I. GENERAL PROVISIONS
Art. 1. (1) The Institute of Transport Construction and Infrastructure Ltd. (hereinafter referred to as "the Company") is a company registered in the Commercial Register of the Registry Agency with UIC 202117100, with its registered office and registered address: Republic of Bulgaria, Sofia, 78 Serdika Area, Iliyantsi str. No 78, with main activity: consultancy in the field of construction.
(2) The company is a controller of personal data, it processes personal data in connection with its activity and defines by itself the purposes and means for their processing.
Art. 3. For the purposes of this Policy:
"personal data" means any information relating to an identified or identifiable natural person ("data subject"); identifiable individual is an identifiable person, directly or indirectly, in particular by an identifier such as a name, identification number, location data, online identifier, or by one or more physical-specific attributes, the physiological, genetic, psychic, mental, economic, cultural or social identity of that individual;
2. "processing" means any operation or set of operations carried out with personal data or a set of personal data by automatic or other means such as the collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure through transmission, dissemination or otherwise making the data accessible, arranging or combining, limiting, deleting or destroying them;
3. "restriction of processing" means the marking of stored personal data in order to limit their processing in the future;
4. “pseudonymisation” means the processing of personal data in such a way that personal data can no longer be linked to a particular data subject without the use of additional information, provided that it is stored separately and is subject to technical and organizational measures to ensure that personal data are not linked to an identified or identifiable individual;
5. "personal data register" means any structured set of personal data that is accessed according to certain criteria, whether centralized, decentralized or distributed according to a functional or geographical principle;
6. "controller" means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; when the purposes and means of such processing are determined by European Union law or the law of a Member State, the controller or the specific criteria for determining it may be laid down in Union law or in the law of a Member State;
7. "processor" means a natural or legal person, public authority, agency or other entity that processes personal data on behalf of the controller;
8. "recipient" means a natural or legal person, public authority, agency or other entity to whom personal data are disclosed, whether a third party or not. At the same time, public authorities which may receive personal data in the context of a specific investigation under the law of EU or Member State law are not considered as "recipients"; the processing of such data by the designated public authorities complies with the applicable data protection rules for the purposes of processing;
9. "third party" means a natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who, under the direct control of the controller or the processor, have the right to process the personal data;
10. "consent of the data subject" means any freely expressed, specific, informed and unambiguous indication of the data subject's will, by means of a statement or clearly affirmative action, expressing his / her consent to the processing of personal data relating to him / her;
11. "personal data breach" means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data which is transmitted, stored or processed in another way;
12. "supervisory authority" means an independent public body set up by a Member State pursuant to Article 51 of the General Data Protection Regulation.
Art. 4. The principles related to the processing of personal data are:
1. the principle of legality, integrity and transparency of the processing of personal data - the collection of personal data must be within the necessary range. The information is collected in a lawful and objective manner;
2. the principle of minimizing data and limiting purposes and retention - personal data should not be used for purposes other than those for which they were collected, except with the consent of the person or in cases specifically provided for in the law. Personal data must be stored for no longer than is necessary for the purposes for which the personal data are processed;
3. principle of accuracy - personal data must be precize, accurate, complete and up-to-date insofar it is necessary for the purposes for which they are processed;
4. principle of integrity and confidentiality - personal data must be processed in such a way as to guarantee an adequate level of personal data security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or corruption, by applying appropriate technical or organizational measures.
Art. 5. Personal data of individuals, visitors to the site https://conferenceroad.bg/ shall be processed in the Visitors sub-register.
II. VISITORS SUB-REGISTER
Art. 6. (1) The following categories of personal data shall be processed in the VISITORS sub-register:
1. name and surname;
6. IP address - location;
7. IBAN (upon payment of conference fee).
(2) The data shall be processed for the purposes of registration for participation in the XIII National Conference of Transport Infrastructure with International Participation.
Art. 7. Personal data shall be processed electronically. The personal data is collected by the users themselves in specially developed registration software for participation in the conference. The data shall be kept for a period of one year from the date of commencement of registration. Upon expiration of the storage period and provided that there are no documents to be transferred to the State Archives, all data carriers from the register shall be destroyed by an appropriate method, incl. and deleting backup electronic copies.
Art. 8. (1) The controller shall entrust the processing of personal data to persons appointed under an employment relationship. The rights and obligations of the data processors shall be indicated in the relevant job description.
(2) Access to personal data is also granted to third parties - Academica Sea Palace JSC, operating the hotel where the Conference is held;
(3) Access to personal data shall be given to a legal adviser or lawyer in connection with the protection of the rights of the Company in case of dispute between the parties and / or the need for consultation.
(4) Access to personal data of a person shall be granted to third parties at the order of a court and / or on the basis of a specific regulatory act.
(2) The Company uses two types of cookies: required and functional.
Art. 10. Necessary cookies distinguish site users from bots.
Art. 11. (1) Functional cookies allow the website to understand how visitors interact with other websites by anonymously collecting and reporting information.
(2) The functional cookies used by the Company – owned by it and by third-party partners - are as follows:
Art. 12. The Company uses the following websites and their cookies, the type and name of cookies and the storage location and storage period of the third parties listed below are indicated in the tables above:
1. Google Analytics - a web analytics service provided by Google LLC., 1600 Amphitheater Parkway Mountain View, CA 94043, USA, using cookies stored on a user's computer to enable the analysis of site usage by users. Information about the use of this site obtained through cookies is transmitted and stored by Google LLC., 1600 Amphitheater Parkway Mountain View, CA 94043, USA (data processor) on servers located in the United States. The data that reaches Google Analytics is pseudonymized on the company's electronic platform under Art. 11, para. 1 of this Policy. By virtue of its contractual relationship with Google LLC. the Company assigns it to use this information to evaluate the use of the site, to compile web-based activities and to provide the site operator with other services related to the use of the site and the use of the Internet to the Company's site. Google LLC. will not link the IP address sent from the user's browser via Google Analytics to other data stored by Google LLC. Google LLC processes the data in compliance with the requirements of EU law on personal data protection and the EU-US Privacy Shield Framework.
RIGHTS OF THE DATA SUBJECTS AND PROCEDURE FOR THEIR IMPLEMENTATION
Art. 13. The data subjects have the following rights regarding their personal data:
1. right of access;
2. right of correction;
3. the right to data portability;
4. right to be deleted (right to be "forgotten");
5. the right to request restriction of processing;
6. the right to object to the processing of personal data;
7. the right of the subject not to be the subject of a decision based solely on automated processing involving profiling.
Art. 14. (1) Every natural person, subject of personal data, has the right to receive information about the controller of personal data, as well as about the processing of his personal data. This information includes:
1. data identifying the controller as well as his / her contact details, including contact details of the data protection officer;
2. the purposes and the legal basis for the processing;
3. the recipients or categories of recipients of personal data, if any;
4. the intention of the controller to transfer the personal data to a third party (where applicable);
5. the period of storage of the personal data;
6. the existence of automated decision-making, including profiling (if any);
7. information about all rights that the subject has;
8. the right of appeal to the supervisory authority.
(2) The information under para. 1 shall not be provided if the data subject already has it.
(3) When sending a request for information from a data subject according to the procedure of para. 1, the Company together with the data protection officer under Art. 23 of the Policy shall carry out the necessary verification and provide a response with the required information within 14 (fourteen) days, but not later than 30 (thirty) days from the date of receipt of the request. If necessary, this period may be extended by another two months, taking into account the complexity and number of requests from a specific person. The company shall inform the person of any such extension within one month of receipt of the request, indicating the reasons for the delay. The request contains the identification of the person (three names and personal identification number for Bulgarian citizens, and for all other persons - citizens of other EU Member States - names and date of birth), description of the request, preferred form of access to personal data, signature , date, email, correspondence address and power of attorney when the application is submitted by an authorized person. The company is not obliged to respond to a request if it is unable to identify the data subject. The request is filed in a separate incoming register of the Company and can be submitted in one of the following ways: a) electronically to the following email: email@example.com b) on site, at the Company's office, located in Sofia, 78 Iliyantsi str.
(4) The information under para. 1 is provided in one copy to the data subject free of charge. For additional copies requested by the data subject or at excessive requests of the data subject, especially because of its repeatability, the Company may impose a reasonable fee in the amount of the administrative expenses incurred.
(5) When providing a copy of personal data, the Company may not disclose the following categories of data:
1. personal data of third parties, unless they have explicitly given their consent;
2. data that is a trade secret, intellectual property or confidential information;
3. other information that is protected in accordance with the applicable legislation.
(6) The reasonableness and excessiveness of a request shall be assessed separately in each case by the Company.
(7) In case of refusal to provide access to personal data, the Company shall justify its refusal and inform the data subject of its right to file a complaint with the supervisory body.
Art. 15. (1) The data subjects may request their personal data processed by the Company to be corrected in case the latter are inaccurate or incomplete.
(2) Upon a satisfied request for correction of personal data, the Company shall notify the recipients of data to which such data have been disclosed.
(3) The right under para. 1 shall be exercised by making a request in accordance with Art. 14, para. 3 of the Policy.
Art. 16. (1) Every natural person, subject of personal data, has the right to request erasure of his data, the so-called "Right to be forgotten" if one of the following conditions is true:
1. the personal data of the person are no longer necessary for the purposes for which they were otherwise collected or processed;
2. the data subject withdraws his or her consent on which the processing of the data is based and has no other legal basis for the processing;
3. the data subject objects to the processing and there are no legitimate grounds for processing to take precedence;
4. the personal data have been illegally processed;
5. personal data must be erased in order to comply with a legal obligation under EU or Member State law applicable to the controller;
6. personal data have been collected in connection with the provision of information society services to children and consent has been given by the parent responsible for the child.
(2) The right under para 1 shall be exercised by making a request pursuant to Art. 14, para. 3.
Art. 17. (1) Every natural person, subject of personal data, has the right to restrict the processing of his personal data by the controller, but for this purpose specific conditions are necessary, among which:
1. the accuracy of the personal data is contested by the data subject;
2. the processing is unlawful, but the data subject does not want the personal data to be erased, but instead requires a restriction on their use;
3. the controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or protection of legal claims;
4. the data subject has objected to the processing pending verification that the legitimate grounds of the controller have priority over the interests of the data subject.
(2) In the cases of para. 1, item 1, the limitation of processing is for a period which allows the controller to check the accuracy of personal data.
(3) The right under para 1 shall be exercised by making a request under the procedure of Art. 14, para. 3.
Art. 18. (1) Every natural person, subject of personal data, has the right to receive personal data concerning him and which he has provided to the administrator in a structured, widely used and machine-readable format and has the right to transfer this data to another controller without hindrance by the controller to whom the personal data are provided when processing is based on consent or contractual obligation and processing is carried out in an automated manner.
(2) When exercising its right of data portability, the data subject shall also have the right to receive the personal data directly from one controller to another, where technically feasible.
(3) The right under para 1 shall be exercised by making a request pursuant to Art. 14, para. 3.
Art. 19. (1) The data subject shall have the right to object to the processing of his personal data by the Company if the data are processed on one of the following grounds:
1. processing is necessary for the performance of a public interest task or for the exercise of official powers conferred on the controller;
2. the processing is necessary for purposes related to the legitimate interests of the Company or of a third party;
3. data processing involves profiling.
(2) The controller shall terminate the processing of personal data unless it proves that there are compelling legal grounds for its continuation, which take precedence over the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims.
Art. 20. (1) Every natural person, subject of personal data, has the right to be informed, and the Company is obliged to notify the subject in case of breach of the security of his personal data and when such breach is likely to create a high risk for the rights and the freedoms of the data subject.
(2) The notification under para. 1 shall be carried out without undue delay after its detection and shall contain a description of the nature of the personal data breach, indicating the nature of the breach, the name and contact details of the data protection officer, the consequences of the breach and the measures taken by the Company to deal with the breach and to reduce any adverse effects.
Art. 21. In case of violation of your rights or the applicable legislation on personal data protection, you have the right to file a complaint with the Commission for Personal Data Protection, address: 1592 Sofia, “Prof. Tsvetan Lazarov 2, tel.: 00359-2-91-53-518, email: firstname.lastname@example.org, website: www.cpdp.bg .