Personal data protection policy of OPTIX
Information about us:
OPTIX JSC is a company registered in the Commercial Register and Register of Non-Profit Legal Entities under UIC 121722373, with registered address: city of Sofia 1756, Sofia (capital) district, Studentski region, Darvenitsa residential complex, Kliment Ohridski Blvd., block 19, entrance B, floor 1, office 3
Tel.: 35 935 764 125, Fax: 35 935 763 097
E-mail: optix@optixco.com
Content:
1. Purpose
2. Scope
3. Terms, definitions, abbreviations
4. General considerations
4.1 Principles for handling personal data
4.2 Rights of data subjects
4.2.1 Right to information
4.2.2 Right of access
4.2.3 Right to rectification
4.2.4 Right to delete
4.2.5 Right to data portability
4.2.6 Right of objection
4.2.7 Rights in automated decision-making, profiling
5. Registers of processing activities
5.1 List of registers
5.2 Register contents
6. Requirements for personnel working with personal data
6.1 General requirements
6.2 Data Protection Officer
6.2.1 General
6.2.2 Rights and obligations
7. Complaints, inquiries and requests for personal data
8. Impact assessment on the protection of personal data
8.1 General considerations
8.2 Execution
9. Ensuring security for personal data
9.1 General considerations
9.2 Security breach actions
1. Purpose
The present policy contains the basic principles, rules and approaches for organizing and carrying out the activities related to collecting, processing, storing, communicating, using and protecting personal data of individuals in OPTIX.
This policy aims to ensure compliance with the Personal Data Protection Act and the requirements of Regulation (EU) 2016/679 as part of the business processes of the company.
2. Scope
All employees of OPTIX should apply the instructions of this policy in their day-to-day work. This is of particular importance for employees working with personal data.
This policy applies to the personal data of employees of the company and to the personal data of other individuals in respect of whom OPTIX acts as controller or processor.
3. Terms, definitions, abbreviations
In the text of this policy, terms and definitions are used in the sense given to them in the Personal Data Protection Act and Regulation (EU) 2016/679 (Article 4).
4. General considerations
4.1 Principles for handling personal data
When working with personal data OPTIX adheres to the following principles:
- Lawfulness, fairness and transparency
Personal data are processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Purpose limitation
Personal data are collected and / or processed only for specified, explicit and legitimate purposes and are not further processed in a manner incompatible with those purposes.
- Data minimisation
Only personal data that are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed are collected and processed.
- Accuracy
Personal data are kept accurate and up to date so that they remain fit for the purposes for which they are processed.
- Storage limitation
Personal data are stored in a form that permits identification of the data subject for no longer than is necessary for the purposes in question.
- Integrity and confidentiality
Personal data are collected, stored and processed at an appropriate level of security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical and organizational measures.
- Accountability
The Company implements the principles set out here and maintains the necessary documents and records as evidence of this.
4.2 Rights of data subjects
OPTIX upholds the rights of data subjects when performing its duties as controller or processor of their data. These rights are the following:
4.2.1 Right to information
OPTIX, acting as data controller, takes the following actions to inform the individuals whose personal data it collects about:
- Their rights in relation to their data, before or at the time of data collection or upon a subsequent change in the purpose of the processing;
- The purposes of the processing and their legal basis;
- The recipients or categories of recipients of the personal data, if any;
- The storage period or the criteria used to determine this period;
- Contact details for matters relating to personal data.
4.2.2 Right of access
OPTIX, acting as controller, provides the data subject with confirmation as to whether his or her personal data are being processed and, if so, provides access to the data and the following information:
- The purposes of the processing and its legal basis;
- The categories of personal data concerned;
- The storage period or the criteria used to determine that period;
- The recipients or categories of recipients of the personal data, if any;
- The existence of the right to request that the controller rectify or erase personal data or restrict the processing of personal data concerning the data subject, or to object to such processing;
- The right to lodge a complaint with a supervisory authority;
- Where the personal data are not collected from the data subject, any available information as to their source;
- The existence of automated decision making, including profiling, if applicable.
This information is not provided if the data subject already has it.
4.2.3 Right to rectification
OPTIX, as a personal data controller, provides the data subject with the opportunity to request the rectification of inaccurate personal data relating to him or her without undue delay.
Taking into account the purposes of the processing, the data subject may have incomplete personal data completed, including by means of providing a supplementary statement.
4.2.4 Right to delete
OPTIX, as a data controller, provides the data subject with the opportunity to request the deletion of personal data relating to him or her without undue delay.
OPTIX is obliged to delete personal data without undue delay when any of the following grounds applies:
- The data are no longer needed for the purposes for which they were collected;
- The data subject withdraws his or her consent (where consent was given);
- The data subject objects to the processing and there are no legitimate grounds for it;
- The data have been processed unlawfully.
Where the data are deleted, OPTIX, taking into account the available technology and the cost of implementation, takes reasonable steps, including technical measures, to inform the controllers that are processing the personal data that the data subject has requested the erasure of any links to, or copies or replications of, those personal data.
4.2.5 Right to data portability
OPTIX, in its role as data controller, ensures data portability when the conditions laid down in Article 20 (1) of the Regulation are met, providing the data subject's personal data in a structured, commonly used and machine-readable format.
OPTIX may transmit the personal data directly to another controller where this is technically feasible.
4.2.6 Right of objection
OPTIX, as a personal data controller, enables the data subject, at any time and on grounds relating to his or her particular situation, to object to the processing of personal data relating to him or her, including profiling.
OPTIX undertakes to cease processing the personal data unless there are compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or the processing is needed for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data relating to him or her for such marketing, including profiling to the extent that it is related to direct marketing.
Where the data subject objects to processing for direct marketing purposes, the processing of personal data for these purposes ceases.
4.2.7 Rights in automated decision-making, profiling
OPTIX, in its role as controller, informs the data subject, where such processing takes place, of the existence of automated decision-making, including profiling (Article 22 of the Regulation), and provides meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data relating to him or her for such marketing, including profiling to the extent that it is related to direct marketing.
5. Registers of processing activities
5.1 List of registers
OPTIX, as a controller, creates and maintains the following internal registers of processing activities:
- Staff Register
- Job Applicants Register
- Video Surveillance Register
- Visitors Register
- Clients Register
- Providers Register
- Health and Safety Register
OPTIX, as a processor, creates and maintains the following internal registers of processing activities:
- Staff Register
- Job Applicants Register
- Clients Register
- Providers Register
- Health and Safety Register
5.2 Register contents
The internal registers of the company's personal data processing activities contain the following information:
- The name and contact details of the controller / processor and, where applicable, of any joint controllers / processors, the controller's representative and the Data Protection Officer, if any;
- The purposes of the processing;
- A description of the categories of data subjects and of the categories of personal data;
- The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
- Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and the documentation of the appropriate safeguards;
- The envisaged time limits for erasure of the different categories of data;
- General description of the technical and organizational security measures.
6. Requirements for staff working with personal data
6.1 General requirements
Every employee of OPTIX who is engaged in the processing of personal data is obliged:
- To process personal data lawfully and fairly;
- To use the personal data to which they have access in accordance with the purposes for which the data were collected, and not to process them further in a manner incompatible with those purposes;
- To perform accurately and in a timely manner their obligations (if any) to update or delete personal data;
- To apply all necessary personal data protection measures to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services;
- To report immediately, in accordance with the established procedure, any weaknesses and events related to the security of personal data;
- If any dispute concerning personal data arises, to seek assistance from the Data Protection Officer, if any, or from the competent employees of the company before taking any action;
- To know and observe the external regulations in force governing the processing of personal data;
- To know and observe the internal documents of the company relating to the management of personal data;
- To participate in all activities related to training and to building or maintaining a level of awareness and competence with regard to personal data.
6.2 Data Protection Officer
6.2.1 General
OPTIX appoints a Data Protection Officer.
The Data Protection Officer may also perform other tasks and duties, provided that they do not give rise to a conflict of interest.
The Company ensures that the Data Protection Officer is involved, properly and in a timely manner, in all matters relating to the protection of personal data.
The Company assists the Data Protection Officer in the performance of his or her specific tasks by providing the resources needed to perform those tasks and access to personal data and processing operations.
The Company assists the Data Protection Officer in the performance of his or her specific tasks by supporting the maintenance of his or her expert knowledge.
The Company ensures that the Data Protection Officer does not receive any instructions regarding the performance of these tasks, in view of his or her independence and impartiality.
The Data Protection Officer cannot be dismissed or penalized by the OPTIX management for performing his or her tasks.
The Data Protection Officer reports directly to the Chief Executive Officer.
Data subjects may contact the Data Protection Officer on any matter relating to the processing of their personal data and the exercise of their rights under the Regulation.
6.2.2 Rights and obligations
The Data Protection Officer has the following powers:
- To inform and advise employees who carry out processing of their obligations under the applicable legal requirements and the Regulation;
- To monitor compliance with the Regulation, with other personal data protection provisions in Bulgaria and the EU, and with the internal documents of OPTIX concerning the protection of personal data;
- To monitor and control the assignment of responsibilities, the awareness-raising and training of personnel involved in the processing operations, and the related audits;
- To provide advice, on request, regarding the data protection impact assessment and to monitor its performance;
- To cooperate with the supervisory authority, the CPDP (Commission for Personal Data Protection);
- To act as a contact point for the CPDP on issues relating to processing, including prior consultation, and to consult, where appropriate, on any other matter;
- To have due regard to the risks associated with the processing operations, taking into account the nature, scope, context and purposes of the processing;
- To maintain secrecy or confidentiality concerning the performance of his or her tasks.
7. Complaints, inquiries and requests for personal data
The Commission is an auxiliary body tasked with managing the process of handling customer complaints, inquiries from state authorities, and requests for personal data, in line with the services undertaken by the company.
The Commission is appointed by order of the Executive Director and has the following indicative composition, which may be expanded and further specified:
- Chairman -
- Member - Deputy Director
- Member - Head of Department
- Member - Specialist
The Commission meets at least once a month and whenever necessary. The Commission may invite specialists to its meetings and engage them for specific actions whenever necessary.
The Commission has the following responsibilities:
- Considers requests, complaints and inquiries and decides on how they are to be handled;
- Controls the time limits for their handling;
- Reviews and proposes for approval the answers to received requests, complaints and inquiries;
- Keeps a register and files complaints, inquiries and requests;
- Clarifies controversial issues;
- Seeks assistance from legal consultants or the CPDP;
- Seeks assistance from the Data Protection Officer (if any);
- Takes steps to improve the process.
8. Impact assessment on the protection of personal data
8.1 General considerations
An impact assessment on the protection of personal data is mandatory when:
- The processing falls under the List of Types of Processing Operations for which an Impact Assessment on the Protection of Personal Data is required, as prepared and published by the Personal Data Protection Commission;
- The processing is carried out for profiling purposes;
- There is a high risk to the rights and freedoms of individuals arising from:
  - The use of new technologies;
  - The nature, scope and context of the processing;
  - The purposes of the processing.
When an Impact Assessment on the protection of personal data is performed, the opinion of the Data Protection Officer is sought where so required.
The Impact Assessment on the protection of personal data follows the guidelines of ISO/IEC 29134.
When the impact assessment on the protection of personal data shows that the processing would generate a high risk to the rights and freedoms of individuals, OPTIX must:
- Consult the Personal Data Protection Commission before processing;
- Take risk mitigation measures.
The impact assessment on the protection of personal data serves the company as:
- A form of early warning for identifying previously hidden weaknesses in the processing of personal data;
- A method for identifying issues before they are raised by supervisory authorities or competitors.
8.2 Execution
An impact assessment on the protection of personal data includes the following actions:
- Preparation of a systematic inventory of the processing operations envisaged;
- Preparation of an inventory of the purposes of the processing;
- Establishment of the grounds for the lawfulness of the processing;
- Assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- Assessment of the risks to the rights and freedoms of data subjects;
- Establishment of measures to address the risks and to comply with the requirements of the Regulation.
The Impact Assessment on the protection of personal data takes into account compliance with approved Codes of Conduct (Article 40 of the Regulation) where OPTIX has adhered to them.
Where appropriate and applicable, OPTIX may seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.
OPTIX carries out a review to assess whether the processing is being performed in accordance with the Impact Assessment on the protection of personal data whenever there is a change in the risk associated with the processing operations.
9. Ensuring security for personal data
9.1 General considerations
OPTIX implements technical and organizational measures to ensure the necessary level of security for the personal data it processes.
The Company ensures a demonstrably high level of protection and guarantees:
- The main properties of information: confidentiality, integrity, availability;
- The resilience of processing systems and services: continuity, availability, reliability;
- Maintenance of the level of security by regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures;
- Prevention of unauthorized access to personal data by applying adequate measures where necessary: pseudonymization, encryption, anonymization, randomization.
OPTIX holds certificates of compliance with information security standards (ISO 27001).
OPTIX applies an effective method for assessing the risks to the rights and freedoms of data subjects arising from the processing of their personal data.
The main risks considered are:
- Accidental or unlawful destruction of data;
- Irrecoverable loss of data;
- Unauthorized or incorrect alteration of data;
- Unauthorized disclosure of, or access to, data.
The Company ensures that its personal data processors are properly qualified and equipped to perform such processing securely and in accordance with the legal requirements and the internal rules of the company.
The Company maintains records and documentation that ensure and demonstrate compliance with the requirements of the Regulation.
9.2 Security breach actions
The company uses automated means to monitor data processing activities and to identify vulnerabilities, events and security incidents in a timely manner. These means are also used to document any personal data breach, including the facts relating to it, its consequences and the actions taken to address it.
In the event of a personal data breach that may result in a violation of the rights and freedoms of data subjects, OPTIX informs the Personal Data Protection Commission within 72 hours of the occurrence of the breach.
In the event of a personal data breach, OPTIX informs the controller (if any) immediately after the breach has been established.
When a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, OPTIX immediately undertakes the following:
- Objectively assesses whether the data protection measures previously taken ensure that the confidentiality of the data is maintained;
- Takes follow-up measures to ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
- Assesses the effort required to notify each individual whose data are affected by the breach;
- Depending on the results of the actions described above and in compliance with the requirements of the Regulation, takes one of the following actions:
  - Takes no action to notify the data subjects;
  - Immediately notifies the data subjects of the breach;
  - Issues a public communication or takes a similar measure whereby the data subjects are informed in an equally effective manner.