1. Purpose, scope and users

Sofia South Ring Mall EAD, hereinafter referred to as the "Organization" or the "Company", strives to comply with applicable laws and regulations relating to the protection of personal data in the countries in which the Company operates. This policy sets out the basic principles by which the Company processes the personal data of users, customers, suppliers, business partners, employees and others, and sets out the responsibilities of business departments and employees during the processing of personal data.
This policy applies to the Company and its directly or indirectly controlled wholly owned subsidiaries that operate within the European Economic Area (EEA) or process the personal data of data subjects in the EEA.
The users of this document are all employees, permanent or temporary, and all contractors working on behalf of the Organization.

2. Reference Documents

- EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)
- Employee Privacy Policy
- Data storage policy
- Job description of the Data Protection Officer
- Guidelines for data inventory and data processing
- Procedure for requesting access to individuals
- Data protection impact assessment guidelines
- Procedure for Cross-Border Transfer of Personal Data
- Infringement notification procedure

3. Definitions

The following definitions of terms used in this document are defined in the EU General Data Protection Regulation:
'personal data' means any information relating to an identified natural person or an identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person
Sensitive personal data: personal data that are inherently particularly sensitive in relation to fundamental rights and freedoms deserve specific protection, as the context of their processing may pose significant risks to fundamental rights and freedoms. These personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual's gender, life or sexual orientation
Data controller: a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its determination may be laid down in Union or Member State law
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
processing: any operation or set of operations which is performed upon personal data or a set of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Pseudonymisation: the processing of personal data in such a way that the personal data can no longer be associated with a specific data subject, without the use of additional information, provided that it is kept separately and is subject to technical and organisational measures to ensure that the personal data are not linked to an identified or identifiable natural person
cross-border processing: (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union, the controller or processor being established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which significantly affects or is likely to significantly affect a data subject
Supervisory authority: an independent public authority established by a Member State in accordance with Article 51 of the Regulation
Lead supervisory authority: the supervisory authority that has primary responsibility for carrying out cross-border data processing activity. For example, where a data subject lodges a complaint about the processing of his or her personal data, the authority is responsible for, inter alia, receiving data breach notifications, notifications of risky processing and has full authority over its obligations to ensure compliance with the provisions of the Regulation
Each 'local supervisory authority' will continue to maintain on its own territory and monitor all local data processing affecting data subjects or carried out by a controller or processor from the EU or outside the EU, where the processing is directed at data subjects residing on its territory. Their tasks and powers include conducting investigations and enforcing administrative measures and fines, promoting public awareness of the risks, rules, security and rights in relation to the processing of personal data, and access to the controller's and processor's premises , including data processing equipment and facilities
"(a) in relation to a controller established in more than one Member State, the place where its central administration is situated in the Union, except where the decisions as to the purposes and means of the processing of personal data are taken at another establishment of the controller in the Union and that establishment has the power to implement those decisions, in which case the establishment where those decisions are taken shall be deemed to be the main establishment
Group undertaking: controlling undertaking and undertakings controlled by it

4. Basic principles relating to the processing of personal data

The Data Protection Principles outline key responsibilities for organisations processing personal data. Article 5(2) of the EU GDPR states that "the controller shall be responsible for and be able to demonstrate compliance with the principles."
4.1. Legality, Integrity and Transparency

Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
4.2. Purpose Limitation

Personal data must be collected for specified, explicit and legitimate purposes and not processed in a way that is incompatible with those purposes.
4.3. Data Minimization

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. The Company must apply anonymisation or pseudonymisation of personal data where possible to reduce the risks to the data subjects concerned.
4.4. Accuracy

Personal data must be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified in a timely manner.
4.5. Limitation of Storage Periods

Personal data must be kept no longer than is necessary for the purposes for which the personal data are processed.
4.6. Integrity and Confidentiality

Taking into account the state of technology and other available security measures, the cost of implementation, the likelihood, and the severity of the risks associated with personal data, the Company must use appropriate technical or organizational measures to process personal data in a manner that ensures adequate security of personal data, including protection against accidental or unlawful destruction, loss, alteration, unauthorized access or disclosure.
4.7. Responsibility

Data controllers must comply and be able to demonstrate compliance with the principles set out above.

5. Building Data Protection into Business Processes

In order to demonstrate compliance with the Data Protection Principles, the Organization must build data protection into its business activities/processes.
5.1. Notification of the Data Subject

See below the Fair Processing Guidelines section
5.2. Choice and Consent of the Data Subject

See below the Fair Processing Guidelines section
5.3. Collection

The company should aim to collect the least amount of personal data possible. If personal data is collected by a third party, the solicitor/registered data controller must ensure that the personal data is collected lawfully.
5.4. Use, Storage and Removal

The purposes, methods, storage limitations and retention period of the personal data must be consistent with the information contained in the privacy notice. The company must maintain the accuracy, integrity, confidentiality and relevance of the personal data based on the purpose of the processing. Adequate safeguards designed to protect the personal data must be used to prevent the theft or misuse of the personal data, and to prevent the personal data from being breached. the solicitor/registered as data controller is responsible for complying with the requirements listed in this section.
5.5. Disclosure to Third Parties

Where a company uses the services of a supplier or business partner (third party) to process personal data on its behalf, the lawyer must ensure that this supplier will provide security measures to protect the personal data that are adequate to the risks involved. The GDPR compliance questionnaire for the processor should be used for this purpose.
The company must contractually require the supplier or business partner to provide the same level of data protection. The supplier or business partner must only process personal data necessary for it to perform its contractual obligations to the Company or on the Company's instructions and not for any other purpose. Where the Company processes personal data jointly with an independent third party, the Company must explicitly specify its respective responsibilities and the third party in the relevant contract or other legally binding document, such as the Supplier Data Processing Agreement.
5.6. Cross-border transfer of personal data

Adequate safeguards, including the signing of a data transfer agreement as required by the European Union, must be in place before personal data is transferred outside the European Economic Area (EEA) and, where necessary, authorisation must be obtained from the relevant data protection authority. The undertaking receiving the personal data must comply with the principles for the processing of personal data set out in the cross-border data transfer procedure.
5.7. Right of Access by Data Subjects

When acting as a data controller, the solicitor/registered data controller is responsible for providing data subjects with a mechanism that allows them to have reasonable access to their personal data, and must allow them to update, correct, erase or transmit their personal data if applicable or required by law. The access mechanism will be further described in the data subject access request procedure.
5.8. Data portability

Data subjects have the right to obtain, on request, a copy of the data they have provided to us in a structured format and to transmit this data to another controller free of charge. The lawyer/registered data controller is responsible for ensuring that these requests are processed within one month, are not excessive and do not affect the personal data rights of others.
5.9. The Right to be Forgotten

Upon request, data subjects have the right to obtain from the company the erasure of their personal data. Where the Company acts as Data Controller, the solicitor/registered data controller must take the necessary steps (including technical measures) to inform the third parties using or processing that data (the Data Processor) to comply with the request.

6. Fair Processing Guidelines

Personal data should only be processed with the express permission of the lawyer/ data controller
The company must decide whether to carry out a data protection impact assessment for each data processing activity in accordance with the Data Protection Impact Assessment Guidelines.
6.1. Notices to Data Subjects

At the time of collection or prior to the collection of personal data for any type of processing, including but not limited to the sale of products, services or marketing activities, the lawyer/registered as data controller is responsible for duly informing data subjects of the following: the types of personal data collected, the purposes of the processing, the processing methods, the rights of data subjects with respect to their personal data, the retention period, potential international data transfers, if data is shared with third parties and the measures h This information is provided through a Privacy Notice.
Where personal data is shared with a third party, the solicitor/registered data controller must ensure that data subjects have been notified of this via a Privacy Notice.
Where personal data is transferred to a third country in accordance with the Cross Border Data Transfer Policy, the privacy notice must reflect this and clearly state where and which personal data is being transferred.
Where sensitive personal data is collected, the Data Protection Officer must ensure that the privacy notice explicitly states the purpose for which that sensitive personal data is collected.

6.2. Obtaining Consent

Where the processing of personal data is based on the data subject's consent or on other lawful grounds, the lawyer/registered data controller is responsible for maintaining such consent. the lawyer/registered data controller is responsible for providing consent to data subjects who must give their consent, and must inform and ensure that their consent (where consent is used as a lawful basis for processing) may be withdrawn at any time.
Where the collection of personal data relates to a child under the age of 16, the solicitor/registered data controller must ensure that parental consent is given prior to collection using the parental consent form.
Where required to correct, amend or destroy records of personal data, the solicitor/registered data controller must ensure that these requirements are dealt with within a reasonable time. the solicitor/registered data controller must also record requests and keep a log of them.
Personal data must be processed only for the purposes for which they were originally collected. In the event that the Company wishes to process the Personal Data collected for another purpose, the Company must seek the consent of its data subjects in a clear and concise manner. Any such request must include the original purpose for which the data was collected as well as the new or additional purpose(s). The request must also include the reason for the change of purpose(s). The Data Protection Officer is responsible for ensuring compliance with the rules in this paragraph.
Now and in the future, the solicitor/registered data controller must ensure that collection methods are in accordance with relevant laws, good practice and industry standards.
The solicitor/registered data controller is responsible for creating and maintaining a register of privacy notices.

7. Organization and Responsibilities

The responsibility for ensuring appropriate processing of personal data rests with anyone who works for or with the Company and has access to the personal data processed by the Company.
The following organisational roles and positions are primarily responsible for processing personal data:
The board of directors or other equivalent body decides and approves the company's overall privacy strategies.
The Data Protection Officer (DPO) or other employee responsible for managing the privacy program and responsible for developing and promoting privacy policies as defined in the Data Protection Officer job description;
The Legal Department, together with the Data Protection Officer, monitors and analyses personal data laws and regulatory changes, develops compliance requirements and assists the business in achieving its personal data objectives.
The IT Manager is responsible for:
- Ensuring all systems, services and equipment used to store data meet acceptable security standards.
- Perform regular checks and scans to ensure that hardware and security software are functioning properly.
The Marketing Manager is responsible for:
- Approval of all data protection declarations attached to messages, emails and letters.
- Respond to any data protection queries from journalists or media.
- Where necessary, work with the Data Protection Officer to ensure that marketing initiatives comply with data protection principles.
The Human Resources Manager is responsible for:
- Improving staff awareness of consumer data protection.
- Organising data protection expertise and awareness training for staff working with personal data
- End-to-end employee data protection. This should ensure that employees' personal data is processed on the basis of the employer's legitimate business purpose and need

8. Actions in Response to Personal Data Breach Incidents

Where the Organisation becomes aware of a suspected or actual personal data breach, the solicitor/registered data controller must conduct an internal investigation and take appropriate remedial action in a timely manner, in accordance with the Data Breach Policy. Where there is a risk to the rights and freedoms of data subjects, the Firm must notify the relevant data protection authorities without undue delay and, where possible, within 72 hours.

9. Audit and Accountability

The Audit Department or other authorized department is responsible for verifying/auditing how well business departments are implementing this policy.
Any employee who violates this Policy will be subject to disciplinary action and the employee may also be subject to civil or criminal liabilities if his or her conduct violates laws or regulations.

10. Conflict with the Law

This policy is designed to comply with the laws and regulations of the place of establishment and of the countries in which the Organization operates. In the event of a conflict between this Policy and applicable laws and regulations, the latter shall prevail.
11. Management and storage of records based on this document

Record name Place of storage Responsible for storage Controls to protect records Storage time
Data subject consent forms "LEGAL" The Data Protection Officer Only authorised staff have access to the forms 10 years
Data Subject Consent Waiver Form "LEGAL" The Data Protection Officer Only authorised staff have access to the forms 10 years
Parental consent form LEGAL" The Data Protection Officer Only authorised staff have access to the forms 10 years
Parental consent waiver form "LEGAL" The Data Protection Officer Only authorised staff have access to the forms 10 years
Supplier data processing contracts "LEGAL" The Data Protection Officer Only authorised staff have access to the forms 5 years after expiry of the contract
Register of privacy notices "LEGAL" The Data Protection Officer Only authorised staff have access to the forms Permanent

12. Validity and document management

This document is valid from 24.05.2017.
The owner of this document is the solicitor/registered data controller, they must check and if necessary - update the document at least annually.