Personal Data Protection Policy of non-profit organisation Trinoga association
Adopted by decision of non-profit organisation Trinoga association of 18 May 2018
I.General provisions and definitions
Art. 1. (1) The accompanying Personal Data Protection Policy of the non-profit organization (association) Trinoga (Trinoga) shall apply to the non-profit organization (association) Trinoga and is based on the personal data protection requirements and principles adopted by virtue of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Regulation (EU) 2016/679 or General Data Protection Regulation).
(2) Non-profit organization Trinoga association, VAT no 175102568, with headquarters and management address: Bulgaria, post code 2267, village of Zhelen, Bukor area, Teacher‘s house is personal data controller in the meaning of Regulation (EU) 2016/679 and the Personal Data Protection Act.
Art. 2. The terms listed below have the meanings assigned to them in the Regulation (EU) 2016/679 (General Data Protection Regulation) and the accompanying Policy:
(a) Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(b) Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(c) Controller means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by European Union or Member State law, the controller or the specific criteria for its nomination may be provided for by European Union or the law of the Republic of Bulgaria;
(d) Data subject is an identified or identifiable natural person who can be identified, directly or indirectly, based on particular information representing personal data;
(e) Legitimate interest of Trinoga or of a third party, where the latter prevail over the interests or the fundamental rights and freedoms of the data subject (the customer), for example for the purpose of preventing crime, including fraud, preventing money laundering and financing of terrorism, other lawful objectives.
Art. 3. Trinoga acknowledges the privacy of natural persons and makes efforts to protect them against any unlawful processing of their personal data. Trinoga applies the relevant measures to protect the personal data of natural persons in accordance with the effective legislation.
Art. 4. The accompanying Personal Data Protection Policy of Trinoga is aimed to inform natural persons regarding the objectives and grounds for the processing of personal data, the rights of the data subjects, categories of recipients to which data may be disclosed, the statutory or voluntary nature of the provision of data, information as to the right of access and the right for rectification of data collected in accordance with the Personal Data Protection Act.
- Processing of personal data
Art. 5. Trinoga in its capacity as controller of personal data, processes personal data in a manner that ensures appropriate level of security, including protection against unauthorised or illegal processing and against accidental loss, destruction or damage, while applying suitable technical and / or organisational measures in compliance with the following principles:
(a) lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
(b) data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“appropriateness in the processing of personal data and purpose limitation”);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
(d) accurate and kept up to date;
(e) limitation of the storage for periods not longer than necessary for the purposes for which they are processed (“storage limitation”);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”);
Art. 6 Trinoga processes personal data only if and to the extent at least one of the conditions listed below shall apply:
- a) processing is required for the performance of an agreement with Trinoga under which the data subject is party or to undertake steps at the request of the data subject prior to the signing of an agreement with Trinoga;
(b) processing is required for compliance with a legal obligation which applies to Trinoga in its capacity as controller of personal data;
(c) the data subject has given consent for the processing of their personal data for one or more specific purposes. In the cases when personal data are processed solely on the grounds of consent, the data subject has the right to withdraw such consent at any time. Withdrawal of the consent of the data subject is not applicable in the cases when the processing of the data is based on the provisions of items “a” and “b” above;
Art. 7. Trinoga, in its capacity as controller, does not process personal data which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data solely for the purpose of identification of the natural person, data concerning health or data concerning sex life or sex orientation of the natural person unless the data subject have given an explicit consent for the processing of such data for one or more specific purposes.
III. Purpose of personal data processing
Art. 8. Trinoga processes personal data for the purpose of providing services, specifically described in Personal Data Protection Notice to the Customers of Trinoga[WU2] . Provision of personal data is voluntary. In case of refusal to provide personal data, Trinoga shall not provide the requested service to the extent the processing of personal data at large is in fulfilment of the Trinoga’s legal and regulatory obligations.
Art. 9. Except the cases set out above, processing of personal data of data subjects is allowed if there is legitimate interest of Trinoga or of a third party and the latter prevail over the interests or the fundamental rights and freedoms of the data subject (the customer), for example for the purpose of preventing crime, including fraud, preventing money laundering and financing of terrorism, other lawful objectives.
Art. 10. The personal data of the data subjects are stored over the legal terms in accordance with the requirements of the applicable specific laws.
Art. 11. Persons of less than 18 (eighteen) years of age are data subjects entitled to higher level of protection of their personal data. If the child is less than 16 years old such processing is legal only and to the extent such consent has been given or allowed by the holder of parental responsibilities for the child.
- Rights of the data subjects (customers – natural persons whom the data relates to)
Art. 12. Right to information (in relation to the processing of the data subject’s personal data by Trinoga – the natural persons that are data subjects have the right to receive information* as to Trinoga as personal data controller, as well as the processing of their personal data. Such information includes: data identifying Trinoga, as well as its contact details, including contact details of the Chairman of Trinoga; the purposes and legal grounds for the processing; the personal data recipients or categories of recipients, if any; the controller’s intent to transmit personal data to a third party / third country (where applicable); the personal data storage period; the existence of automated decision making, including profiling (if any); information as to all rights that the data subject has; right to file a complaint to the supervision authority.
* The information listed above is available in the Personal Data Protection Notice to the Customers of Trinoga, available on the internet address: http://www.vegetarium.info/privacy-notice .
Art. 13. Right of access to own personal data – the data subjects have the right to receive from Trinoga confirmation as to whether personal data related to them are processed and if so, to be given access to the data and the following information: purpose of the processing; respective personal data categories; personal data recipients or categories of recipients, if any; the intention of the controller to transmit personal data to a third party (where applicable); personal data storage period; existence of the right to correct personal data, as well as the right to object against the processing of personal data; existence of automated decision making, including profiling (if any); information as to all rights that the data subject has.
Art. 14. Right to rectification of personal data (if data is not accurate) – the data subject has the right to request Trinoga to rectify, without undue delay, any incorrect data pertaining to the data subject.
Art. 15. Right to erasure of personal data (right “to be forgotten”) – the data subject may request from Trinoga to erase personal data, if any of the conditions listed below exist: Ø Personal data are no longer needed for the purposes they have been collected for or processed otherwise; Ø The data subject withdraws his / her consent, which data processing is solely based on, and no other legal grounds for the processing exist (processing due to regulatory obligation of the Trinoga, an agreement signed with Trinoga).
Art. 16. The data subject has the right to object against the processing of personal data if there are no legal grounds for processing that have an advantage.
Art. 17. Right to limitation of processing by Trinoga or by the personal data processor – specific conditions are required to be in place for that right to be exercised, namely: Ø Accuracy / up to date nature of the data is disputed by the data subject. In this case the limitation of the processing is over a period of time allowing Trinoga to check the accuracy of the personal data; Ø The processing is unlawful, but the data subjects do not wish their personal data to be erased, but rather require limitation of their use; Ø Trinoga no longer needs such personal data for processing purposes, but the data subject requires them for establishing, exercising or defending legal claims; Ø The data subject has objected to the processing while awaiting a check to be performed whether Trinoga’s legal grounds prevail over the interests of the data subject.
Art. 18. Right to transferability of the personal data between the various controllers – the data subjects have the right to receive personal data pertaining to them, which they have provided to Trinoga in a structured, widely used and machine readable format and have the right to transfer such data to another controller without hindrance by Trinoga, to which personal data has been provided, when processing is based on consent or contractual obligation and the processing is automated. When exercising the right to transferability the data subject has the right to receive also direct transfer of the personal data from Trinoga to another controller, where technically feasible.
Art. 19. Right to object against the processing of their personal data – data subjects have the right to object before Trinoga against the processing of their personal data, whereby Trinoga shall cease such processing, unless Trinoga is able to prove that compelling legitimate grounds for the processing exist that override the interests, rights and freedoms of the data subject, or for the establishment, exercising or defence of legal claims. In case of objection against the processing of personal data for direct marketing purposes Trinoga shall cease such processing forthwith.
Art. 20. The data subject also has the right not to be subject to decision based solely on automated processing, including profiling, which ensues legal consequences for the data subject or significantly affects the data subject otherwise.
Art. 21. Right to defence through judicial or administrative procedure if the data subject’s rights have been breached – if the data subjects decide that their right to personal data protection and privacy has been violated, they may file a complaint with the relevant supervision authority – the Commission for Personal Data Protection or to file a claim with the court to defend their rights.
- Disclosure of personal data
Art. 22. Trinoga may disclose the personal data to the following categories of persons:
(a) The persons whom the data relate to, namely: persons using services or products, or persons filing a request to use services, as well as persons who are party to contractual relations with Trinoga;
(b) Persons that have right to access to personal data by virtue of law or another regulation;
- Procedure to exercise the rights
Art. 23. (1) In exercising their right to access natural persons have the right to request from Trinoga at any time: 1. confirmation as to whether data related to them are processed by Trinoga, the purpose of the processing, the data category and recipients of such data or the categories of recipients data is disclosed to; 2. to send them a message in an understandable format, containing the personal data subject to processing and any information available as to the source of such data; 3. information as to the logic of any automated processing of personal data pertaining to natural persons, at least in the case of automated decisions under the provisions of the General Data Protection Regulation and the Personal Data Protection Act;
(2) Upon request Trinoga provides the information under paragraph 1 free of charge.
(3) Natural persons have the right to request at any time that Trinoga: 1. erases, rectifies or blocks their personal data the processing of which is not compliant with the requirements of the effective legislation 2. notifies the third parties to which the personal data of the natural persons have been disclosed as to any erasure, rectification or blocking in accordance with item 1 above, except when this proves to be impossible or would involve a disproportionate effort.
Art. 24. (1) Natural persons exercise their rights by filing a written request to Trinoga, containing as a minimum the following information:
- name, personal ID number, address and other data allowing identification of the respective natural person; 2. description of the request; 3. preferred form for provision of the information (oral or in writing – as a hard copy or electronically); 4. signature, date, correspondence address and telephone number.
(2) The filing of the request is free of charge;
(3) Upon filing of a request by an authorised person, the notarised power of attorney must be attached to the request;
(4) In case of death of the natural person, his / her rights are exercised by his / her heirs and certificate of heirs shall be attached to the request;
Art. 25. Trinoga shall review and pronounce on the request within within 1 month as of its filing. This period may be extended by further two months, if necessary. Trinoga informs the data subject as to any such extension within 1 month as of receipt of the request, stating the reasons for the delay. When the data subject files a request by electronic means, the information is provided electronically, if possible, unless the data subject has requested otherwise.
Art. 26. Trinoga provides an answer to the requesting person taking into account their preferred form for the provision of the information (orally or in writing – as a hard copy of electronically).
Art. 27. Where data do not exist or their provision is forbidden by law, access of the requesting party to such data is refused.
Art. 28. If the requesting party is not satisfied with the response received and / or believes that their rights related to personal data protection were violated, they are entitled to exercise their right to defence.
VII. Information for the data subject:
Controller: Non-profit organization (association[WU4] ) Trinoga, BULSTAT175102568, with registered address and management address: Bulgaria, post code 2267, village of Zhelen, Bukor area, Teacher‘s house; Chairman of Trinoga: Filip Kirilov; e-mail email@example.com; Telephone +359 885050565; website www.vegetarium.info