MILKOTRONIC LTD’s RULES FOR ADMINISTRATION, COLLECTION AND PROCESSING OF PERSONAL DATA OF INDIVIDUALS
1. These Rules are adopted in connection with the fulfilment of the requirements of the General Regulation on the protection of personal data (“Regulation”, “GDPR”) and apply to all employees of the company, as well as to its management and/or supervisory bodies. These rules have been adopted in accordance with the basic principles of the Regulation, namely: the principle of accountability, the principle of limitation of objectives, the principle of the collection and processing of minimum personal data, the principle of limitation of the storage of collected data, the principle of integrity and confidentiality of collected personal data.

2. The Company collects personal data of individuals for the following purposes and in the following cases:
2.1. In the case of labor legal relations and related labor relations with employees - for labor-law purposes, to maintain a work file of the employee.
2.1.1. When looking for and selecting staff for employment in the company.
2.2. In the case of management relations with the management and supervisory bodies of the company - in order to maintain a working file of the management and representatives of the company.
2.3. For tax and legal purposes;
2.4. For insurance purposes;
2.5. For other accounting purposes;
2.6. For contractual purposes, namely, in the case of commercial, debenture and/or real legal relations between the company and an individual, incl. under contractual relationships related to security activities.

3. Type of personal data/information processed for the purposes described in item 2:
3.1. In case of employment law and related employee relations: three names, personal identification number, personal identity card number, permanent address, current address, telephone number, e-mail address, individual address, according to applications for communication (Skype, Viber, Whatsapp, etc.), bank account number, curriculum vitae, documents proving different educational and qualification degrees and/or courses, criminal record of the person when a statutory act requires it, health information of the person when a statutory act requires this.
3.2. In the case of management relations with the management and supervisory bodies of the company: three names, personal identification number, personal identity card number, permanent address, current address, telephone number, e-mail address, individual address, according to applications for communication (Skype, Viber, Whatsapp, etc.), bank account number, curriculum vitae, documents proving different educational and qualification degrees and/or courses, conviction data of the person when a statutory act requires it, data on the health status of the person when a statutory act requires it.
3.3. For tax and legal purposes: three names, personal identification number, job title;
3.4. For insurance purposes: three names, personal identification number, job title;
3.5. For other accounting purposes: three names, personal identification number, job title, documents proving different educational qualifications and/or courses;
3.6. For contractual purposes, namely, in the case of commercial, debenture and/or legal relations between the company and an individual: PIN, personal identification card number, permanent address, current address, telephone number, e-mail address, individual address, according to applications for communication (Skype, Viber, Whatsapp, etc.), bank account number, CV, documents proving different educational qualifications and/or courses, surveillance videos of persons (the latter are stored in a special register).

4. Grounds for the collection and processing of personal data:
4.1. In case of labor legal relations and related legal relations with employees: by law, by protection of the legitimate interest of the company and / or by the expressed consent of the individual.
4.2. In case of management relations with the management and supervisory bodies of the company: by law, by the protection of the legitimate interest of the company and / or by the expressed consent of the individual.
4.3. For tax purposes: by law and/or by the expressed consent of the individual.
4.4. For insurance purposes: by law and/or by the express consent of the individual.
4.5. For other accounting purposes: by law, by protection of the legitimate interest of the company and/or by the expressed consent of the individual.
4.6. For contractual purposes, namely, in the case of commercial, debenture and/or legal relations between the company and an individual: by law, by protection of the legitimate interest of the company and/or by the expressed consent of the individual.
4.7. For the protection of vital interests and/or in the public interest.
4.8. When personal data are provided by the data subject to the company without a legal basis and/or contrary to the principles of Art. 5 of Regulation (EU) 2016/679, the company shall immediately return them, or delete or destroy them within one month of becoming aware of them.

5. Personal data collected and processed shall be disclosed to the following persons/bodies outside the company:
5.1. Public authorities: National Revenue Agency, National Social Security Institute, Ministry of the Interior Affairs, judicial authorities, control authorities, local authorities, etc.
5.2. Personal data processor (individual or legal entity who processes personal data on behalf of the company and upon his or her order or assignment) - registered auditor, accounting firm, IT company maintaining information systems, lawyer, bank.
5.3. Public authorities in other Member States of the European Union, based on local law, when operating in the countries concerned.
5.4. Transmission of personal data of individuals to third parties within the meaning of item 5.3. is carried out by law, by the protection of the legitimate interest of the company and/or by the expressed consent of the individual, providing the minimum necessary information.
5.5. The Company provides personal data to: accounting firm/accountant, FINCONSULT ZK Ltd, for the purpose of processing them in accordance with item 3

6. The period for saving the personal data is:
6.1. The relevant period specified in a regulatory act requiring the storage of certain types of data.
6.2. In the cases under item 3.7.1. this period is 5 years.
6.3. In the cases outside item 6.1. and item 6.2., the period is up to 2 months.

7. The Company transfers personal data to individuals in other Member States of the European Union, on the basis of local law, when operating in the respective countries.

8. Acceptance, distribution, processing of personal data by employees of the company.
8.1. Documents, files, contracts, etc. sources of information are accepted by the Technical Secretary, employee responsible for the IT support of the company information systems and / or by an accountant.
8.2. When receiving a source of information from a technical secretary, the secretary shall forward the information in paper and/or electronic form to the employee responsible for the collection of the relevant personal data. The Technical Secretary does not maintain or have direct access to registers on paper and/or electronic media of personal data of individuals, except for data obtained in the search and selection of staff for employment in the company.
8.3. When accepting a source of information from an accountant, the accounting officer applies it to the appropriate database and is responsible for its storage.
8.3.1. The accounting officers of the company are responsible for maintaining databases of personal data of individuals in the following: labor legal relations and related legal relations with employees; management relations with the management and supervisory bodies of the company; tax and legal objectives; insurance goals; other accounting purposes; contractual purposes, namely, in the case of commercial, debenture and/or legal relations between the company and an individual.

9. Measures for storage of personal data.
9.1. The collected and processed personal data are stored on paper and/or electronic media.
9.2. The personal data on paper collected under item 3 are stored in separate unnamed folders, which are located in the office of the company, by being placed in a locker, access to which is restricted.
9.2.1. Personal data on paper relating to the criminal record and/or health status of an individual shall be stored separately from the personal data under item 9.2. in separate unnamed folders, which are located in the company office by being placed in a locker, access to which is restricted.
9.3. Personal data on electronic media are stored on the hard disks of the individual computers used by the accountants, the employee responsible for IT support of the company information systems and the technical secretary. The computers themselves are protected by an individual password. There is a separate personal login for each of the individual computer applications that store personal data;
9.4. Personal data received and/or sent via company’s e-mail shall be stored on a separate hard disk in full compliance with the requirements of the Regulation.
9.5. In the case that: (a) personal data were received without justification and (b) the period for storing them has expired, the data under letters (a) and (b) are physically destroyed and/or permanently deleted from the respective databases. A protocol is drawn up for the actions described above.

10. Procedure for action in case of personal data breach:
10.1. In the event that a suspected breach of personal data is identified, the employee who reported the alleged breach shall immediately notify in writing and/or by e-mail the employee / manager responsible for the IT support of the company information systems and the manager / CEO of the company.
10.2. The employee responsible for the IT support of the company information systems shall detect the existence of a personal data breach and immediately inform the manager / CEO of the company about his / her opinion. The employee responsible for IT-support of the information systems of the company is the responsible employee for reaction to breach of personal data security.
10.3. The manager/executive director of the company notifies the CPDP, personally or through an authorized person, of the detected personal data breach within 72 hours of the breach being established within the meaning of item 10.2.
10.4. The notification under item 10.3. contains at least the following:
1. a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records affected;
2. an indication of the name and contact details of the Data Protection Officer or other contact point from which further information may be obtained;
3. a description of the possible consequences of a personal data breach;
4. a description of the measures taken or proposed by the controller to deal with the breach of personal data security, including, where appropriate, measures to reduce possible negative effects.
10.5. The company documents any breach of personal data security, including the facts related to the breach of personal data security, its consequences and the actions taken to address it.

11. Procedure for accepting, reviewing and responding to requests by individuals for the exercise of their rights as personal data subjects:
11.1. Each individual has:
- the right to correct or supplement inaccurate or incomplete personal data;
- the right to delete (the "right to be forgotten") personal data processed illegally or with a lost legal basis (expired, withdrawn consent, fulfillment of the original purpose for which they were collected, etc.);
- right to limit processing - in the presence of a legal dispute between the company and the individual pending its resolution and/or for the establishment, exercise or defense of legal claims;
- data transmission right - if processed in an automated manner on the basis of consent or contract. For this purpose, the data is transmitted in a structured, widely used and machine-readable format.
- right of objection - at any time and on grounds relating to the particular situation of the person, provided that there are no compelling legal grounds for processing which take precedence over the interests, rights and freedoms of the data subject or legal process;
- the right to provide information as to whether a company collects, processes and stores personal data of a person and whether such data are provided to a third party and on what basis.
11.2. The exercise of the above rights may be effected by a written or electronic request by the individual.
11.3. The request is accepted by the technical secretary and immediately forwarded to the accountants, to the employee responsible for IT support of the company information systems.
11.4. The accountant and/or the employee, responsible for IT support of the company information systems shall consult the maintained databases and send a detailed reasoned reply to the person, in the manner indicated by him, within one month of receiving the request.
These Rules shall come into force on 25.05.2018.
These Rules should be made known to all employees of the company for information and enforcement.

Date: 23.05.2018

MILKOTRONIC LTD
4, Narodni Buditeli Street
8900 Nova Zagora
BULGARIA
tel/fax: + 359 457 670 82
office@autocellcount.com
