Privacy policy
Mandatory information on individuals’ rights in relation to the protection of personal data
(Privacy notice)
Information on the Foundation which processes your data:
Name
Ghena Dimitrova Foundation
Unified Identification Code (UIC)
205403427
Seat and address of management
Mladost 1 Residential District, Block 98V, Entrance B, Apt. 56, Studentski Region, 1797 Sofia
Correspondence address
Mladost 1 Residential District, Block 98V, Entrance B, Apt. 56, Studentski Region, 1797 Sofia
Tel.
+359 897 296 377
E-mail
foundationghenadimitrova@gmail.com
Website
https://ghenadimitrova.info/
Information on the competent supervisory authority for the protection of personal data:
Name
Commission for Personal Data Protection
Seat and address of management
2, Prof. Tsvetan Lazarov Blvd., 1592 Sofia
Correspondence address
2, Prof. Tsvetan Lazarov Blvd., 1592 Sofia
Tel.
02 915 3 518
Website
www.cpdp.bg
The GHENA DIMITROVA public benefit foundation (hereinafter referred to as the “Controller” and/or the “Foundation”) carries out its activities in accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. This information is intended to inform you about all aspects of the processing of your personal data by the Foundation and the rights you have with regard to this processing.
Grounds for collecting, processing and storing your personal data
Article 1. The Controller shall collect and process your personal data in connection with entering into and performance of contracts with the Foundation, applying for a job with the Foundation and sending enquiries to the Foundation on the grounds of Article 6, paragraph 1 of Regulation (EU) 2016/679 (GDPR), and in particular on the following grounds:
- In order to take steps at your request to enter into a contract if you are a candidate for a job with us;
- For the performance of a contract or in order to take steps to enter into a contract with partners and donors;
- Explicit consent from you;
- For compliance with a legal obligation to which the Controller is subject;
- For the purposes of the legitimate interests pursued by the Controller or by a third party.
Purposes and principles of collecting, processing and storing your personal data
Article 2. (1) We shall collect and process the personal data you provide to us in connection with applying for a job with us and entering into a contract with the Foundation, including for the following purposes:
- selection of job candidates;
- conclusion and performance of a contract with a partner or donor and its administration;
- individualisation of a party to the contract;
- accounting purposes;
- statistical purposes;
- contacting website visitors in order to respond to enquiries.
(2) We shall comply with the following principles when processing your personal data:
- lawfulness, fairness and transparency;
- limitation of the purposes of processing;
- relevance to the purposes of the processing and minimisation of data collected;
- accurate and up-to-date data;
- limitation of storage with a view to achieving the purposes;
- integrity and confidentiality of the processing and ensuring an appropriate level of security of the personal data.
(3) When processing and storing personal data, the Controller may process and store personal data in order to protect, inter alia, its legitimate interests and perform its legal obligations as follows:
- performance of its obligations to the National Revenue Agency, the Ministry of Interior and other state and municipal authorities.
What types of personal data our company collects, processes and stores
Article 3. The Foundation shall perform the following operations with the personal data provided by you for the following purposes:
- Conclusion and performance of an employment or civil contract: For the selection of job candidates, we shall process the personal data which you have sent us in your curriculum vitae and which we need for your individualisation, for making contact with you and for assessing your qualifications for the relevant position.
Conclusion of the impact assessment: Based on the impact assessment carried out, the operation “Conclusion and performance of an employment or civil contract” is permissible to carry out and provides sufficient guarantees for the protection of the rights and legitimate interests of data subjects in accordance with the requirements of the GDPR.
- Conclusion and performance of contracts with a partner: The purpose of the operation shall be the conclusion and performance of a contract with a partner and its administration. In individual cases, the purpose of the operation may also be the protection of the legitimate interests of the Foundation in the performance of the contract.
Conclusion of the impact assessment: In view of the small volume of natural persons whose data shall be processed and the limited amount of personal data to be collected, an impact assessment is not necessary for this operation.
- Conclusion and performance of a donation contract: The operation’s purpose shall be the conclusion and performance of a contract with a donor and its administration. In individual cases, the purpose of the operation may also be the protection of the legitimate interests of the Foundation in the performance of the contract.
Conclusion of the impact assessment: In view of the small volume of natural persons whose data shall be processed and the limited amount of personal data to be collected, an impact assessment is not necessary for this operation.
- Processing of enquiries sent through the form and contact details on the website: The purpose of this operation shall be to establish contact with the enquirer by email for the purpose of identifying the data subject as the enquirer and sending a response to the enquiry. In view of the limited scope of the personal data collected, it is not necessary to carry out an impact assessment for this operation.
Conclusion of the impact assessment: In view of the small volume of natural persons whose data shall be processed and the limited amount of personal data to be collected, an impact assessment is not necessary for this operation.
Article 4. (1) The Foundation shall process the following categories of personal data and information, for the following purposes and on the following grounds:
- Data relating to job candidates (names, address, contact details and qualification and work experience data, photographic image, additional data provided by the candidate)
- Purpose for which the data shall be collected: 1) Individualisation of the candidate, 2) Making contact with the candidate and 3) Selecting the candidates.
- Grounds for processing your personal data: The processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract – Article 6, paragraph 1 (b) GDPR.
- Data for concluding a contract with a partner (names of the legal representatives of legal persons; names and personal identification number of authorised representatives of legal and natural persons; names, personal identification number, address, telephone number and email address of partners – natural persons)
- Purpose for which the data shall be collected: 1) Identification of the natural person as the legal representative of a legal person or trader for the purposes of concluding and performing a contract and preparing tax and accounting documents; 2) Identification of the authorised representative in order to verify his/her representative authority; 3) Identification of a natural person – partner; 4) Making contact with the partner.
- Grounds for processing your personal data: When entering into a contract, a contractual relationship is created between the Controller and you, on which basis we shall process your personal data – Article 6, paragraph 1 (b) GDPR.
- Conclusion and performance of a donation contract (names of the legal representatives of legal persons; names and personal identification number of authorised representatives of natural and legal persons; names, personal identification number, address, telephone number and e-mail address of donors – natural persons)
- Purpose for which the data shall be collected: 1) Identification of the natural person as the legal representative of a legal person or trader for the purposes of concluding and performing a contract and preparing tax and accounting documents; 2) Identification of the authorised representative in order to verify his/her representative authority; 3) Identification of a natural person – donor; 4) Making contact with the donor.
- Grounds for processing your personal data: When entering into a contract, a contractual relationship is created between the Controller and you, on which basis we shall process your personal data – Article 6, paragraph 1 (b) GDPR.
- Data for contacting website visitors in order to send a response to an enquiry made through the form on the Foundation’s website: (names, e-mail address)
- Purpose for which the data shall be collected: 1) Identification of the enquirer and 2) Making contact with the person who made the enquiry through the forms on the website and sending a response to the enquiry.
- Grounds for processing your personal data: Your data for making an enquiry shall be processed on the basis of an explicit consent given – Article 6, paragraph 1 (a) GDPR, and for the purposes of the Controller’s legitimate interests – Article 6, paragraph 1 (f) GDPR, namely for making contact with the enquirer.
(2) The Controller shall not collect or process personal data which:
- reveal racial or ethnic origin;
- reveal political, religious or philosophical beliefs, or trade union membership;
- constitute genetic and biometric data, data concerning health or data concerning sex life or sexual orientation,
unless any of the grounds explicitly listed in Article 9, paragraph 2 GDPR applies.
(3) The personal data shall be collected by the Controller from the persons to whom they relate or from publicly accessible sources and registers.
(4) The Foundation shall not perform automated decision-making with data.
(5) The Foundation shall not collect or process data of persons below the age of 16 years, except with the explicit consent of their parents or legal representatives.
Period of storage of your personal data
Article 5. (1) The Foundation shall store your personal data as a job candidate for a period not longer than the availability of a current job advertisement published on our website or elsewhere. After the expiry of the advertisement or the completion of the selection, the Foundation shall take the necessary steps to erase and destroy all your data without undue delay or anonymise them (i.e. render them in a form that does not reveal your identity), unless you give your explicit consent for your data to continue to be stored and processed in the future.
(2) The Foundation shall store your personal data as a partner or donor for a period of up to 5 years after termination or performance of the contract, and the period may be longer for the purposes of the Foundation’s legitimate interests in judicial or administrative disputes. Accounting documents shall be stored for the relevant statutory period.
(3) The Foundation shall store the personal data of individuals who have made an enquiry through the website form until the individual’s express withdrawal of the given consent.
(4) The Controller shall notify you in the event that the data storage period needs to be extended for compliance with a statutory obligation or in view of the Controller’s legitimate interests or otherwise.
Transfer of your personal data for processing
Article 6. (1) The Controller may, at its own discretion, transfer part or all of your personal data to personal data processors for the fulfilment of the processing purposes to which you have consented, subject to the requirements of Regulation (EU) 2016/679 (GDPR).
(2) The Controller shall notify you in case of an intention to transfer part or all of your personal data to third countries or international organisations.
Your rights in relation to the collection, processing and storage of your personal data
Withdrawal of consent to the processing of your personal data
Article 7. (1) If you do not wish all or part of your personal data which are processed on the basis of your consent to continue to be processed by the Foundation for specific or all processing purposes, you may withdraw your consent to the processing at any time by sending a request in free text or by completing and submitting the form in Appendix No. 1.
(2) The Controller may ask you to verify your identity and that you are the person to whom the data relate by requesting that you present an identity document on the spot.
(3) The withdrawal of consent shall not affect the lawfulness of the processing of the personal data provided by you before the withdrawal.
(4) You may withdraw your consent to the processing of your personal data for direct marketing purposes at any time.
(5) The Controller may continue to process part or all of your data if there is a legal obligation to do so or for the purposes of protecting its legitimate interests.
Right of access
Article 8. (1) You shall have the right to request and obtain confirmation from the Controller as to whether or not personal data relating to you are being processed.
(2) You shall have the right to access the data relating to you, and the information concerning the collection, processing and storage of your personal data.
(3) The Foundation may ask you to verify your identity and that you are the person to whom the data relate.
(4) The Controller shall provide you, upon request, with a copy of the processed personal data relating to you in an electronic or other appropriate form.
(5) Providing access to the data shall be free of charge, but the Controller reserves the right to charge an administrative fee in case of repetitive or excessive requests.
Right to rectification or completion
Article 9. (1) You shall have the right to ask the Controller to:
- rectify inaccurate personal data relating to you;
- complete incomplete personal data relating to you.
(2) The Foundation may ask you to verify your identity and that you are the person to whom the data relate.
Right to erasure (“to be forgotten”)
Article 10. (1) You shall have the right to obtain from the Controller the erasure of part or all of the personal data relating to you and the Controller shall have the obligation to erase them without undue delay where any of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- you withdraw your consent on which the data processing is based and where there is no other legal ground for the processing;
- you object to the processing of personal data relating to you, including for direct marketing purposes, and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in EU or Member State law to which the Controller is subject;
- the personal data have been collected in relation to the offer of information society services.
(2) The Controller shall not be obliged to erase the personal data if the Controller stores and processes them:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by EU or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
- for the establishment, exercise or defence of legal claims.
(3) In the event of exercising your right to be forgotten, the Foundation shall erase all your data, except for the information that is necessary to certify that your right to be forgotten has been fulfilled.
(4) In order to exercise your right to be forgotten, it is necessary to send a request to the Controller in free text or by completing and submitting the form in Appendix No. 2.
(5) The Controller may ask you to verify your identity and that you are the person to whom the data relate.
(6) The Controller shall not erase the data which the Controller is legally obliged to store, including for defending legal claims made against the Controller or proving its rights.
Right to restriction
Article 11. (1) You shall have the right to obtain from the Controller restriction of the processing of data relating to you where:
- you contest the accuracy of the personal data, for a period enabling the Controller to verify the accuracy of the personal data;
- the processing is unlawful, but you oppose the erasure of the personal data and request the restriction of their use only;
- the Controller no longer needs the personal data for the purposes of processing, but they are required by you for the establishment, exercise or defence of your legal claims;
- you have objected to the processing pending the verification whether the Controller’s legitimate grounds override your interests.
(2) The Foundation may ask you to verify your identity and that you are the person to whom the data relate.
Right to portability
Article 12. (1) You may request, at any time, to receive in a machine-readable format the data relating to you which are stored and processed in connection with the use of the Controller’s services by sending an e-mail in free text or by completing and submitting the form in Appendix No. 3.
(2) You may request that the Controller directly transmits your personal data to a controller specified by you, where this is technically feasible.
(3) The Foundation may ask you to verify your identity and that you are the person to whom the data relate.
Right to receive information
Article 13. You may request that the Controller informs you of all recipients to whom the personal data for which rectification, erasure or restriction of processing has been requested have been disclosed. The Controller may refuse to provide this information if it would be impossible or would involve disproportionate effort.
Right to object
Article 14. You may object at any time to the processing by the Controller of personal data related to you and processed for the performance of a task carried out in the public interest or for the protection of the Controller’s legitimate interests, including if they are processed for profiling or direct marketing purposes.
Your rights in the event of a personal data breach
Article 15. (1) If the Controller becomes aware of a breach of your personal data which may result in a high risk to your rights and freedoms, the Controller shall notify you without undue delay of the breach, and of the measures taken or to be taken.
(2) The Controller shall not be obliged to notify you if:
- the Controller has implemented appropriate technical and organisational protection measures in respect of the data affected by the personal data breach;
- the Controller has taken subsequent measures which ensure that the breach will not result in a high risk to your rights;
- notification would involve disproportionate effort.
Persons to whom your personal data shall be provided
Article 16. For the purposes of processing your personal data and providing the service in its full functionality and in view of your interests, the Controller may provide the data to the following persons who are data processors – see the list of data processors. The personal data processors listed shall comply with all lawfulness and security requirements when processing and storing your personal data.
Article 17. The Controller shall not transfer your data to third countries.
Article 18. In the event that your rights hereunder or under the applicable legislation on personal data protection are infringed, you shall have the right to lodge a complaint with the Commission for Personal Data Protection as follows:
Name
Commission for Personal Data Protection
Seat and address of management
2, Prof. Tsvetan Lazarov Blvd., 1592 Sofia
Correspondence address
2, Prof. Tsvetan Lazarov Blvd., 1592 Sofia
Tel.
02 915 3 518
Website
www.cpdp.bg
Article 19. You can exercise all your rights in relation to the protection of your personal data through the forms attached to this information. Of course, these forms are not mandatory and you can make your requests in any form that contains a statement to that effect and identifies you as the data subject.
Article 20. If the consent relates to a transfer, the Controller shall describe the possible risks for the transfer of data to third countries in the absence of an adequacy decision and appropriate safeguards.