PERSONAL DATA PRIVACY POLICY (PRIVACY NOTICE)
The right to privacy of personal data is a fundamental priority for “Idea Buildings” EOOD (the Company), which undertakes a serious commitment regarding the protection and secure storage of personal data of employees, contractors, partners, and other individuals in the course of its commercial activities. “Idea Buildings” EOOD processes personal data of individuals (the “data subjects”) in strict compliance with Regulation (EU) 2016/679 (General Data Protection Regulation), the Personal Data Protection Act and the Company’s policy for personal data protection.
According to the General Regulation, “personal data” means any information related to an individual that can be used to directly or indirectly identify the person.
Processing of personal data refers to any operation or set of operations which can be performed on personal data by automatic means or otherwise.
This policy provides information on:
- Who is the personal data controller
- Which individuals’ personal data is processed by the Company
- For what purposes and on what legal basis personal data is processed
- To whom the personal data is disclosed or transferred
- The data retention periods
- Measures to ensure data security
Who processes and is responsible for your personal data?
The data controller of personal data is the commercial company “Idea Buildings” EOOD with VAT BG131454702, with headquarters and management address at Sofia, blvd. “Tsar Boris III” № 144, ground floor, email: idea.gdpr@gmail.com, phone: 02/9546556; 02/9545665.
Principles we follow and comply with:
Your personal data is not collected indiscriminately and without limitation. “Idea Buildings” EOOD strictly follows the fundamental principles mandatory for processing personal data: legality, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability.
Individuals whose personal data is processed by the company
“Idea Buildings” EOOD processes personal data of the following categories of individuals:
- Staff – current and former employees of the company, job applicants
- Contractors or potential contractors of the company and their employees
What personal data of yours do we process?
Depending on the specific purposes and grounds, “Idea Buildings” EOOD processes all or some of the personal data listed below independently or in combination with each other:
- Identification data: three names, ID number/other identifier, identity document data
- Contact data: address, email, telephone number
- Health data
- Data concerning education, professional qualifications and employment activity
- Data on marital status and family relations
- Financial information, including bank accounts
- Other data required by special laws that regulate labour relations, tax-insurance relations, accounting of activities, safe and healthy work conditions, as well as social issues
What are our objectives in using your personal data?
“Idea Buildings” EOOD collects personal data only for specific and legitimate purposes and does not further process them in a way that is incompatible with those purposes. The Company processes personal data for the following purposes:
- Conclusion of contracts and pre-contractual relations
- Compliance with orders from competent public authorities
- Compliance with obligations provided in the Accounting Act, the Tax Insurance Procedural Code and other related normative acts, in connection with proper and lawful accounting;
- Compliance with the requirements of labor and social security legislation in relation to employees
- Recruitment of employees under labor law
- Ensuring the security of employees, visitors, and the company’s property through video surveillance and access control.
- Ensuring the normal functioning, maintenance and security of the internet site and IT systems of “Idea Buildings” EOOD
- Implementation and protection of the rights and legal interests of “Idea Buildings” EOOD, including through legal proceedings
If we intend to process your personal data for purposes other than those listed above, you will be informed of the new purposes and necessary information will be provided before further processing of your personal data.
Legal grounds for processing
The Company processes personal data only when one of the alternative legal bases under the General Regulation is present, namely:
- Performance of a contract, including pre-contractual relations prior to its conclusion;
- Legal obligations applicable to the company;
- The legitimate interests of the company, provided that they outweigh the interests or fundamental rights and freedoms of the data subjects;
- In some cases, we process personal data only after the data subject’s prior consent. Consent is a separate basis for processing your personal data, with the processing purpose being stated therein and not covered by the purposes listed in this privacy policy. The consent already given may be withdrawn by the person at any time in the same way it was provided.
Obligatory nature of providing personal data
Personal data of data subjects is provided to the company directly by the individuals themselves or by their employers and is collected by the controller in performance of a legal obligation, in connection with labour relations, conclusion and performance of a contract, consideration of proposals, complaints and signals, staff recruitment, and others, according to the provisions of the current legislation of the Republic of Bulgaria. If the individual does not provide the requested information, including the necessary personal data, “Idea Buildings” EOOD will not be able to conclude a contract with him or, respectively, to provide the requested service or information.
To whom is the personal data disclosed or transferred?
- Competent authorities that have the power under a normative act to request the company to provide information, including personal data – court, supervisory, regulatory or control bodies, authorities with powers to protect national security and public order.
- Other competent public authorities in performance of a duty provided in the law.
- Trade partners, contractors and suppliers for the purposes of performance of contracts or requests by the company.
- Personal data processors with regard to maintaining the IT systems of the company, delivery of services, etc. In these cases, the relationship between the company and the personal data processor is regulated by a contract or other legal act, which includes appropriate measures to ensure the security of personal data.
Your rights as personal data subjects:
Every individual whose data is processed by “Idea Buildings” EOOD has the following rights:
- Right of access to their personal data, including to receive a copy of them;
- Right to correction or completion of inaccurate or incomplete personal data;
- Right to erasure of personal data processed without a legal basis;
- Right to restriction of processing – in the event of a legal dispute between the company and the individual until its resolution or for establishing, exercising or defending legal claims;
- Right to object – at any time and on grounds related to the specific situation of the individual, provided that there are no compelling legal reasons for processing that take precedence over the interests, rights and freedoms of the data subject, or for legal proceedings;
- Right to data portability – only if personal data is processed by automatic means based on consent or contract;
- Right not to be subject to a decision based solely on automated processing, including profiling, which has legal effects on the data subject or significantly affects them.
In accordance with the Personal Data Protection Act, the above rights may be exercised by submitting a written application in person at “Idea Buildings” EOOD. An application can also be made electronically in accordance with the Electronic Document and Electronic Certification Services Act. The application is made personally by the data subject or by an explicitly authorized person. The company will respond to the data subject’s request within a 30-day period from its submission. When the requests of a data subject in connection with the exercise of the rights mentioned above are obviously unfounded or excessive, “Idea Buildings” EOOD may impose the payment of a fee or refuse to take action on the request.
Security of personal data
The company applies all appropriate technical and organizational measures to ensure the security of personal data, including continuous training of employees and taking an explicit commitment from the employees for confidentiality.
Protection of the rights of data subjects
In accordance with the Personal Data Protection Act and Regulation (EU) 2016/679, every individual who believes that his right to personal data protection has been violated can file a complaint with the Personal Data Protection Commission at: Sofia 1592, blvd. “Prof. Tsvetan Lazarov” № 2, website: www.cpdp.bg.
How long do we store your personal data?
The duration of personal data storage depends on the purposes of processing for which they were collected. We retain your personal data for as long as is reasonably necessary to fulfil the purpose for which they were collected and to comply with applicable laws.
The company’s client personal data is stored for a period of 5 years from the conclusion of the respective contract in accordance with the general limitation period under the Obligations and Contracts Act, unless the law provides for a longer period for their storage.
Personal data contained in payroll records is stored for 50 years, starting from January 1 of the accounting period following the accounting period to which they relate.
Personal data contained in accounting documents are stored within the periods provided in Article 12 of the Accounting Act, respectively Article 38 of the Tax Insurance Procedural Code – up to 10 years, starting from January 1 of the accounting period following the accounting period to which they relate.
Personal data of job applicants will be deleted or destroyed within 6 months of the conclusion of the selection procedure, unless the candidate has expressly consented to their longer storage.
Currency and changes to the personal data privacy policy
In order to apply the most current protection measures and to comply with current legislation, we will regularly update the current Personal Data Privacy Policy. If the changes we make are significant, we may post a notice of the changes on our website or notify you in another appropriate way.
Newsletter – Advertising Messages
Newsletter data
If you wish to receive the Newsletter – advertising messages, we will request your email address. Additional data will only be collected on a random basis or not at all. These data are used exclusively for sending the requested information and will not be shared with third parties.
Data entered in the newsletter subscription is processed expressly with your consent (Art. 6(1)(a) GDPR). You can withdraw your consent to the storage of data, your email address and its use to send the newsletter by following the “unsubscribe” link in the newsletter. The legality of the data processing already carried out by the operator will not be affected by the withdrawal.
We will retain the data you provide to us in order to receive the newsletter until you cancel your subscription, and we will delete the data when you unsubscribe from the newsletter. Data that we store for other purposes (e.g. email addresses for the members’ area) will not be affected.
MailChimp
This website uses MailChimp’s services to send newsletters. The provider is Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA. MailChimp is a service that, among other things, allows the organization and analysis of newsletter distribution. If you provide data (such as your email address) to subscribe to our newsletter, it will be stored on MailChimp’s servers in the USA.
MailChimp is certified under the “EU-US Privacy Shield”. The “Privacy Shield” is an agreement between the European Union (EU) and the USA that is supposed to ensure compliance with European data protection standards in the USA.
With MailChimp, we can analyze our newsletter campaigns. When you open an email sent with MailChimp, a file included in the email (so-called web beacon) will connect to MailChimp’s servers in the USA. This will determine whether the newsletter message has been opened and which links have been clicked on. Technical information will also be collected (such as time of retrieval, IP address, browser type and operating system). This information cannot be assigned to a specific newsletter recipient. It is used exclusively for the statistical analysis of newsletter campaigns. The results of these analyses can subsequently be used to tailor future newsletters to the interests of the recipients.
If you do not want your data to be analysed by MailChimp, you must unsubscribe from the newsletter. We provide a link to do this in every newsletter message. You can also unsubscribe from the newsletter directly on the website.
Data processed in this way will be processed based on your consent (Art. 6(1)(a) GDPR). You may withdraw consent at any time by unsubscribing from the newsletter. The legality of the data processing operations already completed by the operator will not be affected by the withdrawal.
We will store the data you provide to us for the purpose of subscribing to the newsletter until you unsubscribe from the newsletter. After you unsubscribe, we will delete the data both from our servers and from MailChimp’s servers. Data stored for other purposes with us (e.g. email addresses for the members’ area) will not be affected.
You can find more details about MailChimp’s data protection at: https://mailchimp.com/legal/terms/.
Data Processing Agreement
We have concluded what is known as a “Data Processing Agreement” with MailChimp, in which we require MailChimp to protect the data of our customers and not to disclose it to third parties. This agreement can be seen at the following link: https://mailchimp.com/legal/forms/data-processing-agreement/sample-agreement/.