GDPR & DATA POLICY
GDPR / PERSONAL DATA POLICY
1. INTRODUCTION
1.1. This personal data protection policy shall arrange the way Navtech Group Ltd collects, processes and stores the personal data, in accordance with the requirements of the ‘General Data Protection Regulation’ (Regulation (EU) 2016/679), the Personal Data Protection Act of the Republic of Bulgaria and other Bulgarian or international laws and regulations.
1.2. The confidentiality of our users’ information is one of our top priorities. Navtech Group Ltd, as a Controller, and in accordance with the legislation and good practices, shall apply the required technical and organisational measures for the protection of personal data of the natural persons.
1.3. This policy provides information on how and what types of personal data we collect from and on you, why we need them, to whom they may be provided or disclosed and how they are protected. Please, read it carefully. When you provide your personal data to Navtech Group Ltd, whether electronically or on paper, you accept and agree with the practices described in this personal data privacy and protection policy. Please, in case you have any questions relating to this policy, contact {$RESP_SEC} and, in case you do not accept any terms of our personal data protection policy, we do not recommend using any products and services provided by Navtech Group Ltd where you are required to provide your personal data.
2. INFORMATION ON NAVTECH GROUP LTD AS A CONTROLLER.
2.1. With regard to the processing of your personal data, you may contact us at the following points of contact:
• Identification of Controller
First name: Navtech Group | Country: Bulgaria |
Address: 7 Iskarsko shousse Blvd Trade Center Europe, Buld 6, Floor 2 | Telephone:+359 2 4396680 |
City/Village: Sofia | email: sales@navtech.net |
Postal Code: 1528 | Website: www.navtech365.net |
If, in your opinion, we infringe upon your rights relating to the processing of your personal data, in accordance with the requirements of the ‘General Data Protection Regulation’ (Regulation (EU) 2016/679), you have the right to submit a complaint to us, lodge a complaint with a supervisory authority and seek judicial remedy as follows:
•Right to lodge a complaint with a supervisory authority
Under point (e) of Article 14(2)
If you would like to lodge a complaint relating to our processing of your personal data or the way we have addressed your complaint, you have the right to lodge a complaint with the Commission for Personal Data Protection and the Data Protection Officer (where available).
You may lodge a complaint in one of the following ways:
- Personally, on paper, at the CPDP’s records office at the following address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
- By sending a letter to the following address: Sofia 1592, 2 Tsvetan Lazarov Blvd., Commission for Personal Data Protection.
- By sending a fax to: 029153525.
- By sending an email to the CPDP’s email address (kzld@cpdp.bg). In this case, your complaint must be formatted as an electronic document, signed with an electronic signature (not scanned).
- Via the CPDP’s website: https://cpdp.bg/?p=pages&aid=6, as described on the respective page. In this case, your complaint must be formatted as an electronic document, signed with an electronic signature.
In any of the above cases, your complaint must contain:
- data on the complainant—full name, address, contact telephone, email address (where available)
- nature of the complaint
- any other information and documents relevant to the complaint, in your opinion
- date and signature (for the electronic documents—electronic, for the paper documents—hand-written)
The CPDP provides a form for complaints lodged with the Commission (to aid and guide the citizens) relating to any misuse where personal data are processed in the voter rolls of the supporters of political entities. The form can be downloaded from the following page: https://cpdp.bg/userfiles/file/Documents_2017/Forma_jalba_politicheski subekti.doc.
3. LEGAL BASIS
3.1. This personal data protection policy (‘Policy’) is issued pursuant to the Personal Data Protection Act and its subordinate legislation (‘Bulgarian Law’), and the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
3.2. Both the Bulgarian Law and the GDPR lay down rules for the way Navtech Group Ltd shall collect, process and store personal data. These rules shall be applied by Navtech Group Ltd as a Controller, irrespective of whether the data are being processed electronically, on paper or other media.
3.3. To ensure the compliance of personal data processing with the legal requirements, the personal data are collected and used lawfully, the required security of the processing operations is provided and Navtech Group Ltd has taken the required measures to prevent unlawful disclosure of processed personal data. Under the general principles adhered to by Navtech Group Ltd, your personal data are:
3.3.1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
3.3.2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
3.3.3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
3.3.4. accurate and kept up to date; Navtech Group Ltd has taken all reasonable measures to ensure the erasure or rectification without delay of any inaccurate personal data, having regard to the purposes for which they are processed (‘accuracy’);
3.3.5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
3.3.6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’);
3.3.7. Navtech Group Ltd shall be responsible and able to prove its adherence to the general principles of personal data processing (‘reporting’).
4. PURPOSES OF THE POLICY
4.1. With the adoption and application of this Policy by Navtech Group Ltd, in accordance with the Bulgarian Law and Regulation (EU) 2016/679, the rules for protection of natural persons with regard to the personal data processing as well as the rules with regard to the free movement of personal data are established.
4.2. With the adoption and application of this Policy by Navtech Group Ltd, in accordance with the Personal Data Protection Act and Regulation (EU) 2016/679, the fundamental rights and freedoms of the natural persons, and, more specifically, their right to protection of personal data are protected.
4.3. With this Policy, Navtech Group Ltd aims to guarantee:
4.3.1. The lawfulness of the personal data processing performed by Navtech Group Ltd;
4.3.2. The rights of the natural persons—personal data subjects, in accordance with Regulation (EU) 2016/679;
4.3.3. The compliance with the requirements of the Regulation by Navtech Group Ltd as a Controller and/or Processor, including:
4.3.3.1. Data protection by design and by default
4.3.3.2. Records of processing activities
4.3.3.3. Appropriate technical and organisational measures, which shall be reviewed and updated, as needed
4.3.3.4. Measures for risk assessment relating to the processing of personal data
4.3.3.5. The compliance with the requirements where the processing of your personal data is assigned to third parties (Processors)
4.3.3.6. The obligations of all officers, processors, and/or the persons having access to personal data and working under the authority of the processors, and their responsibility upon failure to perform these obligations;
4.3.4. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Navtech Group Ltd as a Controller and/or Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate for the risk.
4.3.5. Shall ensure the adherence to the general principles for transfers of personal data to third countries or international organisations outside the EU.
5. SCOPE
5.1. Definitions:
5.1.1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
5.1.2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
5.2. The data protection policy shall be applied with regard to the processing of personal data of the users, the employees, where they have become known to partners and providers, as described in the records of processing activities established in accordance with Article 30 of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘Records of processing activities’).
6. PURPOSES OF THE PERSONAL DATA PROCESSING
6.1. In accordance with the requirements of Chapter III, Section I, ‘Transparency and modalities’ of the General Data Protection Regulation (Regulation (EU) 2016/679), Navtech Group Ltd shall provide transparent information, communication and modalities for the exercise of the rights of the data subjects, in accordance with Article 12 of the Regulation.
6.2. The purposes and the information with regard to the personal data processing by Navtech Group Ltd shall be provided in accordance with the ‘Procedure for transparent communication’ (P_A2_BG), ‘Procedure upon collection of personal data’ (P_A13_BG) and ‘Procedure upon reception of personal data’ (P_A14_BG).
6.3. The purposes and the information with regard to the personal data processing shall be specified in the following documents provided to the data subjects: ‘Personal data processing information to be provided upon collection’ (D_A13_BG) and ‘Information upon reception of personal data’ (D_A14_BG).
7. TRANSPARENCY. RIGHTS OF THE PERSONS WHOSE DATA ARE PROCESSED BY NAVTECH GROUP LTD
•Information on your rights relating to the processing of personal data
Under point (c) of Article 14(2)
Right |
Grounds |
Description of the right |
Right to access |
Article 15 |
Right to confirmation for processing and access to your personal data. |
Right to rectification |
Article 16 |
To rectify inaccurate or incomplete personal data. |
Right to erasure |
Article 17 |
To request erasure of your personal data. |
Right to restriction of processing |
Article 18 |
To request restriction of processing of your personal data. |
Notification obligation |
Article 19 |
To request to be notified upon any action relating to rectification, erasure or restriction of processing. |
Right to object |
Article 21 |
To object at any time to the processing of your personal data: for the performance of a task carried out in the public interest or based on any official authority, or for the purposes of the legitimate interests, including profiling. processing for direct marketing purposes processing for scientific or historical research purposes or statistical purposes. |
Right to rejection of automated processing |
Article 22 |
You have the right to refuse to be subject to a decision based only on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. |
Right to portability |
Article 20 |
You have the right to receive your personal data. |
Right to lodge a complaint and effective judicial remedy |
Articles 77, 78 and 79 |
You have the right to lodge a complaint with the Commission for Personal Data Protection upon any infringement upon Regulation (EU) No 2016/679 of 27 April 2016 and the right to effective remedy against the CPDP, Controller or Processor of your personal data. |
Right to compensation |
Article 82 |
You have right to compensation for material or non-material damage as a result of an infringement upon Regulation (EU) No 2016/679. |
7.1. All personal data subjects (users, clients or employees, where such partners’ or providers’ data have become known to you, as described in the records of processing activities) may exercise their rights as follows:
How you can exercise your rights |
|||||
Personally |
By telephone |
Online |
|||
Address: |
7 Iskarsko shousse Blvd |
Telephone: |
+359 2 4396680 |
Website |
N/A |
City/Village: |
Sofia |
Telephone (SMS): |
+359 2 4396680 |
email: |
sales@navtech.net |
8. TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS
8.1. Any transfer of personal data processed or intended for processing after the transfer to a third country or an international organisation outside the EU by Navtech Group Ltd may take place only under the terms of the General Data Protection Regulation (Regulation (EU) 2016/679), in compliance with the requirements laid down in Chapter V of the Regulation.
8.2. Navtech Group Ltd shall apply all provisions of the Regulation to prevent any risk for the required level of protection of the natural persons provided for by the Regulation.
8.3. In case Navtech Group Ltd will transfer personal data to a third country or an international organisation outside the EU, this transfer may take place in accordance with the ‘Procedure for data transfer outside the EU’ (P_A44_BG) and the data subjects shall be notified in advance by providing the ‘Personal data processing information to be provided upon collection’ (D_A13_BG) and ‘Information upon reception of personal data’ (D_A14_BG), requiring their ‘Consent for personal data transfer’ (D_A49_BG).
9. BREACHES AND NOTIFICATION OF BREACHES
9.1. ‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed by Navtech Group Ltd.
9.2. In the event of a personal data breach, the following shall be notified immediately:
•CONTACT DETAILS OF THE DATA PROTECTION OFFICER
UNDER POINT (B) OF ARTICLE 14(1)
First name: |
Radostina Savova |
Country:Bulgaria |
Address: |
7 Iskarsko Shose Bldv. Business Center Europe, Building 6, floor 2 |
Telephone: +359 2 4396680 |
City/Village: |
Sofia |
email: radostina.tsonkova@navtech.net
|
Postal code: |
1528 |
Website:navtech365.net |
9.3. In the event of a personal data breach likely to create a risk for the rights and freedoms of the natural persons, without undue delay and, where feasible, not later than 72 hours after having become aware of it, Navtech Group Ltd shall notify the Commission for Personal Data Protection of the breach.
9.4. In case a specific breach creates a risk for the rights and freedoms of the natural persons, Navtech Group Ltd shall take action to notify the affected persons in order to minimise any adverse consequences.
9.5. Navtech Group Ltd shall take action following the ‘Procedure upon personal data breach’ (P_A33_BG).
10. DESTRUCTION
10.1. Navtech Group Ltd shall follow the ‘Procedure for destruction of personal data’ (P_A17_BG_01).
11. AMENDMENTS TO THE PRIVACY POLICY
11.1. Navtech Group Ltd may update by amending and supplementing the personal data protection policy at any time in the future, as required under the circumstances.
12. DOCUMENT OWNER AND APPROVAL
12.1. Navtech Group LTD shall be the owner of this document and shall be responsible to have this procedure reviewed, in accordance with the reviewing and updating requirements of Regulation (EU) 2016/679.
12.2. This version of this document shall be available to all members of the staff of Navtech Group LTD
12.3. This procedure was approved by Dimitar Iliev, General Manager Navtech Group LTD on 01.07.2019 and was issued under version control with their signature.
Date 01.07.2019
• Revision history
Version |
Revision description |
Approval |
Effective date of the new version |
1 |
Version one |
Dimitar Iliev |
01.07.2019 |
|
|
|
|
We hereby and in accordance with the requirements of Regulation (EU) No 2016/679 of 27 April 2016, Section 4, Article 21(4), would like to inform you that you have the right to object at any time to processing of your personal data:
• for the purposes of the legitimate interests of the controller or a third party (Article 21(1)) and for direct marketing purposes (Article 21(2));
How you can exercise your rights:
Personally |
By telephone |
Online |
|||
Address: |
7 Iskarsko shousse Blvd |
Telephone: |
+359 2 4396680 |
Website |
N/A |
City/Village: |
Sofia |
Telephone (SMS): |
+359 2 4396680 |
email: |
sales@navtech.net |