Privacy and Personal Data Protection Policy

PRIVACY POLICY AND PROTECTION OF PERSONAL DATA AT "NIKE-YA CONSULT" LTD.

I. Introduction

"Nike-Ya Consult Ltd" (hereinafter referred to as "Nike-Ya Consult Ltd", "the Company" or "the Administrator") is a commercial company registered in the Commercial Register at the Registry Agency with UIC: 160040993, with its registered office and registered office address at Plovdiv, ul. Hristo Botev № 92D, and website http://www.tiaris.bg/.

Nike-Ya Consult Ltd. is active in the field of financial, accounting, consulting, marketing, research and assistance services, real estate management, organization of accounting and preparation of annual, interim and other financial statements in accordance with the Accounting Law.

Nike-Ya Consult Ltd. is a Personal Data Controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as "GDPR") and the Personal Data Protection Act (hereinafter referred to as "PDPA").

With this Privacy and Personal Data Protection Policy (hereinafter referred to as "Policy"), Nike-Ya Consult Ltd. takes into account the privacy of individuals and makes efforts to protect against unlawful processing of personal data of individuals. In accordance with Bulgarian legislation, GDPR and good practices, Nike-Ya Consult Ltd has taken the necessary technical and organizational measures to protect the personal data of individuals.

Familiarity with this Policy before using our services is imperative, as their provision involves the collection of certain categories of personal data necessary for Nike-Ya Consult Ltd to fully provide the services.

1. Objectives and Scope of the Policy

With this Privacy and Data Protection Policy, Nike-Ya Consult Ltd aims to inform individuals about:

  • the purposes and means of the processing of personal data;
  • the recipients or categories of recipients to whom the data may be disclosed;
  • the basis for processing the personal data /the mandatory or voluntary nature of the provision of the data/, as well as the consequences of refusing to provide them;
  • information on the right of access, rectification and erasure of the data collected.

2. Terms and definitions:

1. "Personal data" means any information relating to an identified natural person or an identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2. "Special categories of personal data" - personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data uniquely identifying an individual, data concerning health or data concerning an individual's sex life or sexual orientation.

3. 'Processing' means any operation or set of operations which is performed upon personal data or a set of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

4. "Controller" - any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or Member State law, the Controller or the specific criteria for its determination may be laid down in Union or Member State law;

5. "Joint Controllers" - where two or more Controllers jointly determine the purposes and means of processing personal data, they are joint Controllers;

6. "Processor" - a natural or legal person, public authority, agency or other body that processes personal data on behalf of the Controller

7. 'Register' means any structured set of personal data which is accessed according to certain criteria, whether centralised, decentralised or distributed according to a functional or geographical principle.

8. "Data Subject" - any living natural person who is the subject of personal data stored by the Controller.

9. "Consent of the data subject" - any freely given, specific, informed and unambiguous indication of the data subject's wishes, by means of a statement or a clear affirmative action, which signifies the data subject's agreement to the processing of personal data relating to him or her;

10. "Profiling" - any form of automated processing of personal data consisting in the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the performance of that natural person's professional duties, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

11. "Personal data breach" - a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that is transmitted, stored or otherwise processed;

12. "Recipient" - the natural or legal person, public authority, agency or other body to whom the personal data is disclosed, whether or not a third party. However, public authorities which may receive personal data in the framework of a specific investigation in accordance with Union or Member State law shall not be considered as 'recipients'; the processing of those data by those public authorities shall comply with the applicable data protection rules in accordance with the purposes of the processing;

13. "Third party" - any natural or legal person, public authority, agency or other body other than the data subject, the Controller, the processor and those persons who, under the direct authority of the Controller or the processor, have the right to process the personal data

3. The legal basis for the processing of personal data, the sources of personal data and the period for which the personal data collected is stored:

Nike-Ya Consult Ltd processes personal data on the following grounds:

  • On the basis of the data subject's free, informed and explicit consent;
  • Where there is a legal obligation to process the data;
  • When concluding or performing a contract, as well as for actions preceding the conclusion of a contract;
  • Where it is necessary to protect the vital interests of the individual or the legitimate interests of the Controller, provided that it does not conflict with the legitimate interests of the individual.

Nike-Ya Consult EOOD processes personal data provided by employees, clients, principals, suppliers, contractors and other individuals to whom the data relates in connection with the provision of services within the scope of its activities, as well as for the preparation and conclusion of contracts.

Nike-Ya Consult Ltd. also processes personal data that is not obtained from the individual to whom it relates, but is provided by a third party in connection with a specific service, and the person who provided the data to Nike-Ya Consult Ltd. undertakes:

1. to provide the third party with data about the Controller;

2. inform the third party of the purposes, categories of data provided and categories of recipients of such data;

3. provide information on the right of access and rectification of personal data to the data subject.

Option 1: The personal data collected shall be stored for a period of 5 (five) years from the date of termination of the relevant service contract.

Option 2: Personal data shall be kept for a period necessary in accordance with the purposes for which they were collected or for a period laid down in a legal act.

Where the data subject has consented to direct marketing, the personal data shall be retained until the data subject unsubscribes or requests to be unsubscribed.

4. Means, principles and purposes of processing:

4.1 Nike-Ya Consult Ltd processes personal data through a set of actions that may be carried out by automatic or other non-automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, provision, updating or combination, blocking, erasure and destruction.

Nike-Ya Consult Ltd shall process the personal data independently or by assigning data processors, by means of a written contract defining the purposes and scope of the obligations assigned by the Data Controller to the data processor, in the presence of a relevant legal basis, in accordance with the requirements of the GDPR / PDPA. Processors on behalf of Nike-Ya Consult Ltd. are, for example, the Controller's employees, whose rights and obligations in relation to the processing of personal data of natural persons are duly regulated in the Controller's internal acts, as well as in the job descriptions of the respective employees. Processors are also third parties outside the structure of the Controller who are entrusted with the processing of personal data on behalf of the Controller.

4.2 The processing operations referred to shall be carried out in accordance with the following principles:

  1. lawfulness of processing of personal data;
  2. appropriateness of the processing of personal data;
  3. proportionality of processing;
  4. timeliness of the personal data processed;

4.3. In connection with the performance of statutory obligations and pre-contractual and contractual relations, in the performance of its activities, Nike-Ya Consult Ltd. processes personal data of its employees, customers and third parties for the following purposes:

- administration of employment relationships: personal data of job applicants and employees in connection with an existing employment relationship (data processing is most often a consequence of the fulfilment of statutory obligations of the Data Controller arising from the specific requirements of the legislation governing its activities, financial and accounting activities, pension, health and social security activities, human resources management activities, the automatic exchange of information in the field of the

- administration of contractual relations: personal data of persons prior to a service contract and current customers (including where explicit consent has been given or processing is necessary for the performance of obligations under a contract to which the data subject is a party, as well as for pre-contractual actions taken at the request of the person).

SPECIFICITY. "a" and b. "(c) of the Anti-Money Laundering Measures Act (AMLA), is obliged to identify its customers. Pursuant to Art. 2 par. 1 of the Regulations for the Implementation of the AMLA in conjunction with Art. 6 para. 1(2) of the AML Act, the identification of customers and the verification of the identification of natural persons shall be carried out by presenting an official identity document and taking a copy thereof. The controller is obliged to collect and process information constituting personal data on natural persons pursuant to Article 4, in conjunction with Articles 10 and 11 of the AML Act.

5. Categories of personal data processed and records

5.1. Categories of personal data that Nike-Ya Consult Ltd processes for the performance of its activities:

1. Related to the physical identity of individuals - name, ID number, passport details, address, telephone, e-mail, etc.;

2. Related to economic identity - property and financial situation, participation and/or ownership of shares, securities in companies, presence of public debts, data necessary for identification for the purposes of tax legislation in the jurisdiction where the person is a resident for tax purposes, tax identification number issued by that jurisdiction, function of controlling persons, etc.;

3. Related to social identity - education, employment, citizenship;

4. Related to family identity - marital status, family ties, etc.;

5. Other personal data that may be provided for the receipt of a service of Nike-Ya Consult Ltd.

5.2. The processed personal data are structured in the following registers:

  • Personnel Register;
  • Register "Customers";

6. Rights of data subjects:

6.1 Right to information

Each data subject shall have the right to request information on the type of personal data processed by Nike-Ya Consult Ltd. that personally affects him or her. This information shall be provided irrespective of where the personal data are processed. The data subject may make any such request to Todor Chankov - Controller. The specialised department/designee must assist the data subject by providing, where possible, the personal data processed about him/her in the format he/she wishes, which must be structured, in a commonly used and machine-readable format. This information shall be provided to the subject in accordance with a Procedure for the Provision of Information to the Data Subject adopted by Nike-Ya Consult Ltd.

The data subject shall have the right to information about the purposes of the processing of his or her personal data, which shall be provided to him or her upon collection of his or her personal data and upon subsequent change of the purposes of the processing.

6.2 Request for correction

If the personal data stored are incorrect or incomplete, the data subject may request that they be rectified. Data subjects are responsible for providing correct personal data to the Data Controller. In addition to this, the data subject should inform the Data Controller of any relevant changes to his or her personal data (such as changes to the address or name of the subject).

6.3 Restriction of use

At any time during the processing of personal data, the data subject may request the Controller to restrict the use of his or her personal data for some or all of the processing purposes for which the data subject has given consent.

6.4 Refusal of a request for information, rectification or restriction of processing of personal data

If the request for information, rectification or restriction of processing is refused, the data subject will be informed of the reason for the refusal. The refusal shall be made in the form of the request made by the data subject and shall be reasoned.

6.5 Right to erasure ("right to be forgotten")

Any person shall have the right to request from the Controller the erasure of personal data relating to him or her and the Controller shall have the obligation to erase such data without undue delay. Upon exercise of this right by the data subject, the Data Controller shall indicate to the data subject in what way the erasure will affect the relationship between them in the future.

6.6. Right to object

Each data subject shall have the right to object to processing of personal data concerning him or her. The controller shall terminate the processing of personal data unless it demonstrates that there is a legitimate ground for the continued processing.

In addition, each data subject has the right to object if his or her personal data is used for advertising purposes (direct marketing) or for purposes related to market research or public opinion polling. In this case, the personal data shall be blocked and not used for the purposes concerned.

6.7. Withdrawal of consent to the processing of personal data

The data subject shall have the right to withdraw his or her consent to the processing of his or her personal data at any time by a separate request addressed to the Controller. The Data Controller shall inform the data subject how the erasure will affect the relationship between them in the future.

6.8. Issues and complaints/remedies

The data subject shall have the right to lodge complaints/requests with the Controller on issues related to the processing of his/her personal data, to which the Controller shall respond in accordance with an adopted procedure (Procedure for the means of communication for complaints and requests from the data subject).

6.9. Right to consent to the processing of his/her personal data

The Controller shall assume the existence of "consent" only in cases where the data subject has been fully informed of the intended processing and has expressed his or her consent without being subjected to pressure. Consent obtained under pressure or on the basis of misleading information is not a valid basis for processing personal data.

Consent cannot be inferred from the absence of a response to a communication to the data subject. There must be an active communication between the Controller and the data subject for consent to exist. The controller should be able to demonstrate that consent has been obtained for the processing activities.

In most cases, consent to the processing of personal data is routinely obtained from the Data Controller using standard consent documents, for example when a new client signs a contract or during the recruitment of new staff.

When processing personal data of children, the Controller shall obtain the permission of the persons exercising parental rights (parents, guardians, etc.). This requirement applies to children under the age of 16 (unless the Member State has provided for a lower age limit, which may not be lower than 13).

6.10. Right to representation

The data subject may authorise another person to exercise the rights referred to in paragraphs 1.1 to 1.9 of this Policy. The authorisation must be explicit and made in writing. Whenever exercising the data subject's rights, the proxy must provide a copy of his or her power of attorney to the Controller or to the processor on behalf of the Controller.

II. Security of personal data:

Nike-Ya Consult Ltd shall ensure the security of personal data in accordance with the principles set out in the GDPR / PDPA by taking appropriate and sufficient administrative, technical and organizational measures to ensure the protection of data from loss, theft, misuse, as well as from unauthorized access, disclosure, alteration or destruction.

7. General principles relating to the processing and security of personal data:

7.1. Admissibility of data processing

The processing of personal data shall only be permissible if the data subject has consented to it, if there is a legal obligation to process the data, in the conclusion or performance of a contract, where it is necessary for the protection of the vital interests of the natural person or the legitimate interests of the Controller, provided that it does not conflict with the legitimate interests of the natural person. The admissibility of the processing of personal data is a prerequisite for the transmission of personal data.

Consent must be given in writing or by other legally permissible means and the data subject must be informed in advance of the purpose of the processing and the possibility of transferring personal data to third parties. The provision of consent shall be emphasised when included in other declarations so that it is clear to the data subject.

7.2. Intended objective

Personal data may only be collected for the purposes exhaustively listed and may not be processed for purposes other than those specified. The purpose of the collection and processing of data must be taken into account by the Data Controller when further processing and storing such data. Changes to the purpose are only permissible with the consent of the data subject or if permitted by the local law of the relevant country from which the personal data was obtained.

7.3. Data economy

The processing of personal data must be necessary for the intended purpose. Available options for anonymisation or the introduction of pseudonymisation for personal data should be used at an early stage as far as possible and cost-effective for the intended protective purpose.

7.4. Data quality

Personal data must be factually correct and, as far as necessary, up-to-date. The controller shall take appropriate and reasonable measures to correct or erase any incorrect or incomplete data.

7.5 Data security

The data controller shall put in place appropriate technical and organisational measures to ensure the necessary data security. These measures apply in particular to computers (servers and workstations), networks and communication links and applications and are incorporated into the IT security management system. Appropriate measures shall be taken to protect this data from erasure by mistake, unauthorised deletion or loss. Full details are provided in Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures for a high common level of network and information systems security in the Union.

7.6. Confidentiality of data processing

Only authorised personnel who have committed to comply with the data confidentiality requirements are entitled to participate in the processing of personal data. Employees are prohibited from using such data for personal purposes or from making it available to unauthorised companies and third parties. Unauthorised in this context also means the use of personal data by employees who do not need access to such data to carry out their official responsibilities. The obligation of confidentiality shall continue to apply after the termination of the employment/civil/service relationship with the Controller.

8. Administrative and technical measures to protect personal data:

Nike-Ya Consult Ltd uses administrative and technical measures to protect the personal data it processes through its employees or provides to third party processors for processing. These measures consist in the following:

8.1. All employees of the Controller are responsible for ensuring that the data they process is stored securely and is not disclosed under any circumstances to third parties, unless the Controller has granted such rights to such third parties on the basis of a written contract or confidentiality clause;

8.2. All personal data shall be accessible only to those employees/processors whose duties include the processing of the specific data, and access shall be made only in accordance with the adopted internal access control rules (Procedure on the rules and rights in relation to the control of access to personal data by technical means).

8.3. In order to ensure sufficient protection of the personal data processed, Nike-Ya Consult Ltd. uses the following technical measures (virus protection, firewall, encryption or an encryption option);

8.4. The Data Controller shall adopt internal rules to determine the sensitivity levels of the personal data (information) processed, on the basis of which separate categories of personal data are created and processed for specific purposes. The individual categories of personal data shall be separated into personal data registers. The internal rules shall determine both the procedure for access to these registers and the persons who are entitled to access them and, respectively, to process the personal data stored in them;

8.5. The controller shall determine by an internal act the procedure for controlling the separation of personal data. These rules shall contain measures to ensure that data collected for different purposes can be processed separately by authorised employees/persons;

8.6. The controller shall take measures to ensure that personal information is protected against accidental destruction or loss;

8.7. The Controller shall establish procedures to restore the availability of personal data following a physical or technical incident. In order to fulfil these obligations, the Data Controller shall provide the necessary technical means (servers, computer network, cloud space) for which the protective measures referred to in paragraph 8.3 of this Section shall be taken.

9. Administrative and organisational measures to protect personal data:

9.1 Nike-Ya Consult Ltd shall adopt procedural rules setting out the measures and procedures for physical access and protection of personal data which shall be binding on all employees who process personal data;

9.2. The Controller shall designate secure areas for the storage of physical media of personal data, access to which shall be determined in accordance with the procedural rules in paragraph 9.1 of this section;

9.3. The Controller shall implement the following measures to restrict access to the physical data media (e.g. high security locks on the doors of the Controller's office and on the doors providing access to the building in which the office is located; locking of the cabinets in which the paper media of the created records are located);

9.4. The Controller shall implement a "clean desk" policy which all employees who process personal data shall become familiar with and implement. Paper records must not be left where they can be accessed by unauthorised persons and must not be removed from designated secure premises without express permission. As soon as paper records are no longer necessary for the ongoing processing of personal data, they should be archived as appropriate and, if there is no justification for archiving them, they should be destroyed in accordance with an established procedure;

9.5 Personal data may only be erased or destroyed in accordance with the procedure adopted by the Data Controller (Data Retention and Destruction Procedure). Paper records whose processing period has expired should be shredded and destroyed as 'confidential waste'. Data on the hard drives of unused PCs should be deleted or the drives destroyed in accordance with established procedures;

9.6. The processing of personal data outside the Controller's premises shall be carried out in accordance with the relevant procedural rules and shall be permissible with the express written consent of the processor's line manager or the Controller.

10. Data Protection Officer

Nike-Ya Consult Ltd appoints a Data Protection Officer (DPO). The Data Protection Officer is an employee of the Controller. The role of this person is to monitor compliance with this Policy across the Controller's enterprise and to ensure the ability to demonstrate that the processing of personal data complies with data protection legislation.

The DPO shall develop and implement the requirements for the protection of personal data in accordance with the provisions of this Policy. The DPO shall carry out security and risk management with respect to compliance with this Policy.

The DPO is responsible for administering and processing the requests and inquiries made by the data subject to the Controller. The DPO shall provide the necessary explanations to the Controller's employees regarding the compliance with the protection of personal data.

The DPO shall periodically prepare and submit reports to the Controller in relation to the implementation of this Policy, the legal provisions governing the protection of personal data, as well as on the compliance of the personal data protection ensured in the enterprise with the legal requirements in this area.

III. Storage, destruction and inventory of personal data:

11. Storage

11.1 Nike-Ya Consult Ltd shall not store personal data in a form which permits identification of data subjects for longer than is necessary to carry out the processing for which the data subject's consent has been given and in view of the purposes for which they were collected. The retention of personal data for a longer period shall also be permissible without the data subject's explicit consent if provided for in a provision of domestic law or European Union law;

11.2. The controller may retain data for a longer period than necessary to carry out the processing for which consent has been given and in cases where personal data will be processed for archiving purposes in the public interest, scientific or historical research and statistical purposes, and only if appropriate technical and organisational measures are implemented to safeguard the rights and freedoms of the data subject;

11.3. The retention period for each category of personal data, separated in a separate register, shall be determined in a procedure adopted by the Data Controller (Data Retention and Destruction Procedure). This procedure sets out the criteria used to determine the retention period, including any legal obligations imposed on the Data Controller in respect of the retention of the data.

11.4. The procedure for storage and destruction of data as well as the rules for destruction of information on physical media shall apply in all cases.

12. Destruction

Personal data must be destroyed securely, in accordance with the principle of ensuring an appropriate level of security. Compliance with the procedure is mandatory in order to ensure protection against unauthorised or unlawful processing and against accidental loss, destruction or damage of data, by implementing appropriate technical or organisational measures.

13. Inventory

13.1. The Controller shall establish a data inventory process as part of its approach to address possible risks in the processing of the personal data collected. A personal data risk impact assessment shall be carried out during the data inventory and processing, the methodology and elements of which are governed by a Personal Data Protection Impact Assessment Methodology adopted by the Data Controller. The determination of risks in accordance with this methodology shall also apply to processing undertaken by other organisations on behalf of the Controller;

13.2. The administrator shall manage any risks identified in the impact assessment in order to reduce the likelihood of non-compliance with the rules introduced by the GDPR/PDPA. Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, in particular with the use of new technologies, and taking into account the nature, scope, context and purposes of the processing, the Controller should carry out an impact assessment of the intended processing operations on the protection of personal data before proceeding with the processing. A general impact assessment may consider a range of similar processing operations which present similar high risks;

13.3. Where, as a result of the Impact Assessment, it is clear that the Data Controller will process personal data which, because of the high risk, could cause harm to data subjects, the decision whether or not to proceed with the processing must be submitted to the DPO for review;

13.4. If the DPO has serious concerns about either the potential harm or danger or the amount of data involved, they should make a report to the supervisory authority / DPO;

13.5. GDPR, periodically review the data initially inventoried, review the information recorded in the "Register of Processing Activities" in light of any changes in the activities of the Controller.

IV. Provision of personal data to third parties

14.1. The data controller shall have the right to disclose the personal data processed only to the following exhaustively listed categories of persons:

a). individuals to whom the data relate;

b). persons for whom the right of access is provided for in a statutory instrument or

c). persons for whom the right arises by virtue of a contract;

14.2 For the purpose of providing services, the Controller shall provide information /required personal data/ for the performance of a contractual obligation to the data subject. The controller shall provide personal data to third parties who provide services on its behalf on the basis of an explicit written instruction / written contract. These third parties are not permitted to use or disclose the data beyond the purposes for which it was provided to them, except where necessary to perform services on behalf of the Controller or to comply with legal requirements. The purposes for processing the personal data provided are expressly set out in the written instruction/written contract on the basis of which the data is provided to the third party. Third parties (processors of personal data) are obliged to provide the necessary technical and organisational measures to protect the personal data provided by the Controller or greater;

14.3. The Controller shall share the personal data received with its affiliates, franchisees, dealers and joint venture partners on the basis of an express written instruction or written contract. These persons may use the information for the purposes described in this Privacy Policy. If explicit consent is provided by the data subject, personal data may be shared with third parties, based on a written contract, for their own purposes, such as offering products and services that may be of interest to the data subject;

14.4. The Controller shall share personal data with competent authorities/persons in order to organise the protection of their legitimate rights and interests in the initiation of warrant, arbitration, security, claim and other proceedings;

14.5. The controller shall disclose personal data about subjects whose personal data it processes when it is obliged to do so by law, regulation, international treaty or act of European Union law, or in connection with a judicial proceeding, in response to a request from public authorities (for example, law enforcement or investigative authorities), or where it suspects that the legitimate rights and interests of the subjects of the right are being seriously and unlawfully affected.

V. Training

15. Purpose

Taking into account the regulation on the protection of personal data of natural persons and the enhanced measures for the protection of personal data introduced by the GDPR / PDPA, Nike-Ya Consult Ltd. recognises the need to conduct initial and subsequent training of its staff whose duties include the processing of personal data of natural persons on behalf of the Controller. Initial and subsequent training is intended to inform employees of the rules and procedures established for compliance with this Policy and applicable data protection legislation, as well as other issues related to data protection and privacy.

The training of employees is aimed at raising their awareness of existing or emerging requirements regarding the protection of personal data and the measures taken by the Data Controller in accordance with them.

16. Duties and roles

16.1. The Data Protection Officer shall ensure that the responsibilities of employees in relation to data protection are properly allocated in accordance with the Data Controller's rules and procedures for the processing of personal data.

16.2. The Data Protection Officer should ensure that all employees who have ongoing duties relating to personal data and processing operations, as well as those with permanent/regular access to personal data, demonstrate compliance with data protection requirements.

16.3. Employees must be able to demonstrate competency in their understanding of regulatory compliance requirements, and how they apply in the Administrator's organization.

16.4. The Data Protection Officer shall be responsible for keeping such employees up to date and informed of all matters relating to personal data within the scope of their professional duties by arranging for ongoing training when there is a change in the legal framework for the protection of personal data or a change in the scope of the Controller's activities, as well as when new procedures/measures for the protection of personal data are introduced by the Controller.

16.5. The Administrator shall promote training and awareness-raising measures by providing the necessary resources and facilities.

16.6. The Data Protection Officer shall brief and inform employees on the importance of data protection in the performance of their direct duties, and in accordance with their role within the organisation.

16.7. The Data Protection Officer is responsible for ensuring that employees understand how and why the Controller's organisation's rules and procedures apply to the processing of personal data, for which he/she draws up appropriate reports/records.

16.8. The Data Protection Officer shall develop training and awareness programmes both for all staff and for each specific role within the organisation relevant to the processing of personal data.

16.9. The Data Protection Officer shall establish a system to periodically check awareness as well as to update the knowledge of employees in relation to changes in data protection requirements.

16.10. Employees shall receive specific training on the processing of personal data related to their regular job roles and responsibilities and in accordance with the policies and procedures adopted by the Controller.

16.11. Employees shall receive specific training on all information protection requirements and procedures applicable to data protection and data processing within their day-to-day job roles and responsibilities, including reporting personal data breaches.

16.12. Employees shall receive training on the handling of requests and complaints from data subjects relating to the protection of personal data and the processing of personal data in accordance with the Controller's rules and procedures.

16.13. The Data Protection Officer shall organise training for all responsible persons and employees.

16.14. The Data Protection Officer shall document any training conducted by preparing a list/record of those who attended the relevant training sessions at appropriate times according to the activities of the Controller.

16.15. Initial employee training shall be conducted upon implementation of this policy and upon the employment of new employees whose job duties involve the processing of personal data.

16.16. Follow-up training shall be conducted periodically (not less frequently than once every 6 months) or when there is a change in the legal framework for the protection of existing data / a change in the scope of the Controller's activities in relation to the processing of personal data or when new protection measures/procedures are introduced.

VII. Transitional and final provisions:

1. This Policy is adopted by the Decision of 01.09.2022 of the Manager of "Nike-Ya Consult Ltd" and comes into force on 01.09.2022;

2. The personal data subjects may familiarize themselves with this policy at the office of the Administrator, located in the town of Plovdiv, ul. 92D "Hristo Botev", as well as on the website of the Administrator http://www.tiaris.bg/.

3. The Data Protection Officer at Nike-Ya Consult Ltd. is:

Name: Miroslav Yazov

Phone: 0899 105 305

Address: Plovdiv, 92D Hristo Botev Blvd.

Email address: miroyazov@gmail.com
