When processing personal data by the Commission for Consumer Protection
This Privacy policy aims to inform you why and what personal data we collect in our capacity as a personal data controller, how we process and store it, including when it is necessary to disclose personal data to third parties, and what your rights are.
To contact the Commission for Consumer Protection (CCP):
Bulgaria, Sofia 1000, 1 Vrabcha str, 5th floor
Email: [email protected]
Website: www.kzp.bg
Data Protection Officer (DPO)
The contact details for the DPO of the Commission for Consumer Protection are:
Name: Valentin Slavilov - holder
Email address: [email protected]
Personal data is any information relating to an identified or identifiable natural person, directly or indirectly, by reference to an identification number or to one or more specific factors. Personal data is collected for specified, specific and legitimate purposes, processed lawfully and fairly and may not be further processed in a manner incompatible with those purposes.
Processing of personal data is any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Access to personal data in the CCP is carried out on a need-to-know basis. Only persons who:
a) process data in the performance of their official duties in accordance with the act/contract and/or the job description for the relevant position;
b) are authorized by an express act of the Chairman of the CCP;
c) implement contracts/agreements concluded with the CCP.
Access to personal data is provided after familiarizing individuals with the regulatory framework in the field of personal data protection.
Principles of personal data processing
The Commission for Consumer Protection processes personal data in strict compliance with the principles set out in Article 5 of the Regulation, as follows:
- Legality, good faith and transparency;
- Limitation of goals;
- Data minimization;
- Accuracy;
- Storage restriction;
- Integrity and protection;
- Accountability.
Why do we process personal data?
The Commission for Consumer Protection processes personal data in connection with compliance with legal obligations, the exercise of official powers, the performance of tasks in the public interest, the legitimate interest of the Commission for Consumer Protection, archiving in the public interest, as well as for purposes for which the data subject (the natural person to whom the data relate) has consented to the processing of his or her data.
The information, which may contain your personal data, is processed for the following purposes:
1. Human resources:
- conducting competitions for civil servants and selecting individuals in connection with the conclusion of employment and civil contracts;
- emergence, amendment, existence and termination of service relationships and implementation of the legislation governing the civil service;
- conclusion, execution and termination of employment and civil contracts;
- administrative services and fulfillment of obligations under an existing legal relationship;
- conclusion, implementation and termination of agreements for conducting student internships.
2. Counterparties:
- verification and evaluation of the criteria set for the selection of candidates;
- conclusion and execution of contracts.
3. Applications under the Access to Public Information Act (APIA);
4. Video surveillance;
5. Complaints, signals and other requests.
What personal data do we process?
1. Human resources
For the purposes of human resources management, we process personal data of job applicants, interns, current and former employees of the CCP.
In the course of human resources management activities, data on the physical identity of individuals, data on education and qualifications, health data, contact data, as well as other data required by special laws regulating employment and service relationships, tax and insurance relationships, accounting of activities, safe and healthy working conditions, as well as social issues are processed.
Personnel selection procedures comply with the requirements of the special laws governing this activity.
The CCP processes and publishes, when required by law, personal data of civil servants and persons holding high public positions, in accordance with the Anti-Corruption Act. The declaration is kept in the employee's file.
The activities to ensure healthy and safe working conditions are regulated by a contract with an occupational health service in accordance with Regulation No. 3 of January 25, 2008 on the conditions and procedure for carrying out the activities of occupational health services.
In connection with the performance of employment or service relationships, only the personal data required by law are processed, which are stored within the time limits specified by labor and social security legislation.
The collected data is used only for the purposes specified above and is provided to third parties only in cases where this is provided for by law. In such cases, data may be provided, for example, to the National Revenue Agency, the Court of Auditors, the General Directorate of Labor Inspection and other public authorities, in view of their powers and competence.
The information is not stored outside the EU and the European Economic Area. The CCP provides appropriate technical and organizational measures to protect your personal data.
2. Counterparties
In the performance of its activities and in connection with its powers, the CCP processes personal data of individuals for the performance of contracts concluded by the CCP within the meaning of the Obligations and Contracts Act, the Public Procurement Act, the Commerce Act, etc.
Insofar as personal data of individual individuals are processed in connection with the performance of these contracts, information about them is processed in a minimal volume, sufficient only for the accurate performance of the obligations under the respective contract. Access to this information is provided to third parties only when specified in a special law.
The information is not stored outside the EU and the European Economic Area. The CCP provides appropriate technical and organizational measures to protect your personal data.
3. Applications under the Access to Public Information Act
In connection with the processing of applications under the APIA, information about individual data subjects is processed, which may contain data on the physical, economic, social or other identity of individuals. The CPA provides such information only and to the extent that it meets the purposes of the Access to Public Information Act.
The collected data is provided to third parties only in cases where this is provided for by law, for example to public authorities, in view of their powers and competence.
The information is not stored outside the EU and the European Economic Area. The CCP provides appropriate technical and organizational measures to protect your personal data.
4. Video surveillance
The CCP is subject to video surveillance for security purposes. Video recordings collected from video surveillance cameras containing video images of the movement of employees and visitors around the approaches to the CCP buildings, in the common areas and in the security areas are stored for a period of 2 weeks. Personal data may be processed for a longer period if this is necessary to achieve the relevant objectives or to protect the rights and/or legitimate interests (including in court) of the CCP or if the current legislation provides for the processing of data for a longer period.
Access to the data is granted to certain employees within the scope of their official duties. The collected data is provided to third parties only in cases where this is provided for by law, for example to public authorities, in view of their powers and competence.
The information is not stored outside the EU and the European Economic Area. The CCP provides appropriate technical and organizational measures to protect your personal data.
5. Complaints, reports and other requests
Complaints, signals and other requests in connection with the exercise of the powers of the CCP are submitted in accordance with the terms and conditions of the current legislation.
When processing the information contained in complaints, reports and other requests submitted to the CCP, only personal data relevant to the specific case is processed.
Data that has become known to the commission in this regard may be provided to third parties only if provided for by law.
The information is not stored outside the EU and the European Economic Area. The CCP provides appropriate technical and organizational measures to protect your personal data.
What are your rights?
You have the right to exercise your rights under Articles 15-22 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the Regulation) before the Commission for Consumer Protection, regarding the personal data that the CCP processes for you, namely:
1. Right to information – right to receive information regarding the processing of your personal data by the Commission for Consumer Protection;
2. Right of access:
- to receive confirmation whether your personal data is being processed;
- to obtain access to your processed personal data and information regarding their processing in accordance with the Regulation.
3. Right to rectification – the right to request the correction or completion of your personal data if it is inaccurate or incomplete;
4. Right to erasure (the right to be forgotten) – the right to request the deletion of your personal data if the grounds for this provided for in the Regulation are present;
5. Right to restrict the processing of personal data – right to request from the Commission for Consumer Protection to restrict the processing of your personal data within the framework provided for in the Regulation, if the grounds for this provided for therein are present;
6. Notification of third parties – the right to require the Commission for Consumer Protection to notify third parties to whom your personal data has been disclosed of any correction, erasure or restriction of the processing of your personal data, unless this is impossible or requires disproportionate efforts from the Commission for Consumer Protection;
7. Right to data portability – the right to receive the personal data concerning you in a structured, commonly used and machine-readable format and to transfer these data to another controller.
The specified right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The right to data portability applies when the following two conditions are simultaneously met:
- the processing is based on consent or the performance of a contract; and
- the processing is carried out in an automated manner.
If technically feasible, you have the right to obtain direct transfer of personal data from the Commission for Consumer Protection to another controller. The right to data portability may be exercised in a manner that does not adversely affect the rights and freedoms of others.
8. Rights in automated individual decision-making, including profiling - the right not to be subject to an automated decision based solely on automated processing (i.e. processing without human intervention), including profiling within the meaning of the Regulation, which produces legal effects concerning you or similarly significantly affects you, unless the grounds provided for in the Regulation are present and appropriate safeguards are provided to protect your rights and freedoms and legitimate interests.
Such guarantees include, at a minimum, the right to human intervention by the Commission for Consumer Protection, your right to express your point of view and challenge the decision.
9. Right to withdraw consent to processing – where the processing of personal data is based solely on your consent, you may withdraw your consent at any time. Such withdrawal shall not affect the lawfulness of the processing based on the consent given up to the moment of its withdrawal.
10. Right to object – You have the right at any time and on grounds relating to your situation to object to the processing of personal data concerning you, including profiling within the meaning of the Regulation, which is based on public interest, exercise of official authority or the legitimate interests of the Commission for Consumer Protection or a third party.
In these cases, the Commission for Consumer Protection will cease processing your personal data unless it proves that there are compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
How to exercise your rights
You may exercise the rights under Art. 15-22 of the Regulation in person or through a person expressly authorized by you (with a notarized power of attorney) by submitting a written application. The application should contain:
- the full name and address of the applicant;
- description of the request;
- preferred form of communication and contact details (telephone, e-mail address);
- signature and date of submission.
When submitting a request for the exercise of rights within the meaning of the Regulation to the CCP, it is necessary to identify yourself - by presenting an identity document (when submitting a request on site at the CCP building) or by qualified electronic signature (when submitting a request through the Electronic Document Portal of the CCP or by e-mail). The application for the exercise of rights can also be sent by mail with a return receipt, in which case the application should be notarized.
A response will be provided to you within the applicable time limits – up to one calendar month, which may be extended by a further two months, taking into account the complexity and number of requests. In the event that an extension of the time limit is necessary, you will be notified of the same, as well as of the reasons for the extension.
Personal data processed in connection with the consideration of individual requests will be used only for the purposes of exercising the aforementioned rights. In this regard, personal data may be provided to third parties only if provided for by law.
Do we transfer your personal data to a third country or international organization?
No. If a legal obligation to transfer them nevertheless arises, we will inform you in advance and apply the relevant legal instruments and measures for the specific case that guarantee the adequacy of the protection of your personal data.
Right to complain to a supervisory authority
Every data subject has the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State (EU/EEA) of his/her habitual residence, place of work or place of the alleged infringement, if he/she considers that the processing of his/her personal data infringes the provisions of the Regulation or other applicable data protection requirements.
Supervisory authority in the Republic of Bulgaria
The supervisory authority in the Republic of Bulgaria is the Commission for Personal Data Protection, address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd., website: www.cpdp.bg
Agreed by:
Paulina Shishkova
Acting Secretary General of the CCP
Prepared by:
Iliana Tsolova,
Director of the Directorate of the Human Rights Protection Agency