Contact with the personal data administrator:
Name: Plamen Arnaudov
Position: Manager of Evinat Ltd.
Phone: +359 889 161 777
Personal data protection officer for company: Evinat Ltd.
As part of its social responsibility, Evinat Ltd. is committed to international compliance with data protection laws. This register is applied globally to Evinat Ltd and is based on generally accepted basic principles for the protection of personal data. The protection of personal data is the basis of the reliable business relations and the reputation of Evinat Ltd. as an attractive employer.
The register ensures the adequate level of data protection prescribed by the EU Data Protection Directive and national laws, including in countries where there are still no adequate data protection laws.
This register applies to all offices of Evinat Ltd., all its employees and third parties who process, store and destroy personal data on behalf of Evinat Ltd.
Anonymous data, e.g. statistical evaluations or surveys, is not subject to this data protection policy.
Changes to this register will entail appropriate processes that will ensure the notification of all persons in Evinat Ltd. and the subjects for whom the company collects and processes personal data.
The latest version of the Personal Identification Register is available on the website of Evinat Ltd: www.evinat.com.
CATEGORIES OF SUBJECTS AND PERSONAL DATA
CUSTOMERS AND PARTNERS
Data processing for contractual relations
The personal data of the relevant clients and partners can be processed to establish, execute, and terminate a contract. This also includes consultancy services for the partner if this is related to the contractual purpose. Prior to the conclusion of the contract, during the start of the contract, personal data may be processed in order to prepare orders or purchase orders or fulfill other requests of the entity related to the conclusion of the contract.
Data processing for advertising purposes
If the data subject contacts Evinat Ltd. to request information (for example, a request to receive product or service information material), data processing to respond to this request is permitted.
Personal data may be processed for advertising purposes or for market research and public opinion, provided that this is consistent with the purpose for which the data were originally collected.
If the data subject refuses the use of his or her data for advertising purposes, the data may no longer be used for these purposes and must be deleted.
Consent to data processing
The Register of Personal Data Processing Activities is published on the website of Evinat Ltd. – www.evinat.com, where all data subjects can read it. When a person initiates contact with the company on any of its communication channels and submits his or her personal data, he or she agrees to having read and been informed about Evinat Ltd.’s personal data processing activities.
Data processing according to legal authorization
The processing of personal data is also permitted if national law requires or permits this. The type and scope of the data processing must be necessary for the legally authorized data processing activity and must be in accordance with the relevant legal provisions.
Data processing in legitimate interest
Personal data may also be processed if this is necessary for the legitimate interest of Evinat Ltd. Legitimate interests are, in principle, legal (e.g. debt recovery) or commercial (for example, avoidance of breach of contract). Personal data cannot be processed for purposes of legitimate interest if in individual cases there is evidence that the interests of the data subject deserve protection and that these take precedence. Before data is processed, it is necessary to determine whether there are interests deserving protection.
Processing of highly sensitive data
Highly sensitive personal data may be processed only if the law requires it or the data subject has explicitly given its consent. These data may also be processed if they are mandatory for the establishment, exercise or protection of legal claims against the data subject.
Consumer data and the Internet
The Web site of Evinat Ltd. collects anonymous cookies, anonymous system information for the correct operation of the website and anonymous statistical information through a popular web analytics service.
Data processing for employment relationship
In the employment relationship, personal data may be processed, if necessary, to initiate, implement and terminate the employment agreement. When the employment relationship is being established, the applicants’ personal data can be processed. If the candidate is rejected, his or her data should be deleted, subject to the required retention period, unless the applicant has agreed that the data remain on file for a future selection process. Consent is also necessary to use the data for further application processes or before sharing it with other companies in the group.
In the existing employment relationship, data processing must always refer to the purpose of the employment agreement if none of the following circumstances apply to the authorized data processing.
If it is necessary to collect information about a candidate from a third party in the application process, the requirements of the relevant national laws must be respected. In case of doubt, the consent must be obtained from the data subject.
There must be a legal clearance for the processing of personal data, which is related to the employment relationship but is not initially part of the implementation of the employment agreement. This may include legal requirements, collective arrangements with employee representatives, employee consent, or the legitimate interest of the company.
Data processing according to legal authorization
The processing of personal data about employees is also permitted if national law requires or permits this. The type and scope of the data processing must be necessary for the legally authorized data processing activity and must be in accordance with the relevant legal provisions. If there is any legality, the interests of the employee deserving protection should be taken into account.
Collective agreements for data processing
If a data processing activity exceeds the performance objectives of the contract, it may be admissible if authorized by collective agreement. Collective agreements are pay agreements or agreements between employers and employees’ representatives, within the limits of the labor law permit. Agreements must cover the specific purpose of the planned data processing activity and must be prepared in accordance with national data protection laws.
Consent to data processing
Employee data can be processed with the consent of the person concerned. Declarations of consent must be submitted voluntarily. Involuntary consent is invalid. The declaration of consent must be received in writing or electronically for the purposes of the documentation. Under certain circumstances, consent may be given orally, in which case it must be duly documented. In the event of an informed and voluntary provision of data by the party concerned, consent may be agreed if national law does not require explicit consent.
Data processing in legitimate interest
Personal data can also be processed if necessary for the legitimate interest of Evinat Ltd. Personal data cannot be processed on the basis of legitimate interests if in individual cases there is evidence that the interests of the employee deserve protection. Before processing the data, it must be determined whether there are interests deserving protection.
Processing of sensitive personal data
Sensitive personal data can only be processed under certain conditions. Highly sensitive data is data on racial and ethnic origin, political beliefs, religious or philosophical beliefs, trade union membership, and the data subject’s health and sexual life. Under national law, other categories of data may be considered very sensitive or the content of the data categories may be excluded separately. In addition, data relating to a criminal offense can only be processed under special requirements under national law.
Processing must be expressly permitted or prescribed by national law. In addition, processing may be permitted if the responsible authority is required to fulfill its rights and obligations in the field of labor law. The employee may also explicitly approve the processing.
If personal data are automatically processed as part of an employment relationship and specific personal data are assessed (for example, as part of staff selection or skill assessment), such processing cannot be the sole basis for decision-making, consequences or material problems for the selected employee. In order to avoid mistakes, the automated process must ensure that a natural person assesses the content of the situation and that this assessment is at the heart of the decision. The data subject must also be informed of the facts and results of automated individual decisions and of the ability to respond.
Telecommunications and the Internet
Phone equipment, e-mail addresses, intranet, and the Internet, along with internal social networks, are provided by the company primarily for work-related tasks. They are the tool and resource of the company. They can be used within the applicable legal regulations and internal policy of the company.
SHARING PERSONAL DATA WITH THIRD PARTIES
Processing of personal data by assignment
The processing of personal data by assignment means that a provider is hired to process personal data on behalf of Evinat Ltd. In such cases, an agreement / personal data processing agreement should be concluded on the basis of a contract between Evinat Ltd. and the respective external contractors. Evinat Ltd. retains full responsibility for the proper execution of the processing of personal data. The Contractor may only process personal data in accordance with the customer’s instructions. When ordering, the following requirements must be met: the department that submits the order must ensure that they are fulfilled.
Providing data under a legal authorization
The provision of personal data to state institutions is also permitted if national law requires or permits this. The type and scope of the data processing must be necessary for the legally authorized data processing activity and must be in accordance with the relevant legal provisions. If there is any legality, the interests of the employee deserving protection should be taken into account.
TERMS OF OBLITERATION
CUSTOMERS AND PARTNERS
Term of obliteration: Up to 10 business days after the expiration of the contractual relationship and the warranty period, unless the client / partner does not wish Evinat Ltd. to keep his / her personal contact details and after that period or no new contract between Evinat Ltd. and the same client / partner is signed. When providing personal data by subscribing to the company’s newsletter – up to a refusal to receive ad messages. In case there is a legitimate interest of the company or a legal decision – within 10 working days after the termination of the interest and / or the decision.
Term of obliteration: Up to 10 business days after termination of the employment relationship, unless the employee wishes Evinat Ltd. to keep his / her personal contact details and after that period or no new contract between Evinat Ltd. and the same employee is signed. In case there is a legitimate interest of the company or a legal decision – within 10 working days after the termination of the interest and / or the decision.
GENERAL SECURITY MEASURES DESCRIPTION
Personal data is subject to secrecy. Any unauthorized collection, processing or use of such data by employees is prohibited. Any data processing undertaken by an employee that he or she was not authorized to perform as part of his or her legal duties is unauthorized. Employees may only have access to personal information as appropriate to the type and scope of the task in question. This requires careful allocation and implementation of roles and responsibilities.
Employees are prohibited from using personal data for personal or commercial purposes, disclosing them to unauthorized persons or otherwise providing them. Supervisors must inform their employees of the data protection obligation at the beginning of their employment relationship. This obligation remains in effect even after employment has ended.
Personal data must be protected against unauthorized access and unauthorized processing or disclosure, as well as accidental loss, alteration or destruction. This is true regardless of whether the data is processed electronically or in paper form. Before introducing new data processing methods, especially new information systems, technical and organizational measures for the protection of personal data must be defined and applied. These measures must be based on the state of the art, the processing risks and the need for data protection (defined by the classification process).
The technical and organizational measures for the protection of personal data are part of the corporate information security management and must be continually adapted to the technical development and organizational changes.
In cases of
the necessary company reports must be made immediately so that the reporting obligations under national law can be met.
PERSONAL DATA SUBJECT RIGHTS
Every data subject has the following rights. The processing of his personal data must not place the person at a disadvantage.
The data subject has the right to object to the processing of his data and this should be taken into account if the protection of his or her interests takes precedence over the data controller’s interest due to a particular personal situation. This does not apply if a legal provision requires data to be processed.