In its daily business operations, ATERRICA Ltd uses various data to identify individuals, including data about:
- current, former and future employees and hired persons;
- clients;
- contractors;
- other stakeholders.
When collecting and using this data, the company is obliged to comply with various legislative acts that control the manner in which these activities can be carried out and the necessary precautions for their protection.
The purpose of this policy is to determine the relevant regulations and to describe the steps that ATERRICA Ltd undertakes to ensure that the organization is in compliance with the requirements.
This approach applies to all persons and processes that are related to the information systems of the organization, including employees, clients, suppliers and other parties that have a relationship with ATERRICA Ltd
This policy is applied both by the company ATERRICA Ltd and by all its subsidiaries and branches.
Privacy and personal data policy
“Personal Data”:
any information relating to an identified or identifiable individual (“data subject”). An identifiable individual is a person who can be identified directly or indirectly, in particular by specifying an identifier such as name, identification number, location data, online identifier or one or more factors specific to the individual, the physiological, genetic, mental, economic, cultural or social identity of that individual;
“Processing” shall be:
any operation or set of operations that is performed with personal data or sets of personal data, including with automated methods, such as the collection, recording, organization, structuring, storage, adaptation or modification, retrieval, use, disclosure by transmission, distribution or using other means of granting, adapting or combining, limiting, deleting or destroying;
“Controller” shall be:
an individual or a legal entity, public authority, agency or other entity which, alone or jointly with other ones, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by the Union law or the law of a Member State, the controller or the specific criteria for determining it may be laid down in the Union law or in the law of a Member State;
“Processor” shall be:
an individual or a legal entity, public authority, agency or any another body which processes personal data on behalf of the controller;
Principles related to the processing of personal data in ATERRICA Ltd
- Personal data shall be:
(a) processed lawfully, in good faith and in a transparent manner with regard to the data subject (“lawfulness, good faith and transparency”);
(b) collected for specific, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, shall not be considered (in accordance with Article 89 (1)) incompatible with the original purposes (“limitation of purposes”);
(c) appropriate, related to and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
(d) accurate and, where necessary, kept up to date; all reasonable measures must be taken to ensure the timely deletion or correction of inaccurate personal data, taking into account the purposes for which they are processed (“accuracy”);
(e) stored in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods in so far as they are processed solely for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, provided that the appropriate technical and organizational measures provided for in this regulation in order to guarantee the rights and freedoms of the data subject (“storage restriction”) are applied;
(f) processed in a way that ensures an appropriate level of security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, applying appropriate technical or organizational measures (“entirety and confidentiality”);
- ATERRICA Ltd OOD, in its capacity of administrator, shall be responsible and shall be able to prove compliance with the rules for processing of personal data (“reporting”).
ATERRICA Ltd OOD shall guarantee that it complies with the listed principles, both in the processing it currently performs and as part of the introduction of new processing methods and systems (e.g. new information systems).
ATERRICA Ltd shall only process personal data when:
- it is necessary for the observance of a legal obligation, which is applied to the activity of ATERRICA Ltd.;
- the data subject has consented to the processing of their personal data, for one or more specific purposes, by providing the Company with the relevant written documents and/or by other actions and technical means (including electronically);
- it is necessary for the performance of a contract to which the data subject is a party, or for undertaking steps, at the request of the data subject, before the conclusion of a contract (such as employment contract, contract with a client, contract with a supplier, contractor, a service provision or product delivery contract, etc.);
- it is necessary to protect the vital interests of the data subject or another individual;
- it is necessary for the performance of a task of public interest or in the performance of actions under a law or regulation (including processing related to the provision of information to a public authority);
- it is necessary for the purposes of the legitimate interests of ATERRICA Ltd or a third party, except where such interests take precedence over the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data, in particular when the data subject is a child.
ATERRICA Ltd’s policy is to identify the appropriate processing base and to document it in accordance with the regulation. The options are briefly described in the following sections.
Consent
Unless necessary for a reason permissible in Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR[1], Regulation 2016/679), ATERRICA Ltd shall always process data with the express consent of the data subject. Transparent information on the use of personal data will be provided to data subjects as soon as their consent has been obtained and their rights with regard to their data, such as the right to withdraw consent, have been explained. This information will be provided in an accessible form, written in clear language and free of charge.
If the personal data are not received directly from the data subject, this information will be provided to the data subject within a reasonable time after receipt of the data and definitely within one month.
Execution of a contract
Where the personal data collected and processed are necessary for the performance of a contract with the data subject, no explicit consent shall be required as the person with whom we have a contractual relationship should be identified.
Legal obligation
If personal data is required to be processed in order to comply with the law, explicit consent shall not be required. This may be the case for some data related to, for example, employment and taxation, as well as for many areas affected by the public sector.
Protection of vital interests
ATERRICA Ltd Shall process special categories of personal data, such as health status and others, in order to improve the quality of services provided and to prevent harm to the health and life of the data subject or another individual.
Legitimate interests
If the processing of specific personal data is in the legitimate interests of the Company, the consent of the subject shall be required. Detailed rules on when there are legitimate interests have been objectified in the Guidelines of a working group at the European Commission under Art. 29, according to which POL1 – Policy for personal data protection, of ATERRICA Ltd has been formed.
Protection of the right to privacy
ATERRICA Ltd shall accept the principle of privacy and shall ensure that the identification and planning of all new or significantly modified systems that collect or process personal data will be subject to due regard of confidentiality issues, including the completion of one or more data protection impact assessments.
The data protection impact assessment shall include:
- Research of the type of personal data processing and for what purposes;
- Assessment of whether the proposed processing of personal data is necessary and proportionate to the purpose(s);
- Assessment of the risks for individuals in the processing of personal data;
- The control mechanisms available to address the identified risks and to demonstrate compliance with the legislation.
The use of techniques such as data minimization, anonymization and pseudonymisation will be discussed whenever applicable and appropriate.
Contracts concerning the processing of personal data
ATERRICA Ltd shall guarantee that all relationships that involve the processing of personal data are settled through a written contract that includes the specific information and conditions required by the GDPR.
Person responsible for the protection of personal data
Pursuant to the GDPR and the Personal Data Protection Act, ATERRICA Ltd has decided to appoint a Data Protection Officer, and you can contact them at tel. 00359898751269; email: admin@aterrica.com .
Notification of violation
The policy of ATERRICA Ltd is fair and proportionate when considering the actions that must be undertaken to inform the parties concerned about personal data breaches. In accordance with the GDPR, where it is known that there is a breach that could lead to a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed within 72 hours. This will be managed in accordance with our PRO 6 – Procedure for responding and informing in case of personal data breach, which shall determine the general process of dealing with incidents related to information security.
Addressing compliance with the GDPR
The following actions have been undertaken to ensure that ATERRICA Ltd complies with the GDPR reporting principle at all times:
- The legal basis for the processing of personal data is clearly and unambiguously defined.
- All personnel involved in the processing of personal data shall understand their responsibilities to comply with good data protection practices.
- Data protection training has been provided to the entire staff.
- The rules for consent and notification in case of an accident have been announced to the employees and shall be strictly observed.
- The rules for exercising the rights of the subjects have been clearly defined and shall be effectively implemented within the statutory period.
- Procedures involving personal data shall be regularly monitored.
- Protection of the right to privacy shall be assumed for all new or changed systems and processes.
- The following documentation for processing activities shall be recorded:
- Name of the organization and relevant details;
- Purpose of personal data processing;
- Categories of persons and processed personal data;
- Categories of recipients of personal data;
- Terms for storage of personal data;
- Existing organizational and technical measures for personal data protection.
These actions shall be regularly reviewed as part of the data protection management process.
Rights of the data subject:
- The right to be informed;
- The right of access to the processed data;
- The right to correct;
- The right to delete;
- The right to limit processing;
- The right to data portability;
- The right to object;
- Rights in connection with automated decision making and profiling.
Each of these rights shall be supported by appropriate policies and procedures within ATERRICA Ltd, which allow the necessary actions to be taken within the deadlines specified in the GDPR. The realization of these rights shall be carried out by taking the necessary actions within certain deadlines, as follows
Request of the data subject | Term |
The right to be informed | At the time of data collection (if provided by the data subject) or within one month (if provided by another subject) |
The right to access | Up to 30 days from the date of receipt of the request. This period may be extended by two months, if necessary, given the amount and complexity of the information. The data subject must be notified thereof within one month of receiving the request. The reasons for the term extension must also be described. |
The right to correct | Up to 30 days from the date of receipt of the request. This period may be extended by two months, if necessary, given the amount and complexity of the information. The data subject must be notified thereof within one month of receiving the request. The reasons for the term extension must also be described. |
The right to delete | Up to 30 days from the date of receipt of the request. This period may be extended by two months, if necessary, given the amount and complexity of the information. The data subject must be notified thereof within one month of receiving the request. The reasons for the term extension must also be described. |
The right to limit processing | Up to 30 days from the date of receipt of the request, without any undue delay. This period may be extended by two months, if necessary, given the amount and complexity of the information. The data subject must be notified thereof within one month of receiving the request. The reasons for the term extension must also be described. |
The right to data portability | Up to 30 days from the date of receipt of the request. This period may be extended by two months, if necessary, given the amount and complexity of the information. The data subject must be notified thereof within one month of receiving the request. The reasons for the term extension must also be described. |
The right to object | Up to 30 days from the date of receipt of the objection. This period may be extended by two months, if necessary, given the amount and complexity of the information. The data subject must be notified thereof within one month of receiving the request. The reasons for the term extension must also be described. |
Rights in connection with automated decision making and profiling. | Up to 30 days from the date of receipt of the request. This period may be extended by two months, if necessary, given the amount and complexity of the information. The data subject must be notified thereof within one month of receiving the request. The reasons for the term extension must also be described. |
In order to exercise any of the rights listed above, please contact us at:
Town of Pernik, Bulgaria
Postal code: 2300
23 Sv. Sv. Kiril i Metodiy Str., office 201
The applications for exercising the rights shall be submitted personally or by an explicitly authorized person, through a notarized power of attorney. The application may also be submitted electronically, in accordance with the procedure for drawing up and submitting an electronic document provided for in the current legislation.
The application should contain:
- a) name, address and other data for identification of the respective individual;
- b) description of the request;
- c) signature, date of submission of the application and address for correspondence;
- d) upon submission of an application by an authorized person, the respective power of attorney shall be attached to the application as well
You shall not owe a fee for access to your personal data (or for exercising any of the other rights). However, if your request is manifestly unfounded, recurring or excessive, we may refuse to comply with your request in these circumstances or charge a reasonable fee, taking into account the administrative costs of providing information or communication or undertaking the requested action.
We may need to ask you for specific information to help us verify your identity and guarantee your right to access personal data. This is a security measure that ensures that personal data is not disclosed to a person who is not entitled to receive it.
We try to respond to all legitimate requests within one month. Sometimes, it may take longer if your request is particularly complex one or you have made several requests. In case of an objectively necessary longer term, in order to collect all the data or due to a serious difficulty of our activity, this term may be extended, but not more than 60 days. In this case, you will be duly notified.
The manager of ATERRICA Ltd or a person authorized by it shall consider your application and shall decide on it, with the notification of the decision being carried out in person, against a signature, by mail with a return receipt, or under the Electronic Document and Electronic Certification Services Act. Lack of notification shall be considered a refusal.
You shall be entitled to lodge a complaint with the supervisory body at any time:
Commission for Personal Data Protection of the Republic of Bulgaria
address: 1592 Sofia, 2 Prof. Tsvetan Lazarov Blvd.
Email: kzld@cpdp.bg
However, we would like to have the chance to satisfy your requests before you contact the Commission for Personal Data Protection, so please contact us first.
[1] The General Data Protection Regulation
COOKIES POLICY OF ATERRICA OOD
Cookies are small text files that are generated upon a request from your browser to our web server and are stored on your device. The information in them may concern you, your preferences or the identification of your internet access device (computer, tablet or mobile device). Cookies help the site remember your settings, such as language, font size and other preferences about how you want to see our site, so you don’t have to enter them every time you visit it. We shall not use cookies to identify you, their purpose is only to facilitate the use of the site.
What cookies do we use on our site?
As you visit our site, we may place cookies in your browser. The cookies coming from our website are known as First Party Cookies and are primarily intended to store information about the session while you are browsing the products or other information on the site. For example, we use cookies to store the things you have viewed. Other purposes related to their use are:
- Possible and easy entry
- Ensuring the security of the site
- Statistical analysis of visits
Without this type of technology, our online store and the service we provide to you would not be able to operate with its full capabilities and functionalities. Other cookies we use come from third parties and are called Third Party Cookies. These are:
- Analytics and statistics cookies – These cookies help us analyze the use of our site and track the effectiveness of the service and its communication. We use Google Analytics to assess how users use the capabilities of our site – the analysis tool allows us to determine whether you have viewed a specific page, how much time you have spent on the website, or whether you have opened an email sent by us. This helps us to provide you only with the information you are interested in, improving the content and the process of using our site. More information and settings can be found at
https://support.google.com/analytics/answer/6004245?hl=bg
- Social Network Cookies – These cookies are integrated by social platforms such as Facebook, Twitter, G+, Pinterest, YouTube and they aim to provide or improve the content of the website. Examples include services that allow you to play video files, create comment sections, integrate like or share buttons, etc. We use social networks to improve your interaction with us and to establish an even closer relationship with you, our clients. Please note that some of these platforms place cookies, which are also used for things like behavioral advertising, analysis and market research. You can set your preferences related to Facebook advertising settings from
https://www.facebook.com/ads/preferences/
- Advertising Platform Cookies – Advertising cookies allow us to tailor our marketing to you and your own interests. This way we can be sure that we will provide you with more personalized opportunities in the future. This type of cookies remembers that you have visited our site and a specific product page and/or category therefrom. This is how we can match the ads we show you. Although these cookies may track your device’s visits to our website and other sites, they may not normally identify you personally. Without these cookies, the ads you see may be less relevant and interesting to you. To control them, you can use the following link: youronlinechoices.com
How do I disable the use of cookies
You can control the deactivation and activation of cookies through the settings of the browser you use. As a user, you have the ability to set your preferences for each browser and/or device you use to access the Internet.
Want to learn more about cookies, how to control, deactivate or delete them? For detailed information visit www.aboutcookies.org
Any future changes to our Cookie Policy will be posted on this page. The changes shall take effect immediately, unless otherwise stated.
This policy was adopted on 11.06.2020.