Overview
The General Data Protection Regulation became EU law on 25 May 2018. The purpose of the legislation is to protect the personal data of the citizens of EU and to harmonise the rules for processing of personal data.
As an Administrator of personal data, BISC complies fully with the new legislation by collecting and safekeeping solely the personal data necessary to carry out its contractual obligations.
BISC’s Business and Contact Details
Company name (Bulgarian): Мега План ЕООД; Name of company: Mega Plan Ltd.
Company House Number: 831552969;
Head Office: jk. Suha reka bl.107, Sofia
E-mail: office@cherry-adv.net
Landline: 080090060
Web: https://yuppie.bg
Details of the person responsible for the GDPR enforcement:
Name: Anna Stoilova – Account Manager
Company House Number: 831552969;
Head Office: jk. Suha reka bl.107, Sofia
Email: office@cherry-adv.net
Phone: 080090060
Watchdog Body Contact Details
Name: Personal Data Protection Commission
Head Office: 2, Prof. Tsvetan Lazarov Street, 1592 Sofia, Bulgaria
Correspondence address: 2, Prof. Tsvetan Lazarov Street, 1592 Sofia, Bulgaria
Landline: 0035929153518
Email: kzld@government.bg, kzld@cpdp.bg
Web: www.cpdp.bg
Definitions:
The following term of reference is used in the present policy:
Website – refers to the virtual platform at https://yuppie.bg;
Scope of permission:
By accepting our Policy for Protection of Personal Data you grant us your permission to collect and process your personal data for the purposes described below. By virtue of visiting and using the Platform of the School you are aware of and accept the present Policy. Please be aware that the present Policy is subject to changes and updates. The date of the latest review appears at the top of this page. Providing personal data is voluntary. In the event of refused permission some contractual services may become unavailable.
Why we collect personal data:
We collect, safeguard and process personal data for the purposes of
- The Contract to Provide Education, signed by you annually
- Legal Compliance: to allow us to comply with current legislation
- Legitimate business interest – to meet your expectations and to allow you an informed choice of our services
- Responding to your requests – when you require us to supply and organise webinars, events, training sessions, special projects, etc.
Mega Plan Ltd. is a Personal Data Administrator with respect to your personal data and for the purposes that we have stated.
Aims and principles for collecting, safekeeping and processing of your personal data in educational context:
- Identifying the contractor;
- Creating a user profile on our Platform;
- Completing the application form and enrolling / matriculating the new student;
- Accounting purposes;
- Gathering statistics;
- Information security protection;
- Fulfilling our contractual obligations and delivering services;
- Maintaining good communication;
- Improving and personalising our services by offering information about events and related products and services;
- Compliance with legal regulations.
Basic principles for processing of personal data
Mega Plan Ltd. adheres to the following principles for processing of personal data:
- Compliance with legislation, diligence and transparency;
- Using personal data only for the stated purposes;
- Collecting only the data necessary for the stated purpose;
- Using accurate and up-to-date data;
- Storing only the data necessary for maintaining normal functions;
- Maintaining confidentiality when processing data and ensuring secure data storage.
Valid reasons for processing personal data
1. Processing of personal data is only valid and legal when at least one of the following conditions is fulfilled:
- The customer has provided their personal data voluntarily, freely, in response to a specific request and has given an informed and unambiguous consent for their personal data to be processed for one or more stated purposes;
- Informed consent may be recorded electronically by making a tick in a box, choosing a setting from a menu or a similar expression clearly demonstrating that the customer gives consent for the processing of their personal data. Consent may be recorded differently on non-electronic media.
- The customer may withdraw their consent for the processing of personal data at any time without personal negative consequences. Consent for processing of the personal data of a child is given by the child’s parent or legal guardian.
2. Processing of personal data is necessary for fulfilling the contractual obligations the owner of the personal data is entering into or in response to a request by the customer to enter into a contract;
3. The School is required to process the personal data in order to comply with the current education legislation;
4. The personal data processing is necessary in order to protect the vital interests of the data’s owner or those of another person;
5. The processing is necessary for the purpose of protecting the legitimate interests of the School or those of a third party, except in cases when the personal rights and freedoms of the personal data’s owner prevail, particularly when the personal data’s owner is a child.
Official in charge of data protection
The Official in charge of data protection carries the following obligations:
- Maintains compliance with the law and the code of practice for the protection of personal data;
- Provides advice and information to employees processing personal data regarding their obligations and provides them with appropriate training;
- Empowers and audits the employees processing personal data;
- Acts as a contact person for the subjects of the personal data, who may contact the Official in connection with all matters pertaining to the protection and processing of their personal data and their rights in that respect. Acts as a contact person for the Commission for the Protection of Personal Data and complies with their requests;
- Takes part in the impact analysis and risk assessment of the data processing operations, accounting for factors such as nature, range, context and purposes of the data processing;
- The Official maintains the confidentiality of their work.
Personal Data
Mega Plan Ltd. processes the following categories of personal data:
- Personal data of a parent / legal guardian: name, ID document number, date and place of birth, nationality; demographic characteristics: gender, age, place of residence, contact details: address, landline / mobile / business / office numbers, e-mail address.
- Personal data of a student: name, ID document number, date and place of birth, nationality; demographic characteristics: gender, age, place of residence, biometrics: facial image, voice sample, handwriting sample, personal health record (see Instruction 3/27.04.2000 of the DfE in Bulgaria regarding the operation of school medical units).
- Personal data of employees: name, ID document number, date and place of birth, nationality; demographic characteristics: gender, age, place of residence, contact details: address, landline / mobile numbers, medical fitness certificate and qualification certificates.
- Schools do not harvest and process personal data pertaining to race and ethnicity, political affiliations, religious and philosophical beliefs, trade union membership, sexual orientation and personal life details.
Grounds and reasons for collecting and processing the personal data
1. Mega Plan Ltd. processes personal data for the following purposes:
- To enroll a student and register their parent / guardian for the purposes of the contract to provide education;
- To form and fulfill a contract with a client or a partner and to allow appropriate administration of the contract;
- To complete a registration of users of the School’s platform;
- To keep parents and customers informed about new and improved services by electronic messages; to issue invoices to customers;
2. Grounds for collecting personal data: Entering into a Contract for Providing of Paid Education – Article 6, Para. 1b of GDPR, DfE in Bulgaria and Contract Law.
Permissible periods of data-keeping
1. Personal data is kept for the following periods:
- The period specified by the prevailing legislation;
- Until the data is needed for the fulfilling of the School’s contractual obligations;
- No more than three years with respect to job applicants;
- In case of a legal claim – until the claim is finally settled;
- Up to three months with respect to data provided with the intention of signing of a contract, but no later than 18 August of the current year;
- As long as the contract which they service lasts;
- Until permission for processing of personal data is withdrawn;
- Until the outcome is obtained or the case is dropped, when data is processed to defend the legitimate rights and interests of the School.
2. Personal data is destroyed at the end of the above period(s) if no other grounds for its processing exist. In case of unfulfilled contractual obligations an extension of the term may be granted until all duties are discharged.
Sharing of personal data
Mega Plan Ltd. is an administrator of personal data. As such we have a legal obligation to share some personal data with institutions such as the DfE in Bulgaria, the Regional Education Service – Plovdiv, AdminSoft, the Tax Office, Customs and Excise – for the purposes of Declaration Form No3 – and the Regional Department of Public Health – Plovdiv, as well as partners, consultants, etc. The respective institutions are contractually and legally obliged to protect the shared personal information.
Your rights regarding gathering, processing and storage of your personal data
1. Under EU legislation you have the right to:
- Withdraw your permission to have your personal data processed;
- Request confirmation that your personal data has been processed;
- Request information related to the gathering, processing and storage of your personal data;
- Request a copy of your personal data in a format you prefer;
- Submit a written request to the School to correct or amend your personal data;
- Request that your personal data held by the School is deleted and destroyed. The School is obliged to comply with your request without delay provided the data is no longer needed for the purpose for which it was collected and processed.
- Object to the processing of your data, including for the purposes of direct marketing. The School is obliged to comply provided there are no overriding legally valid reasons for the processing of the personal data.
- Request deletion where it is required in order to comply with a legal obligation under EU law or the law of a Member State that applies to schools, or where the personal data have been collected in connection with the provision of information society services.
2. The School is not obliged to delete and destroy the personal data if it stores and processes it for the purposes of:
- exercising the right to freedom of expression and the right to information;
- complying with a legal obligation that requires treatment provided for under EU law or the law of the Member State that applies to the Administrator or for the performance of a public interest task or the exercise of official authority;
- for reasons of public interest in the field of public health;
- for purposes of archiving in the public interest, for scientific or historical research or for statistical purposes;
- for the establishment, exercise or protection of legal claims.
- In order to exercise the right to be “forgotten”, a request is made and the identity of the requesting person is verified.
3. You may request to restrict data processing when:
- you challenge the accuracy of your personal data for a period that allows you to verify the accuracy of personal data;
- the processing is unlawful and you request that the use of the data be restricted;
- the School no longer needs the personal data for the purposes of the processing, but it is required for the establishment, exercise or protection of legal claims;
- you have objected to the processing of your personal data, pending verification of whether the School has overriding legal grounds.
4. Where technically feasible, your data may be downloaded at any time so that you can continue to process it;
5. Your personal data can be transferred directly to another specified administrator.
6. You may request that the School inform you of all recipients to whom the personal data for which correction, deletion or restriction of processing was requested has been disclosed. The School may refuse to provide this information if this is impossible or requires disproportionate effort.
7. You may at any time object to the processing of personal data relating to you, including processing for profiling or direct marketing purposes.
Your rights in the event of a breach of security of your personal information
If the School establishes a breach of the security of your personal data, which may pose a high risk to your rights and freedoms, we will notify you without undue delay of the violation, as well as of the measures taken or to be taken. The obligation is waived if:
- appropriate technical and organisational protection measures have been taken to protect the data affected by the security breach;
- measures have subsequently been taken to ensure that the violation has not led to significant damages for you;
- notification would require disproportionate efforts.
Security and privacy in the processing of personal data
We use all appropriate technical and organisational measures to protect personal data, providing a level of protection appropriate to the risk by applying best practices. We provide various types of protection: personal, documentary, physical, protection of information systems and cryptographic. Each of these types of protection is made up of various specific measures. Separate premises in which data is stored, special equipment, locks, access control, ID entry, copying and distribution rules – these are just some of the measures we apply to protect data in the best way. It is important to know that your data is well protected, including through a strictly prescribed procedure for action in case of potential risk to it.
Level of impact and level of protection
With the help of the Data Protection Officer, the type of processed personal data and the nature of the processing operations are periodically checked. Depending on the results of the verification, the data processing operations are divided into two categories, depending on the risks to the rights and freedoms of the entities deriving from them, as follows:
- low impact processing operations;
- medium impact processing operations.
Depending on the level of impact identified, an appropriate level of protection also applies to the relevant data:
- personal data with a low level of protection;
- personal data to which an average level of protection applies.
If the verification reveals that a processing operation entails a high risk for the rights of the data subjects, e.g. because it involves new technological means, and provided that the School cannot limit this risk by appropriate measures in terms of available technologies and implementation costs, the Data Protection Commission will be consulted prior to the relevant processing operation.
Low-level technical and organisational measures:
1. Specifying the measures, including by designating persons responsible for their implementation, is done by internal order.
- physical protection – the data are processed on the premises or in restricted areas; the elements of the communication and information systems are located on the office premises or in restricted areas; the premises in which the data are stored are locked when there are no persons to supervise them; documents with personal data are stored in separate cabinets; access to the data is only available to the persons to whom it is necessary to ensure its lawful processing; appropriate fire extinguishing equipment and facilities are provided.
- personal protection – those involved in data processing operations are made aware of the data protection legislation; these persons acquaint themselves with and adopt the General Rules for the processing of the data of the School and the Special Rules for processing the data of the individual members; the dangers associated with the processing of personal data are explained to them; persons involved in data processing operations undertake not to disclose personal data.
- documentary protection – each employee keeps separate registers of the personal data they process; each employee determines the registers they maintain on paper; access to the registers shall be made available only to persons to whom it is necessary to ensure the lawful processing of the data; employees are required not to allow unauthorised access to documents they work with and which contain personal data; personal data shall be stored within the time limits set by the controller; after expiry of the data storage periods they shall be destroyed in accordance with the administrator’s procedures.
- protection of automated information systems and / or networks is ensured as follows: those involved in data processing operations with automated means are aware of how the systems operate and of the risks of processing personal data associated with them; access to the data is only available to persons to whom it is necessary for the lawful processing of the data; persons are given access to the systems after identification and authentication; access to data takes place at different levels (the need-to-know principle is respected); unauthorised access to and processing of the data, including during transmission, is restricted; logbooks are kept for change, reference, disclosure, transmission, combining, and deletion of records; records of reference or disclosure make it possible to establish the reason, date and time of such operations and, as far as possible, the identity of the person who consulted or disclosed the personal data as well as the data identifying the recipients of that personal data; equipment and data carriers are protected and access to them is limited; secure connections between information systems are used; appropriate protection against computer viruses is implemented;
- Backup electronic copies for data recovery are created and maintained; it is possible to recover the systems in the event of a technical failure; reporting of functional defects is provided; no personal data stored on the systems may be damaged in the event of malfunctions; the time limits for storing data when processing with automated means are in line with the deadlines applicable to paper data.
Technical and organisational measures at an average level of protection:
1. Physical protection:
- all physical protection measures for the low level of protection are applied;
- identifying the controlled access areas in which data is processed;
- specific means of physical protection;
2. Personal protection:
- all personal protection measures for the low level of protection are applied;
- persons involved in data processing operations participate in appropriate training, including responses to personal data breaches;
- persons involved in data processing operations share the critical information needed to protect the data.
3. Documentary protection:
- all documentary protection measures for the low level of protection are applied;
- access to registers is only available to certain individuals;
- copies of the data may not be made or disseminated without the permission of a person granted access to the data;
4. Protection of automated information systems and / or networks:
- all measures for the protection of automated information systems and / or networks for the low level of protection are implemented;
- elements of the information systems are placed in restricted rooms;
- accountability for the maintenance and operation of the information system elements is maintained.
5. Cryptographic protection:
- standard cryptographic capabilities of operating systems are applied;
- the cryptographic capabilities of database management systems are implemented;
- the standard cryptographic capabilities of the communication equipment are applied.
Procedures for the destruction of personal data
After expiry of the storage periods, or when the grounds for processing the data have otherwise ceased to apply, the data are destroyed in a secure manner. Paper data carriers are destroyed by a shredder. Data on electronic media is destroyed in a way that prevents its recovery. The data subject to destruction shall be kept confidential, including during the process of destruction, unless other measures are taken to protect the rights and freedoms of data subjects. In all cases, good practice for the relevant case is applied to ensure the irreversible deletion of the data.
Data privacy breach strategy
A personal data breach is a security violation that results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Types of violations are:
- confidentiality violation – unauthorised or unlawful access to the data;
- disturbance of availability – the data cannot be accessed, although they should be processed;
- violation of integrity – the data has been changed in an unauthorised or unlawful way.
Internal reporting
Anyone who becomes aware that the security of the personal data processed by the School has been breached shall immediately notify the Data Protection Officer thereof. The communication must include accurate information, to the knowledge of the reporting person, about the type of violation, how many individuals are affected, when the violation was identified, and the name of the reporter and their contact details. The data on the incident is not disclosed to other persons unless otherwise the violation would be exacerbated or overcoming its consequences would be made more difficult. The Data Protection Officer shall without delay carry out a preliminary examination of the communication and shall, as far as circumstances allow, establish whether a personal data breach has occurred, what its nature is, and how many and which persons are concerned. Immediately thereafter, the Data Protection Officer shall report the notification received and the results of the preliminary verification to the management. The Officer takes the necessary measures at the earliest possible time.
Investigation and risk assessment. Action Plan
The Data Protection Officer carries out a careful assessment and analysis of the circumstances surrounding the violation and its risk for the rights and freedoms of individuals. If necessary, other (including external) specialists are involved. A plan is developed to quickly contain and end the infringement and to deal with its consequences. The objectives of the plan are graded in importance: protecting the rights and freedoms of the individuals affected by the violation, including not allowing the violation to deepen; not allowing the rights and freedoms of other individuals to be affected; restoring the personal data to the state it was in prior to the occurrence of the violation; preventing or limiting material damage. If the violation has occurred with a data processor, the data controller is also immediately notified and the necessary coordination of action is arranged.
Necessity to notify the CPDP of the violation
In case the personal data breach creates a risk to the rights and freedoms of the data subjects affected, the Data Protection Officer organises the notification of the Commission for the Protection of Personal Data (CPDP) about the violation. The Officer shall notify the CPDP of the breach if they consider it necessary to protect the rights and freedoms of the data subjects, regardless of the management’s opinion on the matter. The notification of the CPDP should be done without undue delay and, where feasible, no later than 72 hours after the initial knowledge of the violation. The notification of the CPDP contains:
- a general description of the violation of personal data security;
- a description of the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records affected;
- the name and contact details of the Data Protection Officer;
- a description of the possible consequences of the personal data breach;
- a description of the measures taken or proposed to address the breach, including measures to mitigate the possible adverse effects.
When there is no possibility that all information about the violation is provided in full to CPDP, it is given in stages without undue delay. Notification of CPDP is done by the data controller.
Notification of individuals affected by the breach
Where the personal data breach is likely to pose a high risk to the rights and freedoms of individuals, the Data Protection Officer shall, without undue delay and in compliance with the applicable law, notify the individuals concerned. The Officer shall arrange for the persons concerned to be notified if they consider it necessary to protect those persons’ rights and freedoms, regardless of the management’s opinion on the matter. The notification shall be made without undue delay and shall contain the following information:
- a general description of the violation of personal data security;
- the possible consequences of the infringement;
- the measures taken to deal with the violation;
- the name and contact details of the Data Protection Officer;
- what actions the data subjects themselves can take to protect their rights.
Notification of individuals may be refused if appropriate technical and organisational measures have been taken to adequately protect their rights, or if measures have been taken to ensure that the high risk to their rights and freedoms no longer exists.
Recording of violations
The School records every personal data breach that has occurred in a register of personal data breaches, which contains the following information:
- date of establishment of the infringement;
- description of the violation – source, type and scale of the data concerned, reason;
- a description of the notifications made to the CPDP and, where applicable, to the affected persons;
- the measures taken to prevent and mitigate the consequences for the subjects;
- measures taken to limit the possibility of subsequent security breaches.
Other provisions
In case of violation of your rights under the above or applicable data protection laws, you have the right to file a complaint with the Personal Data Protection Commission as follows:
Name: Personal Data Protection Commission
Head Office: 2, Prof. Tsvetan Lazarov Street, 1592 Sofia, Bulgaria
Correspondence address: 2, Prof. Tsvetan Lazarov Street, 1592 Sofia, Bulgaria
Landline: 0035929153518
Email: kzld@government.bg, kzld@cpdp.bg
Web: www.cpdp.bg
You may exercise all of your rights to protect your personal data. You can make your claim in any form that contains a statement about it and identifies you as the data holder.
A public announcement of the violation can be made, which is coordinated with the CPDP.