PERSONAL DATA PROTECTION POLICY REGARDING THE COMMERCIAL REGISTER AND THE REGISTER OF NON-PROFIT LEGAL ENTITIES
INTRODUCTION
The Commercial Register and the Register of Non-Profit Legal Entities are a common electronic database containing the circumstances entered by law and the acts announced by law for traders and branches of foreign traders, non-profit legal entities and branches of foreign non-profit legal entities. The Registry Agency maintains the Commercial Register and the Register of Non-Profit Legal Entities in accordance with the provisions of the Commercial Register and the Register of Non-Profit Legal Entities Act, Ordinance No. 1 of 14.02.2007 on keeping, storing and accessing the Commercial Register and the Register of Non-Profit Legal Entities (the Ordinance) and the Ordinance on the Procedure and Manner of Ex Officio Access to the Commercial Register and to Traders File. The Commercial Register and the Register of Non-Profit Legal Entities are public.
The Registry Agency is responsible for keeping, storing and accessing the Commercial Register and the Register of Non-Profit Legal Entities, as well as for the entries, deletions and announcements in them.
For each trader and branch of a foreign trader and for each non-profit legal entity and branch of a foreign non-profit legal entity, a file is maintained in electronic form. Application, documents certifying entered circumstances, announced acts and other documents which may also contain personal data for the identification of the persons representing or managing the trader or the non-profit legal entity are attached to the file. Circumstances and acts which are subject to entry and announcement are announced without the information representing personal data in the sense of Art. 4, item 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), except for information for which there is a legal obligation to enter/announce.
The Registry Agency performs its functions of keeping and maintaining the Commercial Register and the Register of Non-Profit Legal Entities under strict regulations. In fulfillment of these functions and tasks assigned to it by the relevant normative acts such as the Commercial Register and Register of Non-Profit Legal Entities Act, the Commercial Act, etc., as well as the applicable by-laws, the Registry Agency processes personal data of natural persons in fulfillment of a legal obligation applicable to data controllers or in exercise of official powers by collecting, processing, storing or sharing personal data in accordance with the requirements and in compliance with the principles and provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as GDPR, the Personal Data Protection Act (amended and supplemented, SG No. 17 of 26.02.2019), as well as other normative acts related to the protection of personal data of natural persons.
INFORMATION ABOUT THE DATA CONTROLLER
The Registry Agency is an executive agency under the Minister of Justice. Secondary authorizing officer with headquarters in 1111 Sofia city, Sofia Municipality, Slatina Region, 20 Elisaveta Bagryana St. The Registry Agency is managed and represented by an Executive Director.
In its capacity of controller within the meaning of Art. 4, item 7 of the GDPR, the Registry Agency applies the relevant technical and organizational measures to ensure the lawful processing of personal data of natural persons in fulfillment of its obligations and the authority granted for registration, maintenance, storage and access to the Commercial Register and to the Register of Non-Profit Legal Entities, as well as the effect of entries, deletions and announcements in them, in compliance with the principles and requirements of the legislation on processing and protection of personal data of data subjects - applicants, natural persons who are representatives of traders and non-profit legal entities.
DEFINITIONS
For the purposes of this policy:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
SUBJECT
Art. 1. This policy aims to present in a clear and accessible way information on personal data processing activities in connection with the maintenance, storage and access to the Commercial Register and the Register of Non-Profit Legal Entities, as well as the actions for entry, deletion and announcement in them, in connection with the provision of electronic administrative services, through the Unified Portal for Application for Electronic Services, including:
- data identifying the controller and its contact details;
- the contact details of the data protection officer;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing of personal data;
- where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
- the recipients or categories of recipients of the personal data, if any;
- where applicable, the presence of the controller’s obligation to transfer personal data to a third country or international organisation;
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
- where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the right to lodge a complaint with a supervisory authority;
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
- the existence of automated decision-making, including profiling, resp. meaningful information about the logic involved, as well as the significance and the envisaged consequences in case the data controller performs such processing.
Art. 2. This Personal Data Protection Policy regarding the Commercial Register and the Register of Non-Profit Legal Entities applies to all personal data processing activities and operations performed by the controller, as well as to all services offered by the Agency, regardless of the legal basis for data processing. Activities for data processing operations are present in all cases where, in compliance with a legal obligation applicable to the Registry Agency, entry is made of traders, branches of foreign traders, non-profit legal entities and branches of foreign legal entities and of the related circumstances for which it is provided by law that they are subject to entry (Article 4 of the Commercial Register and the Register of Non-Profit Legal Entities Act), as well as activities for announcing acts that refer to traders, branches of foreign traders, non-profit legal entities and branches of foreign non-profit legal entities for which it is provided by law that they are subject to announcement (Article 5 of the Commercial Register and the Register of Non-Profit Legal Entities Act). Activities and operations for processing personal data of natural persons are also present in cases of fulfillment of the obligation of the data controller to keep, maintain and provide access to the Commercial Register and the Register of Non-Profit Legal Entities in fulfillment of the obligation for providing free and unrestricted access to the database comprising the registers, according to Article 11 of the Commercial Register and the Register of Non-Profit Legal Entities Act.
Art. 3. With this Personal Data Protection Policy regarding the Commercial Register and the Register of Non-Profit Legal Entities, the Registry Agency declares that in carrying out the activities for processing personal data of natural persons related to the provision of electronic administrative services through the Unified Portal for Application for Electronic Services, it applies the relevant technical and organizational measures ensuring an appropriate level of data protection in compliance with the following principles:
- personal data are processed lawfully, in good faith and in a transparent manner with regard to the data subject (“lawfulness, good faith and transparency”);
- personal data are collected for specific, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, shall not be considered incompatible with the original purposes (“limitation of purposes”);
- personal data are appropriate, related to and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
- personal data are accurate and, where necessary, kept up to date; all reasonable measures must be taken to ensure the timely deletion or correction of inaccurate personal data, taking into account the purposes for which they are processed (“accuracy”);
- personal data are stored in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods in so far as they are processed solely for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, provided that the appropriate technical and organizational measures provided for in this regulation in order to guarantee the rights and freedoms of the data subject (“storage restriction”) are applied;
- personal data are processed in a way that ensures an appropriate level of security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, applying appropriate technical or organizational measures (“entirety and confidentiality”).
Art. 4. With this Personal Data Protection Policy, the controller declares that it applies appropriate technical and organizational measures to ensure lawful processing of personal data of natural persons and that it is able to prove lawful processing of data in accordance with the principle of accountability.
Art. 5. Every trader and every non-profit legal entity are obliged to request to be entered in the Commercial Register, respectively in the Register of Non-Profit Legal Entities, stating the circumstances subject to entry and presenting the acts subject to announcement. Pursuant to the normative obligations and in connection with the provision of the respective administrative electronic services, through the portal for electronic services, the Registry Agency collects and processes personal data of natural persons in connection with:
5.1. Registration, re-registration and changes of entered circumstances regarding traders, branches of foreign traders, non-profit legal entities and branches of foreign non-profit legal entities. Entry and deletion of circumstances in the Commercial Register and the Register of Non-Profit Legal Entities is made on the basis of an application form according to Annexes No. A1-A18, B1-B7, C1, C2-1, C2-2, C2-3, C2 -4, C2-5, C2-6, C3-1, C3-2 and C3-3 to the Ordinance. Announcement of acts in the Commercial Register and the Register of Non-Profit Legal Entities is made on the basis of an application form according to Annexes No. D1-D3 to the Ordinance.
Entry - information representing personal data of a natural person - applicant, as well as data of a natural person (sole owner of the capital, partner, manager, procurator, etc.) contained in the application is required/processed. Entry and deletion in the Commercial Register is made on the basis of an application form according to Annexes No. A1-A18, B1-B7, C1, C2-1, C2-2. C2-3. C2-4, C3-1, C3-2. C3-3, as well as G1 and H1 to the Ordinance.
Announcement - information representing personal data of a natural person - applicant, as well as data of a natural person (sole owner of the capital, partner, manager, etc.) is required/processed. Announcement of acts in the Commercial Register is made on the basis of an application form according to Annex No. D1 to the Ordinance.
Announcement of annual financial statements and declaration under Article 38 of the Accounting Act /Annexes No. D2 and D3 to the Ordinance/ - information representing personal data of a natural person - applicant is required/processed.
5.2. Entry of circumstances regarding procuracy, branch, pledge, attachment, liquidation and beneficial owners.
5.3. Entry of circumstances regarding transfer of a commercial enterprise, transformation and reorganization.
5.4. Announcement of acts.
5.5. Issuance of certificates.
5.6. Appointments of an expert, general inspector, controller, liquidator. In connection with activities for appointment of an expert, general inspector, controller and liquidator, personal data of the applicant (natural person) are required/processed, these being: three names, PIN, mailing address, contact phone number and e-mail.
5.7. Reservation of a name of a trader or a name of a non-profit legal entity. In connection with the provision of the service, personal data of a natural person - applicant are required/processed according to an application form. Reservation of a name of a trader or a name of a non-profit legal entity is made on the basis of an application form according to Annex No. E1 to the Ordinance.
5.8. Issuance of a certificate of legality according to form F1. In connection with the activities for issuing a certificate of legality, personal data of a natural person - applicant are required/processed according to an application form.
5.9. Entry, deletion and announcement of an act of a court, of another state body or a private bailiff.
5.10. Filing a complaint against a refusal.
5.11. Notification of a scanning error.
5.12. Request for correction of errors and omissions.
5.13. Certificates of good standing, entries, announcements, transcripts.
5.14. Certificate of reserved name.
5.15. Provision of the free SMS notification service.
5.16. Provision of the paid SMS notification service.
5.17 Provision of a free e-mail notification service.
5.18. Making an inquiry according to criteria of a natural person.
Art. 6. Personal data of natural persons users of electronic services are processed in each case in which the natural persons use the Unified Portal for Application for Electronic Administrative Services through a registered profile. Data are related to identification/authentication of the natural person.
CATEGORIES OF INDIVIDUALS - DATA SUBJECTS WHOSE PERSONAL DATA ARE PROCESSED IN CONNECTION WITH ACTIVITIES RELATED TO ENTRY, DELETION AND ANNOUNCEMENT, AND FOR ACTIVITIES AND SERVICES RELATED TO KEEPING AND MAINTAINING THE COMMERCIAL REGISTER AND THE REGISTER OF NON-PROFIT LEGAL ENTITIES
Art. 7. In connection with the entry, deletion and announcement of circumstances and acts concerning traders and non-profit legal entities, as well as in connection with activities for keeping and maintaining the registers, the Registry Agency, in its capacity of data controller, processes personal data of the following categories of individuals - data subjects:
7.1. applicant - a natural person, a representative of a trader or a non-profit legal entity;
7.2. applicant - another natural person in the cases provided by law;
7.3. applicant - natural person - procurator;
7.4. applicant - natural person - lawyer with an explicit power of attorney drawn up in accordance with the requirements of the Bar Act for representation before the Agency;
7.5. applicant - natural person - compiler of annual financial statements with a notarized power of attorney
Art. 8. In the account of the trader, the branch of a foreign trader, the non-profit legal entity or the branch of a foreign non-profit legal entity, applications and documents certifying entered circumstances, announced acts, as well as other documents that may contain personal identification data the persons representing or managing the trader or the non-profit legal entity are attached.
Art. 9. The Registry Agency processes personal data of natural persons which are contained in an act of a court, another state body or a private bailiff. In fulfillment of a legal obligation, according to Article 14 of the Commercial Register and the Register of Non-Profit Legal Entities Act, the Registry Agency announces the acts received ex officio from a court, other state bodies and a private bailiff in the account of the respective trader or non-profit legal entity.
Art. 10. In fulfillment of the obligation to provide free and unrestricted access to the database comprising the Commercial Register and the Register of Non-Profit Legal Entities in connection with the provision of electronic administrative services through the Unified Portal for Application for Electronic Administrative Services, the Registry Agency processes personal data of natural persons in connection with the application and use of the services provided by the Agency.
Art. 11. Registered access of natural persons to the database of the registers and to the services provided by the Registry Agency in connection with the activities for keeping and maintaining the registers is carried out through an electronic signature or a digital certificate provided by the Registry Agency.
CATEGORIES OF PERSONAL DATA PROCESSED BY THE CONTROLLER
Art. 12. In its capacity of data controller, in fulfillment of normatively established obligations and with a view to fulfilling the powers granted in keeping, maintaining and providing access to the Commercial Register and the Register of Non-Profit Legal Entities, the Registry Agency collects and processes the following categories of personal data of natural persons:
- in connection with executing the functions and performing the tasks of creating, maintaining and keeping the Commercial Register and the Register of Non-Profit Legal Entities, fulfilling of the legal obligations in connection with the entry of circumstances subject to entry or deletion and acts subject to be announced:
- physical identity data – names, PIN/FIN, date and place of birth, signature, address, telephone, e-mail for contact of natural persons applicants and natural persons representing traders and non-profit legal entities, branches of foreign traders and branches of foreign non-profit legal entities;
- in connection with providing services such as inquiries, provision of certificates, etc. regarding entered circumstances and announced acts, in fulfillment of normatively regulated obligations in view of the public nature of the registers kept by the Agency:
- physical identity data – names, PIN/FIN, date and place of birth, signature, address, telephone, e-mail for contact of natural persons applying for services in connection with the identification of applicants, as well as in connection with the authentication of natural persons using registered access to the database of the respective electronic registers.
- in connection with providing other services such as free or paid notification by SMS, e-mail notification, etc.:
- physical identity data – names, PIN/FIN, date and place of birth, signature, address, telephone, e-mail for contact of natural persons applying for the respective service.
- in connection with the operation of devices, websites and applications through which the Registry Agency provides services:
- technical data – IP addresses, MAC addresses, device name, browsing history;
- “cookies” (detailed information about cookies can be found in the relevant section)
PURPOSES
Art. 13. The activities for entry, keeping, storage and access to the Commercial Register and the Register of Non-Profit Legal Entities are carried out by the Registry Agency in compliance with the principles of publicity, application of equal criteria under equal conditions in compliance with legal provisions and principles, as well as the principles of promptness and procedural economy of the registration activity. As a data controller, the Registry Agency collects, processes and stores, and, in cases of legal grounds, transmits personal data of third persons in connection with:
- Entry, deletion and announcement of circumstances subject to entry and acts subject to announcement in the Commercial Register and the Register of Non-Profit Legal Entities.
- Making inquiries about the presence or absence of an entered circumstance or announced act in the Commercial Register and the Register of Non-Profit Legal Entities.
- Provision of services in connection with the keeping and maintenance of the Commercial Register and the Register of Non-Profit Legal Entities – free or paid SMS notification, e-mail notification, reservation of a name, etc.
- Provision of registered access to the database of the Commercial Register and the Register of Non-Profit Legal Entities.
- Verification of user profiles, authentication of users, improvement of the quality of the electronic services provided by the Registry Agency.
LEGAL GROUNDS FOR PERSONAL DATA PROCESSING
Art. 14. In connection with the fulfillment of the requirement for legality of the processing, the Registry Agency processes personal data of natural persons as follows:
- For executing the functions and performing the tasks of creating, maintaining and keeping the Commercial Register and the Register of Non-Profit Legal Entities, the Property Register in fulfilling the legal obligations in connection with the entry of circumstances subject to entry and acts subject to be announced – Art. 6(1)(c) and (e) of the GDPR, in relation to compliance with a legal obligation to which the controller is subject and in the exercise of official authority vested in the controller. Personal data of natural persons are processed in connection with compliance with a legal obligation and exercise of official authority vested in the controller in view of the provisions of the Commercial Register and Register of Non-Profit Legal Entities Act, the Commercial Law, the Non-Profit Legal Entities Act, the Family Code and the applicable by-laws, such as Ordinance No. 1 of 14.02.2007 on keeping, storing and accessing the Commercial Register and the Register of Non-Profit Legal Entities, etc.
With regard to the obligation for entry and deletion of circumstances subject to entry, resp. deletion, and announcement of acts, the following provisions apply:
Art. 4 of the Commercial Register and the Register of Non-Profit Legal Entities Act, according to which traders, branches of foreign traders, non-profit legal entities and branches of foreign legal entities and the related circumstances subject to entry as provided by law are entered in the Commercial Register and in the Register of Non-Profit Legal Entities.
Art. 5 of the Commercial Register and the Register of Non-Profit Legal Entities Act, according to which acts related to traders, branches of foreign traders, non-profit legal entities and branches of foreign legal entities which are subject to announcement as provided by law are announced in the Commercial Register and in the Register of Non-Profit Legal Entities. are announced
Art. 6 of the Commercial Register and the Register of Non-Profit Legal Entities Act - Every trader and every non-profit legal entity are obliged to request to be entered in the Commercial Register, respectively in the Register of Non-Profit Legal Entities, stating the circumstances subject to entry and presenting the acts subject to announcement.
Regarding the processing of personal data of natural persons in connection with an application for entry, deletion or announcement, the following provisions apply:
Art. 13, para. 1 of the Commercial Register and the Register of Non-Profit Legal Entities Act - Entry, deletion and announcement are made according to an application form.
Art. 13, para. 2 of the Commercial Register and the Register of Non-Profit Legal Entities Act - The application contains:
1. data about the applicant;
2. data about the trader, the branch of a foreign trader, the European association of economic interests, the non-profit legal entity and the branch of a foreign non-profit legal entity in the file of which entry, deletion or announcement is requested;
3. the circumstance subject to entry, the entry the deletion of which is requested, or the act subject to announcement;
4. signature of the applicant.
Regarding the type, form and content of the applications for entry, deletion and announcement, the provisions of Ordinance No. 1 of 14.02.2007 on keeping, storing and accessing the Commercial Register and the Register of Non-Profit Legal Entities are applicable.
Art. 13, para. 6 of the Commercial Register and the Register of Non-Profit Legal Entities Act - the documents, respectively the act subject to announcement, according to the requirements of the law are attached to the application. The documents are submitted in original, a transcript certified by the applicant or a notarized transcript. The applicant also submits certified copies of the acts subject to announcement in the Commercial Register, in which personal data, except those required by law, have been redacted.
Pursuant to the provision of Art. 13, para. 8 of the Commercial Register and the Register of Non-Profit Legal Entities Act requiring verification of the identity of the applicant or sender for acceptance of the application, submission of an application in the Unified Portal for Application for Electronic Administrative Services is done through identification/authentication of the natural person via registered access.
With regard to the processing of personal data of natural persons contained in acts of a court, other state bodies or a private bailiff which are subject to announcement, the following provisions apply:
Art. 14 of the Commercial Register and the Register of Non-Profit Legal Entities Act - in the cases provided by law, entry, deletion and announcement are made immediately on the basis of an act of a court, another state body and a private bailiff. In these cases, the act is sent to the Agency ex officio.
- For providing services such as inquiries, provision of certificates and other services, etc. regarding entered circumstances and announced acts, in fulfillment of normatively regulated obligations in view of the public nature of the registers kept by the Agency – Art. 6(1)(c) and (e) of the GDPR, in relation to compliance with a legal obligation to which the controller is subject and in the exercise of official authority vested in the controller. Personal data of natural persons are processed in connection with compliance with a legal obligation and exercise of official authority vested in the controller in view of the provisions of the Commercial Register and Register of Non-Profit Legal Entities Act, the Commercial Law, the Non-Profit Legal Entities Act, the Family Code and the applicable by-laws, such as Ordinance No. 1 of 14.02.2007 on keeping, storing and accessing the Commercial Register and the Register of Non-Profit Legal Entities, etc.
- For providing other services such as free or paid notification by SMS, etc. – 6(1)(a) – the subject gives a consent to the processing of personal data concerning him or her for a specific purpose.
- Regarding the operation of devices, websites and applications through which the Registry Agency provides services – Art. 6(1)(c) – compliance with a legal obligation to which the controller is subject in connection with the provision of electronic services for keeping and maintaining the electronic registers, as well as in connection with the electronic application for entry, deletion and announcement of circumstances subject to entry and acts subject to announcement, resp. Art. 6(1)(a) – on the basis of the consent of subjects regarding the provision of electronic services such as an application for free or paid SMS notification, etc., as well as on the grounds of Art. 6(1)(c) and (f) – processing is necessary for compliance with a legal obligation to which the controller is subject for verification of user profiles, authentication of users, improvement of the quality of the electronic services provided by the Registry Agency, etc.
Art. 15. (1) In cases where the processing of personal data is based on the consent of the data subjects, the same is a freely expressed, informed, specific and unambiguous indication of the will of the data subject in relation to a specifically indicated purpose.
(2) The data subject has the right to withdraw his or her consent at any time, as the withdrawal of the consent does affect the legality of the processing based on a given consent before its withdrawal. Depending on the way of providing the service, the consent can be given during the visit of the natural person in the controller’s premises in connection with an application for use of the respective service or electronically.
Art. 16. The Registry Agency does not process personal data that are provided by a data subject without having a legal basis under Art. 6 of the GDPR or in contradiction with the principles under Art. 5 of the same Regulation. Within one month of learning, the controller returns the personal data, and if this is impossible or requires a disproportionate effort – deletes or destroys them.
Art. 17. The Registry Agency does not process personal data of children, except in cases when such processing is in compliance with a legal obligation to which the controller is subject (for example, in fulfilling the legal obligation in case of inheritance, certificates for heirs containing data of persons, as well as birth certificates of minors are attached).
Art. 18. (1) In its capacity of a data controller providing services electronically, the Registry Agency takes appropriate technical and organizational measures that do not allow the personal identification number or foreigner’s identification number to be the only means of identification or authentication of the user when providing remote access to the respective service.
(2) For full access to the functionalities and services of the Unified Portal for Application for Electronic Administrative Services, it is necessary to register a user profile and attach to it an authentication tool (QES, certificate issued by the Registry Agency or PIC of the NRA).
MANNER OF PERSONAL DATA PROCESSING, PROVISION OF PERSONAL DATA TO THIRD PERSONS, PERIODS FOR STORAGE OF PERSONAL DATA
Art. 19. In connection with the performance of its functions and tasks, the provision of services, through the Unified Portal for Application for Electronic Administrative Services, the Registry Agency collects and processes personal data as follows:
- by filling in an application electronically in connection with entry, deletion or announcement in the Commercial Register and the Register of Non-Profit Legal Entities;
- by filling in data electronically in connection with the identification/authentication of users of services provided by the Agency who use services with registered access to the database of the Commercial Register and the Register of Non-Profit Legal Entities;
- by filling in an application electronically for the provision of other services;
- by processing data for IP address, MAC address and cookies.
Art. 20. With this Personal Data Protection Policy, the Registry Agency, in its capacity of data controller, declares that it does not provide personal data of natural persons without their explicit consent to third persons/parties, except when necessary to fulfill a legal obligation to which the controller is subject or in the event that there is a legal basis for the provision of such data.
Art. 21. The Registry Agency may provide information representing personal data to law enforcement agencies and institutions in response to lawful requests.
Art. 22. In order to fulfill legal requirements, assumed obligations under contractual and/or pre-contractual relations with natural persons, the Registry Agency may provide personal data to the following categories of persons:
- other data controllers such as companies providing postal and courier services, banks, etc.
- data processors who process personal data on behalf of the controller, in compliance with the requirements of the GDPR on data processors, only in pursuance of a written order by the data controller, such as an occupational medicine service regarding personal data of employees, persons under civil-law relationship, to persons providing cloud services, persons performing maintenance activities on the Agency’s website, the electronic services portal, etc.
Art. 23. The transfer of personal data of natural persons to natural and legal persons established in countries and international organizations outside the EU and the EEA is carried out in compliance with the requirements provided for in Regulation (EU) 2016/679, namely: where for the respective country or international organization, the existence of an adequate level of protection has been established by a decision of the EC; in the presence of an alternative legal mechanism to ensure compliance with the requirements of Regulation (EU) 2016/679; in the presence of other grounds (derogations) provided for in Regulation (EU) 2016/679, such as the explicit consent of the data subject.
Art. 24. (1) Depending on the purposes for which personal data under Art. 6 of this Policy are processed, the period of storage of personal data varies.
(2) In case data are processed on the legal basis of consent of the data subject, they are stored for a period relevant to the purposes for which they have been collected and processed, in connection with the specific service provided to the natural person. After the expiration of the specified periods and in case there is no legal basis related to the information subject to archiving for continuation of the storage of personal data, the information (the records on electronic media and hard copy) are destroyed.
RIGHTS OF NATURAL PERSONS - DATA SUBJECTS
Art. 25. Every natural person who is a data subject has the right:
- to obtain confirmation from the controller whether personal data relating to him or her are being processed and, if so, to obtain access to the data and the following information on the purposes of the processing, the relevant categories of personal data, the recipients or the categories of recipients before whom personal data have been or will be disclosed, in particular recipients in third countries or international organizations. Where possible, the envisaged period for which personal data will be stored and, if this is not possible – the criteria used to determine this period, as well as the existence of the right to require the controller to correct or delete personal data or restrict processing of personal data relating to the data subject, or to object to such processing, the right to appeal to a supervisory authority. In cases where personal data are not collected from the data subject, any available information on their source, as well as information on the existence of automated decision-making, including profiling, as well as essential information on the logic used and the meaning and intended consequences of this processing for the data subject.
- to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed.
- to obtain from the controller the erasure of personal data concerning him or her where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR;
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR;
In cases where the processing of personal data is in connection with the observance of a legal obligation to which the controller is subject, for the performance of a task of public interest and in the exercise of official authority vested in the controller, the data subject may not invoke the right to delete personal data relating to him or her.
- to obtain from the controller restriction of processing where the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; where the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; in cases where the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; as well as in cases where the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
- to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided
- to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
- not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Art. 26. In cases where the natural person’s right of access to personal data relating to him or her may lead to the disclosure of personal data to third parties, the Registry Agency grants the natural person concerned access only to that part of the information which relates to him or her.
Art. 27. The Registry Agency may refuse to fully or partially exercise the rights of data subjects, as well as not to fulfill its obligation to inform according to Art. 34 of the GDOR, when the exercise of the rights or the fulfillment of the obligation would create a risk for:
- national security;
- defence;
- public security;
- the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
- other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security;
- the protection of judicial independence and judicial proceedings;
- the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
- the protection of the data subject or the rights and freedoms of others;
- the enforcement of civil law claims.
Art. 28. (1) The Registry Agency provides the information in connection with requests for exercising any of the rights under Art. 25 of this Policy free of charge.
(2) In case of manifestly unfounded and excessive requests by data subjects, the controller may determine an administrative fee for providing the requested information, resp. exercise of a right.
Art. 29. With the present Personal Data Protection Policy, the Registry Agency declares that it undertakes and applies the respective technical and organizational measures in connection with the assistance of data subjects in the exercise of the rights under Art. 5 of the Policy.
Art. 30. (1) The Registry Agency provides to data subjects information regarding the actions which it undertakes in connection with a request for exercise of rights within one month from the receipt of the request.
(2) If necessary, this period may be extended by another two months, taking into account the complexity and the number of requests.
(3) The controller informs the data subject of any such extension within one month from the receipt of the request, indicating also the reasons for the delay.
(4) When a data subject submits a request by electronic means, the information is provided by electronic means, if possible, unless the data subject has requested otherwise.
Art. 31. (1) Data subjects exercise their rights under Art. 25 of this Policy through a written application to the data controller.
(2) An application may also be submitted electronically under the conditions of the Electronic Document and Electronic Certification Services Act, the Electronic Government Act and the Electronic Identification Act.
Art. 32. An application containing a request for the exercise of a right should contain:
- name, address, personal identification number or foreigner’s identification number or other similar identifier, or other identification data of the natural person, as determined by the controller in connection with the activity performed by it;
- description of the request;
- preferred form for receiving information when exercising the rights under Art. 25 of this Policy;
- signature, date of submission of the application and mailing address;
- upon submission of an application by an authorized person, the power of attorney is attached to the application as well.
Art. 33. The rights referred to above are exercised by submitting a written application to the Registry Agency at the following address: 1111 Sofia city, Sofia Municipality, Slatina Region, 20 Elisaveta Bagryana St. or at the official e-mail address of the Agency office@registryagency.bg, in compliance with the conditions of the Electronic Document and Electronic Certification Services Act, the Electronic Government Act and the Electronic Identification Act.
Art. 30. Contact details of the data protection officer gdpr@registryagency.bg
Art. 31. (1) In case of a violation, natural persons also have the right to send inquiries and complaints to the supervisory body – the Commission for Personal Data Protection (CPDP).
(2) Contact details of the CPDP: 1592 Sofia city, 2 Prof. Tsvetan Lazarov Blvd., e-mail: kzld@cpdp.bg, website: www.cpdp.bg
NOTIFICATION OF CHANGES TO THIS PERSONAL DATA PROTECTION POLICY
Art. 32. The Registry Agency reserves the right to make changes and additions to this Policy. When making changes to the Policy, they will be timely reflected in it and made available to data subjects on the website of the Unified Portal for Electronic Application for Administrative Services.