The current policy for personal data protection (hereinafter referred to as the “Policy”) regulates the activities for processing personal data by SENIORA LTD, UIC 160137403, with address of management Plovdiv, 26 Bulair Str. (hereinafter referred to as the “Company”), to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “the Regulation”), as well as with all other applicable regulations on personal data protection. This Policy applies to issues of personal data protection for which there is no other regulation under other acts of the Company.
1. Information about the Company
NLFORYOU is a trademark owned by SENIORA LTD, UIC 160137403, with registered office: District: Plovdiv, 26 Bulair Str. (Hereinafter referred to as the “Company”). For the purposes of the legislation in the field of data protection, the company is an administrator in the processing of personal data.
2. Terms and abbreviations used
All terms and abbreviations that are not explicitly defined in the Policy have the meaning defined in the Regulation.
3. Personal data processing activities
3.1. Principles of personal data processing
The processing of personal data by the Company is subject to the principles of lawfulness, fairness and transparency, and to data minimisation. The personal data processed is limited to what is necessary in relation to the purposes for which it is processed. Personal data is collected for specific, explicit, and legitimate purposes and is not further processed in a way incompatible with those purposes. Personal data is accurate and, if necessary, kept up to date. Personal data shall be stored in a form that allows the identification of the data subject for a period not longer than necessary for the purposes for which the personal data is processed. Personal data shall be processed in a way that ensures an appropriate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss.
3.2. Categories of data subjects, categories of personal data and purposes of the processing
3.2.1. The company has the right to process personal data about its customers, employees, and other data subjects as follows:
- customers (individuals) of the Company in its main activity of offering and trading in products, in respect of which personal data may be processed such as IP address, e-mail address, telephone number, MAC address, address (postal and delivery), information on invoicing and acceptance of bank payments, etc. The processing purposes for this category of subjects include: (i). acceptance, processing, and execution of orders for the products and / or services offered by the Company, including the use of the website of the Company; (ii). storage of tax and accounting registers; (iii). compliance with legislative requirements; (iv). goals related to the legitimate interests of the Company; (v). purposes for which the data subject has consented to the processing of their data;
- potential, current and / or former employees of the Company, and individuals who are or have been in a contractual relationship with the Company under civil contracts; candidates for work or for concluding a civil contract as external contractors - individuals who are not in employment or contractual relations with the Company but wish to enter into such, in respect of which personal data may be processed such as the three names, PIN / LNC / official number, date of birth, address, data on previous work or professional experience, education and qualification, disciplinary responsibility exercised, bank account information (IBAN, when paying by bank transfer), contact details (telephone number, e-mail address), other data required by the applicable legislation for the conclusion and execution of an employment or civil contract, data from logs or from the activity of the persons in the systems maintained by the Company in order to perform the functions assigned to them (e.g. systems for entering orders), IP address, etc. The processing purposes in respect of this category of subjects include: (i). assessing the possibility of, concluding, and executing an employment or civil contract with the data subjects; (ii). storage of tax and accounting registers; (iii). compliance with legislative requirements; (iv). goals related to the legitimate interests of the Company; (v). purposes for which the data subject has consented to the processing of their data;
- co-contractors and partners - individuals under contracts for advertising and promotion of products offered by the Company, for which the Company may collect personal data in the form of photographic images. The processing purposes in respect of this category of subjects include: (i). fulfillment of contracts for advertising or promotion; (ii). goals related to the legitimate interests of the Company; (iii). purposes for which the data subject has consented to the processing of their data;
- other natural persons and natural persons-representatives or contact persons of legal entities who have contact with the Company (including, but not limited to suppliers, business contacts, subcontractors, business partners, etc.) for the purposes of implementation and / or management of the activity of the Company;
- other individuals, representatives by law or power of attorney, of individuals - clients of the Company.
3.2.2. The Company retains personal data for the periods necessary to comply with applicable laws and regulations, or for another period according to the requirements applicable to the commercial activity of the Company or to its activity as an employer or assignor under civil contracts. The processing of personal data is based on the principle of data minimisation, depending on the services provided to and used by the respective client.
3.2.3. Categories of data recipients
The Company may disclose personal data of the following persons:
- service providers - consultants, lawyers, accountants, IT specialists, etc., in connection with the conclusion of contracts in the main activity of the Company, compliance with legal requirements, technical support, etc.;
- subcontractors - when providing services on behalf of the Company (distributors, etc.), in connection with the conclusion and execution of contracts for trade with the products offered by the Company;
- persons providing services for the provision and maintenance of equipment, software, and hardware used for processing (including storage) of personal data, for reporting payments, etc.;
- banks, to service payments by data subjects;
- public and / or judicial bodies, in and to the extent permitted and / or required by law.
3.2.4. Obligations of the Company
The company has the following obligations:
- determines the policies and procedures for the protection of the processed personal data according to the applicable legislation;
- puts in place appropriate technical and organizational measures with a view to the effective application of the data protection principles and to ensure that, by default, only personal data which are necessary for the relevant purpose of the processing are processed;
- ensures the exercise of the rights of the subjects for personal data protection;
- updates the maintained databases, monitors compliance with the protection requirements, establishes circumstances related to breaches of protection and takes measures for their elimination;
- maintains personal data in a form that allows the identification of the relevant subjects for a period not longer than necessary for the purposes for which such data is processed;
- informs the employees on the issues of personal data protection as appropriate;
- assists in the implementation of the control functions of the Commission for Personal Data Protection (hereinafter referred to as "CPDP");
- determines the rights of employees for access to personal data in the information systems according to the purposes of the processing;
- uses personal data processors that provide sufficient guarantees through the application of appropriate technical and organizational protection measures;
- observes certain rules in case of breach of personal data security;
- documents breaches of personal data security in accordance with applicable law;
- carries out a risk assessment in accordance with the requirements of the Regulation, and respectively an impact assessment if the conditions for this under the Regulation are met.
4. Obligations of the employees of the Company. Responsibility. Confidentiality
The employees of the Company start processing personal data after getting acquainted with: the legislation in the field of personal data protection; the Policy and other internal acts of the Company related to the protection of personal data; and the dangers for the personal data processed by the Company.
4.1. The employees of the Company are obliged to:
- to comply with the requirements of the Regulation, other applicable legislation in the field of personal data protection, the Policy and other internal acts of the Company related to the protection of personal data;
- to process personal data only where a condition for lawful processing is present, namely: a legal ground for the processing; or a ground for the processing which arises from the contractual relationship with the person or is necessary for the possible conclusion of a contractual relationship with the person; or a ground for the processing which results from the express consent of the person; or a ground for the processing arising from the legitimate interest of the Company or a third party in accordance with the requirements of the Regulation;
- to use personal data in accordance with the purposes for which they are collected and not to further process them in a manner incompatible with those purposes;
- not to use the personal data to which they have access in their capacity as employees of the Company, for any personal purposes;
- to comply with the rule of preventing any possibility of unauthorized access to personal data and not to leave accessible personal data unattended at the respective workplace. In premises to which outsiders have access, the employees concerned are obliged to take measures so that outsiders do not have any unauthorized access to documents containing personal data, including being able to view, copy or photograph them with a technical device;
- where the performance of the relevant activity allows, to limit the use of personal data to the maximum extent;
- to ensure and guarantee the observance of the rights of the subjects in connection with the processing of personal data;
- not to allow, assist or create conditions for security breaches in the processing of personal data; not to share or provide to each other or to third parties information essential for data security (their usernames, passwords for access to the systems, etc.);
- not to copy files with corporate information containing personal data on removable media in unencrypted (or in password-free) form;
- not to send by e-mail to e-mail addresses outside the Company information containing significant volumes of personal data, any special categories of personal data, or other personal data, unauthorized access to which may pose a high risk to the rights and interests of the data subjects to which they relate, in files that are not password-protected, encrypted or otherwise pseudonymised;
- not to publish personal data about clients or employees of the Company on public sites, etc., without having an adequate legal basis for this;
4.2 Responsibility of employees
All actions that lead or may lead to the unauthorized deletion, destruction, or modification of personal data received by the Company in electronic form or on paper, as well as the unauthorized sharing / disclosure of personal data by employees of the Company, are prohibited and may give rise to liability of the respective employee (disciplinary, administrative-penal and / or criminal, and / or civil).
4.3 The company:
- ensures the signing of a declaration of confidentiality and non-disclosure of personal data by all employees who process personal data;
- informs the employees who process personal data of their obligations related to this processing.
4.3.1. Maintaining a Register of personal data processing activities as an administrator
According to the requirements of art. 30, para. 1 of the Regulation, the Company keeps a Register of processing activities as an administrator, which contains the name and contact details of the Company. The register includes a detailed description of all activities for processing personal data according to Art. 30, para. 1 of the Regulation, including the following characteristics: name of the activity (business process, function) for processing; processing purposes; the categories of natural persons for whom personal data are processed; the categories of personal data that are processed in the respective activity; third parties who receive or otherwise participate in the processing of personal data in the activity concerned; where applicable, the transfer of personal data to a third country outside the EU; the envisaged time limits for storage and deletion of the different categories of personal data, where possible; a general description of the technical and organizational security measures, where possible.
4.3.2. Maintaining a Register of personal data processing activities as a processor
In case, given the activities of the Company, the need arises for it to maintain a Register of the activities for processing personal data as a processor within the meaning of Art. 30, para. 2 of the Regulation, the Company will create and maintain such a Register in the type, volume, and content required by the applicable legislation.
4.3.3. Data protection officer
The Company will designate a Data Protection Officer (hereinafter referred to as the DPO) if such appointment is or becomes necessary under the applicable legal requirements for personal data protection.
4.3.4. Rights of data subjects
The company ensures the exercise of the following rights of data subjects:
- right to information when collecting personal data from the data subject;
- right of access to the data subject's data, in particular: (i). confirmation whether personal data of the data subject is processed by the Company; (ii). providing access to the data through a copy of the data that are being processed, as well as information about the purposes of the processing; the categories of personal data; the recipients or categories of recipients to whom the personal data is or will be disclosed; the terms for storage of personal data; the existence of the right to correct or delete personal data or to restrict the processing of personal data, or to object to the processing; the right to appeal to the CPDP; the sources of the personal data; the existence of automated decision making, including profiling;
- right of correction - to request the correction or completion of their personal data, if it is inaccurate or incomplete; the right to delete personal data where the grounds provided for in the Regulation are present;
- right to limit processing;
- right to data portability;
- right to object;
- the right of the data subject not to be the subject of a decision based solely on automated processing, including profiling, which gives rise to legal consequences or otherwise affects them substantially;
- giving, changing or withdrawing consent for the processing of personal data when the basis for the processing is the consent of the data subject.
- data subjects may exercise their rights by submitting a written application to the Company in one of the following ways:
- by e-mail to firstname.lastname@example.org, signed with a qualified electronic signature in accordance with the Electronic Document and Electronic Certification Services Act (hereinafter "QES");
- by mail to the contact address of the Company, by sending an application with a notarized signature to ensure identification of the applicant; where the application is submitted by a legal representative of the applicant or by a representative with a notarized power of attorney, the application should also contain a notarized signature of the signatory.
Applications shall be considered without undue delay. Within one month from the submission of the application, the Company notifies the data subject of the actions taken on the application, respectively of the reasons for not taking action and of the possibility to file a complaint to a supervisory body and seek protection in court. If action is taken on the application, the period for notifying the data subject of such action may be extended to a total of three months, taking into account the complexity and number of applications. In this case, the Company notifies the data subject of the extension within the initial one-month period.
The information (which may vary depending on which right of the data subject is exercised) is provided on paper personally to the data subject or to his legal or authorized representative with an explicit notarized power of attorney. If the application is submitted by e-mail, the information is also provided by e-mail to the e-mail address from which the submitted application originates, in password-protected files.
5. Consent of the data subject as a basis for processing
5.1. The basis
In cases where the basis for the processing of personal data is consent within the meaning of the Regulation, consent should be given in person by written declaration, in electronic form, or by another means specified by the Company, ensuring that consent is freely given, specific, informed, and unambiguous.
5.2. Data subjects
The Company may collect consents for all categories of data subjects for which personal data is processed, including customers, employees, and persons with whom the Company has entered into civil contracts for the provision of services or orders, etc.
The Company provides an opportunity for data subjects to easily change or withdraw their consent, without causing adverse legal consequences for them, when objectively there is a possibility to do so. Changes to or withdrawal of consent are carried out by the data subjects in the same manner in which the consent was collected. In case of partial or complete withdrawal of consent, when the processing of personal data is carried out on this basis, the Company may be unable to provide the service requested by the customer or to perform the activity for which it was necessary to provide personal data. The withdrawal of the consent shall not affect the lawfulness of the processing based on the given consent until the moment of its withdrawal.
5.4. Collecting consents
The consents are collected in one of the following ways:
- in person, in the contact office - for clients of the Company;
- by e-mail - for current employees;
- through a licensed postal operator with notarization of the statement of consent; or a statement of consent signed with QES, sent by e-mail.
5.5. Giving and withdrawing consents online
In cases where obtaining consent to the processing of personal data by the Company is required in view of the services provided by the Company which are requested or provided online, this consent is obtained (respectively, withdrawn) online as well.
The consents for personal data processing are registered and stored by the Company, in the form and volume in which such storage is possible.
5.6.1. Processing of personal data by the Company through a personal data processor
For the performance of its activity, the Company may use third parties (subcontractors, distributors, courier service providers, etc.) which are processors of personal data within the meaning of Art. 4, item 8 of the Regulation. Such processors may be:
- commercial companies;
- individuals employed on civil contracts.
When assigning the processing of personal data to a processor, the Company complies with the following requirements:
- processors are selected who provide sufficient guarantees for the application of appropriate technical and organizational measures for personal data protection;
- the conditions for personal data protection are settled in writing between the Company and the processor.
The contracts / agreements that the Company concludes with the processors of personal data determine and regulate:
- the subject and the term of validity, the purposes and the nature of the processing;
- the categories of data subjects whose personal data is processed;
- the type of personal data that the processor will process on behalf of the Company;
- the rights and obligations of the Company and the processor;
- the requirements for the technical and organizational protection measures that the processor should apply (no deviation from the level provided for in this Policy is allowed for the processor);
- the obligation of the processor to provide assistance according to art. 31-36 of the Regulation; the obligation of the processor to notify the Company without undue delay after becoming aware of a security breach;
- requirements to the processor and other obligatory conditions, according to art. 28, item 3 of the Regulation.
6. Rules for response in case of breach of personal data security
6.1. Detection of a security breach by an employee
In case of a security breach discovered by an employee of the Company, the employee shall immediately notify the management of the Company or the DPO, if one has been designated, in writing (and, if possible, also orally), providing the information available about the breach: the nature of the breach, the estimated time of its occurrence / commission, etc.
6.2. Security breach investigation and measures
Without undue delay, the Company should investigate the facts, analyze and assess the gravity of the breach, given the risk to the rights and freedoms of data subjects, the number of affected data subjects, etc., and propose appropriate remedial measures or, where elimination is impossible, measures to minimize the identified risks and possible adverse consequences.
6.3. Notification to the CPDP
In case of a security breach, the Company informs the CPDP within 72 hours of becoming aware of it, unless in the specific case it is unlikely that the security breach will pose a risk to the rights and freedoms of individuals.
6.4. Notification of data subjects
When the breach of security may lead to a high risk to the rights and freedoms of individuals, the Company shall communicate the personal data breach to the affected data subjects without undue delay. The notice shall describe the nature of the security breach and shall indicate at least: the name and contact details of the Company; a description of the possible consequences of the breach; a description of the measures taken or proposed by the Company to address the breach. The Company shall have the right not to communicate the breach to the data subjects concerned if:
6.4.1. it has taken appropriate technical and organizational security measures in advance and these measures have been applied to the affected data (e.g. encryption); and / or
6.4.2. it has subsequently taken measures to ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize; and / or
6.4.3. such communication would involve disproportionate effort. In this case, the Company makes a public announcement about the breach on its website and / or through the media in an appropriate manner.
The signals for breaches of personal data security are registered and stored by the Company.
7. Technical and organizational measures for personal data protection
7.1. Technical and organizational measures of the Company as an administrator
The Company provides in its activities the necessary technical and organizational measures to protect personal data from accidental or unlawful destruction or accidental loss, from unauthorized access, alteration, or distribution, as well as from other unlawful forms of processing. The types of protection are physical, personnel, documentary, protection of automated information systems and / or networks, and cryptographic protection.
7.2. Technical and organizational measures of the Company as a processor
In case the Company processes personal data as a processor for other controllers, the specific technical and organizational measures applied by the Company as a processor are determined in individual agreements with the respective controller. In the absence of such a determination, the Company will adhere to the technical and organizational measures it applies as an administrator.
7.2.1. Transfer of personal data outside the European Economic Area (EEA)
The Company may carry out international data transfers originating in the European Economic Area (EEA) when the European Commission has recognized a non-EEA country as providing an adequate level of data protection. For transfers to non-EEA countries whose level of protection is not recognized by the European Commission, the Company will either invoke a specific derogation applicable to the situation under the Regulation or apply one of the safeguards provided by the applicable legislation. In other cases, the transfer of personal data outside the EEA shall be based on the data subject's explicit consent to the proposed data transfer, obtained in compliance with the requirements of the Regulation.