1. Purpose, scope and users

Sofia South Ring Mall EAD, hereinafter referred to as "the Organization" or "the Company", strives to comply with applicable laws and regulations related to the protection of personal data in the countries in which the Company operates. This policy sets out the basic principles by which the company processes the personal data of users, customers, suppliers, business partners, employees and others, and specifies the responsibilities of business departments and employees during the processing of personal data.
This policy applies to the company and its directly or indirectly controlled wholly-owned subsidiaries that operate within the European Economic Area (EEA) or process the personal data of data subjects in the EEA.
The users of this document are all employees, permanent or temporary, and all contractors who work on behalf of the Organization.

2. Reference Documents

• EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EEC). XNUMX / EC)
• Employee data protection policy
• Data storage policy
• Description of the position of the data protection officer
• Guidelines for data inventory and data processing
• Procedure for requesting access to individuals
• Guidelines for assessing the impact of data protection
• Cross-border transfer of personal data procedure
• Infringement notification procedure

3. Definitions

The following definitions of the terms used in this document are defined in the General Data Protection Regulation of the European Union:
'Personal data' means any information relating to an identified or identifiable natural person ('data subject'); a person who can be identified is a person who can be identified, directly or indirectly, in particular by an identifier such as name, identification number, location data, online identifier or one or more features specific to the natural person, the physiological, genetic, mental, intellectual, economic, cultural or social identity of that individual
Sensitive personal data: Personal data, which are inherently particularly sensitive to fundamental rights and freedoms, deserve specific protection, as the context of their processing may create significant risks to fundamental rights and freedoms. These personal data include personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs or trade union membership, genetic data, biometric data for the purpose of uniquely identifying an individual, health data or gender-related data. natural person, life or sexual orientation
Data controller: a natural or legal person, public body, agency or other structure which alone or jointly with others determines the purposes and means for the processing of personal data; where the purposes and means of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for determining it may be laid down in Union law or in the law of a Member State.
Data processor: a natural or legal person, public authority, agency or other entity that processes personal data on behalf of the controller
Processing: any operation or set of operations carried out with personal data or a set of personal data by automatic or other means such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing by transmission, distribution or other way in which data becomes available, sorting or combining, restricting, deleting or destroying
Alias: the processing of personal data in such a way that personal data can no longer be linked to a specific data subject without the use of additional information, provided that it is stored separately and is subject to technical and organizational measures in order to ensure that personal data do not relate to an identified natural person or an identifiable natural person
Cross-border processing: (a) the processing of personal data which takes place in the context of the activities of the places of establishment in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State ; or (b) the processing of personal data which takes place in the context of the activities of a single place of establishment of a controller or processor in the Union but which significantly affects or is likely to significantly affect data subjects in more than one Member State
Supervisory body: an independent public body set up by a Member State in accordance with Article 51 of the Regulation
Leading supervisory authority: the supervisory authority with primary responsibility for carrying out cross-border data processing activities. For example, when a data subject lodges a complaint concerning the processing of his or her personal data, the authority is responsible, inter alia, for receiving notifications of data breaches, notification of risky processing and has full authority over its obligations to ensure compliance. of the provisions of the Regulation
Each "local supervisory authority" will continue to maintain in its own territory and will monitor all local data processing that affects data subjects or that is carried out by a controller, or processor from the EU or outside the EU, when the processing is directed to data subjects residing in its territory. Their tasks and powers include conducting investigations and enforcing administrative measures and fines, promoting public awareness of the risks, rules, security and rights related to the processing of personal data, and access to the premises of the controller and the processor, including equipment and facilities. for data processing
"Principal place of establishment" means: (a) in the case of an administrator established in more than one Member State, the place where its headquarters are located in the Union, except where decisions concerning the purposes and means of processing personal data are data shall be taken at another place of establishment of the controller in the Union and that place of establishment shall have the power to apply those decisions, in which case the place of establishment where those decisions were taken shall be considered as the principal place of establishment; (b) in the case of a processor established in more than one Member State, the place where its head office is located in the Union or, if the processor does not have a head office in the Union, the place where the processor is established in the Union, where the main processing activities are carried out in the context of the activities at a given place of establishment of the processor, in so far as the processor has specific obligations under the Regulation
Group company: the controlling company and the companies controlled by it

4. Basic principles concerning the processing of personal data

The data protection principles outline the main responsibilities for data processing organizations. Article 5 (2) of the EU GDPR states that "the administrator shall be responsible and able to demonstrate compliance with the principles."
4.1. Legality, Honesty and Transparency

Personal data must be processed lawfully, fairly and transparently in relation to the data subject.
4.2. Restriction of Purpose

Personal data must be collected for specific, explicit and lawful purposes and not processed in a way that is incompatible with those purposes.
4.3. Data Minimization

Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. The company should apply anonymity or pseudonymation of personal data, if possible, to reduce the risks for the data subjects concerned.
4.4. Accuracy

Personal data must be accurate and, if necessary, updated; reasonable steps must be taken to ensure that inaccurate personal data, taking into account the purposes for which they are processed, are deleted or corrected in a timely manner.
4.5. Limitation of Storage Periods

Personal data must be stored no longer than the time required for the purposes for which the personal data are processed.
4.6. Integrity and Confidentiality

Taking into account the state of technology and other available security measures, the costs of implementation, the likelihood and severity of risks associated with personal data, the Company must use appropriate technical or organizational measures to process personal data in a way that ensures adequate security of personal data. personal data, including protection against accidental or unlawful destruction, loss, alternation, unauthorized access or disclosure.
4.7. Responsibility

Data controllers must be accountable and able to demonstrate compliance with the principles set out above.

5. Building Data Protection in Business Processes

In order to demonstrate compliance with data protection principles, the Organization must build data protection in its business activities / processes.
5.1. Notification of the Data Subject

See the Guidelines for Conscientious Processing section below
5.2. Choice and Consent of the Data Subject

See the Guidelines for Conscientious Processing section below
5.3. Collection

The company should strive to collect as little personal data as possible. If the personal data is collected by a third party, the lawyer / registered as a personal data controller must ensure that the personal data is collected legally.
5.4. Use, Store and Remove

The purposes, methods, limitation of storage and retention period of personal data must correspond to the information contained in the privacy notice. The company must maintain the accuracy, integrity, confidentiality and relevance of personal data based on the purpose of the processing. Adequate safeguards designed to protect personal data must be used to prevent theft or misuse of personal data and to prevent the breakage of personal data. the lawyer / registered as a personal data controller is responsible for compliance with the requirements listed in this section.
5.5. Disclosure to Third Parties

When a company uses the services of a provider or business partner (third party) to process personal data on its behalf, the lawyer must ensure that that provider provides security measures to protect personal data that is adequate to the data relating to them. risks. For this purpose, the GDPR compliance questionnaire for the processor should be used.
The company must contractually require the provider or business partner to provide the same level of data protection. The Provider or the business partner must process only personal data necessary for him to fulfill his contractual obligations to the Company or by order of the Company, and not for other purposes. When the Company processes personal data together with an independent third party, the Company must explicitly specify its respective responsibilities and the third party in the relevant contract or other legally binding document, such as the Agreement on data processing by suppliers.
5.6. Cross-border transfer of personal data

Before transferring personal data outside the European Economic Area (EEA), adequate safeguards must be used, including the signing of a data transfer agreement as required by the European Union, and, if necessary, permission from the relevant authority. data protection. The undertaking receiving the personal data must comply with the principles for the processing of personal data set out in the cross-border data transfer procedure.
5.7. Right of Access by Data Subjects

When acting as a data controller, the lawyer / registered as a data controller is responsible for providing data subjects with a mechanism that allows them to have reasonable access to their personal data and must allow them to update, correct, delete or transmit their personal data, if applicable or required by law. The access mechanism will be further described in the procedure for requesting access to the data subject.
5.8. Data portability

Data subjects have the right to receive on request a copy of the data they have provided to us in a structured format and to transmit this data to another controller free of charge. the lawyer / registered as a controller of personal data is responsible for ensuring that these requests are processed within one month, are not excessive and do not affect the personal data rights of others.
5.9. The right to be Forgotten

Upon request, data subjects have the right to receive from the company the deletion of their personal data. When the Company acts as a Data Administrator, the lawyer / registered as a personal data controller must take the necessary actions (including technical measures) to inform the third parties who use or process this data (the Data Processor) to comply with the request.

6. Guidelines for Conscientious Processing

Personal data should only be processed with the express permission of the lawyer / controller
The company must decide whether to perform a data protection impact assessment for each data processing activity in accordance with the Data Protection Impact Assessment guidelines.
6.1. Notices to Data Subjects

During the collection or prior to the collection of personal data for any type of processing, including, but not limited to, the sale of products, services or marketing activities, the lawyer / registered as personal data controller is responsible for properly informing data subjects of the following: personal data the data collected, the purposes of the processing, the processing methods, the rights of the data subjects with regard to their personal data, the retention period, the potential international data transfers if the data are shared with third parties and the security measures of the protection company of personal data. This information is provided through a Privacy Notice.
When sharing personal data with a third party, the lawyer / registered as a data controller must ensure that the data subjects have been notified through a Privacy Notice.
When personal data are transferred to a third country, in accordance with the Cross-Border Data Transfer Policy, the privacy notice must reflect this and clearly indicate where and which personal data are transferred.
When sensitive personal data is collected, the Data Protection Officer must ensure that the privacy notice explicitly states the purpose for which this sensitive personal data is collected.

6.2. Obtaining Consent

Where the processing of personal data is based on the consent of the data subject or on other legal grounds, the lawyer / registered as controller of personal data is responsible for maintaining such consent. the lawyer / registrar is responsible for giving consent to the data subjects who have to give their consent and must inform and ensure that their consent (when the consent is used as a legal basis for processing) can be withdrawn at any time.
When the collection of personal data relates to a child under the age of 16, the lawyer / registered as a data controller must ensure that parental consent is given prior to the collection, using the parental consent form.
Where personal data records are required to be corrected, amended or destroyed, the lawyer / registrar must ensure that these requests are processed within a reasonable time. the lawyer / registered as a data controller must also record the requests and keep a diary of them.
Personal data should only be processed for the purposes for which they were originally collected. In case the Company wants to process the collected personal data for another purpose, the Company must seek the consent of its data subjects in a clear and short time. Each such request must include the original purpose for which the data were collected, as well as the new or additional purpose (s). The request must also include the reason for the change of purpose (s). The Data Protection Officer shall be responsible for compliance with the rules in this paragraph.
Now and in the future, the lawyer / registered as a controller of personal data must ensure that the collection methods comply with relevant laws, good practices and industry standards.
the lawyer / registered as a personal data controller is responsible for creating and maintaining a register of confidentiality notices.

7. Organization and Responsibilities

The responsibility for ensuring proper processing of personal data is borne by anyone who works for or with the Company and has access to the personal data processed by the company.
The main responsibilities in the processing of personal data are the following organizational roles and positions:
The board of directors or other equivalent body makes decisions and approves the company's overall data protection strategies.
The Data Protection Officer (DPO) or another employee responsible for the management of the personal data protection program and responsible for the development and promotion of personal data protection policies, as defined in the job description of the Data Protection Officer ;
The Legal Department, together with the Data Protection Officer, monitors and analyzes personal data laws and regulatory changes, develops compliance requirements, and assists businesses in achieving their personal data goals.
The IT Manager is responsible for:
• Ensuring that all systems, services and equipment used for data storage meet acceptable security standards.
• Perform regular inspections and scans to ensure that security hardware and software function properly.
The Marketing Manager is responsible for:
• Approval of all data protection declarations attached to messages, emails and letters.
• Answer any data protection inquiries from journalists or the media.
• Work with the data protection officer when necessary to ensure that marketing initiatives adhere to data protection principles.
The Human Resources Manager is responsible for:
• Improving the awareness of employees about the protection of personal data of users.
• Organizing expertise for personal data protection and training to raise awareness of employees working with personal data
• Protection of personal data of employees from end to end. This should ensure that employees' personal data is processed based on the legitimate business objectives and needs of the employer.

8. Actions in response to Incidents of Personal Data Violation

When the Organization becomes aware of an alleged or actual breach of personal data, the lawyer / registrar must conduct an internal investigation and take appropriate remedial action in a timely manner, in accordance with the data breach policy. Where there is a risk to the rights and freedoms of data subjects, the Company must notify the relevant data protection authorities without undue delay and, where possible, within 72 hours.

9. Audit and Accountability

The audit department or other authorized department is responsible for verifying / auditing how well the business departments are implementing this policy.
Any employee who violates this Policy will be subject to disciplinary action and the employee may also be subject to civil or criminal obligations if his or her conduct violates laws or regulations.

10. Conflict with the Law

This policy is designed to comply with the laws and regulations of the place of establishment and the countries in which the Organization operates. In the event of a conflict between this Policy and applicable laws and regulations, the latter shall prevail.
11. Management and storage of records based on this document

Record name Storage location Storage manager Record protection controls Storage time
Forms of consent of the data subject “LEGAL” The Data Protection Officer Only authorized employees have access to the forms 10 years
Form for refusal of consent of the Data Subject “LEGAL” The Data Protection Officer Only authorized employees have access to the forms 10 years
Parental consent form LEGAL ” The Data Protection Officer Only authorized employees have access to the forms 10 years
Form for refusing parental consent “LEGAL” The Data Protection Officer Only authorized employees have access to the forms 10 years
Contracts for data processing of suppliers “LEGAL” The Data Protection Officer Only authorized employees have access to the forms 5 years after the expiration of the contract
Register of privacy messages “LEGAL” The Data Protection Officer Only authorized employees have access to the forms Constantly

12. Validity and document management

This document is valid from 24.05.2017.
The owner of this document is the lawyer / registered as a controller of personal data, he must check and if necessary to - update the document at least once a year.