Rules on the exercise of the rights of the data subjects

These rules (the Rules) stipulate the modalities under which natural persons whose personal data are processed by FICOSOTA Ltd (“Ficosota”) may exercise their rights in accordance with the data protection law.

Part 1: General principles

1.1 Ficosota processes and protects the personal data collected in its course of business fairly, lawfully and for the purposes for which they are collected.

1.2 The employees who carry out personal data processing for the purposes of product marketing, conclusion of contracts for procurement of goods, fulfilment of obligations under such contracts, as part of their employment obligations, shall adhere to the following principles when processing personal data:

i) The personal data are processed in a lawful and fair manner.

ii) The personal data are collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

iii) Personal data collected and processed in the process of human resources management shall be relevant, relating to and serving only the purposes they have been collected for.

iv) The personal data are accurate and, where necessary, kept up to date.

v) The personal data are deleted or rectified where it is ascertained that they are inaccurate or disproportionate to the purposes for which they are processed.

vi) The personal data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

1.3 The employees who carry out personal data processing undergo initial and regular training on data privacy and familiarize themselves with the applicable legislation.

Part 2: Definitions

The terms below shall have the following meanings:

“Personal data” means any information relating to an identified natural person or to a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Applicable legislation” means the legislation of the European Union and the Republic of Bulgaria which is relevant to the personal data protection;

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

“Data Subject” means an identifiable natural person, that is, one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Regulation (EU) 2016/679” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), published in the Official Journal of the European Union on 4 May 2016.

Part 3: Rights of the data subjects

The data subjects have the following rights in respect of their personal data:

i) Right of access;

ii) Right to rectification;

iii) Right to data portability;

iv) Right to erasure;

v) Right to erasure (‘right to be forgotten’);

vi) Right to restriction of processing;

vii) Right to object to the processing of personal data;

viii) Right of the data subject not to be subject to a decision based solely on automated processing, regardless of whether the processing includes profiling.

Right of access

2.1. Upon request, Ficosota shall provide the data subject with the following information:

i) information as to whether Ficosota is processing or is not processing data of the person concerned;

ii) a copy of the person’s personal data being processed by Ficosota, and

iii) an explanation about the data being processed

2.2. The explanation under item 2.1 (iii) above shall include the following information about the personal data being processed by Ficosota:

i) the purposes of the processing;

ii) the categories of personal data concerned;

iii) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

v) the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

vi) the right to lodge a complaint with a supervisory authority;

vii) where the personal data are not collected from the data subject, any available information as to their source;

viii) the existence of automated decision-making, regardless of whether the processing includes profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

ix) where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer

2.3. The explanation about the data being processed shall contain information which Ficosota provides to data subjects by means of privacy notices.

3.1. Upon request of the data subject, Ficosota may submit a copy of the personal data being processed.

3.2. Upon submission of a copy of personal data, Ficosota shall not disclose the following categories of data:

i) personal data of third parties, unless they have granted their express consent thereto;

ii) data which are trade secret, intellectual property or confidential information;

iii) any other information protected under the applicable legislation

3.3. Providing data subject with access shall not have adverse effect on the rights and freedoms of third parties or result in Ficosota’s non-compliance with its statutory obligation.

4.1. In the cases where the access requests are apparently unfounded or excessive due to their repeatability, Ficosota may charge a reasonable fee based on the administrative expenses incurred for information provision or it may refuse to respond to such access request.

4.2. Ficosota shall decide on a case by case basis whether a request is apparently unfounded or excessive or not.

4.3. If Ficosota refuses access to personal data, it shall present arguments supporting its refusal and inform the data subject of his/her right to file a complaint to the Commission for Personal Data Protection.

Right to rectification

5.1. Data subjects may demand that their personal data, which are processed by Ficosota, be rectified if they are inaccurate or incomplete.

5.2. If the request for personal data rectification has been complied with, Ficosota shall notify the other recipients to whom data have been disclosed (for example state authorities, service providers), so that they can reflect the changes.

Right to erasure (‘right to be forgotten’)

6.1. Upon request, Ficosota shall be obligated to erase personal data, if any of the following grounds exists:

i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

ii) the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;

iii) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;

iv) the data subject objects to the processing of personal data for direct marketing purposes;

v) the personal data have been unlawfully processed;

vi) the personal data have to be erased for compliance with a legal obligation to which Ficosota is subject;

vii) the personal data have been collected in relation to the offer of information society services to children within the meaning of Article 8(1) of Regulation (EU) 2016/679

6.2. Ficosota shall not be obligated to erase the personal data if their processing is required:

i) for exercising the right of freedom of expression and information;

ii) for complying with a legal obligation to which Ficosota is subject;

iii) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of Regulation (EU) 2016/679;

iv) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of Regulation (EU) 2016/679, in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

v) for the establishment, exercise or defence of legal claims.

Right to restriction of processing

7.1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

i) the accuracy of the personal data is contested by the data subject; the restriction of processing applies for a period enabling the controller to verify the accuracy of the personal data;

ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

iii) Ficosota no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

iv) the data subject has objected to processing on the grounds of the legitimate interest of Ficosota and verification whether the legitimate grounds of the controller override those of the data subject is pending.

7.2. Ficosota may process personal data, whose processing is restricted, only for the following purposes:

i) for data storage

ii) with the consent of the data subject;

iii) for the establishment, exercise or defence of legal claims;

iv) for protection of the rights of another natural person; or

v) on important grounds of public interest

7.3. If a data subject has requested restriction of processing and if any of the grounds under item 7.1 above exists, Ficosota shall inform the data subject prior to revocation of the restriction of processing.

The right to data portability

8.1. The data subject shall have the right to receive the personal data concerning him/her, which he/she has provided to Ficosota, in a structured, commonly used and machine-readable format.

8.2. Upon request, such data may be transmitted to another controller appointed by the data subject, where technically feasible.

8.3. The data subject may exercise his/her right to data portability in the following cases:

i) processing is based on the data subject’s consent;

ii) processing is based on a contractual obligation;

iii) the processing is carried out by automated means.


8.4. The right to data portability shall not adversely affect the rights and freedoms of others.

Right to object

9.1. The data subject shall have the right to object to Ficosota’s processing of his/her personal data, if such data are processed based on any of the following grounds:

i) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

ii) processing is necessary for purposes related to the legitimate interests of Ficosota or a third party;

iii) data processing includes profiling

9.2. Ficosota shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Right to object to the processing of personal data for direct marketing purposes

10.1. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data for such marketing, including to profiling to the extent that it is related to such direct marketing.

10.2. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Right to obtain human intervention in case of automated decision-making

11.1. If Ficosota makes automated individual decisions, irrespective of whether such decisions have been made using profiling or not, and they result in legal consequences for any natural persons or affect them considerably in a similar way, such persons may request re-examination of the decision, with human intervention, and may express their point of view.

11.2. Ficosota shall provide the natural persons subject to automated decision-making with substantial information about the logic involved, as well as the significance and the envisaged consequences of such processing for the person.

Part 4: Modalities for the exercise of the rights of the data subjects

12.1. Data subjects may exercise their rights under these Rules by submitting a request for the exercising of the respective right.

12.2. Data subject’s requests for the exercising of rights may be submitted as follows:

i) Electronically to the following email address: dpo@ficosota.com

ii) Personally in an office of Ficosota

iii) By post – at the address of the headquarters of Ficosota: Shumen, 48, Madara Blvd., Bulgaria

12.3. Requests for the exercising of rights related to personal data protection shall include the following information:

i) The person’s identification – name and Personal Identification Number

ii) Feedback details – address, telephone, e-mail

iii) Request – description of the request

12.4. Ficosota shall provide information about the measures taken in relation to the data subjects’ requests for the exercising of rights, within one month from receipt of such a request.

12.5. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests filed by the person concerned. Ficosota shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

12.6. Ficosota shall not be obligated to respond to a request, if it cannot identify the data subject.

12.7. Ficosota may request provision of additional information necessary for confirming the data subject’s identity if there are reasonable doubts concerning the identity of the natural person making the request.

12.8. Where the request is made by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

12.9. These Rules shall become effective on 25.05.2018.