Personal Data Administrator Information:
Head office: Plovdiv, 145 Brezovsko Shosse Str., Tel: 032 511 564
As an administrator of personal data, SOLARITY BG Ltd. respects your right to maintain the confidentiality of your information and data. This policy is intended to inform you of the purpose, grounds and manner in which we collect, process, store and disclose your personal data in order to preserve the privacy of your person. That is why we ask you to read its contents carefully.
Information on the competent supervisory authority:
- Title: Data Protection Commission
- Headquarters and address of management: Sofia 1592, Blvd. “Prof. Tsvetan Lazarov ”№ 2
- Correspondence data: Sofia 1592, Prof. Tsvetan Lazarov ”№ 2
- Phone: 02 915 3 518
- Email: firstname.lastname@example.org , email@example.com a>
- Website: cpdp.bg
I. Our main goal when working with personal data
SOLARITY BG Ltd. processes your personal data with maximum security, in connection with the existing between the company and you regulatory obligations and contractual relations arising from the consulting and legal activities.
The security of the data you entrust to us is very important to us. It is of great importance for our success and for our public image, which is why we protect your data by applying all appropriate technical and organizational means at our disposal and keeping it up to date with the requirements of Regulation (EU) 2016/679. Through them, we will not allow unauthorized access, unauthorized or malicious use, loss or premature deletion of information.
We collect and process personal data only in compliance with the requirements of local and European legislation. We are aware that the processing of your data is for a specific reason and cannot be performed without restriction.
II. Objectives and scope of the data protection policy:
This policy follows the territorial and material scope of Regulation (EU) 2016/679 and adopts its main objectives. It is applied by the Administrator and all his employees.
SOLARITY BG Ltd. needs the collection and processing of personal data and does so in order to carry out its activities legally, expediently and fully. This applies to personal data of employees, customers and other entities with whom we have a relationship or would like to contact.
III. Categories of personal data and purposes of processing.
“SOLARITY BG” Ltd. processes personal data of various entities on specific grounds, according to the objectives. In compliance with the principles of legality, good faith, transparency and information and to facilitate personal data subjects, the company has integrated separate notifications to each specific subject and purpose of processing. In them is detailed and specific information under Art. 13 and Art. 14 of Regulation (EU) 2016/679. They are:
Notice for processing personal data of employees – you can read this document at the company’s office.
Customer Personal Information Notice – You can view this document at the company’s office.
Notice of processing personal data when visiting the site https://solaritybg.com/ – You can read this document in electronic form on the company’s website.
“SOLARITY BG” Ltd. does not collect or process for the sole purpose identification of the subject personal data relating to the following:
- reveal racial or ethnic origin;
- disclose political, religious or philosophical beliefs, or trade union membership;
- genetic data, data on sexual life or sexual orientation.
The administrator did not collect and personal data of persons under 14 years of age without the express consent of a parent.
The administrator does not apply “automated decision-making individual decisions, including profiling”
The policy does not apply to the processing of personal data of a data subject – an individual, in the context of his or her purely personal or household activities.
IV. Grounds for personal data processing
“SOLARITY BG” Ltd. collects and processes personal data only for specific purposes, described in detail and explicitly in the documents under item III. The reason is specific and different according to the pursued goal and can be:
- For fulfillment of normative obligations under art. 6, para. 1, letter (C) of Regulation (EU) 2016/679 we process your personal data in order to comply with obligations provided for in laws and regulations governing the activities we carry out, such as: LC, CSR, PIT, VAT, EA , ZEVI, ZUT, ORDINANCE № 6 of 02.2014, etc .;
- For performance of a contract – labor, civil, rental or other type of contractual relationship; to take steps at the request of the data subject before concluding a contract; protection of legitimate interest, under Art. 6, para. 1, points (B) and (E) of Regulation (EU) 2016/679;
- If necessary, when the purpose or regulatory obligation imposes this – “SOLARITY BG” Ltd. will require your explicit and free consent for the processing of personal data.
V. How we protect your personal information
To ensure adequate data protection of our employees, customers and partners, we apply all necessary organizational and technical measures provided for in the Personal Data Protection Act and Regulation (EU) 2016/679 of 27 April 2016, as well as the protection of personal data at the design stage and the protection of personal data by default.
The protection of personal data at the design stage is expressed in the appropriate technical and organizational measures introduced by us before the start of personal data processing (at the stage of determining the purposes and means of processing), ensuring their implementation throughout the data life cycle. Our appropriate measures are encryption of data, setting of functionalities for automated accounting of storage terms and their automatic deletion after their expiration, etc.
We protect personal data by applying mechanisms that by default ensure compliance with the following requirements:
- Only the minimum amount of personal data – absolutely necessary to achieve our specific goal, are processed and processing operations are carried out;
- The personal data contained in electronic documents and in the electronic system for optimizing the work processes in the company are encrypted and stored on a local file server, accessible with an individual username and password;
- Licensed software and certificates for electronic protection of systems and the website are used;
- Documents containing personal data are stored in drawers and files with limited access;
- Employees do not leave documents unattended;
- Only employees who need relevant information to perform their duties have access to personal data;
- Personal data is not shared with other employees unless required to perform their duties;
- Employees are trained in the proper implementation of Regulation (EU) 2016/679;
- The data is stored for the minimum period absolutely necessary to achieve the purposes of processing, and then deleted in accordance with the relevant rules and procedures;
- Data whose basis for collection has been dropped shall be irreversibly destroyed by a deletion protocol;
- Any access, transmission or sharing of data is permissible only if there is a valid legal basis for it (for example, the consent of the data subject or our legal obligations).
“SOLARITY BG” Ltd. has the opportunity for security reasons to introduce, if necessary, an additional key in the work of individual employees.
For maximum security in the processing, transmission and storage of your data, we may use additional security mechanisms.
VI. When we delete your personal data
We delete your personal data after the need for processing ceases to exist or after the expiration of the period for their storage.
More detailed information on the different deadlines can be found in the Notices under Section III.
VII. When and why we share personal information with third parties
We may provide your personal data to third parties, and our main goal is to offer protection of your interests and security in connection with the performance of specific tasks and contractual obligations. Not ave We provide your personal data to third parties before we make sure that all technical and organizational measures have been taken to protect this data, and we strive to exercise strict control over the implementation of this goal. We observe, when applicable, that your data be processed only according to the instructions given on behalf of the administrator – “SOLARITY BG” Ltd. In this case, we remain responsible for the confidentiality and security of your data.
We provide personal data to the following categories of recipients:
– Data processors on behalf of:
- persons involved in the accounting of all company documentation;
- persons who, on assignment, maintain equipment, software and hardware used for the processing of personal data and necessary for the implementation of the company’s activities and for carrying out various reporting, payment, etc .;
- banking institutions, with a view to paying amounts due when you need to verify your identity;
- bodies, institutions and persons to whom we are obliged to provide personal data under applicable law or in connection with the implementation of our contractual relations (notaries, PEA, DUI, experts, lawyers – representatives of the other party).
– Data processors on their own behalf:
Competent authorities that have the power to require the provision of information, including personal data, such as courts, prosecutors, embassies, various regulatory bodies such as the National Revenue Agency (NRA), the Regional Health Inspectorate (RHI) , Labor Inspectorate, Consumer Protection Commission (CPC), Competition Protection Commission (CPC), Personal Data Protection Commission (CPDP), Registry Agency, Energy and Water Regulatory Commission (EWRC), Regional Directorate for Competition National Construction Control (RDNCC), bodies with powers to protect national security and public order;
The controller shall take the necessary measures to ensure that the processor of personal data and any natural person, acting under the direction of the administrator, process this data only on his instructions.
In the event of a breach of personal data security the administrator will notify the competent supervisory body – CPDP.
VIII. Your rights regarding the processing of your personal data:
1. Right to information and access:
You have the right to request:
- information on whether data relating to you are processed, information on the purposes of such processing, on the categories of data and on the recipients or categories of recipients to whom the data are disclosed;
- message in an understandable form containing your personal data being processed and any available information about their source;
- information on the logic of any automated processing of personal data concerning you, at least in the case of automated decisions.
2. Right of correction:
In the event that we process incomplete or erroneous / erroneous data, you have the right, at any time, to request:
- delete, correct or block your personal data, the processing of which does not meet the requirements of the law;
- to inform third parties to whom his personal data have been disclosed of any deletion, correction or blocking, except where this is not possible or involves excessive effort.
3. The right to be forgotten:
The right to be erased (or “the right to be forgotten”) allows you, when you do not wish your data to be processed and there are no legal grounds for its storage, to request that it be deleted on one of the following grounds:
- personal data are no longer needed for the purposes for which they were collected or otherwise processed;
- You withdraw your consent on which the data processing is based;
- You object to the processing and there is no overriding legal basis for continuing the processing;
- personal data have been processed unlawfully;
- personal data must be deleted in order to comply with a legal obligation;
The “right to be forgotten” is not an absolute right. There are situations in which the controller has the option to refuse to delete the data, namely when the processing of specific data is necessary for any of the following purposes:
- to exercise the right to freedom of expression and information;
- archiving for public interest purposes, historical research or statistical purposes;
- to establish, exercise or the protection of legal claims.
4. Right to object:
You have the right to object at any time to the processing of your personal data if there is a legal basis for doing so; where the objection is justified, the personal data of the natural person concerned may no longer be processed;
5. Right to limit processing:
You can request a restriction on the personalized data being processed if:
- you dispute the accuracy of the data, for the period in which we have to check its accuracy; or
- the processing of data is without legal basis, but instead of deleting it, you want its limited processing; or
- we no longer need this data (for the specified purpose), but you need it to establish, exercise or defend legal claims; or
- You have objected to the processing of the data pending verification that the controller’s grounds are lawful.
6. Right to data portability:
You can ask us to provide the personal data you have entrusted to our care to another Administrator in an organized, orderly, structured, generally accepted electronic format if:
- we process the data in accordance with the contract and based on the declaration of consent, which may be withdrawn or on a contractual obligation, and
- Processing is done automatically.
7. Right of appeal:
In case you believe that we are violating the applicable regulations, please contact us to clarify the issue. Of course, you have the right to file a complaint to the Commission for Personal Data Protection or to a relevant court under the Administrative Procedure Code. From 25 May 2018, you can also lodge a complaint with a regulatory body within the EU.
8. Entitlement to compensation:
According to Art. 39, para. 2 of LPPD and Art. 82, para. 1 of Regulation (EU) 2016/679, any person who has suffered damage as a result of a breach of the provisions of Regulation (EU) 2016/679 is entitled to receive compensation by way of a claim before the competent judicial authority.
9. Exercising your rights
Requests for access to information or for correction shall be submitted in person. We will rule on your request within one month of its submission. If a longer period is objectively necessary – in order to collect all the requested data and when this seriously hinders our activities, this period can be extended to 30 days. By our decision, we grant or deny access and / or the information requested by the applicant, but we always motivate our response.
The minimum information contained in the application (according to Article 37c of LPPD) should be the following: name, address, PIN / PIN / passport, description of the request, signature and date of submission, address for correspondence / email (depending of the preferred form for obtaining information), power of attorney.
In connection with the rights described above: information, correction, the “right to be forgotten”, objection, restriction of processing, complaint, as well as in view of the actions of the administrator in relation to these rights, a special register is created , in which all performed actions will be entered.
The initial response to a request is free of charge. In case of excessive (repeatability – more than 2 / two / essentially identical applications for a period of 12 / twelve / months) or obvious unfoundedness of the requests received from the same subject, the Administrator may charge a reasonable fee for the execution of the request, or refuse to act on the application.
IX. Principles of personal data processing according to Regulation (EU) 2016/679
- “Legality, good faith and transparency” – Your data is processed in accordance with applicable law, in good faith and in a transparent manner with regard to the data subject;
- “purpose limitation” – your data is collected for specific, explicit and legitimate purposes and is not further processed in a way incompatible with those purposes;
- “data minimization” – the types of data we collect are appropriate, related to and limited to the minimum necessary in relation to the purposes for which they are processed;
- ‘accuracy’ means accurate and, where necessary, kept up to date, taking all reasonable steps to ensure the timely erasure or correction of inaccurate personal data, taking into account the purposes for which it is processed;
- “storage restriction” – your data is stored in a form that allows the identification of the data subject for a period not longer than necessary for the purposes for which the personal data are processed;
- “integrity and confidentiality” – processed in a way that ensures an appropriate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, applied in accordance with appropriate technical or organizational measures.
- “personal data” – any information relating to an identified or identifiable individual;
- “data subject” – a person who can be identified directly or indirectly, in particular by an identifier such as name, identification number, location data, online identifier or one or more characteristics specific to the physical, physiological, genetic, mental, intellectual, economic, cultural or social identity of that individual;
- “processing” – any operation or set of operations carried out with personal data or a set of personal data by automatic or other means such as collecting, recording, organizing, structuring , storing, adapting or modifying, retrieving, consulting, using, disclosing, transmitting, distributing or otherwise making data available, arranging or combining, restricting, deleting or destroying;
- “Restriction of processing” – Marking of stored personal data in order to limit their processing in the future;
- “pseudonymisation” – the processing of personal data in such a way that personal data can no longer be linked to a specific data subject without the use of additional information , provided that it is kept separate and subject to technical and organizational measures to ensure that personal data do not relate to an identified or identifiable individual;
- “controller” – a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for determining it may be laid down in Union law or in the law of the Member State;
- “processor” – a natural or legal person, public authority, agency or other entity that processes personal data on behalf of the controller;
- “data subject’s consent” – any freely expressed, specific, informed and unambiguous indication of the data subject’s will, by means of a statement or clear affirmative action which agrees to the processing of personal data relating to him;
- “personal data breach” – a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data, which are transmitted, stored or otherwise processed.
XI. Updates and policy changes