OF LUCKY DRIVE LTD, EICs 200522826 ON THE PROTECTION OF THE RIGHTS OF DATA SUBJECTS IN RELATION TO THE EU GENERAL DATA PROTECTION REGULATION 2016/679
These rules and policies (“Rules”) set out the terms and conditions under which the natural persons whose personal data are processed by B & G DRINK AND DRIVE LTD, EICs 200522826, may exercise their rights under data protection legislation.
In order to provide the Services (“Services”) by the B & G DRINK AND DRIVE LTD, UIC 200522826, with registered address: Fr. Sofia, Lozenets district, ul. Миджур N 11, Et. 3, App. 6, processes data of individuals (“Data Subjects”) in accordance with this Policy. When processing personal data B & G DRINK AND DRIVE LTD, UIC 200522826, complies with all applicable personal data protection regulations, including, but not limited to, Regulation (EU) 2016/679 (“Regulation”).
According to the Regulation, personal data is any information that relates to individuals and through which a specific natural person can be identified. Processing of personal data (“Processing”) is any action or set of actions that can be performed on personal data by automatic or other means.
PART 1: GENERAL PRINCIPLES
1.1. B & G DRINK AND DRIVE processes and protects personal data collected in the course of its activities transportation of people with their personal cars, and offering professional drivers fairly, lawfully and in accordance with the purposes for which the data was collected.
1.2. Employees, persons of civil compliance and partners who process personal data for the purpose of providing purchased services to customers and for the purpose of fulfilling legal obligations shall observe the following principles when processing personal data:
i) Personal data is processed lawfully and fairly.
ii) Personal data shall be collected for specified, explicit and legitimate purposes and shall not be further processed in a manner that is incompatible with those purposes.
- The personal data collected and processed in the management of human resources shall be relevant, related to and not exceeding the purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data shall be deleted or rectified where it is found to be inaccurate or disproportionate to the purposes for which they are processed.
- Personal data shall be kept in a form which permits identification of the data subjects for no longer than is necessary for the purposes for which such data are processed.
1.3. Employees and partners who process personal data undergo initial and periodic confidentiality trainings and familiarize themselves with the applicable legislation.
PART 2: DEFINITIONS
The definitions listed below have the following meanings:
Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Applicable legislation ” means the legislation of the European Union and the Republic of Bulgaria that is relevant to the protection of personal data;
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
‘Regulation (EU) 2016/679’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), published in the Official Journal of the European Union on 4 May 2016.
1. GROUPS OF PERSONS FOR WHOM DATA ARE PROCESSED
In connection with the services provided B & G DRINK AND DRIVE processes information about the following Data Subjects:
(a) natural persons, customers under current contracts
(b) natural persons, information about whom is contained in inquiries, proposals for concluding a contract, requests, signals, complaints or other correspondence addressed to
B & G DRINK AND DRIVE
(c) employees under an employment contract, persons under a civil contract with B & G DRINK AND DRIVE and subcontractors and service providers;
(d) persons and applicants for employment with whom no civil/employment has subsequently been concluded;
contract or subcontractors and service providers.
2. DATA PROCESSED IN RELATION TO THE QUALITY OF THE DATA SUBJECT IN THE LEGAL RELATIONSHIP BETWEEN HIM AND THE B & G DRINK AND DRIVE
2.1. Information that the “Data Subject” provides
Depending on the quality of data subjects, the type of personal data collected and the purposes for which they are collected vary.
- In terms of customers B & G DRINK AND DRIVE collects personal data concerning information necessary for the conclusion and performance of relevant contracts with customers, i.e. those without which it is impossible to provide the service.
- With regard to natural persons under a civil and employment contract and contractors B & G DRINK AND DRIVE collects personal data concerning information necessary for the implementation of the employment relationship and the civil contract.
- With regard to persons who are not subsequently under a civil/employment contract – personal data of job applicants after the fulfillment of the purposes for which they are processed are not stored, unless it is by virtue of a law or the person has given his written consent to the processing of his data for the future, with a view to opening new positions for which he can apply.
-Personal data that B & G DRINK AND DRIVE processed are: Names, PIN, address, phone number, email, bank information, ID number, driving license number.
Additional / sensitive information about personal data subjects from any of the above categories is not collected.
2.2. PURPOSES FOR THE PROCESSING OF PERSONAL DATA
- Purposes necessary for the conclusion and performance of the contract for the provision of the Services.
- Purposes necessary to protect and implement the legitimate interests of other users of the Services, third parties and B & G DRINK AND DRIVE;
- Purposes for which the “Data Subject” has given explicit consent;
- Purposes necessary for the fulfilment of legal obligations of the B & G DRINK AND DRIVE.
NB. In addition, these purposes include the communication with the “Data Subject”, including by e-mail, necessary in connection with the provision of the Services and / or notification of changes in the Services provided. For this purpose, it may be necessary to process part or all of the above categories of data.
2.3 GROUNDS FOR IMAGE OF PERSONAL DATA
2.3.1. Legitimate interest
These are purposes relating to the legitimate interests of the B & G DRINK AND DRIVE and/or third parties, such as other users, Employers, Employers’ representatives, accountants, IT and telecommunications specialists, etc. These objectives include:
- Ensuring the normal functioning of the service by the B & G DRINK AND DRIVE and by other users, support and administration of the Services, resolve disputes, detect and prevent malicious actions.
- Detect and resolve technical or functional issues, development and improvement of the Services.
- Communication with customers, including electronically on important issues related to the Services.
- Receiving and processing received signals, complaints, requests and other correspondence;
- Implementation and protection of the rights and legitimate interests of B & G DRINK AND DRIVE, including in court, and assisting in the implementation and protection of the rights and legitimate interests of other users of the site and / or affected third parties.
For these purposes, it may be necessary to process part or all of the above categories.
2.3.2. Legal obligations
Purposes related to compliance with legal obligations of B & G DRINK AND DRIVE, include the fulfillment of statutory obligations to preserve or provide information upon receipt of an appropriate order by competent state or judicial authorities, to enable the exercise of the control powers of the competent state authorities, in the fulfillment of the legal obligations of the B & G DRINK AND DRIVE to notify customers about different circumstances related to their rights, the Services provided or the protection of their data. For these purposes, it may be necessary to process part or all of the above categories.
2.3.3. Explicit consent
In the cases provided for by law, B & G DRINK AND DRIVE may process personal data only with explicit consent and for a specific purpose, to the extent and scope provided for in the respective consent.
3. SHELF LIFE
B & G DRINK AND DRIVE store data in a minimum volume and for a period no longer than necessary for the provision of the Services, ensuring their security and reliability and the requirements of the law.
|Data Types||Storage period||Explanations|
|Data by concluded contract For personal data related only to an offer that has not been followed by a contract.||Depending on the term of the contract, 5 years after the expiration of the term Within 1 (one) month after the preparation of the offer, unless there is an agreement according to the agreement. Art. 7 of the Regulation.|
|Personal data collected under an employment/civil relationship Personal data necessary for accounting records (invoices)||Until termination of the contract and after the expiry of the statutory period for storage of such data for the purposes of pension insurance and in accordance with labor and social security legislation Within 5 years from 1 January of the reporting period following the reporting period to which they relate,|
* In the event of a legal dispute or proceedings requiring the retention of data and/or a request from a competent state authority, data may be retained for longer than the specified time limits until the final settlement of the dispute or proceedings before all instances. These deadlines may be changed in the event that a different requirement for the retention of information under current legislation is established.
4. PROVISION OF INFORMATION
B & G DRINK AND DRIVE does not provide personal data to third parties in any way other than those described in this Policy and the cases provided for by law.
4.1. Suppliers and subcontractors
B & G DRINK AND DRIVE uses subcontractors and service providers such as specialized data centers for reliable and secure colocation of server and network equipment, providers of accounting, consulting and legal services, etc. Working with subcontractors and suppliers B & G DRINK AND DRIVE requires them to strictly comply with data protection legislation by concluding an additional agreement to the relevant contracts with suppliers/subcontractors on the protection of personal data.
4.2. Third parties
Your personal data may be provided to third parties only in the following cases: when this is provided for by law; if duly requested by a competent state or judicial authority; when we have obtained your explicit consent to do so; where necessary for the protection of the rights and legitimate interests of the B & G DRINK AND DRIVE and/or other users of the Services.
4.3. Change of ownership
In the event of a merger, acquisition or sale of assets affecting the processing of personal data, Data Subjects will be notified in due course.
PART IV. RIGHTS WITH REGARD TO PERSONAL DATA
The GDPR provides for the following rights of the data subjects who B & G DRINK AND DRIVE ensure and protect:
Data subjects have the following rights regarding their personal data, which are set out below:
- 1.Right to information;
- Right of access;
- Right to rectification;
- Right to data portability;
- Right to erasure (‘right to be forgotten’);
- Right to request restriction of processing;
- Right to object to the processing of personal data;
- Right of the data subject not to be subject to a decision based solely on automated processing, including profiling.
5.1. Right to information.
The data subject must be informed in advance of the purposes for which the data are processed in connection with the Services provided.
5.2. Right of access
- On request B & G DRINK AND DRIVE provide a data subject with the following information:
- confirmation of whether B & G DRINK AND DRIVE processing the personal data of the person or not;
- a copy of the person’s personal data processed by the B & G DRINK AND DRIVE and
- an explanation of the data processed.
- The explanation under para. 1 shall include the following information on the B & G DRINK AND DRIVE Personal data: i) the purposes of the processing; ii) the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing;
- the existence of the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, and information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject;
- Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
- The explanation concerning the data processed shall include the information B & G DRINK AND DRIVE provided to data subjects by means of a confidentiality notice.
- At the request of the data subject B & G DRINK AND DRIVE may provide a copy of the personal data undergoing processing.
- With the provision ofa copy of personal data B & G DRINK AND DRIVE cannot disclose the following categories of data:
- personal data of third parties, unless they have explicitly agreed to do so;
- data that constitute a trade secret, intellectual property or confidential information;
- other information that is protected under applicable law.
- Providing access to data subjects may not adversely affect the rights and freedoms of third parties or lead to a violation of a regulatory obligation of B & G DRINK AND DRIVE.
- Where requests for access are manifestly unfounded or excessive, in particular because of their repeatability, B & G DRINK AND DRIVE may charge a reasonable fee based on the administrative costs of providing the information or refuse to respond to the request for access.
- B & G DRINK AND DRIVE assess on a case-by-case basis whether a request is manifestly unfounded or excessive.
- In case of refusal to provide access to personal data, B & G DRINK AND DRIVE justify his refusal and inform the data subject of his or her right to lodge a complaint with the CPDP.
5.3. Right to rectification
- Data subjects may request their personal data processed by the B & G DRINK AND DRIVE, to be corrected in case the latter are inaccurate or incomplete.
- In the event of a request for correction of personal data, B & G DRINK AND DRIVE notify the other recipients to whom the data have been disclosed (e.g. public authorities, service providers) so that they can reflect the changes.
5.4. Right to data portability (1) Each data subject shall have the right granted by the European legislator to receive the personal data concerning him or her and which he or she has provided to him or her. B & G DRINK AND DRIVE, in a structured, widely used and machine-readable format or on paper.
- Upon request, such data may be transferred to another controller designated by the data subject, where technically feasible.
- The data subject may exercise the right to portability in the following cases:
(i) the processing is based on the consent of the data subject; (ii) the processing is based on a contractual obligation; (iii) the processing is carried out by automated means.
- The right to portability may not adversely affect the rights and freedoms of others.
5.5. Right to erasure (‘right to be forgotten’)
- On request B & G DRINK AND DRIVE is obliged to delete personal data if any of the following grounds are present:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing.
- the data subject objects to the processing of personal data for direct marketing purposes;
- the personal data have been unlawfully processed;
- personal data must be erased in order to comply with a legal obligation of the
B & G DRINK AND DRIVE;
(vii) the personal data have been collected in relation to the offer of information society services of a child within the meaning of Article 8(1) of Regulation (EU) 2016/679.
- B & G DRINK AND DRIVE is not obliged to delete the personal data insofar as the processing is necessary:
- for exercising the right to freedom of expression and information; (ii) to comply with a legal obligation of the B & G DRINK AND DRIVE;
(iii) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Ar ticle 9(2) and
Regulation (EU) 2016/679;
(iv) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of Regulation (EU) 2016/679 in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(v) for the establishment, exercise or defence of legal claims.
5.6. Right to restriction of processing
- Each data subject shall have the right granted by the European legislator to obtain from the controller restriction of processing where one of the following applies:
- The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
iv) the data subject has objected to the processing on the basis of the legitimate interest of the B & G DRINK AND DRIVE and an examination is ongoing as to whether the legitimate grounds of the controller override the interests of the data subject.
- B & G DRINK AND DRIVE may process personal data whose processing is restricted only for the following purposes:
(i) to store the data
(ii) with the data subject’s consent;
(iii) for the establishment, exercise or defence of legal claims; (iv) for the protection of the rights of another natural person; or (v) for important reasons of public interest.
- When a data subject has requested restriction of processing and one of the grounds referred to in Art. 6 para. 7.1. above, B & G DRINK AND DRIVE inform him before the restriction of processing is lifted.
5.7. Right to object
(1) The data subject has the right to object to the processing of his or her personal data by the B & G DRINK AND DRIVE, if the data are processed on one of the following grounds:
- processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Processing не Is necessary for purposes relating to the legitimate interests of the B & G DRINK AND DRIVE or to a third party;
iii) data processing includes profiling.
We shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
5.8. The right of the data subject not to be subject to a decision based solely on automated processing, including profiling.
5.8.1. Right to object to the administration of personal data for direct marketing purposes
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. This applies to profiling to the extent that it is related to such direct marketing.
If the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.
5.8.2. Right to human intervention in automated decision-making
- In cases where B & G DRINK AND DRIVE Makes automated individual decisions, including or excluding profiling, that produce legal effects concerning natural persons or significantly affect them in a similar way, these persons may request a review of the decision with human intervention, as well as express their point of view.
- B & G DRINK AND DRIVE provide natural persons subject to automated decision-making with meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual.
PART V. PROCEDURE FOR EXERCISING THE RIGHTS OF THE DATA SUBJECTS
- The data subjects may exercise the rights under these Rules by submitting a request for exercising the relevant right. At the disposal of personal data subjects are sample forms available in the office of the B & G DRINK AND DRIVE.
- A request for exercising the rights of the data subjects may be submitted in the following way:
- Electronically to the following email address: firstname.lastname@example.org
- On site in an office of B & G DRINK AND DRIVE
- By post at the address of the B & G DRINK AND DRIVE:Sofia Ul. Midzhur N 11, fl. 3, App. 6
- The request for exercising personal data rights should contain the following information:
- Identification of the person – name and PIN/contract number/customer number
ii) Feedback contacts – address, telephone, e-mail
iii) Request – description of the request
- B & G DRINK AND DRIVE provide information on the action taken in relation to a request to exercise the rights of the subjects within one month of receipt of the request.
- If necessary, this period may be extended by a further two months, taking into account the complexity and number of requests from a particular person. B & G DRINK AND DRIVE inform the person of any such extension within one month of receipt of the request, together with the reasons for the delay.
- B & G DRINK AND DRIVE is not obliged to respond to a request in the event that it is not able to identify the data subject.
- B & G DRINK AND DRIVE may request the provision of additional information necessary to confirm the identity of the data subject, where there are reasonable concerns regarding the identity of the natural person making the request.
- Where the request is made by electronic means, the information shall, where possible, be provided by electronic means, unless otherwise requested by the data subject.
PART VI. MEANS OF PERSONAL DATA PROTECTION
14. B & G DRINK AND DRIVE must apply means to protect personal data from unauthorized access. The minimum remedies to be applied include:
- use of individual accounts and passwords to access devices and information systems
- antivirus and external access restriction programs and systems
- protection of premises where paper files and documents are stored