1.2. The policy aims to regulate and cover in particular the following issues:
the data processing activities, the categories of data subjects to which the Policy applies, the principles and responsibilities related to the processing;
the obligations of the persons acting under the direction of the Company in the processing of personal data and their liability in case of non-compliance;
rights of data subjects and procedure for their exercise;
procedure for processing personal data based on the consent of the data subjects;
rules for responding to breaches of personal data security;
the applied technical and organizational measures for personal data protection.
1.3. Information about the Company
Street Chefs Ltd.
Entered in the Commercial Register with UIC 203516223
Headquarters and address of management: Sofia, Lozenets district, 55 Korab Planina Str.
Contact address: Sofia, Lozenets district, 55 Korab Planina Str.
Subject of activity: import, export, re-export, wholesale and retail trade and distribution of goods; restaurant, shop, catering, aperitif and confectionery services; production, wholesale and retail sale of all kinds of goods; purchase of goods and other items for resale in original or processed form, including wholesale and retail; sale of goods of own production; commission, construction, construction and repair and installation works; import-export transactions; forwarding and transport transactions; hotel, tourist, tour operator and travel agency services; advertising, car rental (rent a car), information, software, impresario or other services; commercial representation and mediation (including real estate); purchase, construction or furnishing of real estate for sale; intellectual property transactions; marketing, engineering, investment, warehousing, leasing, innovation and consulting services, as well as any other activities, services and transactions not prohibited by law.
Contact email: firstname.lastname@example.org
2. Terms and abbreviations used
All terms and abbreviations that are not explicitly defined in the Policy have the meaning defined in the Regulation.
3. Activities for personal data processing
3.1. Principles of personal data processing
The processing of personal data by the Company is subject to the principles of lawfulness, fairness and transparency, and of data minimisation. The personal data processed are limited to what is necessary in relation to the purposes for which they are processed. Personal data are collected for specific, explicit and legitimate purposes and are not further processed in a way incompatible with those purposes. Personal data are accurate and, where necessary, kept up to date. Personal data are stored in a form that allows the identification of the data subject for no longer than is necessary for the purposes for which the personal data are processed. Personal data are processed in a way that ensures an adequate level of security, including protection against unauthorized or unlawful processing and against accidental loss, disclosure, destruction or damage, applying appropriate technical or organizational measures, in accordance with the principles of ongoing confidentiality, integrity, availability and resilience of processing systems and services.
3.2. Categories of data subjects. Categories of personal data and purposes of processing.
3.2.1. The Company has the right to process personal data about its customers, employees and other data subjects as follows:
clients (individuals) of the Company in its main activity of offering and trading in cosmetic products, in respect of which personal data may be processed such as IP address, e-mail address, telephone number, MAC address, address (postal and delivery), information on invoicing and acceptance of bank payments, etc. The processing purposes for this category of data subjects include: (i) acceptance, processing and execution of orders for the products and/or services offered by the Company, including through the use of the Company's website; (ii) storage of tax and accounting records; (iii) compliance with legislative requirements; (iv) purposes related to the legitimate interests of the Company; (v) purposes for which the data subject has consented to the processing of his or her data;
potential, current and/or former employees of the Company, and natural persons who are or have been in a contractual relationship with the Company under civil contracts; candidates for work or for concluding a civil contract as external contractors, i.e. natural persons who are not in employment or contractual relations with the Company but wish to enter into such, in respect of which personal data may be processed such as: the three names; PIN / LNC / official number; date of birth; address; data on previous work or professional experience, education and qualification, and disciplinary responsibility exercised; bank account information (IBAN, when paying by bank transfer); contact details (phone number, e-mail address); other data required by the applicable legislation for the conclusion and execution of an employment or civil contract; data directly related to the execution of the contracts concluded with these persons (e.g. data from logs or from the activity of the persons in the systems maintained by the Company, such as order entry systems, with a view to performing the functions assigned to the persons); IP address, etc. The purposes of processing in relation to this category of data subjects include: (i) exploring the possibility of concluding, and concluding, an employment or civil contract with data subjects; (ii) maintaining tax and accounting records; (iii) compliance with legal requirements; (iv) purposes related to the legitimate interests of the Company; (v) purposes for which the data subject has consented to the processing of his or her data.
co-contractors and partners (individuals) under contracts for advertising and promotion of products offered by the Company, for which the Company may collect personal data in the form of photographic images. The purposes of processing in respect of this category of data subjects include: (i) execution of contracts for advertising or promotion; (ii) purposes related to the legitimate interests of the Company; (iii) purposes for which the data subject has consented to the processing of his or her data;
other natural persons, and natural persons who are representatives or contact persons of legal entities, that have contact with the Company (including, but not limited to, suppliers, business contacts, subcontractors, business partners, etc.), for the purposes of carrying out and/or managing the activity of the Company;
other natural persons, representatives by law or power of attorney, of natural persons - clients of the Company.
3.2.2. The Company retains personal data for the longer of the period required to comply with applicable laws and regulations and any other period required by the Company's business or its activities as an employer or contracting authority. The processing of personal data is based on the principle of data minimisation, depending on and for the purposes of providing the services used by the client.
4. Categories of data recipients
The Company may disclose personal data to the following persons:
service providers (consultants, lawyers, accountants, IT specialists, etc.), in connection with the conclusion of contracts in the main activity of the Company, compliance with legal requirements, technical support, etc.;
subcontractors - in providing services on behalf of the Company (distributors, etc.), in connection with the conclusion and execution of contracts for trade in the products offered by the Company;
persons providing services for the provision and maintenance of equipment, software and hardware used for processing (including storage) of personal data, for reporting payments, etc.;
banks, to service payments by data subjects;
public and / or judicial bodies, in and to the extent permitted and / or required by law.
5. Obligations of the Company
The Company has the following obligations:
determines the policies and procedures for protection of the processed personal data according to the applicable legislation;
introduces appropriate technical and organizational measures with a view to the effective application of the data protection principles and to ensure that, by default, only personal data which are necessary for the relevant purpose of the processing are processed;
ensures that data subjects can exercise their data protection rights;
updates the maintained databases and monitors compliance with the requirements for protection, establishes circumstances related to the breach of protection, and takes measures for their elimination;
maintains personal data in a form that allows the identification of the relevant subjects for a period not longer than necessary for the purposes for which the data are processed;
informs the data protection officer, where one is designated;
assists in the implementation of the control functions of the Commission for Personal Data Protection (hereinafter referred to as the "CPDP");
determines the rights of employees to access personal data in information systems in accordance with the purposes of processing;
uses personal data processors that provide sufficient guarantees through the application of appropriate technical and organizational protection measures;
observes certain rules in case of breach of personal data security;
documents breaches of personal data security in accordance with applicable law;
performs a risk assessment in accordance with the requirements of the Regulation and, where the conditions under the Regulation are met, a data protection impact assessment.
6. Obligations of the employees of the Company. Responsibility. Privacy
6.1. The employees of the Company start processing personal data after getting acquainted with:
the legislation in the field of personal data protection;
the Policy and other internal acts of the Company related to the protection of personal data;
the risks to the personal data processed by the Company.
The employees of the Company are obliged to:
to comply with the requirements of the Regulation, other applicable legislation in the field of personal data protection, the Policy and other internal acts of the Company related to personal data protection;
to process personal data only in the presence of a condition for lawful processing, namely: legal grounds for processing; or grounds for processing arising from the contractual relationship with the person or necessary for the possible conclusion of a contractual relationship with the person; or grounds for processing resulting from the express consent of the person; or grounds for processing arising from the legitimate interest of the Company or a third party in accordance with the requirements of the Regulation;
to use personal data in accordance with the purposes for which they are collected and not to further process them in a manner incompatible with those purposes;
not to use the personal data to which they have access in their capacity as employees of the Company, for any personal purposes;
to prevent any possibility of unregulated access to personal data and not to leave personal data accessible and unattended at the respective workplace. In premises accessible to outsiders, the staff concerned shall take steps to ensure that outsiders have no unauthorized access to documents containing personal data, including the ability to view, copy or photograph them by technical means;
where the performance of the relevant activity allows, to limit the use of personal data to the maximum extent;
to ensure and guarantee the observance of the rights of the subjects in connection with the processing of personal data;
not to allow, assist or create conditions for security breaches in the processing of personal data;
not to share or provide to each other or to third parties information essential for data security (their usernames, passwords for access to the systems, etc.);
not to copy files with corporate information containing personal data on portable media in unencrypted (or not password-protected) form;
not to send by e-mail to addresses outside the Company information containing significant volumes of personal data, any special categories of personal data, or other personal data whose unauthorized access may pose a high risk to the rights and interests of the data subjects to which they relate, in files that are not password-protected, encrypted or otherwise pseudonymised;
not to publish personal data about clients or employees of the Company on public websites, etc., without having an adequate legal basis for this;
6.2. Responsibility of employees
6.2.1. All actions that lead or may lead to unauthorized deletion, destruction or alteration of personal data received by the Company in electronic form or on paper, as well as unauthorized sharing or disclosure of personal data by employees of the Company, are prohibited and may give rise to liability of the respective employee (disciplinary, administrative-penal and/or criminal, and/or civil).
6.3. The Company:
ensures that all employees who process personal data on its behalf sign a declaration of confidentiality and non-dissemination of personal data;
informs the employees who process personal data of their obligations related to this processing.
7. Maintaining a Register of personal data processing activities as an administrator
According to the requirements of art. 30, para. 1 of the Regulation, the Company keeps a Register of processing activities as an administrator, which contains the name and contact details of the Company. The register includes a detailed description of all activities for processing personal data according to Art. 30, para. 1 of the Regulation, including the following characteristics: name of the activity (business process, function) for processing; processing purposes; the categories of natural persons for whom personal data are processed; the categories of personal data that are processed in the respective activity; third parties who receive or otherwise participate in the processing of personal data in the activity concerned; where applicable, the transfer of personal data to a third country outside the EU; the envisaged time limits for storage and deletion of the different categories of personal data, where possible; a general description of the technical and organizational security measures, where possible.
8. Maintaining a Register of personal data processing activities as a processor
If, in view of the activities of the Company, the need arises for it to maintain a Register of personal data processing activities as a processor within the meaning of Art. 30, para. 2 of the Regulation, the Company will create and maintain such a Register in the form, volume and content required by the applicable legislation.
9. Data Protection Officer
The Company will designate a Data Protection Officer (hereinafter referred to as the DPO) in the event that such appointment is or becomes necessary in accordance with the applicable legal requirements for personal data protection.
10. Rights of data subjects
The Company ensures the exercise of the following rights of data subjects:
right to information when collecting personal data from the data subject;
the right of access to the data subject's data, in particular: (i) confirmation of whether personal data of the data subject are processed by the Company; (ii) access to the data through a copy of the data being processed, as well as information about the purposes of the processing; the categories of personal data; the recipients or categories of recipients to whom the personal data are or will be disclosed; the storage periods for the personal data; the existence of a right to correct or delete personal data, to restrict the processing of personal data, or to object to the processing; the right to lodge a complaint with the CPDP; the sources of the personal data; the existence of automated decision-making, including profiling.
right of rectification, i.e. to require the correction or completion of his or her personal data if they are inaccurate or incomplete;
the right to have personal data deleted where the grounds provided for in the Regulation are met;
right to limit processing;
right to data portability;
right to object;
the right of the data subject not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her;
giving, changing or withdrawing consent for the processing of personal data, when the basis for the processing is the consent of the data subject.
Data subjects may exercise their rights by submitting a written application to the Company in one of the following ways:
by e-mail to the above e-mail address of the Company, signed with a qualified electronic signature (hereinafter referred to as "QES") within the meaning of the Electronic Document and Electronic Certification Services Act;
by mail to the contact address of the Company, by sending an application with a notarized signature to ensure identification of the applicant; where the application is submitted by a legal representative of the applicant or by a representative authorized with a notarized power of attorney, the application shall also contain a notarized signature of the signatory.
Applications shall be considered without undue delay. Within one month from the submission of the application, the Company notifies the data subject of the actions taken on the application, respectively the reasons for not taking action and the possibility of filing a complaint to a supervisory authority and seeking protection in court. If action is taken on the application, the time limit for notifying the data subject of such action may be extended to a total of three months, taking into account the complexity and number of applications. In this case, the Company notifies the data subject of the extension within the initial one-month period.
The information (which may vary depending on which right of the data subject is exercised) is provided on paper personally to the data subject or to his legal or authorized representative with an explicit notarized power of attorney. If the application is submitted by e-mail, the information is also provided by e-mail to the e-mail address from which the application originates, in password-protected files.
11. Consent of the data subject as a basis for processing
11.1. The basis
In cases where the basis for the processing of personal data is consent within the meaning of the Regulation, consent should be given personally by written declaration, in electronic form, or in another manner specified by the Company that ensures that the consent is freely given, specific, informed and unambiguous.
11.2. Data subjects
The Company may collect consents for all categories of data subjects for which personal data is processed, including customers, employees and persons with whom the Company has entered into civil contracts for the provision of services or orders, etc.
The Company provides an opportunity for data subjects to easily change or withdraw their consent, without adverse legal consequences for them, where this is objectively possible. Changes or withdrawal of consent are made by the data subjects in the same manner in which the consent was collected. In case of partial or complete withdrawal of consent, where the processing of personal data is carried out on this basis, the Company may be unable to provide the service requested by the client or to perform the activity for which the personal data were required. The withdrawal of consent does not affect the lawfulness of the processing based on the given consent up to the moment of its withdrawal.
11.4. Collecting consents
Consents are collected in one of the following ways:
personally, in the contact office - for clients of the Company;
by e-mail - for current employees;
through a licensed postal operator with notarization of the statement of consent; or
by a statement of consent signed with QES and sent by e-mail.
11.5. Giving and withdrawing consents online
In cases where the consent to the processing of personal data by the Company is required in view of services provided by the Company that are requested or provided online, this consent is obtained (and, respectively, withdrawn) online as well.
Consents for personal data processing are registered and stored by the Company, in the form and volume possible for such storage.
12. Processing of personal data by the Company through a processor of personal data
For the performance of its activity the Company may use third parties (subcontractors, distributors, courier service providers, etc.) that process personal data within the meaning of Art. 4, item 8 of the Regulation. Such processors may be:
natural persons employed on civil contracts.
When assigning the processing of personal data to a processor, the Company complies with the following requirements:
processors shall be selected who provide sufficient guarantees for the application of appropriate technical and organizational measures for the protection of personal data;
the conditions for personal data protection are settled in writing between the Company and the processor.
The contracts/agreements that the Company concludes with processors of personal data determine and regulate: the subject matter and term of validity, the purposes and the nature of the processing; the categories of data subjects whose personal data are processed; the type of personal data that the processor will process on behalf of the Company; the rights and obligations of the Company and the processor; the requirements for the technical and organizational protection measures that the processor should apply (the processor may not deviate from those provided for in this Policy); the obligation of the processor to provide assistance in accordance with Art. 31-36 of the Regulation; the obligation of the processor to notify the Company without undue delay after becoming aware of a security breach; and the other requirements for the processor and mandatory conditions under Art. 28, item 3 of the Regulation.
13. Rules for response in case of breach of personal data security
13.1. Detection of a security breach by an employee
In case of a security breach discovered by an employee of the Company, the employee shall immediately notify the management of the Company or the DPO, if one is designated, in writing (and, if possible, also orally), providing the information available to him or her about the nature of the breach, the estimated time of its occurrence or commission, etc.
13.2. Security breach investigation and measures
Without undue delay, the Company shall investigate the facts, analyze and assess the gravity of the breach in view of the risk to the rights and freedoms of data subjects, the number of affected data subjects, etc., and propose appropriate remedial measures or, where remediation is not possible, measures to minimize the identified risks and possible adverse effects.
13.3. Notification to the CPDP
In case of a security breach, the Company notifies the CPDP within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
13.4. Notification of data subjects
Where the security breach is likely to result in a high risk to the rights and freedoms of natural persons, the Company shall communicate the personal data breach to the affected data subjects without undue delay. The notice shall describe the nature of the security breach and shall indicate at least: the name and contact details of the Company; a description of the likely consequences of the breach; and a description of the measures taken or proposed by the Company to address the breach.
The Company has the right not to communicate the breach to the affected data subjects if:
(i) it had implemented appropriate technical and organizational protection measures in advance, and those measures were applied to the affected data (e.g. encryption); and/or
(ii) it has subsequently taken measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize; and/or
(iii) such communication would involve disproportionate effort. In this case, the Company makes a public announcement about the breach on its website and/or through the media in an appropriate manner.
Reports of breaches of personal data security are registered and stored by the Company.
14. Technical and organizational measures for personal data protection
14.1. Technical and organizational measures of the Company as an administrator
In its activities the Company applies the necessary technical and organizational measures to protect personal data from accidental or unlawful destruction or accidental loss, from unauthorized access, alteration or dissemination, and from other unlawful forms of processing. The types of protection are physical, personnel, documentary, protection of automated information systems and/or networks, and cryptographic protection. The technical and organizational measures applied by the Company are listed in detail in Appendix 1 to this Policy, which may be periodically updated.
14.2. Technical and organizational measures of the Company as a processor
Where the Company processes personal data as a processor for other controllers, the specific technical and organizational measures applied by the Company as a processor are determined in individual agreements with the respective controller. In the absence of such a determination, the Company adheres to the technical and organizational measures it applies as a controller.
15. Transfer of personal data outside the European Economic Area (EEA)
The Company may carry out international transfers of data originating in the European Economic Area (EEA) when the European Commission has recognized the non-EEA country concerned as providing an adequate level of data protection. For transfers to non-EEA countries whose level of protection is not recognized by the European Commission, the Company will either rely on a derogation applicable to the specific situation under the Regulation or apply one of the safeguards provided by applicable law. In all other cases, the transfer of personal data outside the EEA is carried out on the basis of the explicit consent of the data subject to the proposed transfer, obtained in compliance with the requirements of the Regulation.