Personal Data Protection

The privacy of your personal data is of paramount importance to us. We protect the security of your information, which is why we have adopted policies and implemented processes that guarantee it. Please read the contents of this Notice to understand how and why we process your personal data and what your rights are. We want you to know that your personal data is in safe hands with us.

WHO ARE WE?

No matter whether you are a current or a future client, an employee of Iteco Ltd, or a random visitor to our website, we recognize and respect your privacy. The protection of your personal information during the entire process of personal data processing is an essential priority of ours. We process your data while preserving its privacy and in compliance with the statutory provisions applicable at national and European level.

Iteco Ltd is a company registered in the Commercial Register at the Bulgarian Registry Agency with UIC 200727763, with address: 16 Aleksandar Malinov Blvd, Floor 3, Office 2, Sofia 1784, Bulgaria, tel: +359 2 441 1451, email: office@iteco.bg, website: http://iteco.bg.
Iteco Ltd is a personal data controller according to the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “Regulation” or GDPR) and the Personal Data Protection Act.

This policy contains information on how we process personal data, the type of personal data that is collected, the purpose of using the collected personal data, the access of third parties to such data, the security measures to be taken with regard to the collection of personal data, as well as the options you have in connection with the use of the personal data you provide.

Iteco Ltd hereby informs its current and future clients and employees that it has secured the necessary measures for personal data protection, including an adequate level of security and privacy of the data processed thereby; that the personal data are being processed to an extent that is strictly needed for and proportional to the purposes of processing and that the personal data are:
• processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
• accurate and kept up-to-date with the option of timely erasure or rectification of personal data that are inaccurate, having regard to the purposes for which they are processed (“accuracy”);
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”);
• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

If you have any questions regarding our Policy or if you want to exercise your rights, please contact the Data Protection Officer using the following contact details: dpo@iteco.bg or the official address for correspondence.

DEFINITIONS

Our privacy and personal data protection policy should be legible and understandable for the general public, as well as our customers and business partners. To ensure this, we would like to first explain the terminology used. We use the following terms:

• Personal data
Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• Data subject
Data subject is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.
• Processing
Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.
• Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
• Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
• Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
• Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
• Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients;
• Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
• Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

CATEGORIES OF DATA SUBJECTS AND DATA

In connection with its services and business activities, the Company processes as a controller personal data of the following categories of data subjects:
• Clients, suppliers, as well as other commercial counterparties, with whom we have business relations;
• Complainants and enquirers, as well as individuals who contact us in any way, including via mail, phone or by providing feedback or an inquiry through our website;
• Individuals who have fallen within the scope of the video surveillance performed by the Company for safety and security purposes, as well as for protection of property;
• Employees and job applicants.

We process the following data about you:
• Identifying personal data:
The names of clients, employees and jobseekers of the company, data from identity documents, official personal identification numbers or any other unique elements that serve identification purposes (such as a personal ID No, personal ID No of a foreign citizen), mailing address, telephone numbers, emails.
• Data on orders and on completed transactions:
Clients' and employees' IBANs, client numbers of orders, payment orders.
• Data on your financial status:
Salaries/remunerations for employees, information about other income, information about disturbing messages.
• Data on social and family identity:
Marital status, family relationships, education, occupation, qualification, certification, professional experience and knowledge.
• Data on your online behaviour and preferences:
IP addresses, username, date of access, data on your visits to internal systems, the company’s public website and the applications which you use, as well as the devices that you use to access them, including the operating system and browser version which you use.
• Information on your interests and wishes that you share:
For example, through the contact form and the job application forms.
• Audio-visual data
Captured video images and movies taken inside and outside the premises of the company. The company observes the legal requirements for the use of video surveillance cameras and informs the subjects who come into the cameras' field of view by means of a visibly displayed sticker.
• Data on children
We process data on underage children such as name and date of birth only in cases where the company participates in a joint program with schools for providing specialized traineeship for pupils. We understand the importance of protecting children’s privacy, especially in an online environment. Our Site and Services are not designed for / or directed at children under the age of 16 years (“Minors”). We do not knowingly collect Personal Data from Minors.
• Health data are processed solely for the purpose of managing employment.
• Cookies - Our public website does not use cookies.

Iteco Ltd also processes personal data on behalf of other legal entities (in its capacity as a processor of personal data) when doing business on behalf of and for the account of another controller. In such cases, the processing by a processor shall be governed by a contract that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.

PURPOSES AND LEGAL BASIS FOR THE PROCESSING:

The Company processes personal data of data subjects for the purposes listed below where one of the alternative legal bases under GDPR exists:
• Processing is necessary for the performance of a contract or in order to take steps at the request of a data subject prior to entering into a contract;
• Processing is necessary for compliance with legal obligations in the field of labor, accounting, tax and social security legislation, as well as any other legal obligations applicable to the business activity of the Company;
• The data subject has given their explicit consent to the processing of his or her personal data for one or more specific purposes, such as for direct marketing, participation in activities organized by the Company, etc. Please, note, that any consent granted may be withdrawn by the data subject at any time;
• Processing is particularly necessary to process and evaluate job applications, make hiring decisions, communicate with job applicants and provide information on current and future career opportunities;
• Processing is necessary for the purposes of the legitimate interest pursued by us, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

DATA PROTECTION FOR RECRUITMENT PROCEDURES

The Company collects and processes personal data from applicants for employment opportunities with Iteco Ltd. The application may be submitted on paper or online via any recruitment portals or the Company’s website.

Through submission of your job application, you provide personal data on a voluntary basis and to the extent determined by you. However, some information (such as CV, educational and employment background, contact information, job qualifications) may be necessary for the Company to complete the evaluation process and, if it is not provided, the Company’s ability to consider you as a candidate may be limited. The retention period for personal data of job applicants is determined in accordance with the applicable law. For the purposes of the recruitment procedures we store job applicants’ personal data during the whole process of selection. If we conclude an employment contract with the applicant, the submitted data will be stored for the purpose of processing the employment relationship in compliance with legal requirements. If no employment contract is concluded with the job applicant, the application documents will be automatically erased within two months after notification of rejection of the application. If the job applicants give us their consent to keep their application details and consider them for future job opportunities with Iteco Ltd, we will store such data for 3 (three) years as of the date of receipt of the job application.

TO WHOM PERSONAL DATA IS SHARED OR DISCLOSED?

We believe your personal data is confidential and we value its privacy. Therefore, we pay close attention to processing which is related to disclosing or providing your personal data to third parties. Whenever we disclose your personal data, we do so because it is imperative to meet the above goals.

Depending on our relations, we may disclose your personal information to the following categories of recipients:
• We may share your personal data with third parties who process your data on our behalf when they provide services to us, such as legal services, accounting, audit, consultancy or other services necessary for our business activities. In the performance of these services the third-party suppliers may have access to your personal data but they are only authorized to process such data strictly on our behalf and in accordance with our written instructions;
• We may also disclose your personal data to third parties, if we reasonably believe that disclosure of such personal data is necessary to comply with valid legal obligations such as court orders, governmental requests and as otherwise authorized by law, to protect our rights or property, or the safety of our customers or employees, to advance or defend against complaints or legal claims or proceedings;
• We may also disclose your personal data to recipients who have legal powers to demand your personal data from the company, such as judicial authorities, law enforcement authorities and others.

TRANSFER OF PERSONAL DATA

We do not transfer your personal data to a third country or an international organisation outside the European Economic Area (“EEA”). In case we are required to undertake any transfer of personal data outside the EEA, we take all reasonably necessary steps to ensure that your personal data is treated securely and in accordance with this Privacy Policy and an adequate level of protection is applied to it, in particular through the implementation of standard contractual clauses approved by the European Commission or contractual clauses previously authorized by the relevant authority.

HOW LONG DO WE STORE AND PROCESS YOUR DATA BEFORE WE DESTROY THEM?

The company processes your personal data where there is a specific purpose necessitating such processing. Where the purpose no longer exists, the company shall cease processing and storing your personal data.
Depending on the basis for and purpose of processing of your personal data, their storage period may vary.
If you are our client and use the company products and services, we are legally obliged to store your personal data not only for the period of completion of our contractual relations but for a period of 5 years after their completion. If storing your personal data is necessary for pending procedures in which Iteco Ltd is a party (for example, court proceedings, administrative proceedings, handling your complaint against the company, etc.), then we will keep them until these proceedings are closed.
Where there is no legally defined period, the storage period may be shorter.
Captured video records shall be kept for 30 days. They may be stored longer if they shall be used as evidence for a crime or an irregularity.
The data of job applicants shall be stored for 3 years from their provision to the company. The period commences at the beginning of the calendar year that follows the year when the relevant data was provided.
Termination of a relationship between the employee and the Employer shall not result in the termination of the processing of personal data by the Employer.
In accordance with the requirements of the Labor Code, the Accountancy Act and the Ordinance on the Labor Book and the Work Experience, the Employer shall keep for at least 50 (fifty) years from the termination of the relevant employment relationship, the payroll, the employment contract and the documents certifying paid staff remuneration.
All other documents in the employee files are kept on paper or electronically for a period of 5 (five) years from the termination of the contract.

Upon the expiry of the said periods, your personal data shall be anonymized or destroyed in the electronic systems of the company. Paper-based files containing your data must be destroyed.

YOUR RIGHTS

• Right to access
You can always ask us whether we process your personal data and if so, to be informed about what information we store, why we store it and how we process it. You are also entitled to a copy of this information.
• Right to correct
We would like your personal data to be accurate and up-to-date. If any piece of your personal data is inaccurate or out-of-date, please inform us and we will correct it.
• Right to deletion (right to be forgotten)
You may ask the company to delete your personal data, but the relevant legal grounds should apply in order to fulfil the request. We will not delete any information about you that we are legally required to keep, or where we have grounds not to delete this information. We will have one month to answer your request. If we refuse to delete the information, we will provide the basis for our decision and the legal grounds for it.
• Right to restrict data processing
In certain cases, you may request the company not to process your personal data, including deleting them, in order to protect your legal claims.
• Right to objection
You have the right to object to this processing, including when it involves profiling, is for direct marketing purposes, or your personal data are subject to transfer to third parties.
• Right to withdraw your consent
The right at any time to withdraw your consent to personal data processing for the purposes you have consented to.
• Right to data portability
You may request the company to put your data in an electronic file and give it to you or to a third party. The data you can request may only be data we have received in connection with a contractual relation or with your consent and is automatically (electronically) processed.
• Right to lodge a complaint
If for any reason you are not satisfied with the company's actions in relation to your personal data, we would like you to tell us first in order to understand what the problem is and try to resolve it. Our Data Protection Officer will look carefully at your complaint and will answer all of your questions. Nevertheless, if you believe that you have not received adequate assistance from the company or that there is a violation of your rights, you have the right to complain to a supervisory authority. In the Republic of Bulgaria this authority is the Commission for Personal Data Protection.

You may exercise your rights at any time during the processing of your personal data. The company shall in all cases respond for free and without undue delay within one month of receipt of your request to exercise your rights.
That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The company shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.

HOW TO EXERCISE YOUR RIGHTS

You can exercise any of the abovementioned rights in person or via an explicitly authorised person at the company’s office, as well as electronically in accordance with the Electronic Document and Electronic Certification Services Act. We have created a special form to make it easier for you to exercise your rights.

ARE YOU OBLIGED TO PROVIDE US WITH YOUR PERSONAL DATA?

As explained, we collect personal data primarily due to legal obligations or for the needs of concluding and executing contracts as well. If you refuse to provide the personal data requested for the said purposes, Iteco Ltd. shall be unable to provide you with its products or services, and shall, respectively, be unable to enter into a contract with you, or to proceed with the performance of a contract we may have already signed with you.

AMENDMENTS TO PRIVACY POLICIES

Any amendments made to this Privacy and Personal Data Protection Policy shall be communicated by Iteco Ltd on its website at http://iteco.bg. The new documents shall be made available at the company’s office.

This Privacy and Personal Data Protection Policy was last updated on 21.05.2018.
