RULES

ON PROCESSING AND STORAGE OF PERSONAL DATA AND PROTECTION AGAINST ILLEGAL FORMS OF PROCESSING AT UNION BALKAN BUSINESS OOD AND THE RELATED ENTERPRISES IN THE UNION BALKAN BUSINESS GROUP

 

Chapter one

GENERAL PROVISIONS

 

Art. 1. These internal rules on technical and organizational measures and the permissible type of personal data protection govern the processing and protection of personal data of employees, persons hired under civil agreements and customers, and are hereinafter referred to as the Rules.

 

Art. 2. (1) Personal data processing means any operation or a set of operations performed on personal data and sets of personal data whether or not by automated means such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction.

 

(2)    The personal data processing also consists of providing access to certain information only to persons whose duties or specific tasks assigned require such access.

 

Art. 3. The company is a personal data Controller and as such it shall keep the following registers:

1.        Employees and persons under civil agreements Register

2.        Clients Registers

 

Art. 4. (1) Personal data is any information related to an identifiable individual who can be directly or indirectly identified through it (i.e. Personal Identification Number, location data, online identifier) or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural and social identity of that person (gender, race, ethnic origin, political convictions, trade union organizations membership, sexual orientation, etc.).

 

(2) The personal data is processed based on the following principles:

 (a) lawfulness, fairness and transparency;

(b) purpose limitation – the personal data is collected for specified, explicit and legitimate purposes and is not further processed in a manner that is incompatible with these purposes; the further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes;

 (c) data minimisation – the personal data is limited to what is necessary in relation to the purposes for which the processing is needed;

 (d) storage limitation – the personal data are kept in a form that permits the identification of data subjects for a period no longer than is necessary for the purposes for which the personal data are processed; the personal data may be stored for longer periods as far as the personal data will be processed solely for archiving purposes in the public interest, for scientific or historic research purposes or statistical purposes provided that proper technical and organizational measures are provided in order to safeguard the rights and freedoms of the individuals whose data is being processed.

 (e) integrity and confidentiality – the personal data are processed in a manner that ensures appropriate security of the personal data including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage using appropriate technical and/or organizational measures.

 

Art. 5. The personal data are collected for specific, well-defined purposes. They are processed in a lawful and fair manner and cannot be further processed in a manner that is incompatible with these purposes.

 

Chapter two

TYPES OF REGISTERS

 

Art. 6. Types of registers kept by the Company. Purposes for which the personal data stored in the individual registers is used:

 (1) In the Employees and Persons under Civil Agreements Register the data of the employees and civil agreements executors is stored and collected in the Company for the purpose of:

1.  Individualization of employment and labour relations.

2.  Implementation of the statutory requirements of the Labour Code, the Social Security Code, the Accountancy Code, the State Archives Act, etc.

3.  Use of the data collected for the respective persons for business purposes.

4.  For all activities related to existence, modification and termination of employment and civil relations – for preparation of any kind of documents for the persons in this regard (agreements, supplementary agreements, length of service certifying documents, official certificates, references, certificates, etc.).

5.     For establishing a contact with a person by phone, for sending of correspondence concerning the fulfillment of his/her obligations under employment or civil agreements.

6.    For book-keeping about the remuneration of the above-mentioned persons under employment and civil agreements.

(2) In the Clients Register the personal data of the clients of the Company is collected and stored for:

1. Individualization of the relevant counterparties.

2. Implementation of the statutory requirements of the Accountancy Act and other relevant normative acts.

3.  Use of the data collected for the persons concerned for business purposes only after obtaining the due consent of the persons for processing of their personal data for the following purposes:

 (a)  for all activities related to the existence, modification and termination of the contractual relations, as well as the collection of receivables arising of the latter – for preparation of all documents in this regard (contracts, additional agreements, any commercial, accounting and other documents);

 (b)   to make contact with the persons by phone, address and/or e-mail, to send correspondence concerning the fulfillment of their obligations under the contracts concluded with the Company;

       (c)    for accounting and tax reporting;

Art. 7. Data groups in the registers:

     (1) In the Employees and persons under civil agreements the following personal data types are kept:

       1.1. Regarding the Physical identity of the persons: (given names, Personal Identification Number, gender, permanent address and place of birth for the employment agreements, and for the civil agreements also the number of the ID card, date and place of issue, expiry date, and authority that issued it), telephone numbers, e-mail, etc. These data are provided based on statutory obligation and the execution of the agreement;

          (a) type and degree of education, place, number and date of issue of the diploma and name of the education institution – the data necessary for observing the statutory or established requirement for occupying the position, respectively for dismissal of the persons occupying the position, as well as for assessing the competency of persons to whom the Company intends to assign the performance of activities under civil or employment agreements. These data are provided by the employees/contractors at the conclusion of employment or civil agreements with them;

          (b) additional qualification – these data are necessary for observing the statutory or established requirement for occupying the position, respectively for dismissal of the persons occupying the position. These data are provided by the persons based on the statutory obligation in all cases where needed. If necessary, data on the additional qualification are also required from the persons to whom the Company intends to assign the performance of activities under civil or employment agreements.

          (c) personal data on the civil and legal status of the persons, which is necessary for all the employees recruited under employment relations including for the positions related to material responsibility. These data are provided by the persons based on the statutory obligation.

       1.4 Data on the health status of employees when processing of sick leave notes and documents related to accidents at work, vocational rehabilitation of workers, etc. is needed.

 (2) In the Clients Register the following types of personal data of the persons related to the Physical Identity are kept: given names and data from the ID card (Personal Identification Number, gender, number of the ID card, date and place of issue, expiry date, and authority that issued it – when this is necessary and applicable), telephone numbers, e-mail, etc. These data are provided based on the conclusion and the execution of the agreement (We do not collect more personal data than necessary for the particular purpose we process this personal data for).

 

Art. 8. Forms of registry keeping.

(1) Registers kept on paper:

1.1. Form of organization and storage of personal data – written (documentary), stored in folders (personnel files, files for contractors and clients) for each employee or person hired under a civil agreement, as well as for each client with whom a contract is signed. Access to these files is restricted by a locking mechanism, an alarm system and a security system, and by the arrangement of the files. The files are available only to the employees who process them.

           1.2. Location of the filing cabinet/s: Company’s office.

(2) Registers kept on a technical medium:

       2.1. Form of organization and storage of personal data – the technical means by which we restrict the access to this information are limited access, regulated location of the servers in a secure office of the Company. A specialized company providing professional cyber protection is hired.

2.2. Location of the computers: offices of the Company

2.3. Access: limited

2.4. Software and device measures to ensure the level of security:

2.4.1. The network built in the Company’s offices is exclusively based on communication devices that provide a wide range of possibilities related to the security of access to information;

2.4.2. The workstations connected to this internal network have undergone additional processing – deleting the data that is not needed by the respective employees who process personal data and limiting the possibility of inserting a USB flash drive, downloading information to other types of data carriers, installing software, etc., which minimizes the risk of information leaks.

 

 

Chapter three

PERSONAL DATA PROCESSING

 

Art. 9. Personal data collection:

(1)   The personal data in the Employees and Persons under Civil Agreements Register shall be collected upon starting/assigning of work under employment or civil relation of a person through an interview and on paper or electronic medium provided by the person in question.

 (2) The personal data in the Clients register are collected during the negotiations, the relevant assigning of orders from the respective clients and the signing of a contract.

 (3) The Controller/the person who processes personal data must inform the person whose data are collected of the need for personal data collection and the purposes for which they shall be used, to whom they shall be provided and the time for their processing.

 (4) Upon approval of the request for starting work/assignment of work to the person, or upon conclusion of the relevant contract, these documents, as the main paper personal data carrier, together with the other documents enclosed thereto, shall be handed to the person processing personal data so that a valid employment or civil relation can be established through the preparation of an employment or civil agreement on a technical or paper medium. The contract prepared on a technical medium remains in a separate file on the computer, and only the persons who process personal data and the persons who have access to the personal data of the employees of the Company-Controller have access to it. The personal data shall be stored on a server.

 (5) Based on the principle of accuracy of personal data processing, when a rectification of the personal data is needed, the persons provide the Controller and/or the person processing the personal data with their corrected personal data at his/her request. The rectification of the personal data of the person can also be made at his/her request by submitting a declaration in free text to the Controller/the person processing the personal data.

 

Art. 10. (1) The Company assigns the personal data processing to persons who process them. The processing shall be assigned to more than one person according to the specifics of their functions and in order to distinguish their specific duties.

 (2) The persons who shall process the personal data shall be determined by these instructions, the internal rules, the establishment plan of the Company and the job descriptions of the Company employees. In case of reassignment of the personal data processing to a third person – in the respective contract concluded between the latter and the Controller.

 (3) The persons who process personal data shall act only under the instructions of the Controller, unless otherwise provided by law.

 

Art. 11. The persons who process personal data in the registers kept by the Controller are:

 (1) For the Employees and Persons under Civil Agreements Register:

1.1. The persons who are directly engaged with the preparation and the legality of the documents in connection with the employment and civil relations between the Company and the respective persons;

1.2. The persons engaged with the payment of the remunerations due to the persons in employment or civil relations with the Company.

 (2) For the Clients Register:

2.1. The persons – employees of the Company to whom the actions for servicing clients, drafting of contracts, checking of contracts and written correspondence with clients have been assigned;

2.2. The persons to whom the Company has assigned the personal data processing for organizational reasons other than those specified in 2.1;

 (3) When the activities under par. 1 and par. 2 of this article are assigned to an individual or a legal entity outside the Company, then they represent a person who processes personal data and their obligations in this regard are settled by the contract signed between them and the Company.

 

Chapter four

PERSONAL DATA PROTECTION. OBLIGATIONS OF THE CONTROLLER.

 

Art. 12. Providing individuals with access to their personal data:

       (1) An individual shall have the right of access to the personal data concerning him or her. In cases where the personal data may also be disclosed to a third party when exercising the right of access, the Controller shall be obliged to provide the individual concerned with access to the part of personal data concerning only him/her.

            (2) The employees under employment and civil relations, as well as the clients, shall have the right to access their personal data that are stored in the Company. For this purpose, the persons shall submit a written application to the Company, including electronically, under the Electronic Document and Electronic Signature Act.

       (3) The application shall contain names of the person, address and other contact details that identify him/her – given names, Personal Identification Number, position and place of work (when applicable), description of the request, preferred form for granting the access to the personal data, signature, date and correspondence address, and when the application is submitted by an authorized person a power of attorney with notarial attestation is also needed. The application shall be filed in the General Incoming Register of the Company.

       (4) Upon receipt of an application for access to personal data of the applicant, the representative of the Company or a person authorized by it shall consider the application for access. The time for considering and adjudicating on the application is 1 to 3 months from the date of submitting. The Controller shall take the necessary measures to provide the information related to the personal data processing to the applicant in short, transparent, comprehensible and easily accessible form using plain and simple language. The information shall be provided in written form or in other way including electronic means, where appropriate. If this is requested by the data subject, the information may be provided verbally provided that the identity of the subject is proven by other means.

       (5) When the data do not exist or they cannot be provided on a specific legal basis, the applicant shall be denied access by a reasoned decision, which shall be announced to the applicant under the provisions of the preceding sentence.

       (6) The Controller shall provide the applicant with the following information:

  6.1. the data identifying the Controller and the contact details of the Controller and those of the Controller’s representative, where applicable;

   6.2. the contact details of the official for the personal data protection, where applicable;

   6.3. the purposes of the processing for which the personal data are intended and the legal basis for their processing;

   6.4. the relevant categories of personal data of the applicant that are processed by the Controller;

   6.5. the recipients or the categories of recipients to whom the personal data are or will be disclosed, in particular the recipients in third countries within the meaning of the Regulation or international organizations, as well as their protection guarantees;

   6.6. the time period provided for the storage of the personal data, where applicable, and when this is not possible, the criteria used for the determination of this period;

   6.7. the existence of a right to request from the Controller a rectification or erasure of the personal data or limitation of the personal data processing related to the applicant, as well as the right to object to such processing;

   6.8. the right to lodge a complaint to the Personal Data Protection Commission;

   6.9. the existence of an automated decision-making regarding the data subject, including profiling and the meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;

   6.10. The processing related to the registration of companies shall be done based on the legitimate interest in relation to the requirements of the Commerce Act of Republic of Bulgaria.

6.11. when the personal data is not collected from the data subject, any available information about their source.

(7) The Controller shall be obliged to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed unless this is impossible or involves disproportionate effort. The Controller shall inform the data subject about those recipients, if the data subject requires it.

Art. 13. Access of third parties to personal data of the employees, persons under civil relations with the Company and/or clients of the Company.

(1)      The personal data carriers shall not be carried outside the Company building and shall not be provided to third parties except in the cases provided for by the law and these rules.

(2)      No third party shall have access to the personal data of the employees, the persons under civil relations with the Company and/or clients of the Company unless properly requested by the competent state and municipal authorities (judicial authorities, revising state bodies, etc.) in the cases provided for by the law. The competent authorities shall be granted access to the personal data according to the statutory requirements depending on the particular case.

(4)      The decision for granting or denying access to personal data for the person concerned shall be announced by the Controller to the third parties within the appropriate deadline from the time of submitting the application without any undue delay.

(5)      The decision for granting or denying access to personal data for the person concerned shall be communicated by the Controller to the third persons within a reasonable period of time from the submitting of the application without any undue delay.

 

Art. 14. (1) The provision of personal data in a Member State of the European Union, as well as in another Member State of the European Economic Area, shall be carried out by observing the requirements of the applicable European and national legislation.

 (2) The provision of personal data in a third country other than those under par. 1 is only allowed if it provides an adequate level of protection of the personal data on its territory.

 

Art. 15. Personal data storage term:

(1)    Employees and Persons under Civil Agreements Register:

1.1.      The different types of accounting information containing personal data from the Employees and Persons under Civil Agreements Register shall be stored within the terms stipulated in the Accountancy Act (AA) as follows:

 (a) payroll records and employment records (documents related to the occurrence, existence, modification and termination of the employment relation) – 50 years as of January 1 of the reporting period following the reporting period to which they relate (art. 12, par. 1, it. 1 of the AA);

 (b) accounting registers and financial reports including documents for tax control, audit and subsequent financial inspections – 10 years as of January 1 of the reporting period following the reporting period to which they relate (art. 12, par. 1, it. 2 of the AA);

 (c) all other carriers of accounting information – 3 years as of January 1 of the reporting period following the reporting period to which they relate (art. 12, par. 1, it. 3 of the AA);

Reporting period shall have the definition given in par. 1, it. 14 of the Additional Provisions of the Accountancy Act, namely: the calendar year (January 1 – December 31).

1.2.      Types of personal data of the employees and persons under civil agreements that are not contained in the data carriers under the preceding paragraph shall be stored for 1 month as of the date when the reason for their processing ceased to exist, including after the expiration of all contractual obligations such as possible court claims, warranty responsibility, etc. (Please specify all possible reasons).

Within 30 days after the expiry of the above deadlines, the personal data shall be destroyed.

(2)   Clients Register:

2.1. The different carriers of accounting and tax information containing personal data from the Clients Register of the Company clients with whom a contract is concluded shall be stored for the time periods provided in the Accountancy Act (AA) and the Tax and Social Security Procedure Code (TSSPC) as follows:

 (a) accounting registers and financial reports including documents for tax control, audit and subsequent financial inspections – 10 years as of January 1 of the reporting period following the reporting period to which they relate (art. 12, par. 1, it. 2 of the AA);

 (b) all other carriers of accounting information except payrolls and employment records – 3 years as of January 1 of the reporting period following the reporting period to which they relate (art. 12, par. 1, it. 3 of the AA);

 (c) documents for tax and social security control – they shall be stored for 5 years after the expiry of the limitation period for repayment of possible tax liabilities of the Company for the year when the contract is terminated/dissolved as of the year when the respective contract is terminated/dissolved and in case during the termination/dissolving of the contract there are no disputes about its execution.

2.2. The personal data of the clients with whom the contract has been concluded and which are not included in the data carriers of the preceding paragraph shall be stored for a period of 30 days from the date of expiration of the reason for their processing (from the termination of the contract – early or on any other grounds provided therein, incl. after the expiration of all obligations under the contract such as possible court claims, warranty responsibility, etc.). If within the indicated period the respective customer expressly requires his/her personal data to be erased (forgotten) or their processing to be limited, then the storage of the relevant data shall be suspended and they shall be destroyed as soon as possible after the receipt of the client’s request unless there is an explicit legal basis for their processing to continue.

 

Art. 16. Regular archiving – the archiving of the personal data on a technical medium shall be performed regularly every month by the person processing the personal data in order to keep the data of the respective persons up-to-date. This shall be done on reliable optical storage media (CDs, USB flash drives, etc.) which can be accessed only by the person who processes them.

Art. 17. (1) In case of an application filed by an individual whose personal data is being processed by the Controller, the Company undertakes to delete without any undue delay the personal data where any of the following grounds apply:

1.   the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

2.   the person withdraws his/her consent on which the processing of the data is based and there is no other legal basis for the processing;

3.   the person objects to the automatic decision making applied by the Controller on his/her personal data and there is no other legal basis for the processing, or the person explicitly objects to the processing;

4.   the personal data have been processed unlawfully;

5.   the personal data must be erased in order to comply with an obligation under European or national law;

6.   the personal data have been collected in connection with the provision of information society services to children.

 

(2) The Controller has the right to refuse to perform the actions under par. 1 if the processing is necessary:

1.   for exercising the right of freedom of expression and information;

2.   for compliance with a legal obligation which requires processing provided for by the Union or Member State law to which the Controller is a subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;

3.   for reasons of public interest in the area of public health;

4.   for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right referred to in the national legislation is likely to render impossible or seriously impair the achievement of the objectives of that processing;

5.   for the establishment, exercise or defence of legal claims.

 

Art. 18. (1) Data portability: The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller to which the personal data have been provided, where:

 (a) the processing is based on consent of the data subject or on a contractual obligation;

 (b) the processing is carried out by automated means.

(2)   In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

 

Art. 19. (1) In the case of a personal data breach, the Controller shall, without undue delay and not later than 72 hours after having become aware of it, notify the personal data breach to the Personal Data Protection Commission (PDPC) unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the notification to the supervisory authority is not made within 72 hours, the Controller shall state the reasons for the delay.

 

(2) The notification shall at least:

     1. describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

     2.  communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

     3.  describe the likely consequences of the personal data breach;

     4. describe the measures taken or proposed to be taken by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

 

(3)   When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the Controller shall communicate the personal data breach to the data subject without undue delay. The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and shall at least:

     1.  communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

     2.  describe the likely consequences of the personal data breach;

3. describe the measures taken or proposed to be taken by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

 

(4) The communication to the data subject referred to in paragraph 3 shall not be required if any of the following conditions are met:  

1.  the Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

2. the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;

3.  it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

 

Art. 20. The Controller is obliged to carry out an impact assessment as required by EU Regulation 679/2016 in case the personal data processed by him/her could pose a high risk to the rights and freedoms of individuals. The impact assessment is a process for determining the levels of impact on a particular individual or a group of individuals depending on the nature of the personal data being processed and the number of individuals affected in case of breach of privacy, integrity or availability of personal data. The impact assessment shall be carried out regularly every two years, and if the nature of the data processed or the number of individuals affected changes, the impact assessment may be carried out early.

 

Art. 21. (1) The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of individuals.

 

 (2) When implementing new software for personal data processing, the Management of the Company shall appoint a commission to test and verify the capabilities of the product in order to meet the requirements of European and national legislation in this regard and to ensure maximum protection against unauthorized access, loss, damage or destruction of personal data.

 

Art. 22. This instruction shall be notified to all employees of the Company, as well as the persons hired under a civil agreement. For failure to fulfill the obligations under this instruction and the national and European legislation on personal data protection in force at the relevant time, the persons concerned shall be liable to disciplinary action and payment of compensation.

 

 

 

 

 

 

Prepared by: Ivelina Tserovska, Chief Accountant

Approved by: Savvas Karafilidis, Manager

 

 

 

 

Information on Our Policy for Collecting, Processing and Storing Personal Data of Individuals

 

Please read this document carefully. It will inform you about our policy of collecting, processing and storing personal data of individuals pursuant to

 

 

Data under art. 13 and art. 14 of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND THE COUNCIL

 

In case you disagree with this document, you cannot use our services offered through our site.

 

In order to provide our accounting, legal, translation and mediation services through our site www.unionbalkansbusiness.com (hereinafter referred to as the Site), as well as the mobile versions of it, we process personal data.

When processing personal data we comply with all personal data protection legislative acts applicable, including but not limited to Regulation (EU) 2016/679 (hereinafter referred to as the Regulation).

According to the Regulation, personal data is any information that relates to you and through which you can be identified. The personal data processing (hereinafter referred to as the Processing) is any action or a set of actions that can be performed on personal data by automatic or other means.

The personal data subject to processing shall be collected by the collector and holder of personal data Union Balkan Business OOD and its affiliated persons in the Union Balkan Business group, which represents a group of specialized accounting enterprises representing accounting, legal and consultancy companies (WE). Our services are provided in the Union Balkan Business located at 145 G.S. Rakovski Str., entr. G, fl. 1, ap. 6 and at 157A G.S. Rakovski Str., fl. 1, 1000 Sofia. We perform the services we provide through our contact form on our company website, Contacts section and via office@ubb-gr.com.

Personal data of individuals processed by the employees of the Controller are: given names, place and date of birth, number of ID document, date of issue of the ID document, contact details such as telephone number, e-mail and postal address.

 

You decide what and how much personal data to provide by contacting us. The forms through which the personal data is entered clearly indicate the mandatory or the voluntary nature of data provision. The data required to fill in are those without which we cannot provide the service or any part of it.

 

The purpose/s of personal data processing: The personal data that are collected and processed are necessary for the registration of new legal entities in accordance with the legal provisions of the Bulgarian Commerce Act and other normative acts.

They are also necessary for the registration of employment and civil agreements pursuant to the requirements of the Bulgarian tax and social security provisions, as well as in case of conclusion of commercial contracts and powers of attorney necessary for the activities of the commercial companies pursuant to the Bulgarian and European legislation.

 

The data shall be processed in accordance with Regulation (EU) No. 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

The personal data provided to third parties: Your personal data shall not be provided to third parties in any other way except those described in this Policy, Terms and Conditions and the cases provided for by the law.

Third parties to whom the data will be provided in connection with the provision of our services under the policy are:

Officials – lawyers and notaries;

Officials in state institutions – Registry Agency – Commerce Register, National Revenue Agency, National Social Security Institute and other state institutions when needed, banks.

 

Personal data storage term:

Below you can find information about the storage term of the different types of personal data. When storing personal data, we apply the general principles of storage in a minimal volume and for a time-limit not longer than it is necessary for the provision of services, ensuring their security and reliability and the requirements of the law.

 

The storage time determined by us:

 

| Type of data and/or documents | Time periods | Explanations |
|---|---|---|
| Correspondence, offers, orders, requests, applications, incoming phone calls | Correspondence, orders and offers shall be stored for up to 5 (five) years in order to ensure the reliability of the service | In order to permit the submission of orders for company registration, requests, applications, complaints, signals, disputes, inquiries, or other questions made in communication with us through the electronic form on the website, through phone calls via mobile or landline phones, through regular or electronic mail, we store and process this data, as well as the results of such processing. In view of the time periods pursuant to the Bulgarian legislation in order to resolve disputes this data shall be stored for a period up to 5 /five/ years. |

 

 

Legal and limitation periods of storage:

 

| Type of documents | Time periods | Legal basis |
|---|---|---|
| Payrolls | 50 years as of January 1 of the reporting period following the reporting period to which they relate to | Art. 12 of the AA, art. 38 of the TSSPC |
| Accounting registers and financial reports, tax control documents, audit and subsequent financial inspections | 10 years as of January 1 of the reporting period following the reporting period to which they relate to | Art. 12 of the AA, art. 38 of the TSSPC |
| All other carriers of accounting information | 3 years as of January 1 of the reporting period following the reporting period to which they relate to | Art. 12 of the AA |
| Documents of tax and social security control | 5 years after expiration of the limitation period for repayment of public debt | art. 38 of the TSSPC |
| After the expiration of the storage period, the data carriers (paper or technical) that are not subject to submission to the National Archives Fund can be destroyed | | Art. 13 of the AA, art. 38 of the TSSPC |
| Tax documents, sales reports under art. 119 and art. 120 of the VATA, registers under art. 123, par. 2 and 3, customs import documents | 5 years after expiration of the limitation period for repayment of public debt, which these documents certify in their original form. | Art. 121 of the VATA |
| Reporting documents, including books for the daily financial statements and control strips on an electronic medium | 5 years | Art. 42, par. 6 of the RRRSTEFD (for the fiscal devices) |
| Public receivables | 5 years from January 1 of the year following the year when the public debt should be paid | Art. 171, par. 1 of the TSSPC |
| | 10 years from January 1 of the year following the year when the public debt should be paid regardless of the termination or the suspension period of the limitation period | Art. 171, par. 2 of the TSSPC |
| Receivables from the NSSI for improper or unjustified social security payments | 5 years as of January 1 of the year following the year which it is related to; 10 years as of January 1 of the year following the year which it is related to regardless of the suspension period of the limitation period | Art. 115, par. 1 SSC |
| Receivables from the NSSI | 3 years as of January 1 of the year following the year which it is related to | Art. 115, par. 2 SSC |
| Other receivables | 5 years general limitation period; 3 years for receivables for: labour remunerations; compensations and penalties for an unexecuted contract; rents, for interest and other periodical payments | Art. 110 OCA, Art. 111 OCA |

Will the personal data be used for profiling: NO

Will the personal data be used for direct marketing: NO

 

The website does not use cookies or other hidden or unregulated technical means for collecting information.

 

In accordance with REGULATION (EU) 2016/679, the personal data subject has the following rights:

·         right to awareness – By this policy we aim to inform you in detail about the processing of your personal data in connection with the services we provide.

·         right to withdraw consent – You have the right at any time to withdraw your consent for personal data processing based on your consent. Such withdrawal shall not affect the lawfulness of the processing based on the given consent at the moment of its withdrawal.

 

The will to exercise one’s rights should be expressed in writing and addressed to the data protection office at one of the following contacts:

1.       e-mail:  office@ubb-gr.com

2.       via the website inquiry form

3.       to Company address: 145 G.S. Rakovski Str., entr. G, fl. 1, ap. 6, 1000 Sofia

 

Representative: Ivelina Tserovska, Chief Accountant

 

Respectively, the personal data controller intends to store your personal data for the validity term of the above mentioned purposes for personal data processing, to guarantee that each person who processes personal data is doing the same, and the personal data controller guarantees that neither he/she, nor any of the persons who process the personal data shall process or store the personal data for longer than necessary.

 

The personal data controller has internal regulations in force on the personal data processing and security and guarantees that the personal data processed is accessible only to the authorized personnel of the personal data controller. Pursuant to the contracts signed by the personal data controller with the persons who process personal data mentioned herein, all your personal data shall be processed in accordance with the requirements of Regulation (EU) 2016/679 (General Data Protection Regulation), and where this is not applicable in other countries, measures equal to those required in the above mentioned regulation have been taken.

The personal data controller would like to inform you that a copy of and/or access to your personal data may be provided to you as far as this access does not violate the rights of other data subjects, therefore the personal data carrier may grant you access to your personal data, rights and interest to the following extent.

The personal data carrier would like to inform you that he/she does not make automated decisions for you, nor does he/she do profiling of your personal data.

No personal data security breach has been committed nor has such happened unconsciously, as far as the controller is aware.

 

The website and the e-mail address of Union Balkans Business do not use cookies and do not perform direct marketing.

 

Measures taken regarding the technical security and personal data security during their processing and storing:

We inform you that we have taken the strictest organizational measures in relation to the provision of technical, physical and programming protection of the personal data processed and stored by us.

We have provided controlled and monitored access to the office and server premises.

We have concluded long-term contracts with specialized security companies.

We have provided all the technical security measures mentioned in the Regulation, including:

According to the Regulation, the appropriate technical and organizational measures to protect the personal data processed are:

1.       personal data pseudonymisation (‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person);

2.       personal data encryption;

3.       ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

4.       keeping log files of the data processing activities in the automated processing systems;

5.       training of employees – we train our employees on a permanent basis;

6.       at the design stage: both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing.

7.       by default: implement appropriate technical and organizational measures in order to guarantee that only personal data necessary for each particular purpose of the processing are processed by default. This obligation refers to the volume of the personal data collected, the degree of processing, the period for their storage and their accessibility. In particular, such measures guarantee that by default, without any interference by the individual, the personal data cannot be accessed by an unlimited number of individuals.

 

In this regard, we have provided a long-term, permanent maintenance and surveillance service by a specialized cyber protection company.