PRIVACY AND DATA PROTECTION POLICY
The Applied Research and Communications Foundation is a non-profit legal entity for public benefit, registered in accordance with the provisions of the Law on Non-Profit Legal Entities – UPLNC, company case No. 14390/1991 of the State Court of Civil Registry, re-registered in the Commercial Register and the Register of Non-Profit Legal Entities with UIC 000713587, represented by the Chairman of the Board of Trustees Ognian Shentov. The Association has its registered office in the town of. The registered office of the company is Sofia, ul. “Alexander Zhendov” № 5, tel. 02 973 3000, fax: 02 973 3588, e-mail: email@example.com; website: www.arcfund.net.
The consulting unit ARC Consulting Ltd. is 100% owned by the Foundation and the two legal entities form the Applied Research and Communications Foundation Group (herein referred to as the Foundation).
“ARK Consulting Ltd, is a commercial company with its main activity being the provision of consultancy services in the field of European Union policy and practice, including innovation, information and communication technologies. “ARK Consulting Ltd. is registered in the Commercial Register and the Register of Non-Profit Entities with UIC 175139043, registered office in Sofia, Bulgaria. Sofia, ul. 5 “Aleksandar Zhendov”, tel. 02 973 3000, fax 02 973 3588, e-mail: firstname.lastname@example.org.
The two organizations leverage each other’s human, physical and financial resources to better realize their goals and mission.
This Privacy and Data Protection Policy has been prepared as a single document of the Applied Research and Communications Foundation Group, in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
With this Policy, the Applied Research and Communications Foundation Group takes into account the privacy of individuals and makes efforts to protect against unlawful processing of personal data of individuals. This document contains information regarding the type of personal data collected, the purpose of the use of the personal data collected, third party access to that data, the security measures that are taken with respect to the personal data collected, and the options available to individuals regarding the use of the personal data they provide. All personal data is collected and processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the legislation in force in Bulgaria in the field of personal data protection.
The processing of personal data is carried out in compliance with the following principles:
- fairness and transparency
- the relevance of the processing to the purposes;
- accuracy and timeliness;
- data minimisation;
- storage limitation;
- accountability, integrity and confidentiality;
- user consent to data processing.
Types of data, for what purposes and on what basis they are processed
- Physical and social identity data in the following areas:
- In connection with the performance of activity under an employment or civil contract – name, date and place of birth, personal identification number, date and place of issue, permanent and current address, contact telephone numbers, e-mail, bank account.
- In relation to recruitment and admission of trainees – names, contact phone number, address, e-mail, CV with description of education, professional and work experience; diplomas, certificates, references from previous employers; cover letter;
- Regarding participation in events – name, institution, email/phone;
- In connection with project applications, project implementation, contracting and contract execution – name, institution, email/phone, bio, bank account, mailing address.
- Individual categories of personal data, conditioned by the specific activity or regulatory requirement, in the following areas:
- In relation to opinion polls/interviews/focus groups – name, email; data revealing membership of a vulnerable group, ethnicity;
- In connection with the organization of business trips in the implementation of projects for which the Foundation is a beneficiary – name, identity document details, date and place of birth, address, telephone, e-mail;
- Specific personal data related to the Foundation’s functions as the operator of an Internet hotline to combat child pornography under contract with the European Commission, the International Association of Internet Hotlines, the Ministry of the Interior and Interpol:
- Maintaining internal databases of user reports of online child sexual exploitation, as well as a Child Online Advice Line. Users are duly informed on the respective reporting site about the possibility to report completely anonymously, and that if they want to receive feedback on the progress of the report, they can provide a contact channel of their choice – email, phone, or both. The Foundation for Applied Research and Communications undertakes not to disclose this data to third parties except for the purpose of investigative and procedural actions, which is done with the consent of the sender. The consent of the sender is not required where there is reasonable suspicion that a risk to the life, health or welfare of a child exists, where in accordance with legal obligations the information is provided to the competent child protection authority.
- In order to comply with legal provisions, the Applied Research and Communications Foundation collects parental consents for training and for participation in relevant activities with minors, containing the names of the parent and the child.
- The purpose of the processing of personal data is to uniquely identify individuals who are currently or in the future will carry out an activity entrusted to them by the Foundation, contractors, invitees and participants in events carried out in connection with the implementation of the Foundation’s activities. The processing is in relation to:
- The fulfilment of statutory obligations arising from the specific requirements of the legislation governing financial and accounting reporting, pension, health and social security activities, human resources management;
- The performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract;
- Performance of activities by the Prological Research and Communications Foundation – for one or more specific purposes with the consent of the data subject; for the purposes of the legitimate interests of the Foundation or of a third party with the consent of the data subject, such as: sending invitations to participate in project applications, news and announcements regarding their implementation; submitting project proposals; sending invitations, news and announcements regarding events organized by the Foundation; distribution of publications/newsletters.
- Grounds for processing:
- Conclusion of employment and civil contracts;
- With the explicit, clear and informed consent of the data subject, which may be withdrawn at any time.
- Legal obligation for data processing: the Accounting Act, the Value Added Tax Act and other applicable regulations.
Measures for the security of personal data, access to personal data of third parties, methods and time limits for their storage
- In accordance with the applicable regulations for the protection of personal data, the Applied Research and Communications Foundation Group observes procedures to prevent unauthorized access and improper use of personal data. Business systems and procedures have been developed to protect and ensure the safety of personal data; procedures are used to ensure security and technical and physical prohibitions on access and use of personal data on the available servers. Access to the subjects’ personal data is only available to authorized personnel for the implementation of the Foundation’s spheres of activity.
- Personal data provided is not used for commercial or marketing purposes.
- Personal data may be provided to third parties only in connection with the fulfillment of a specific contractual obligation for the implementation and management of programs and projects for free financing or activities for the fulfillment of other contractual obligations, and with the express consent of the data subject.
- Personal data may be provided to National Audit Authorities, auditors of the European Commission, the European Anti-Fraud Office, the European Court of Auditors, the Council for the Coordination of the fight against offences affecting the financial interests of the European Communities, funding institutions. They may carry out on-the-spot checks on the implementation of the projects on which the Foundation is working, examine accounting documents and any other documents relating to the financing of the project and containing personal data.
- Personal data shall be kept for as long as is necessary for the performance of the activities included in the scope of activities of the Applied Research and Communications Foundation and the Bulgarian legislation in force.
- The collected personal data shall be stored on paper and technical media in accordance with their category and the legal basis for their processing.
- The retention periods are in accordance with the Bulgarian legislation, and in cases where there are none, as follows:
- for data collected in recruitment procedures – 3 years
on the recruitment of trainees – 1 year
- for participants in project applications – 5 years
- for participants in projects and events – 7 years after the end of the project, in view of the requirements of the funding organisation of the specific project for the retention of documents, as well as the possibility for external auditors to carry out on-site inspections of the implementation of the project concerned and to carry out a full audit of any documents relevant to the project.
- Internal databases of user reports of online child sexual exploitation are stored on servers that perform this function only, are not accessible outside the organisation’s internal network and are protected by hardware and software firewalls.
- Parental consents for training and against minors are stored on paper in a locked cabinet in a room with limited access until the relevant child reaches the age of majority.
Personal data is stored until the data subject expresses an explicit wish to have his data deleted, and if this does not harm the Foundation’s legitimate interests.
- for data collected in recruitment procedures – 3 years
Rights of data subjects
Natural persons whose personal data are processed have the following rights:
- Right to be informed about the data that identifies the Applied Research and Communications Foundation, the purposes of personal data processing, the recipients or categories of recipients to whom the data may be disclosed, the mandatory or voluntary nature of the provision of personal data and the consequences of a refusal to providing them.
- Right of access to data relating to them. In cases where, upon granting the right of access to the data subject, personal data may also be disclosed to a third party, the administrator is obliged to grant partial access to them without disclosing data to the third party.
The right to object to the Foundation against the processing of their personal data if there is a legal basis for this.
- Right to correct or supplement inaccurate or incomplete personal data.
- Right, instead of erasure, to limit the processing of personal data in certain cases.
- Right to be “forgotten”, i.e. request that personal data be deleted in the presence of any of the following grounds:
- личните данни вече не са необходими за целите, за които са били събирани или обработвани по друг начин;
- в случай че е оттеглено съгласие за обработване;
- личните данни се обработват незаконосъобразно;
- в случай, че са възразили срещу обработването на личните данни;
- други случаи, предвидени в законодателството, уреждащо защитата на личните данни.
- Право на защита пред КЗЛД https://www.cpdp.bg/ или по съдебен ред.
Consequences of refusal to provide personal data
- Explicit consent of natural persons whose data is processed is not necessary if there is a legal basis for processing personal data, for example a legally established obligation in connection with the requirements of labor, tax and social security legislation, the Law on Obligations and Contracts, the Law on accounting, the Law on Measures against Money Laundering, the Law on Measures Against the Financing of Terrorism, etc.
- The refusal to voluntarily provide requested personal data or the withdrawal of consent to the use or processing of personal data may result in the inability of data subjects to benefit from certain information provided by the Foundation “Applied Research and Communications” or opportunities to participate in the activities of the organization.
Order for exercising rights
- Individuals exercise their rights by submitting a written application to the “Applied Research and Communications” Foundation on paper or by e-mail to email@example.com, with the subject “Request for personal information”, containing at least the following information:
- name, address and other identification data of the relevant natural person;
- description of the request;
- preferred form of information provision;
- signature, date of submission of the application and address for correspondence.
- The procedure for exercising the rights of an individual in relation to his personal data is free for the individual. However, the administrator may refuse to provide free information to a person whose data is being processed if the same person makes inquiries about it at excessively short time intervals.
- In order to avoid abuses, when an application is submitted by an authorized person, a notarized power of attorney is attached to the application.
The websites maintained by the Foundation for Applied Research and Communications use “cookies” to collect traffic statistics and speed up the loading of the sites on the user’s device, which is duly described in each of the sites:
Terms and definitions used
In terms of this Policy:
- “Personal data” means any information relating to an identified natural person or a natural person who can be identified directly or indirectly, in particular by an identifier such as a name, an identification number or by one or more specific characteristics.
- “Processing of personal data” means any operation or set of operations performed on personal data or a set of personal data by automatic or other means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, use, arrangement or combination , restriction, deletion or destruction.
- “Administrator of personal data” is the “Applied Research and Communications” Foundation, which alone or jointly/through outsourcing to another person processes personal data.
The present Personal Data Protection Policy of the “Applied Research and Communications” Foundation was approved by Order of the Chairman of the Board of Trustees on 05/22/2018 and comes into force from the same date.