THE PROTECTION OF PERSONAL DATA CONTROLLED BY CPAPstore Ltd
1. These internal rules (hereafter “Rules”) regulate and apply to the protection of personal data collected and controlled by CPAPstore Ltd, a company registered with the Commercial Register at the Registry Agency under UIC 202438857, having its registered seat and address of management in Petrich, Vlagoedrav District, 2850, 9 Tsar Boris III, in the capacity of data controller subject to the Bulgarian Law on Personal Data Protection.
2. These Rules regulate the following in respect of the personal data as controlled and processed by the Data Controller:
2.1 the level of sensitivity and recommended data media for long-term storage;
2.2 responsible employees of the Data Controller and their rights and obligations;
2.3 mandatory and recommendatory security measures providing an adequate level of protection in view of the level of sensitivity;
2.4 technical resources applied to the processing of personal data;
2.5 organizational procedures for the processing of personal data;
2.6 security measures for the protection of the technical and organizational resources in the event of an incident or force majeure;
2.7 measures against intentional damage or unauthorized access to personal data;
2.8 procedures for safekeeping and destruction of data media;
2.9 procedures for generation, usage and change of passwords and encryption keys; and
2.10 regular sanitization of computer and communication media.
Registers of the Data Controller
3. The Data Controller administers 2 (two) personal data registers (hereafter collectively “Registers” and each a “Register”), which are as follows:
3.1 Personnel Register, such register including personal data relating to job applicants and current employees of the Data Controller;
3.2 Customers Register, such register including personal data relating to clients of the Data Controller and personal data relating to customers of the clients of the Data Controller.
4. Each Register includes only the personal data of relevant data subjects, reasonably necessary for the fulfillment of the respective purposes of the processing, such personal data being as follows:
4.1 Personnel Register:
4.1.1 Physical Identity: name, personal identification number / date of birth, address, place of birth, telephones, ID card details, e-mail address.
4.1.2 Physiological Identity: medical certificates upon commencement of work and other medical documentation, to be submitted to the employer under the law;
4.1.3 Social Identity: education (type, qualification, diplomas details); employment (length of service, industrial sectors in which the person has worked);
4.2 Customers Register:
4.2.1 Physical Identity: name, personal identification number / date of birth, address, telephones, ID card details, email address;
4.2.2 Economic Identity: financial status; bank account numbers, credit card numbers, data relative to invoices/payment/credit, expenses, debts, costs.
5. The Data Controller may undertake and complete transfers of personal data from the Registers in accordance with the applicable laws and model clauses data transfer agreement(s) entered into on an intra-group basis.
Personal Data Processing. Level of Sensitivity
6. The level of sensitivity of the Personal Data is high, as determined in accordance with the criteria provided for in Regulation № 1 of February 7th, 2007 relating to the Minimum Level of Technical and Organizational Measures and Required Type of Protection of Personal Data, issued by the Commission for Personal Data Protection, promulgated in State Gazette # 25 of 23.03.2007.
7. The Manager designates himself/herself or another employee of the Data Controller that will be responsible for the processing and security of personal data in the Registers. The employee responsible for processing and security of personal data in the Registers is responsible for procuring the conformity of the personal data processing carried out by the Data Controller with these Rules and the applicable laws. He/she processes and procures the processing by other employees of the Data Controller, as applicable, of the personal data in accordance with these Rules and the applicable laws.
8. Besides the Manager, other employees of the Data Controller that directly or indirectly process Personal Data in the Registers are the employees responsible for the IT system of the Data Controller. By virtue of an express written order, the Manager may designate other employees of the Data Controller that will have the right to process personal data in the Registers.
9. The employees under the preceding Section have access to the Registers and to the data from the Registers, to the extent necessary for fulfillment of their employment duties.
10. Access to the Registers is restricted by passwords and locked cabinets. The Manager and the employee responsible for processing and security of personal data in the Registers may at any time identify which of the employees with the right to access has processed personal data in a Register.
11. Each data subject, whose personal data is processed by the Data Controller has the right to access, rectification, deletion or blocking of his/her personal data, in accordance with the applicable data protection laws.
12. The Data Controller collects the Personal Data directly from the data subjects.
13. Registers are administered on hard, paper-based copies and/or in electronic form in a computer network that is connected to the Internet.
14. The Data Controller stores the information carriers on which the personal data is collected before it is entered into the Registers for a period of 5 to 7 years, after which those carriers are destroyed.
15. Each Register provides, in respect of the personal data processed in and under such Register, a record of at least the following:
15.1 name and title of the employee that has accessed or has attempted to access the Register;
15.2 date of access or attempted access;
15.3 type of access;
15.4 date and time of denied access; and
15.5 personal data of the Register to which access is completed or denied.
The above information shall be stored for at least two years.
16. The employee responsible for processing and security of personal data in the Registers reviews and reports to the Manager once per calendar month the resource information in respect of each Register under Section 16 hereof.
Protection from unauthorized access and sanitization
17. Protection from unauthorized access, intentional damage or destruction of personal data in the Registers, stored in digital form, is safeguarded through antivirus software, a firewall, and encryption of data that will be transferred online.
18. The Manager/IT employees of the Data Controller conduct regular sanitization of computers and communication media used in the processing of personal data in the Registers, on a continuous basis. The sanitization includes, among others, virus checks, checks for illegal software and for the integrity of the databases of the Registers, as well as archiving of data and update of system information.
Archiving and restoration of personal data
19. Personal data on electronic media is archived periodically by the employee responsible for processing and security of personal data in the Registers on the last business day of each successive period of six calendar months as of the start of the personal data processing. Once the archiving is made, the archives are kept in a safe place for a period in accordance with the administrator’s internal record retention policy and guidelines.
20. Restoration of personal data of any of the Registers may be executed by the employee responsible for processing and security of personal data in the Registers or an employee with access to personal data, upon an express written order of the Manager. Each of the Registers provides information on any restoration procedure undertaken in respect of such Register, whereby the information includes at least the identification details of the person who has undertaken the procedure, the restored personal data and the personal data that has been restored manually.
Incidents prevention and reporting
21. In respect of each Register the Data Controller opens and maintains, updated on a daily basis, a Diary of incidents. In respect of each incident the diary provides a record of at least the following:
21.1 approximate time and date or time period of the incident occurrence;
21.2 time and date of incident establishment;
21.3 time and date of incident reporting to the Manager / the employee responsible for processing and security of personal data in the Registers;
21.4 name and title of the employee who reports the incident; and
21.5 consequences of the incident and corrective and preventive measures undertaken in relation thereto.
The diary of incidents is kept by the employee responsible for processing and security of personal data in the Registers.
22. Upon the express written order of the Manager, different measures for prevention of incidents with the Registers are implemented. Such measures could be, among others, a change of access passwords and/or encryption keys for access to the Registers (periodically, as well as in the event of doubt as to their secrecy), unexpected inspections, etc.
23. Periodically, the employee responsible for processing and security of personal data in the Registers carries out a regular data protection compliance review and prepares a written report on any non-compliance established as a result thereof. The Data Controller keeps such reports safe for 5 years as of the report issuance date and provides them for review upon the request of the Commission for Personal Data Protection.
24. Upon the issuance of the written compliance report under Section 23 hereof, the employee responsible for processing and security of personal data in the Registers proposes to the Manager of the Data Controller organizational and technical measures that he/she finds necessary and appropriate for termination of the established non-compliances and for bringing the business activity of the Data Controller in compliance with the applicable rules.
25. These Rules come into force as of the date of their approval in writing by the Manager of the Data Controller and will stay in effect until they are derogated expressly and in writing.
26. These Rules are governed by and must be construed in accordance with the Bulgarian law.
27. These Rules have been approved and issued under Article 23, paragraph (4) of the Law on Personal Data Protection and Regulation # 1 of February 7th, 2007 relating to the Minimum Level of Technical and Organizational Measures and Required Type of Protection of Personal Data, issued by the Commission for Personal Data Protection, promulgated in State Gazette # 25 of
END OF INTERNAL RULES