INTERNAL PERSONAL DATA PROCESSING ACTIVITIES REGISTER

ADMINISTRATOR

Contact with the personal data administrator:

Name: Plamen Arnaudov
Position: Manager of Evinat Ltd.
Phone: +359 889 262 662
Personal data protection officer for company: Evinat Ltd.

GOALS

As part of its social responsibility, Evinat Ltd. is committed to international compliance with data protection laws. This register is applied globally to Evinat Ltd and is based on generally accepted basic principles for the protection of personal data. The protection of personal data is the basis of the reliable business relations and the reputation of Evinat Ltd. as an attractive employer.

The register ensures the adequate level of data protection prescribed by the EU Data Protection Directive and national laws, including in countries where there are still no adequate data protection laws.

SCOPE

This register applies to all offices of Evinat Ltd., all its employees and third parties who process, store and destroy personal data on behalf of Evinat Ltd.

Anonymous data, e.g. statistical evaluations or surveys, is not subject to this data protection policy.

Changes to this register will entail appropriate processes that will ensure the notification of all persons in Evinat Ltd. and the subjects for whom the company collects and processes personal data.

The latest version of the Personal Identification Register is available on the website of Evinat Ltd: www.evinat.com.

CATEGORIES SUBJECTS AND PERSONAL DATA

CUSTOMERS AND PARTNERS

Data processing for contractual relations

The personal data of the relevant clients and partners can be processed to establish, execute, and terminate a contract. This also includes consultancy services for the partner if this is related to the contractual purpose. Prior to the conclusion of the contract, during the start of the contract, personal data may be processed in order to prepare orders or purchase orders or fulfill other requests of the entity related to the conclusion of the contract.

Data processing for advertising purposes

If the data subject contacts Evinat Ltd. to request information (for example, request to receive product or service information material), data processing to respond to this request is permitted.

Personal data may be processed for advertising purposes or for market research and public opinion, provided that this is consistent with the purpose for which the data were originally collected.

If the data subject refuses to use his or her data for advertising purposes, its data may no longer be used for these purposes and must be deleted.

Consent to data processing

The Register of Personal Data Processing Activities is published on the website of Evinat Ltd. – www.evinat.com, where all data subjects can read it. When initiating contact on any of the communication channels with the company by a person submitting his or her personal data, he agrees to have read and is informed about Evinat Ltd.’s personal data processing activities.

Data processing according to legal authorization

The processing of personal data is also permitted if national law requires or permits this. The type and scope of the data processing must be necessary for the legally authorized data processing activity and must be in accordance with the relevant legal provisions.

Data processing in legitimate interest

Personal data may also be processed if this is necessary for the legitimate interest of Evinat Ltd. Legitimate interests are, in principle, legal (eg debt recovery) or commercial (for example, avoidance of breach of contract). Personal data can not be processed for purposes of legitimate interest if in individual cases there is evidence that the interests of the data subject deserve protection and that this has an advantage. Before data is processed, it is necessary to determine whether there are interests deserving protection.

Processing of highly sensitive data

Highly sensitive personal data may be processed only if the law requires it or the data subject has explicitly given its consent. These data may also be processed if they are mandatory for the establishment, exercise or protection of legal claims against the data subject.

Consumer data and the Internet

The Web site of Evinat Ltd. collects anonymous cookies, anonymous system information for the correct operation of the website and anonymous statistical information through a popular web analytics service.

EMPLOYEES

Data processing for employment relationship

In the employment relationship, personal data may be processed, if necessary, to initiate, implement and terminate the employment agreement. When the employment relationship is established, the complainants’ personal data can be processed. If the candidate is rejected, his or her data should be deleted, subject to the required retention period, unless the applicant has agreed to remain in place for a future selection process. It is also necessary to agree to use the data for further application processes or before sharing with other companies in the group.

In the existing employment relationship, data processing must always refer to the purpose of the employment agreement if none of the following circumstances apply to the authorized data processing.

If it is necessary to collect information about a candidate from a third party in the application process, the requirements of the relevant national laws must be respected. In case of doubt, the consent must be obtained from the data subject.

There must be a legal clearance for the processing of personal data, which is related to the employment relationship but is not initially part of the implementation of the employment agreement. This may include legal requirements, collective arrangements with employee representatives, employee consent, or the legitimate interest of the company.

Data processing according to legal authorization

The processing of personal data about employees is also permitted if national law requires or permits this. The type and scope of the data processing must be necessary for the legally authorized data processing activity and must be in accordance with the relevant legal provisions. If there is any legality, the interests of the employee deserving protection should be taken into account.

Collective agreements for data processing

If a data processing activity exceeds the performance objectives of the contract, it may be admissible if authorized by collective agreement. Collective agreements are pay agreements or agreements between employers and employees’ representatives, within the limits of the labor law permit. Agreements must cover the specific purpose of the planned data processing activity and must be prepared in accordance with national data protection laws.

Consent to data processing

Employee data can be processed with the consent of the person concerned. Declarations of consent must be submitted voluntarily. Invalid consent is invalid. The declaration of consent must be received in writing or electronically for the purposes of the documentation. Under certain circumstances, consent may be given orally, in which case it must be duly documented. In the event of an informed and voluntary provision of data by the party concerned, consent may be agreed if national law does not require explicit consent.

Data processing in legitimate interest

Personal data can also be processed, if necessary, the legitimate interest of Evinat Ltd. Personal data can not be processed on the basis of legitimate interests if in individual cases there is evidence that the interests of the employee deserve protection. Before processing the data, it must be determined whether there are interests deserving protection.

Processing of sensitive personal data

Sensitive personal data can only be processed under certain conditions. Highly sensitive data is data on racial and ethnic origin, political beliefs, religious or philosophical beliefs, trade union membership, and the data subject’s health and sexual life. Under national law, other categories of data may be considered very sensitive or the content of the data categories may be excluded separately. In addition, data relating to a criminal offense can only be processed under special requirements under national law.

Processing must be expressly permitted or prescribed by national law. In addition, processing may be permitted if the responsible authority is required to fulfill its rights and obligations in the field of labor law. The employee may also explicitly approve the processing.

Automated solutions

If personal data are automatically processed as part of an employment relationship and specific personal data are assessed (for example, as part of staff selection or skill assessment), such processing can not be the sole basis for decision-making, consequences or material problems for the selected employee. In order to avoid mistakes, the automated process must ensure that a natural person assesses the content of the situation and that this assessment is at the heart of the decision. The data subject must also be informed of the facts and results of automated individual solutions and the ability to respond.

Telecommunications and the Internet

Phone equipment, e-mail addresses, intranet, and the Internet, along with internal social networks, are provided by the company primarily for work-related tasks. They are the tool and resource of the company. They can be used within the applicable legal regulations and internal policy of the company.

SHARING PERSONAL DATA WITH THIRD PARTIES

Processing of personal data by assignment

The processing of personal data by assignment means that a provider is hired to process personal data on behalf of Evanat Ltd. In such cases, an agreement / personal data processing agreement should be concluded on the basis of a contract between Evanat Ltd. and the respective external contractors. Evina Ltd. retains full responsibility for the proper execution of the processing of personal data. The Contractor may only process personal data in accordance with the customer’s instructions. When ordering, the following requirements must be met: the department that submits the order must ensure that they are fulfilled.

  • The Contractor must be selected on the basis of his ability to cover the necessary technical and organizational safeguards.
  • The data handling instructions and responsibilities of Evinat Ltd. and the contractor must be documented.
  • Prior to the processing of personal data, the representatives of Evinat Ltd. must be confident that the contractor will perform his / her duties. The contractor can document compliance with data security requirements, in particular by presenting appropriate certification. Depending on the risk of data processing, checks must be repeated regularly throughout the contract period.
  • In the case of cross-border data processing under contract, the relevant national requirements for the disclosure of personal data abroad must be respected. In particular, personal data from the European Economic Area may be processed in a third country only if the provider can demonstrate that there is a data protection standard equivalent to this data protection policy.

Providing data under a legal authorization

The provision of personal data to state institutions is also permitted if national law requires or permits this. The type and scope of the data processing must be necessary for the legally authorized data processing activity and must be in accordance with the relevant legal provisions. If there is any legality, the interests of the employee deserving protection should be taken into account.

TERMS OF OBLITERATION

CUSTOMERS AND PARTNERS

Term of obliteration: Up to 10 business days after the expiration of the contractual relationship and the warranty period, unless the client / partner does not wish Evinat Ltd. to keep his / her personal contact details and after that period or no new contract between Evinat Ltd. and the same client / partner is signed. When providing personal data by subscribing to the company’s newsletter – up to a refusal to receive ad messages. In case there is a legitimate interest of the company or a legal decision – within 10 working days after the termination of the interest and / or the decision.

EMPLOYEES

Term of obliteration: Up to 10 business days after termination of the employment relationship, unless the employee wishes Evinat Ltd. to keep his / her personal contact details and after that period or no new contract between Evinat Ltd. and the same employee is signed. In case there is a legitimate interest of the company or a legal decision – within 10 working days after the termination of the interest and / or the decision.

GENERAL SECURITY MEASURES DESCRIPTION

Personal data is subject to secrecy. Any unauthorized collection, processing or use of such data by employees is prohibited. Any data processing undertaken by an employee for which he was not authorized to perform part of his or her legal duties is unauthorized. Employees may only have access to personal information as appropriate to the type and scope of the task in question. This requires careful allocation and implementation of roles and responsibilities.

Employees are prohibited from using personal data for personal or commercial purposes, disclosing them to unauthorized persons or otherwise providing them. Supervisors must inform their employees at the beginning of their employment relationship with the data protection obligation. This obligation remains in effect even if employment is completed.

Personal data must be protected against unauthorized access and unauthorized processing or disclosure, as well as accidental loss, alteration or destruction. This is true regardless of whether the data is processed electronically or in paper form. Before introducing new data processing methods, especially new information systems, technical and organizational measures for the protection of personal data must be defined and applied. These measures must be based on the state of the art, the processing risks and the need for data protection (defined by the classification process).

The technical and organizational measures for the protection of personal data are part of the corporate information security management and must be continually adapted to the technical development and organizational changes.

All employees must immediately inform their supervisor to inform the controller or inform the data administrator directly of breaches of this privacy policy.

In cases of

  • Incorrect transmission of personal data to third parties,
  • Unlawful access of third parties to personal data or
  • Loss of personal data

the necessary company reports must be made immediately so that the reporting obligations under national law can be met.

PERSONAL DATA SUBJECT RIGHTS

Every data subject has the following rights. The processing of his personal data must not place the person at a disadvantage.

  • The data subject may request information about which personal data associated with it is stored, how the data is collected, and for what purpose. If there are additional rights to review the employer’s records of the employment relationship (eg staff) under the relevant labor laws, they will remain unaffected.
  • If personal data is transferred to third parties, information about the recipient or categories of recipients should be provided.
  • If personal data are inaccurate or incomplete, the data subject may request correction or addition.
  • The data subject may object to the processing of his or her data for the purposes of advertising or market research / public opinion. Data must be deleted from these usage types.
  • The data subject may request the deletion of his or her data if the processing of such data has no legal basis or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has expired or has ceased to be applicable for other reasons.

The data subject has the right to object to the processing of his data and this should be taken into account if the protection of his or her interests takes precedence over the data controller’s interest due to a particular personal situation. This does not apply if a legal provision requires data to be processed.