PERSONAL DATA PROTECTION POLICY
GENERAL FRAMEWORK
The Registry Agency is an executive agency under the Minister of Justice. It is a legal entity with headquarters in Sofia and with registry offices in the seats of district courts. The Registry Agency was established on 31 July 2004 with the adoption of §27 of the Law for Amendment and Supplement of the Cadastre and Property Register Act (prom. SG No. 36 of 30 April 2004) and the Rules of Procedure of the Agency (SG No. 63 of 20 July 2004, in force as of 31 July 2004).
The Registry Agency keeps the Commercial Register and the Register of Non-Profit Legal Entities, in accordance with the provisions of the Commercial Register and Register of Non-Profit Legal Entities Act. The Commercial Register and the Register of Non-Profit Legal Entities is a common electronic database containing the circumstances entered by law and the acts announced by law for traders and branches of foreign traders, non-profit legal entities and branches of foreign non-profit legal entities.
The Registry Agency organizes the work on the establishment and maintenance of the Property Register. The Agency provides the liaison between the Property Register and other registers, ensures the development and technical improvement of the Property Register. In the performance of its functions for keeping the Property Register, the Agency creates and maintains a central archive in electronic form of real estate accounts and entered acts with documents attached thereto. Registrations, notes and deletions are made in the registry offices in the court district of the respective district court by an order of the registry judge in respect of properties. The registry offices make inquiries and issue certificates for the registrations, as well as other activities of keeping and maintaining the Property Register.
The Registry Agency keeps and maintains the BULSTAT Register as a unified electronic centralized register and carries out activities for entries in it, as well as issuance of statements and certificates for the entered circumstances. The BULSTAT register includes legal entities which are not traders and are not non-profit legal entities in the sense of the Non-Profit Legal Entities Act and are subject to entry in the Commercial Register, respectively in the Register of the Non-Profit Legal Entities, foreign persons which are not traders and are not non-profit legal entities, as well as commercial representation offices of foreign persons under Art. 24 of the Investment Promotion Act and foreign legal entities. Natural persons exercising a free profession or craft activity, foreign natural persons who do not have a personal identification number or foreigner’s identification number and who carry out commercial activity or provide independent personal services in the country, including through a place of economic activity or a certain base or site, own real estate in the country or are insurers or pledgers within the meaning of the Special Pledges Act, as well as other natural persons who are insurers are subject to entry in the BULSTAT Register.
The Register of Property Relations of Spouses is a single centralized electronic database containing information about marriage contracts and about the applicable legal regime of property relations of spouses. The register also includes the changes in the regime of property relations between spouses, as well as amendment and termination of a marriage contract noted in a certificate of marriage. The Family Code regulates three regimes of property relations of spouses: legal regime of community; legal regime of separation and contractual regime. The Register of Marital Property Relations is the fourth national electronic register administered by the Registry Agency. The register is public, inquiries and certificates are made for the selected regime of property relations.
The Registry Agency performs its functions of keeping and maintaining the national electronic registers under strict normative regulation of the activities for creation, maintenance and keeping of the electronic registers. In fulfillment of these functions and tasks assigned to it by the relevant normative acts such as the Commercial Register and Register of Non-Profit Legal Entities Act, the Cadastre and Property Register Act, etc., as well as the applicable by-laws, the Registry Agency processes personal data of natural persons that, in its capacity as controller in fulfillment of a legal obligation applicable to data controllers or in exercise of official powers, it collects, processes, stores or shares in accordance with the requirements and in compliance with the principles and provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as GDPR, the Personal Data Protection Act (amended and supplemented, SG No. 17 of 26.02.2019), as well as other normative acts related to the protection of personal data of natural persons.
INFORMATION ABOUT THE DATA CONTROLLER
The Registry Agency is an executive agency under the Minister of Justice. Secondary authorizing officer with headquarters in 1111 Sofia city, Sofia Municipality, 20 Elisaveta Bagryana St.
In his capacity of controller within the meaning of Art. 4, item 7 of the GDPR, the Registry Agency applies the relevant technical and organizational measures to ensure the lawful processing of personal data of natural persons, in compliance with the principles and requirements of the legislation on processing and protection of personal data of data subjects - applicants, natural persons who are representatives of traders and non-profit legal entities, natural persons subject to entry in the relevant registers, users of the services offered by the Agency, employees, visitors to the building of the headquarters of the Registry Agency, etc.
DEFINITIONS
For the purposes of this policy:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
SUBJECT
Art. 1. This policy aims to present in a clear and accessible way information on personal data processing activities, as well as information on the main parameters of personal data processing, including:
- the identity and the contact details of the controller and, where applicable, of the controller’s representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
- the recipients or categories of recipients of the personal data, if any;
- where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation;
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
- where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the right to lodge a complaint with a supervisory authority;
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
- the existence of automated decision-making, including profiling, resp. meaningful information about the logic involved, as well as the significance and the envisaged consequences in case the data controller performs such processing.
Art. 2. This data protection policy (General Framework) applies to all personal data processing activities and operations performed by the controller, as well as to all services offered by the Agency, regardless of the legal basis for data processing. With regard to the activities for processing personal data in connection with the implementation of the functions of keeping and maintaining electronic registers, the following apply: Personal Data Protection Policy regarding the Commercial Register and the Register of Non-Profit Legal Entities, Personal Data Protection Policy regarding the Property Register, Personal Data Protection Policy regarding the BULSTAT Register and Personal Data Protection Policy regarding the Register of Property Relations of Spouses.
Art. 3. With this Personal Data Protection Policy, the Registry Agency declares that in carrying out the activities of personal data processing of natural persons, it applies the relevant technical and organizational measures ensuring an appropriate level of data protection in compliance with the following principles:
- personal data are processed lawfully, in good faith and in a transparent manner with regard to the data subject (“lawfulness, good faith and transparency”);
- personal data are collected for specific, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, shall not be considered incompatible with the original purposes (“limitation of purposes”);
- personal data are appropriate, related to and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
- personal data are accurate and, where necessary, kept up to date; all reasonable measures must be taken to ensure the timely deletion or correction of inaccurate personal data, taking into account the purposes for which they are processed (“accuracy”);
- personal data are stored in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods in so far as they are processed solely for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, provided that the appropriate technical and organizational measures provided for in this regulation in order to guarantee the rights and freedoms of the data subject (“storage restriction”) are applied;
- personal data are processed in a way that ensures an appropriate level of security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, applying appropriate technical or organizational measures (“entirety and confidentiality”).
Art. 4. With this Personal Data Protection Policy, the controller declares that it applies appropriate technical and organizational measures to ensure lawful processing of personal data of natural persons and that it is able to prove lawful processing of data in accordance with the principle of accountability.
Art. 5. The Registry Agency collects and processes personal data of natural persons in connection with:
- executing the functions and performing the tasks of creating, maintaining and keeping the Commercial Register and the Register of Non-Profit Legal Entities, the Property Register, the BULSTAT Register and the Register of Property Relations of Spouses, fulfilling of the legal obligations in connection with the entry of circumstances subject to entry and acts subject to be announced;
- providing services such as inquiries, provision of certificates, certified transcripts, etc. regarding entered circumstances and announced acts, in fulfillment of normatively regulated obligations in view of the public nature of the registers kept by the Agency;
- providing other services such as free or paid notification by SMS, etc.;
- registration and processing of complaints, signals and proposals submitted by natural persons to the Registry Agency
- employment and civil-law relationships to which the Registry Agency is a party;
- contractual relations with partners and contractors, insofar as the preparation, conclusion and execution of contracts requires the processing of personal data of natural persons;
- providing security in the controller’s building, as well as in connection with ensuring internal order and security;
- the operation of devices, websites and applications through which the Registry Agency provides services.
CATEGORIES OF PERSONAL DATA PROCESSED BY THE CONTROLLER
Art. 6. As a data controller, the Registry Agency collects and processes the following categories of personal data:
- in connection with executing the functions and performing the tasks of creating, maintaining and keeping the Commercial Register and the Register of Non-Profit Legal Entities, the Property Register, the BULSTAT Register and the Register of Property Relations of Spouses, fulfilling of the legal obligations in connection with the entry of circumstances subject to entry and acts subject to be announced:
- physical identity data – names, PIN/FIN, date and place of birth, data from identity document, signature, address, telephone, e-mail for contact of natural persons representing traders and non-profit legal entities, branches of foreign traders and branches of foreign non-profit legal entities; physical identity data of persons subject to entry in the BULSTAT Register, data on the natural person owner of a property, physical identity data of persons entered in the RMPR;
- economic identity data – property rights, resp. limited real rights over real estate;
- social status data – documents for civil status of natural persons;
- professional activity data – practiced profession, craft regarding the natural persons subject to entry in the BULSTAT Register (diplomas are also submitted in the Commercial Register - e.g. for completed education and acquired specialty by doctors, upon registration of medical establishments pursuant to the Medical Establishments Act, etc.).
- in connection with providing services such as inquiries, provision of certificates, certified transcripts, etc. regarding entered circumstances and announced acts, in fulfillment of normatively regulated obligations in view of the public nature of the registers kept by the Agency:
- physical identity data – names, PIN/FIN, date and place of birth, data from identity document, signature, address, telephone, e-mail for contact of natural persons applying for services in connection with the identification of applicants, as well as in connection with the authentication of natural persons using registered access to the database of the respective electronic registers.
- in connection with providing other services such as free or paid notification by SMS, etc.:
- physical identity data – names, PIN/FIN, date and place of birth, data from identity document, signature, address, telephone, e-mail for contact of natural persons applying for the respective service.
- in connection with registration and processing of complaints, signals and proposals submitted by natural persons to the Registry Agency:
- physical identity data – names, PIN/FIN, date and place of birth, data from identity document, signature, address, telephone, e-mail for contact of natural persons – complainants, resp. natural persons submitting signals and proposals.
- in connection with the conclusion, implementation and termination of employment and civil-law relationships to which the Registry Agency is a party:
- physical identity data – names, PIN/FIN, date and place of birth, data from identity document, signature, address, telephone, e-mail of job applicants, resp. participants in competition or selection procedures, employees of the Agency and natural persons parties to civil-law relationships;
- data on acquired education and professional qualification – document for acquired educational degree, qualification, legal capacity;
- data on labour and/or professional activity/identity – professional biography, documents certifying work experience;
- data on health status and state of health – data from medical examinations, medical opinions, hospital records for sick leaves, decisions of TEMC and NEMC;
- data on convictions and offenses – criminal record;
- data in connection with the performance of labour, resp. employment relationship – data from an attestation procedure, imposed disciplinary sanctions, awards, etc.;
- data in connection with the fulfillment of the obligations under the Counter-Corruption and Illegal Assets Forfeiture Act – introductory and annual declaration, declaration regarding change in declared circumstances;
- economic status data – bank account, data on imposed seizures, etc.
- in connection with contractual relations with partners and contractors, insofar as the preparation, conclusion and execution of contracts requires the processing of personal data of natural persons:
- physical identity data – names, PIN/FIN, date and place of birth, data from identity document, signature, address, telephone, e-mail;
- economic status data – bank account.
- in connection with providing security in the controller’s building, as well as in connection with ensuring internal order and security:
- physical identity data – names, PIN/FIN, date and place of birth, data from identity document for persons visiting the Agency’s premises;
- video surveillance data – video recordings from technical means for surveillance of the Agency’s premises.
- in connection with the operation of devices, websites and applications through which the Registry Agency provides services:
- technical data – IP addresses, MAC addresses, device name, browsing history;
- “cookies” (detailed information about cookies can be found in the relevant section)
PURPOSES
Art. 7. As a data controller, the Registry Agency collects, processes and stores, and, in cases of legal grounds, transmits personal data of natural persons in connection with:
- Entry, deletion and announcement of circumstances subject to entry and acts subject to announcement in the Commercial Register and the Register of Non-Profit Legal Entities.
- Making inquiries about the presence or absence of an entered circumstance or announced act in the Commercial Register and the Register of Non-Profit Legal Entities.
- Provision of services in connection with the keeping and maintenance of the Commercial Register and the Register of Non-Profit Legal Entities – free or paid SMS notification, reservation of a name, etc.
- Provision of registered access to the database of the Commercial Register and the Register of Non-Profit Legal Entities.
- In connection with registration in the Property Register, according to the provisions of the Cadastre and Property Register Act.
- In connection with the provision of information on the entries in the account of a property, a transcript or extract from it or a certificate of an entered or unentered circumstance.
- Provision of registered access to the database of the Property Register.
- Registration and deletion in the BULSTAT Register.
- Making an inquiry for the presence or absence of a circumstance entered in the BULSTAT Register.
- Entry of circumstances subject to entry in the RMPR.
- Human resources management, financial and accounting activities
- Execution of civil-law relationships to which the Agency is a party.
- Execution of contracts with partners and contractors.
- Provision of security and safety of employees and visitors in the Agency’s premises, protection of the controller’s property.
- Verification of user profiles, authentication of users, improvement of the quality of the electronic services provided by the Registry Agency.
LEGAL GROUNDS FOR PERSONAL DATA PROCESSING
Art. 8. In connection with the fulfillment of the requirement for legality of the processing, the Registry Agency processes personal data of natural persons as follows:
- For executing the functions and performing the tasks of creating, maintaining and keeping the Commercial Register and the Register of Non-Profit Legal Entities, the Property Register, the BULSTAT Register and the Register of Property Relations of Spouses, fulfilling of the legal obligations in connection with the entry of circumstances subject to entry and acts subject to be announced – Art. 6(1)(c) and (e) of the GDPR, in relation to compliance with a legal obligation to which the controller is subject and in the exercise of official authority vested in the controller. Personal data of natural persons are processed in connection with compliance with a legal obligation and exercise of official authority vested in the controller in view of the provisions of the Commercial Register and Register of Non-Profit Legal Entities Act, the Cadastre and Property Register Act, the BULSTAT Register Act, the Commercial Law, the Non-Profit Legal Entities Act, the Family Code and the applicable by-laws, such as Ordinance No. 1 of 14.02.2007 on keeping, storing and accessing the Commercial Register and the Register of Non-Profit Legal Entities, the Regulations for Entries, etc.
- For providing services such as inquiries, provision of certificates, certified transcripts, etc. regarding entered circumstances and announced acts, in fulfillment of normatively regulated obligations in view of the public nature of the registers kept by the Agency – Art. 6(1)(c) and (e) of the GDPR, in relation to compliance with a legal obligation to which the controller is subject and in the exercise of official authority vested in the controller. Personal data of natural persons are processed in connection with compliance with a legal obligation and exercise of official authority vested in the controller in view of the provisions of the Commercial Register and Register of Non-Profit Legal Entities Act, the Cadastre and Property Register Act, the BULSTAT Register Act, the Commercial Law, the Non-Profit Legal Entities Act, the Family Code and the applicable by-laws, such as Ordinance No. 1 of 14.02.2007 on keeping, storing and accessing the Commercial Register and the Register of Non-Profit Legal Entities, the Regulations for Entries, etc.
- For providing other services such as free or paid notification by SMS, etc. – 6(1)(a) – the subject gives a consent to the processing of personal data concerning him or her for a specific purpose.
- For registration and processing of complaints, signals and proposals submitted by natural persons to the Registry Agency – Art. 6(1)(c) – fulfillment of a legal obligation applicable to the controller in connection with the need for identification of complainants and for establishing a contact with the natural persons submitting complaints, signals and proposals.
- In connection with employment and civil-law relationships to which the Registry Agency is a party – Art. 6(1)(C) – fulfillment of a legal obligation applicable to the controller in connection with the conclusion, implementation and termination of employment and civil-law relationships in view of the provisions of the Labour Code, the Civil Servant Act, the applicable by-laws on employment legal relations, the Social Insurance Code, the Health Insurance Act, the Corporate Income Tax Act, the Personal Income Tax Act, etc.
- For performance of contractual relations with partners and contractors, insofar as the preparation, conclusion and execution of contracts requires the processing of personal data of natural persons – Art. 6(1)(b) and (c) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract and processing is necessary for compliance with a legal obligation to which the controller is subject – Obligations and Contracts Act, Public Procurement Act, etc.
- For providing security in the controller’s building, as well as in connection with ensuring internal order and security – Art. 6(1)(f) – processing is necessary for the purposes of the legitimate interests pursued by the controller.
- Regarding the operation of devices, websites and applications through which the Registry Agency provides services – Art. 6(1)(c) – compliance with a legal obligation to which the controller is subject in connection with the provision of electronic services for keeping and maintaining the electronic registers, as well as in connection with the electronic application for entry, deletion and announcement of circumstances subject to entry and acts subject to announcement, resp. Art. 6(1)(a) – on the basis of the consent of subjects regarding the provision of electronic services such as an application for free or paid SMS notification, etc., as well as on the grounds of Art. 6(1)(f) – processing is necessary for the purposes of the legitimate interests pursued by the controller regarding verification of user profiles, authentication of users, improvement of the quality of the electronic services provided by the Registry Agency, etc.
Art. 9. (1) In cases where the processing of personal data is based on the consent of the data subjects, the same is a freely expressed, informed, specific and unambiguous indication of the will of the data subject in relation to a specifically indicated purpose.
(2) The data subject has the right to withdraw his or her consent at any time, as the withdrawal of the consent does affect the legality of the processing based on a given consent before its withdrawal. Depending on the way of providing the service, the consent can be given during the visit of the natural person in the controller’s premises in connection with an application for use of the respective service or electronically.
Art. 10. The Registry Agency does not process personal data that are provided by a data subject without having a legal basis under Art. 6 of the GDPR or in contradiction with the principles under Art. 5 of the same Regulation. Within one month of learning, the controller returns the personal data, and if this is impossible or requires a disproportionate effort – deletes or destroys them.
Art. 11. The Registry Agency does not process personal data of children (in the Commercial Register, in case of inheritance, certificates for heirs containing data of persons, as well as birth certificates of minors are attached), except in cases when such processing is in compliance with a legal obligation to which the controller is subject.
Art. 12. In its capacity of a data controller providing services electronically, the Registry Agency takes appropriate technical and organizational measures that do not allow the personal identification number or foreigner’s identification number to be the only means of identification or authentication of the user when providing remote access to the respective service.
Art. 13. In its capacity of an employer, the Registry Agency sets a period for storage of personal data of participants in recruitment and selection procedures which is not longer than 6 months, unless the candidate has given his or her consent for storage for a longer period. After the expiration of this period, the controller deletes or destroys the stored documents with personal data, unless a special law contains a provision that provides otherwise.
MANNER OF PERSONAL DATA PROCESSING, PROVISION OF PERSONAL DATA TO THIRD PERSONS, PERIODS FOR STORAGE OF PERSONAL DATA
Art. 14. In connection with the performance of its functions and tasks, the provision of services, in connection with human resources management activities, the conclusion and implementation of contracts, the provision of security and safety, the provision of services electronically, the Registry Agency collects and processes personal data, as follows:
- on a hard copy by filling in an application in connection with entry, deletion or announcement in the electronic registers kept by the Agency;
- on a hard copy by filling in an application for providing an inquiry, certificate, transcript or certified transcript regarding the presence or absence of an entered circumstance, resp. announced act, in the electronic registers kept by the Agency;
- on a hard copy in connection with the submission of an application for the provision of services;
- on a hard copy by filling in the legally required documents in connection with the emergence, performance and termination of an employment or civil-law relationship to which the Agency is a party;
- on a hard copy in connection with the conclusion and implementation of contracts with partners and contractors;
- by filling in an application electronically in connection with entry, deletion or announcement in the electronic registers kept by the Agency;
- by filling in an application electronically for providing an inquiry, certificate, transcript or certified transcript regarding the presence or absence of an entered circumstance, resp. announced act, in the electronic registers kept by the Agency;
- by filling in data electronically in connection with the identification/authentication of users of services provided by the Agency who use services with registered access to the databases of the electronic registers kept by the Agency;
- by filling in an application electronically for the provision of services;
- by entering data in videos from technical means of surveillance and security;
- by processing data for IP address, MAC address and cookies.
Art. 15. With this Personal Data Protection Policy, the Registry Agency, in its capacity of data controller, declares that it does not provide personal data of natural persons without their explicit consent to third persons/parties, except when necessary to fulfill a legal obligation to which the controller is subject or in the event that there is a legal basis for the provision of such data.
Art. 16. The Registry Agency may provide information representing personal data to law enforcement agencies and institutions in response to lawful requests.
Art. 17. In order to fulfill legal requirements, assumed obligations under contractual and/or pre-contractual relations with natural persons, the Registry Agency may provide personal data to the following categories of persons:
- other data controllers such as companies providing postal and courier services, banks, etc.
- data processors who process personal data on behalf of the controller, in compliance with the requirements of the GDPR on data processors, only in pursuance of a written order by the data controller, such as an occupational medicine service regarding personal data of employees, persons under civil-law relationship, to persons providing cloud services, persons performing maintenance activities on the Agency’s website, the electronic services portal, etc.
Art. 18. The transfer of personal data of natural persons to natural and legal persons established in countries and international organizations outside the EU and the EEA is carried out in compliance with the requirements provided for in Regulation (EU) 2016/679, namely: where for the respective country or international organization, the existence of an adequate level of protection has been established by a decision of the EC; in the presence of an alternative legal mechanism to ensure compliance with the requirements of Regulation (EU) 2016/679; in the presence of other grounds (derogations) provided for in Regulation (EU) 2016/679, such as the explicit consent of the data subject.
Art. 19. (1) Depending on the purposes for which personal data under Art. 6 of this Policy are processed, the period of storage of personal data varies. Personal data that are collected and processed by the Registry Agency in fulfillment of a legal obligation to which the controller is subject and in the exercise of official authority are stored for the period specified in the relevant law or in view of the statute of limitations.
(2) The personal data processed in fulfillment of contractual obligations are stored for the terms provided in the respective contracts and with a view to the observance of the legal requirements for exercising rights and bringing claims, as well as in connection with the observance of terms provided for in special laws such as the Public Procurement Act.
(3) In case data are processed on the basis of consent of the data subject, they are stored for a period relevant to the purposes for which they have been collected and processed, resp. in connection with the specific service provided to the natural person. After the expiration of the specified periods and in case there is no legal basis related to the information subject to archiving for continuation of the storage of personal data, the information (the records on electronic media and hard copy) are destroyed.
RIGHTS OF NATURAL PERSONS - DATA SUBJECTS
Art. 20. Every natural person who is a data subject has the right:
- to obtain confirmation from the controller whether personal data relating to him or her are being processed and, if so, to obtain access to the data and the following information on the purposes of the processing, the relevant categories of personal data, the recipients or the categories of recipients before whom personal data have been or will be disclosed, in particular recipients in third countries or international organizations. Where possible, the envisaged period for which personal data will be stored and, if this is not possible – the criteria used to determine this period, as well as the existence of the right to require the controller to correct or delete personal data or restrict processing of personal data relating to the data subject, or to object to such processing, the right to appeal to a supervisory authority. In cases where personal data are not collected from the data subject, any available information on their source, as well as information on the existence of automated decision-making, including profiling, as well as essential information on the logic used and the meaning and intended consequences of this processing for the data subject.
- to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed.
- to obtain from the controller the erasure of personal data concerning him or her where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR;
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR;
In cases where the processing of personal data is in connection with the observance of a legal obligation to which the controller is subject, for the performance of a task of public interest and in the exercise of official authority vested in the controller, the data subject may not invoke the right to delete personal data relating to him or her.
- to obtain from the controller restriction of processing where the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; where the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; in cases where the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; as well as in cases where the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
- to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided
- to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article6(1) of the GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
- not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Art. 21. In cases where the natural person’s right of access to personal data relating to him or her may lead to the disclosure of personal data to third parties, the Registry Agency grants the natural person concerned access only to that part of the information which relates to him or her.
Art. 22. The Registry Agency may refuse to fully or partially exercise the rights of data subjects, as well as not to fulfill its obligation to inform according to Art. 34 of the GDOR, when the exercise of the rights or the fulfillment of the obligation would create a risk for:
- national security;
- defence;
- public security;
- the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
- other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security;
- the protection of judicial independence and judicial proceedings;
- the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
- the protection of the data subject or the rights and freedoms of others;
- the enforcement of civil law claims.
Art. 23. (1) The Registry Agency provides the information in connection with requests for exercising any of the rights under Art. 20 of this Policy free of charge.
(2) In case of manifestly unfounded and excessive requests by data subjects, the controller may determine an administrative fee for providing the requested information, resp. exercise of a right.
Art. 24. With the present Personal Data Protection Policy, the Registry Agency declares that it undertakes and applies the respective technical and organizational measures in connection with the assistance of data subjects in the exercise of the rights under Art. 21 of the Policy.
Art. 25. (1) The Registry Agency provides to data subjects information regarding the actions which it undertakes in connection with a request for exercise of rights within one month from the receipt of the request.
(2) If necessary, this period may be extended by another two months, taking into account the complexity and the number of requests.
(3) The controller informs the data subject of any such extension within one month from the receipt of the request, indicating also the reasons for the delay.
(4) When a data subject submits a request by electronic means, the information is provided by electronic means, if possible, unless the data subject has requested otherwise.
Art. 26. (1) Data subjects exercise their rights under Art. 21 of this Policy through a written application to the data controller.
(2) An application may also be submitted electronically under the conditions of the Electronic Document and Electronic Certification Services Act, the Electronic Government Act and the Electronic Identification Act.
Art. 27. An application containing a request for the exercise of a right should contain:
- name, address, personal identification number or foreigner’s identification number or other similar identifier, or other identification data of the natural person, as determined by the controller in connection with the activity performed by it;
- description of the request;
- preferred form for receiving information when exercising the rights under Art. 20 of this Policy;
- signature, date of submission of the application and mailing address;
- upon submission of an application by an authorized person, the power of attorney is attached to the application as well.
Art. 28. The rights referred to above are exercised by submitting a written application to the Registry Agency at the following address: 1111 Sofia city, Sofia Municipality, Slatina Region, 20 Elisaveta Bagryana St. or at the official e-mail address of the Agency office@registryagency.bg, in compliance with the conditions of the Electronic Document and Electronic Certification Services Act, the Electronic Government Act and the Electronic Identification Act.
Art. 29. Contact details of the data protection officer gdpr@registryagency.bg
Art. 30. (1) In case of a violation, natural persons also have the right to send inquiries and complaints to the supervisory body – the Commission for Personal Data Protection (CPDP).
(2) Contact details of the CPDP: 1592 Sofia city, 2 Prof. Tsvetan Lazarov Blvd., e-mail: kzld@cpdp.bg, website: www.cpdp.bg
NOTIFICATION OF CHANGES TO THIS PERSONAL DATA PROTECTION POLICY
Art. 31. The Registry Agency reserves the right to make changes and additions to this Policy. When making changes to the Policy, they will be timely reflected in it and made available to data subjects in the Personal Data Protection section on the website of the Registry Agency https://www.registryagency.bg/bg/za-agenciyata/zashita-na-lichnite-danni-gdpr-006/