our explicit request.
III. Transparency. Rights of the subjects whose data are processed by the Controller
Transparency and conditions for the exercise of the rights of subjects:
The Controller presents information to the subjects in concise, transparent, understandable and easily accessible form, in clear and simple language.
The Controller presents the information to the subjects in written form or in other way, including, if relevant, by electronic means. If the subject requests so, the information may be presented orally, provided that the subject has been identified before the Controller by other means.
The Controller gives the subjects free information on the activities undertaken with regard to requests to exercise their right to access, rectification, deletion, restriction of processing, portability, objections and automated decision-making, without unnecessary delay and in any case within one month after receiving the request in writing.
If necessary, this period may be extended for another two months depending on the complexity and number of requests. The Controller shall inform the subjects of any such extension of the period within one month after receiving the request, stating the reasons for delay. If the subjects submit requests by electronic means, if possible, the information shall be presented by electronic means unless otherwise requested by the person.
If the Controller fails to act on the request, the Controller shall notify the person without delay and at the latest within one month of receipt of the request for reasons not to act and of the possibility of filing a complaint to a supervisor and seeking legal protection.
If the requests of the subject are clearly ungrounded or exaggerated, more specifically due to their repetition, the Controller can:
Right of access of the subjects:
Any subject may receive from the Controller confirmation whether his/her personal data is being processed and if so, to receive access to the data and the following information:
When personal data are transferred to a third country or to an international organization, the subjects have the right to be informed of the guarantees relevant to the transfer.
The Controller will give to the subject a copy of the personal data that are being processed. For additional copies requested by the subjects, the Controller may charge a reasonable fee according to administrative costs. Where the data subject makes the request by electronic means, if possible, the information will be provided in a widely used electronic form unless otherwise requested.
Right to rectification:
Any subject whose data are processed by the Controller may request the Controller to rectify without undue delay the inaccurate personal data related to that subject. In view of the purpose of processing, the person may make additions to incomplete personal data.
Right to erasure (Right “to be forgotten”):
The data subject shall have the right to request from the controller the erasure of personal data concerning him or her without undue delay and the Controller is obliged to erase personal data without undue delay where:
Right to restriction of processing:
The data subject whose data are processed by the Controller shall have the right to request from the Controller restriction of processing where one of the following applies:
Where processing has been restricted under the foregoing paragraph, such personal data, with the exception of storage, shall only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural person or for reasons of important public interest.
A data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is withdrawn.
Notification obligation regarding rectification or erasure of personal data or restriction of processing:
The controller shall communicate any rectification, erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject so requests.
Right to data portability:
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where (i) the processing is based on consent for specific purposes or on a contractual obligation of the data subject or on undertaking steps before entering into a contract; and (ii) the processing is carried out by automated means.
In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
Right to object:
The data subject shall have the right to object at any time, on grounds relating to his or her specific situation, to processing of personal data concerning him or her (when processing is necessary for performance of tasks of public interest or exercise of official powers of the controller or processing is for the purpose of the lawful interests of the controller or third parties), including profiling. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are being processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
At the time of the first communication with the data subject, at the latest, the right referred to in the foregoing paragraphs shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
The aforementioned rights shall be exercised by the data subjects by sending to Glatec EOOD a written request to the following address: Kostievo 4205, 1 Kapitan Burago Str., or by email – at: email@example.com
Protection of data stored on a hard copy or on electronic media from unauthorized access, damage, loss or destruction shall be performed with a number of internally regulated technical and organizational measures.
The controller does not perform and shall not perform transfer of personal data to countries outside the European Union or international organizations. When such transfer of personal data is necessary, the Controller duly notifies the data subject of the transfer, as well as of the appropriate data protection safeguards, in compliance with the requirements of the Regulation.
Breach of data security occurs when personal data for which Glatec EOOD is responsible are affected by a security accident resulting in breach of confidentiality, existence or integrity of personal data. In this sense, data breach occurs in case of breach of security leading to accidental or illegal destruction, loss, change, unauthorized disclosure of data which are transmitted, stored or otherwise processed.
In case of personal data security breach, please inform immediately the personal data protection officer at firstname.lastname@example.org.
Assessment of breach:
After the relevant Glatec EOOD employee receives information of the data breach, he or she shall assess whether that specific event is a breach of personal data and respectively inform the Controller’s managers of the event (in case they are not informed).
In case of personal data security breach resulting in possible risk for the rights and freedoms of natural persons, the Controller (through the relevant employee), without delay and if possible — not later than 72 hours after being informed of it, shall inform the Commission for Personal Data Protection of the violation.
When and as far as it is impossible to transmit information simultaneously, the information may be submitted gradually without further undue delay.
When the breach of personal data security could lead to a high risk for the rights and freedoms of natural persons the Controller shall promptly inform the subject of violation.
The Controller shall document any breach of personal data security, including the facts related to the breach, the consequences and the measures undertaken for coping with it.
Accounting and commercial information as well as any other information and documents related to taxation and compulsory tax insurance installments shall be stored by the Controller for the following periods:
After expiry of the period of storage, information carriers (hard copy or technical) which shall not be transferred to the National Archives can be destroyed.
After expiry of the period of storage, data shall be destroyed as fast as possible by the destruction of hard copies with shredding and of technical carriers-by erasure and deletion of the relevant files from Company computers.
Pursuant to this internal rules: