Personal Data Protection Policy - Ficosota
FICOSOTA ("the Company" or "We") treats its obligations under the General Data Protection Regulation (Regulation (EU) 2016/679) and, respectively, the Bulgarian legislation, quite seriously and puts in a great deal of effort to meet the applicable standards and establish good practices for personal data processing. The competent leading regulatory body regarding personal data protection, processed by FICOSOTA is the Commission for Personal Data Protection of the Republic of Bulgaria.
- Controller: The organization or the natural person setting the purposes and means for personal data processing.
- Processor: The organization or the natural person processing personal data on the part of the controller.
- Data subject: An identified or identifiable living natural person.
- Personal data: Any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person shall mean a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Special categories of personal data: Any personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
- Processing: Any operation or set of operations which is performed on personal data whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- Third party shall mean a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct guidance of the controller or processor, are authorised to process personal data.
- Personal data breach shall mean an action/ circumstance, leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Personal data protection
The General Data Protection Regulation ("GDPR")will be applied in the EU Member States from 25 May 2018. FICOSOTA is making its business activity compliant with GDPR and the data protection principles outlined in the European and national legislation.
FICOSOTA ensures that the personal data processed by it will be:
- processed legally, in good faith and transparently, regarding natural persons
- collected for specific, expressly stated and legitimate purposes and will not be further processed in a way inconsistent with these purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- accurate and if required maintained up-to-date
- stored in a form enabling data subject identification, for a period not longer than the one relevant to the purposes for which the personal data are processed
- processed in a way ensuring an adequate level of personal data security
The natural persons – data subjects have the following rights regarding their personal data:
- right to information (this right is established through provision of explicit and easily comprehensible privacy notices, explaining the purposes for which we use your personal data, as well as your rights related to the processing of personal data)
- right of access to the personal data being processed and to information concerning their processing
- right to have personal data rectified, where they are inaccurate or incomplete
- right to restriction of processing under the conditions stipulated in the law
- right to erasure of personal data, where there is no ground for proceeding of the data processing
- right to data portability of your data between different controllers (such as between different service providers)
- right to object to certain personal data operations, such as direct marketing
- the right not to be subject to decisions having considerable influence on you, which have been taken solely using automated means
- right to separation of the personal data processing consent
- right to complaint lodging to the to the competent supervisory authority
Six lawful bases for personal data processing are set out in the GDPR:
- the data subject has provided his/ her informed consent for personal data processing for a specific purpose
- processing is required for entering into or execution of a contract with the data subject
- data processing is required for the fulfilment of a legal obligation
- processing is required for the protection of vitally important interests of the data subjects or another natural person
- processing is required for the performance of a task carried out in the public interest
- processing is required for purposes related to the legitimate interests of the controller or a third party, except in the cases where this interest is dominated by the basic rights and freedoms of the data subject
Personal data processed by FICOSOTA
Personal data include not only facts but also opinions/ assessments expressed in relation to a specific natural person. Personal data processed by FICOSOTA may be conditionally divided into four categories:
- Staff and associates of FICOSOTA, job applicants and former employees;
- Natural persons (such as lawyers, auditors, other independent consultants) and representatives, contact persons, employees of customers, partners and goods suppliers / service providers, with which FICOSOTA has or is considering beginning contractual or factual relationships (such as a customers’ legal representative – legal persons, providers of transport and freight forwarding services, providers of telecommunication services, software and/or hardware solutions and infrastructure).
- Visitors to the website of FICOSOTA and the official websites in the social networks, for instance Facebook and Instagram
- Participants in games/ raffles/ campaigns organized by FICOSOTA on our websites, on official websites of FICOSOTA on Facebook and Instagram or through partners – marketing agencies
- Visitors to facilities owned or rented by FICOSOTA
Employees, associates, job applicants: FICOSOTA processes personal data, including special categories of personal data related to an employment contract or a contract for services, data of job applicants. Generally, FICOSOTA processes such data for the purpose of preparing and carrying out of employment or other type of contracts, as well as to fulfil its legal obligations as an employer.
Representatives, contact persons and employees of customers, partners and suppliers of FICOSOTA– usually we receive your personal data from your employer or from you personally, whenever we need to prepare, conclude or execute a contract with it or establish a commercial relationship. For instance, you might be appointed as a legal representative or a contact person in a contract or business correspondence in relation to the conclusion, execution or termination of a contract, making an offer, settlement of commercial disputes which have arisen and other.
Visitors in the buildings of FICOSOTA– in case of visits to the office spaces, production facilities and common areas of the company, for the purpose of ensuring the security of our property and the bodily integrity of our employees, as well as access control, there are technical devices in place, which will register your visit.
Sharing of personal data
Usually FICOSOTA maintains complete confidentiality regarding your personal data and does not disclose them to any third parties.
Occasionally „FICOSOTA “ may share the personal data of its employees or the representatives of its customers, partners, couriers, carriers, contractors or suppliers with state authorities, as well as with other natural or legal persons – such as providers of software and/ or hardware solutions or infrastructure, with outside consultants in relation to the establishing and exercising of rights, based on a legal obligation or with regard to its legitimate interest, depending on the particular situation. Such disclosure of data is possible only if there is a justifiable reason therefor and if an adequate level of protection is ensured, including through written arrangements with third parties, to which the personal data are disclosed, whenever possible.
Special categories of personal data
FICOSOTA does not process any sensitive personal data of its customers – natural persons or of employees/ representatives of customers, partners and suppliers, visitors to the websites and the social network websites.
Personal data storage
FICOSOTA stores different types of personal data both electronically and on hard copies, which data are contained in different documents, for a firmly fixed period of time. The set periods for data storage always comply with the purposes for which the personal data are processed. These periods are set out in the Policy for document storage and destruction of FICOSOTA.
Exercising of the rights of the data subjects
If requests for the exercising of the rights of the data subjects have been submitted, FICOSOTA establishes communication with the natural person in a short, transparent, comprehensible and easily accessible form, using intelligible and plain language, especially where underage persons are concerned.
Where the rights of the data subjects are being exercised FICOSOTA is obligated to duly identify the natural person in order to avoid the risk of unauthorized access to personal data.
Information concerning the actions taken by FICOSOTA in response to the request submitted for the exercise of rights, shall be provided to the natural persons, without any undue delay and usually within one month from receipt of the request.
All the information related to the exercise of the rights of the data subjects is provided by FICOSOTA free of charge, except in the cases where the requests are apparently unfounded or excessive.
Further information concerning your rights related to the processing of personal data by FICOSOTA is provided in our Data Subjects Rights Policy.
Personal data security
Personal data breach
FICOSOTA has adopted procedures for effective establishing, reporting and investigating personal data breaches. In case of personal data breach FICOSOTA will take immediate measures to limit the effect of the breach and to inform the affected data subjects and the regulatory body in charge of personal data protection.
FICOSOTA will update, in a timely manner, by changing and complementing this policy, at all times in the future, whenever necessitated by the statutory provisions or other circumstances.
If you wish to receive further information concerning the processing of personal data carried out by FICOSOTA or if you have any questions or complaints regarding this privacy notice, or regarding the ways in which and purposes for which we use your personal data, please contact us or our data protection officer at:
For FICOSOTA: Bulgaria, the town of Shumen 48, Madara Blvd., email: email@example.com
You may contact our data protection officer at: firstname.lastname@example.org