DATA PROTECTION POLICY
1. General Data Protection Regulation
Regulation (EU) 2016/679 (General Data Protection Regulation) replaces EU Data Protection Directive 95/46/EC. It has direct effect and calls for amendments in the legislation of the Member States in the field of data protection. Its purpose is to protect the ‘rights and freedoms’ of natural persons, to prevent their data from being processed without their knowledge and, wherever possible, to ensure that the data are processed with their consent.
2. Scope defined by the General Data Protection Regulation
Material scope (Article 2) – The General Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data (for example, manually or on paper), which form part of a filing system or are intended to form part of a filing system.
Territorial scope (Article 3) – The rules of the General Regulation apply to all data controllers established in the EU, processing personal data of natural persons in the context of their activities. It also applies to controllers outside the EU processing personal data in relation to the offering of goods or services, or to the monitoring of the behaviour of data subjects residing in the EU.
‘Personal data’ – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as well as any other information defined as personal data under the applicable law;
‘Special (sensitive) categories of personal data’ – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, as well as any other personal data defined as special personal data under the applicable law.
‘Processing’ – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘Controller’ – any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘Data subject’ – means any living natural person whose personal data are stored by the Controller.
‘Consent of the data subject’ – any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he/she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him/her;
‘Child’ – The General Regulation defines a ‘child’ as any person below the age of 16 years, although this age can be lowered to 13 years depending on the law applicable in a particular Member State. The processing of personal data is lawful only if consent is given by the parent or legal guardian of the child. The processor will make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility.
‘Profiling’ – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
‘Personal data breaches’ – breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
‘Main establishment’ – the main establishment of the controller in the EU will be the place where it takes its main decisions about the purposes and means of its processing activities. As regards the processors of personal data, their main establishment in the EU will be the place of their central administration in the Union; where the processors of personal data have no central administration in the Union, their main establishment in the Union will be the place where their main processing activities are carried out.
If the controller’s main establishment is outside the EU, it will be required to appoint a representative under the jurisdiction where the controller does its business, who will act on behalf of the controller and will communicate and work with the supervisory authorities (Article 4(16) of GDPR).
‘Recipient’ – a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with the EU or Member State law shall not be regarded as recipients; the processing of those data by those public authorities will be in compliance with the applicable data protection rules according to the purposes of the processing;
‘Third party’ – any natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
II. DATA PROTECTION POLICY STATEMENT
1. The management of the data controller undertakes to ensure compliance with EU and Member State law as regards the processing of personal data and the protection of the ‘rights and freedoms’ of the persons whose personal data the controller collects and processes under the General Data Protection Regulation (Regulation (EU) 2016/679).
The controller undertakes to ensure that all activities involving the collection and processing of personal data comply with the requirements of GDPR.
2. Pursuant to the General Regulation, other relevant documents, as well as related processes and procedures, have been drawn up in addition to this policy.
3. This policy applies to all activities involving the processing of personal data, including those which refer to personal data of customers, employees, suppliers, and partners, and any other personal data from various sources processed by the organization of the controller.
4. This policy applies to all employees/workers (and stakeholders) of the controller, and to the processors and their personnel. Any breach of the General Regulation will be treated as a breach of workplace policies, and where there is suspicion that an offence has been committed, the matter will be referred to the competent criminal justice bodies as promptly as possible.
5. All third parties working with or for the controller, including partners, external suppliers, customers, etc. and parties having or being able to obtain access to the personal data of the controller, are required to read and conform to this policy. The controller is required to sign non-disclosure agreements for such data with all third parties to whom it provides access to personal data processed by it, which authorise the controller to hold inspections to verify compliance with the obligations under the agreement, unless such processing is required under the EU laws or the laws of any Member States.
III. LIABILITIES AND RESPONSIBILITIES UNDER REGULATION (EU) 2016/679
1. The personal data controller under Regulation (EU) 2016/679 has full responsibility and bears all risks of any possible non-compliance with the requirements of GDPR, including the responsibility for development and promotion of good practices for personal data processing in the company.
2. A personal data processor is any person outside the organization of the controller directly processing personal data on behalf of the controller, including by storing, digitising or cataloguing information.
3. The data protection officer, or respectively, the person whose job description or work functions include tasks relating to personal data protection (responsible person for personal data protection), participates in the meetings of the management of the controller where issues referring to the protection of personal data are discussed, and helps the controller demonstrate compliance with the applicable personal data protection laws and the relevant good practices.
The DPO’s accountability covers:
- Development and implementation of the requirements of REGULATION (EU) 2016/679 in compliance with this policy;
- Security and risk management concerning compliance with the policy.
4. The data protection officer must be up to the task, properly qualified and experienced, and is appointed by the management body of the controller (according to its structure and its legal form). The DPO is required to advise and notify the controller on the implementation of GDPR and other legal documents of the national and EU legislation in the field of personal data protection, in compliance with his/her contractual obligations and the GDPR requirements, and to monitor the implementation of this policy.
5. The DPO has some specific functions set out in GDPR: all requests of the data subjects are addressed to the DPO and he/she is the contact person for all employees of the controller who need clarification on any issue referring to personal data protection. The DPO is also the contact point for the supervisory authority.
6. The responsibility for compliance with the personal data protection laws belongs to all employees of the controller involved in the processing of personal data, subject to their duties as set out in their job descriptions.
7. The data controller training policy sets forth specific requirements for training and reporting associated with the specific roles of the employees/workers of the controller.
IV. DATA PROTECTION PRINCIPLES
The whole process of personal data processing must be conducted in compliance with the principles of data protection set out in Article 5 of Regulation (EU) 2016/679. The policies and procedures of the data controller have to ensure compliance with these principles.
1. All personal data must be processed lawfully, fairly, and in a transparent manner.
Lawfully – the legal grounds for processing must be identified before any personal data are actually processed. These are the so-called ‘grounds for processing’, such as ‘consent’. The consent of the data subject is regarded as legal grounds for processing personal data. Processing may also be based on the performance of an agreement or on the legitimate interests of the controller, in which cases consent is not required.
Fairly – in order to ensure fair processing of personal data, the data controller must provide the data subjects with the information required for the specific case or purpose, in a manner that is comprehensible, succinct and accessible to the data subject. This applies regardless of whether the data were received directly from the data subjects or from other sources.
Transparently – Regulation (EU) 2016/679 sets forth requirements for the information that must be made available to data subjects, which is covered by the ‘transparency’ principle regulated in Articles 12, 13 and 14 of GDPR. According to the cited provisions of GDPR, the information must be communicated to the data subject in a form which is easy to understand, using clear and plain language; in other words, the non-disclosure statements that the data subjects are required to sign must be detailed and specific, easy to understand and accessible.
The rules for notification of the data subject by the controller are set out in the personal data processing transparency procedure, and the notice is recorded in the Non-Disclosure Statement Form (notice of confidential treatment of all personal data).
The specific information which needs to be submitted to the data subject must include as a minimum:
- Data identifying the controller and contact details of the controller, and of the controller’s representative, if any;
- The contact details of the data protection officer / responsible person;
- The purposes of processing for which the personal data are collected and the legal grounds for such processing;
- The period for which the personal data will be stored;
- The availability of the following rights to the data subject: to request access to the data, including correction, deletion (the ‘right to be forgotten’), limitation of processing, and right to object to the conditions (or lack thereof) for exercising such rights;
- Categories of personal data;
- Recipients or categories of recipients of personal data, if applicable;
- If applicable, whether the controller intends to transfer the personal data to third party recipients, and the level of protection of such personal data;
- Any additional information required to guarantee fair processing of the personal data.
2. Personal data may be collected only for specified, explicit and legitimate purposes.
Any data received for specified purposes can only be collected and processed for the purposes which conform to the processing activities included in the record of processing activities (Article 30 GDPR) maintained by the controller.
The transparency procedure for personal data processing sets out specific rules.
3. The personal data collected by the controller must be limited to what is necessary for the purposes for which they are processed.
- The data protection officer/responsible person makes sure that only the information which is required for the purposes of the processing is collected.
- All data collection forms (soft and hard copies), including the requirements for the collection of data in the new information systems must include a fair processing statement or a notice of confidential treatment of the personal data (Non-Disclosure Statement).
- The data protection officer/responsible person is required to make periodic inspections (at least once per year) to make sure that the collected data are still adequate, relevant, and not excessive.
4. All personal data must be accurate and up to date, and all reasonable efforts must be made to ensure that inaccurate data are promptly deleted or corrected (using the available technical solutions).
- The data stored by the controller must be reviewed and updated, when necessary. No data must be stored if they are likely to be inaccurate.
- The data protection officer/responsible person must ensure that the entire personnel have undergone training on the collection and maintenance of accurate data.
- The data subject is responsible for confirming that the data submitted for storage by the controller are accurate and up to date. The form filled in by the data subject for the controller will include a statement confirming that the data provided are correct as at the date of submission.
- The employees/workers (customers/others) must be required to notify the controller of any changes in the circumstances, so that they can update the records of personal data.
- The data protection officer/responsible person must ensure that appropriate procedures and policies are in place to maintain the correctness and relevance of the personal data, taking into account the volumes of collected data, the rate at which they may undergo changes, and other relevant factors.
- At least once a year, the data protection officer/responsible person will review the periods of storage of all personal data processed by the controller using the data inventories, and will identify all data which are no longer required in the context of the specified purposes. Such data will be reliably disposed of in compliance with the procedures and policies implemented by the controller.
- The data protection officer/responsible person will oversee the responses to all requests for correction of data within one month, as set out in the Data Subject Request Handling Procedure. This timeframe may be extended by another two months for more complicated requests. If the controller decides not to comply with the request, the data protection officer/responsible person must send a reply to the data subject explaining the reasons for the rejection and notifying the data subject of his/her right to file a complaint with the supervisory authority and to seek legal advice.
- The data protection officer/responsible person will inform all third parties to whom any incorrect or outdated personal data have been provided, letting them know that the information is inaccurate or obsolete and is not to be relied upon in making decisions about the data subjects, and will forward any corrections of personal data to such third parties, if necessary.
5. All personal data must be stored in a form which allows for the data subject to be identified throughout the period required for processing.
- Whenever the personal data need to be stored after the expiration of the processing period, they will be stored in an appropriate way (minimized, encrypted, pseudonymised), in order to protect the identity of the data subject in the event of a data breach.
- All personal data will be protected by the Data Storage and Disposal Procedure and upon the expiration of their storage period they will be reliably disposed of in the manner set out in the said procedure.
- The data protection officer/responsible person must approve individually each case of storage of data which exceeds the storage period defined in the Data Storage and Disposal Procedure, and make sure that there is a reasonable justification complying with personal data protection laws. Such approval must be in writing.
6. Personal data must be processed in a way which guarantees an appropriate level of security (Article 24, Article 32 of GDPR).
The data protection officer/responsible person will perform an initial impact assessment, if necessary, taking into account all circumstances relating to the operations involving personal data processing by the controller.
In each case where there is a personal data protection breach, the data protection officer/responsible person/ person in charge at the company of the controller must make a risk assessment, and if the risk is high, must notify the supervisory authority and/or data subject.
Ensuring the security of the personal data involves the implementation of suitable technical measures overseen by the data protection officer/responsible person, which include as a minimum:
- Password protection;
- Automatic lock of idle workstations in the network;
- Antivirus software and firewalls;
- Access rights based on roles, including those of temporary staff;
- Protection of devices leaving the premises of the organization, such as laptops, etc.;
- Security of local and wide-ranging networks;
- Privacy enhancing technologies, such as pseudonymisation and anonymisation;
- Identification of suitable international security standards appropriate for the controller.
The assessment of the suitable organizational measures by the data protection officer/responsible person will take into account the following:
- Levels of appropriate training;
- Measures assessing the reliability of employees (for example, attestations, recommendations, etc.);
- Incorporation of data protection clauses in employment contracts;
- Identification of disciplinary measures relevant to data processing;
- Regular inspections of the personnel to ensure compliance with the relevant security standards;
- Control of physical access to soft and hard copies of records;
- Adoption of a clean desk policy;
- Hard copies of the databases in lockable wall cabinets;
- Limited use of portable electronic devices outside the workplace;
- Limited use of personal devices by employees at the workplace;
- Adoption of clear rules for creation and use of passwords;
- Periodic back-up of personal data and physical security of copies off the premises;
- Requirement for contractual obligations to be undertaken by organizations under dedicated agreements for implementation of suitable security measures in the transfer of data outside of the EU.
The assessment of suitable measures will further take into account any risks identified for personal data and the possibilities for damages to the persons whose data are being processed.
7. Compliance with the accountability principle
Regulation (EU) 2016/679 includes provisions promoting accountability and manageability, and complementing the requirements for transparency. The principle of accountability set out in Article 5, paragraph 2 stipulates that the controller should be able to demonstrate compliance with the rest of the principles set out in the GDPR, and that the controller has express responsibility.
The controller should demonstrate compliance with all principles relating to data protection by implementing data protection policies, joining codes of conduct, implementing suitable technical and organizational measures, and by adopting data protection by design and by default, data protection impact assessments, data breach reporting procedures, etc.
V. Rights of data subjects
1. According to the GDPR, data subjects have the following rights with regard to their personal data processing:
- To receive information about their personal data which are processed by the controller and the purposes for which they are processed, including by getting access to the data and to information about the recipients of such data and any third parties to which the data are transferred;
- To request a copy of their personal data from the controller;
- To make a request to the controller to correct their personal data when such data are incorrect or are no longer valid;
- To make a request to the controller to delete their personal data (the right ‘to be forgotten’);
- To make a request to the controller to limit the processing of their personal data in which case the data will only be stored, but not processed;
- To object to the processing of their personal data;
- To object to the processing of their personal data for direct marketing purposes;
- To file a complaint with a supervisory authority if they believe that any of the GDPR provisions has been breached;
- To request and to receive their personal data in a structured, commonly used, machine-readable format;
- To withdraw their consent for personal data processing at any time in a dedicated request submitted to the controller;
- Not to be subject to automated decision-making affecting them to a significant degree, without the option for human intervention;
- To object to any forms of automated profiling which is taking place without their consent.
2. The controller will provide conditions to guarantee the adequate exercising of the following rights of the data subjects:
- The data subjects may request access to data, as set out in the Subject Request Management Procedure; this procedure further describes the ways in which the controller will guarantee that the handling of data subjects’ requests complies with the requirements of the General Regulation.
- Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.
- The data subject will have the right to express objections before the controller relating to the processing of their personal data. The handling of the complaints filed by the data subjects and the submission of such complaints are described in the Data Subject Complaints and Requests Communication Procedure.
The complaints may be submitted directly to the supervisory authority. The competent authority for these cases in the Republic of Bulgaria is the Personal Data Protection Commission, domiciled at 1592 Sofia, 2 Prof. Tsvetan Lazarov Street (www.cpdp.bg).
VI. Consent
1. ‘Consent’ will mean, for the controller, any freely given, specific, informed and unambiguous indication, such as a written statement or a clear affirmative act, establishing the data subject’s agreement to the processing of personal data relating to him or her. The data subject may withdraw his/her consent at any time. The consent of the data subject will be requested every time there are no alternative legal grounds for processing.
2. The controller will accept as ‘consent’ only the cases where the data subject has been fully informed of the planned processing and has expressed his/her consent without acting under duress. No consent obtained under duress or on the basis of misleading information will be accepted as legal grounds for personal data processing.
3. Consent cannot be assumed in the absence of a reply to a message sent to the data subject. There must be active communication between the controller and the subject in order to establish consent. The controller must be able to demonstrate that consent for data processing has been duly received.
4. For any special categories of data, an express consent in writing must be obtained in compliance with the Data Processing Consent Procedure unless there are alternative legal grounds for processing.
5. The consent of the data subject for the processing of his/her personal data or special category data will be given on the basis of a relevant consent document submitted by the data subject to the controller individually for the different processing purposes. When the data subject is a party to an agreement, consent is not required because his/her data are collected on different legal grounds.
6. When the data controller processes data which belong to minors, consent must be obtained from their legal custodians (parents, guardians, etc.). This requirement applies for children under the age of 14 years (unless the Member State stipulates a lower age limit, but in any case not lower than 13 years).
VII. Data security
1. The employees of the controller who, according to their job descriptions, are required to process specific personal data on behalf of the controller, will be required to ensure the security of such data during processing and storage, including by refraining from disclosure of any such data to third parties, unless the controller authorises a particular third party to get access to such data.
2. Personal data or any part thereof must be accessible only to those parties who are involved in their processing/storage and access may be provided only in compliance with the established rules for access control. All personal data must be stored, for example:
- In a separate room with access control; and/or in a locked drawer or filing cabinet; and/or
- If computerized, password protected in compliance with the internal rules set out in the organizational and technical measures for information access control (for example, access control rules); and/or
- Stored on portable computer carriers protected in compliance with the organizational and technical measures for information access control.
3. An organizational policy must ensure that computer screens and terminals cannot be seen by anyone other than the authorised employees/workers of the controller. All employees/workers will be required to undergo training and to agree to the relevant contractual clauses/statements of compliance with the organizational and technical control measures, as well as the workstation locking procedures, before getting access to any information.
4. Hard copies cannot be left in places accessible by unauthorised personnel and cannot be taken off the designated office premises without express permission. Right after any hard copies are no longer needed for the current operations involving customer support, they must be destroyed in compliance with the established procedure/rules and the respective protocol.
5. Personal data may be deleted or destroyed only in compliance with the Data Storage and Disposal Procedure. Any hard copy records whose storage period has expired must be shredded and destroyed as ‘classified waste’. Electronic copies saved on computers that are no longer in use must be deleted or the drives destroyed in accordance with the established rules/procedures.
6. Personal data processing ‘outside the premises’ potentially presents a higher risk of loss, theft or breach of personal data. Members of the personnel must be expressly authorised before they process data outside the premises of the controller.
VIII. Disclosure of data
1. The controller must ensure proper conditions for protection of data from disclosure to unauthorised third parties, which includes any family members, friends, government authorities and even investigative authorities, where there is any suspicion that the data have been requested unlawfully. All employees/workers must act cautiously any time they are requested to disclose to a third party any personal data of data subjects. It is important to establish whether such disclosure of information is required for the purposes of the operations of the organization.
The employees need to undergo a special training and periodic instruction sessions to avoid the risk of such breaches.
2. All third party requests for personal data must be backed by proper documents and any disclosure of such data must be approved by the data protection officer/responsible person after he/she gives his/her opinion of the matter.
3. Personal data may only be transferred to the competent public authorities in and for the exercise of their powers.
IX. Storage and disposal of data
1. The controller will not keep personal data in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data are collected.
2. The controller may store personal data for longer periods insofar as the personal data will be processed only for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required in order to safeguard the rights and freedoms of the data subject.
3. The Data Storage and Disposal Procedure specifies the storage period for each category of personal data and the criteria used to determine such periods, including any legal requirements according to which the controller must retain the data.
4. The controller will implement a Data Storage and Disposal Procedure.
5. All personal data will be destroyed in compliance with the principle of ensuring an appropriate level of security (Article 5(1)(f) of the General Regulation), including protection from unauthorised or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
X. Transfer of data
1. Any transfer of data from the EU to countries outside the EU (referred to in the General Regulation as ‘third countries’) will be unlawful unless there is an adequate level of protection of the fundamental rights of the data subjects.
The transfer of personal data outside the EU is forbidden, unless one or more of the following safeguards or exemptions apply:
2. Adequacy decision
The European Commission may assess a third country, a territory and/or a specified sector within a third country to decide whether there is an appropriate level of protection of the rights and freedoms of natural persons. No permission is required in these cases.
The countries which are members of the European Economic Area (EEA), but not of the EU, are deemed compliant with the requirements for an adequacy decision.
3. Transfer of personal data between the EU and the U.S. (EU-U.S. Privacy Shield)
If the Organization wishes to transfer personal data from the EU to a third party in the U.S., it should verify that the recipient organization has signed the Privacy Shield Agreement with the U.S. Department of Commerce.
The U.S. Department of Commerce is responsible for the management and administration of the Privacy Shield and ensures that the companies fulfil their commitments. To be able to get certified by the Department, the companies have to adopt a personal data protection policy in compliance with the principles of the GDPR, for example to use, store, and transfer personal data in compliance with strict rules and safeguards for data protection.
4. Binding corporate rules
The controller may adopt approved binding corporate rules for the transfer of data outside the EU. This requires their approval by the competent supervisory authority.
5. Standard contractual clauses
The controller may adopt the established standard contractual clauses for data protection during transfer of data outside the European Economic Area. If the controller adopts standard contractual clauses approved by the relevant supervisory authority, this will automatically mean recognition of the adequacy of the level of protection.
In the absence of an adequacy decision, membership in the U.S. Privacy Shield, binding corporate rules and/or standard contractual clauses, a transfer of personal data to third countries or international organizations may take place only in one of the following cases:
- The data subject has expressly agreed to the proposed transfer after being informed of the possible risks that may result from such transfer;
- The transfer is required in connection with the performance of an agreement signed by and between the data subject and the controller, or with the implementation of any pre-contractual measures requested by the data subject;
- The transfer is required for the signing or performance of an agreement in the interest of the data subject entered by the controller and another natural person or legal entity;
- The transfer is required for reasons of substantial public interest;
- The transfer is required for the establishment, exercise, or defence of legal claims;
- The transfer is required for the protection of the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving formal consent;
- The transfer is made from a register which, according to EU law or the laws of the Member States, is intended to provide information to the public and is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only insofar as the conditions for such consultation laid down by EU or Member State law have been complied with in the respective case.
XI. Records of processing activities (data inventory)
1. The controller has designed a process for recording data as part of its approach to handling risks and opportunities in the course of implementing the policy for compliance with Regulation (EU) 2016/679. The data inventory and the data workflows identify:
- All business processes using personal data;
- All sources of personal data;
- The number of data subjects;
- Description of the categories of personal data and the elements of each category;
- All processing activities;
- All processing purposes for the respective personal data;
- Legal grounds for processing;
- Recipients or categories of recipients of personal data;
- The main systems and storage locations;
- All personal data subject to transfer outside the EU;
- Periods of storage and disposal.
2. The controller is aware of the risks associated with the processing of specific types of personal data.
3. The controller assesses the levels of risk for people associated with the processing of their personal data. If required, assessments are made of the impact on the protection of data associated with the processing of personal data by the controller and associated with the processing undertaken by other organizations on behalf of the controller – Data Protection Impact Assessment Procedure.
4. The controller manages all risks identified in the impact assessment in order to minimize the risk of non-compliance with the rules set forth for the preparation of the assessment.
When a processing operation may result in a high risk to the rights and freedoms of natural persons, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, prior to the processing the controller should carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
5. When as a result of the Impact Assessment it is evident that the controller will start processing personal data which due to their high risk may cause damages to the data subjects, the decision whether to continue the processing or not must be reviewed by the data protection officer.
6. Where the data protection officer/responsible person has serious reasons to believe that potential damage or risks exist, or on account of the quantity of the data concerned, they should refer the matter to the relevant supervisory authority.
7. The data protection officer/responsible person will make a periodic (annual) review of the originally recorded data, and revise any recorded information in the Records of Processing Activities in the light of any changes to the activities of the controller.
These rules may undergo changes at any time provided that the changes are notified immediately to all affected parties.
This policy has been approved by the manager of DENITO Ltd and takes effect on 25 May 2018.