Privacy policy
This document describes the responsibilities of COOLSPED LTD and the privacy and personal data protection policy.
In its daily activities, COOLSPED LTD uses a large volume of various data through which persons can be identified, including:
• current, past and future employees;
• job candidates;
• customers;
• users of the organization’s website;
Due to the collection and use of this information, COOLSPED LTD is the addressee of numerous legal provisions, which regulate the methods for carrying out the data processing activities and the precautionary measures that should be provided.
The purpose of this policy is to describe the actions that COOLSPED LTD has taken to achieve compliance with the requirements.
The control under this policy extends to all units, persons and processes within the organization’s information systems, including management bodies, directors and management bodies, staff, suppliers and other third parties that have access to the organization’s systems.
This procedure should be read and modified in the context of the following documents, which provide additional information on the scope, objectives, resources, roles and responsibilities to ensure compliance with the requirements of the GDPR:
• Procedure for liability in case of data security breach
• Internal regulations for personal data in the Human Resources Department
• Policy for archiving documents in Act Logistics AD
1. General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is one of the most important pieces of legislation governing data processing. Through this policy, COOLSPED LTD strives to ensure, maintain and demonstrate compliance with the requirements of the GDPR and legislation at all times.
2. Legal definitions
The definitions listed below have the following meanings:
“Personal data”
any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is an identifiable person, directly or indirectly, in particular by an identifier such as name, identification number, location data, online identifier or one or more features specific to the natural, the physiological, genetic, mental, intellectual, economic, cultural or social identity of that individual;
“Processing”
any operation or set of operations carried out with personal data or a set of personal data by automatic or other means such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing by transmission, distribution or otherwise by which the data becomes accessible, arranged or combined, restricted, deleted or destroyed;
“Personal Data Administrator”
a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means for the processing of personal data; where the purposes and means of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for its determination may be laid down in Union law or in the law of a Member State.
3. Basic principles in the processing of personal data:
Personal data is processed on the following principles:
• Legitimate, conscientious and transparent;
• Personal data is collected for specific, well-defined and legitimate purposes and is not further processed in a way incompatible with those purposes;
• Minimization of data;
• Accuracy – Personal data is accurate and updated as necessary
• Storage restriction – Personal data are deleted or corrected when they are found to be inaccurate or disproportionate to the purposes for which they are processed.
• Integrity and confidentiality
COOLSPED LTD guarantees that it respects and observes the cited principles, both in the use of the current data processing methods and in the development of new ones (eg new software solutions).
4. Rights of the data subject
• the right to be informed;
• right of access;
• right to correct existing data;
• right to erase data (“right to be forgotten”);
• the right to restrict the processing of data.
• right to data portability.
• right to object.
• rights in connection with automated data processing and profiling.4.
Legality of processing.
5. Grounds for processing
Depending on the specific circumstances, COOLSPED LTD processes data only on the indicated grounds, depending on the case, documenting the connection between the ground and the circumstances, in accordance with the GDPR. The options are briefly described below.
5.1. Consent
If necessary for purposes recognized by the GDPR, COOLSPED LTD will seek to obtain the express consent of the data subjects in order to collect and process their data. In the case of children’s data, the consent of a parent / guardian is also required. Full information on the data processing policy and on the use of their data will be provided to the subjects at the time of requesting their consent. They will be further explained the rights they receive in connection with the given consent, such as the right to withdraw it at any time. If the data are not received directly from the data subject, this information shall be communicated to him within a reasonable period of time, but not later than one month after receipt of the data.
5.2. Execution of contract
Where the data collected and processed are necessary for the performance of a contract with the data subject, explicit consent is not required. This ground is applicable in cases where the data provided are vital for the performance of the contract (eg the delivery cannot be made without the person’s address).
5.3. Legal obligation
When personal data are collected and processed in order to fulfill a legal obligation, explicit consent is not required. This ground is applicable in the field of labor, tax and, in general, public law.
5.4. Vital interests of the data subject
It is lawful to receive and process personal data if it is necessary to protect the vital interests of the data subject or another individual. COOLSPED LTD will process personal data on this basis only in the event that vital interests are really affected, and the circumstances will be documented in detail so that it can be proven.
5.5. Execution of a task of public interest
When COOLSPED LTD has to perform a task that it believes is in the public interest or is part of an official duty, the consent of the data subject will not be required. The assessment of whether it is a matter of public interest and / or official duty is documented and can serve as evidence if necessary.
5.6. Legitimate interest
COOLSPED LTD may process data for the protection of a legitimate interest, in case the rights and freedoms of the data subjects are not significantly affected. In this case, too, the assessment of whether an interest is legitimate and of the extent to which the rights and freedoms of data subjects are affected should be documented.
6. Protection at the design stage
COOLSPED LTD respects the principle of protection at the design stage. The planning and construction of any new or substantially modified existing systems that collect, store or process data will be assessed in the light of possible security concerns. For each project, a data protection impact assessment will be carried out and appropriate safeguards will be taken.
7. Contracts involving the processing of personal data
COOLSPED LTD will guarantee that all contracts it concludes and which covers the processing of personal data will contain the necessary information and general conditions required by the GDPR.
8. Disclosure and transfer of personal data
The transfer of data outside the European Union will be carefully considered before it is actually implemented to ensure that it falls within the limits set by the GDPR. Each case is considered on a case-by-case basis, as it depends on the European Commission’s assessment at the moment of the level of security that the third country provides with regard to personal data.
9. Data protection officer
The GDPR obliges any public organization that processes a large amount of personal data or collects / stores “sensitive” data to have a data protection officer. In accordance with the requirements set by the regulation, COOLSPED LTD must not engage a data protection official.
10. Notification of data security breach
In case of a breach in data security, COOLSPED LTD takes the necessary actions to warn the affected persons. Actions should be proportionate to the infringement, and the principle of transparency should be respected. The GDPR obliges the organization, in the event of a breach that could jeopardize the rights and freedoms of individuals, to notify the supervisory authority (Data Protection Commission) within 72 hours of learning. The notification is made in accordance with a specific procedure prescribed by COOLSPED LTD .
11. Achieving compliance with the GDPR
The following actions have been taken by COOLSPED LTD in order to achieve full compliance with the requirements of the GDPR:
• The legislation in the field of personal data is analyzed;
• Employees involved in the processing of personal data understand their duties and responsibilities for compliance with the policies and procedures for personal data protection of the organization;
• The staff is instructed on the required level of data protection;
• The rules for consent of data subjects are observed;
• Opportunities are provided for the exercise of rights by data subjects and their requests are managed effectively;
• Periodic reviews are performed in order to update the policies / procedures regarding personal data protection;
• The principle of protection at the design stage for all new or drastically changed systems and processes is observed
• The following documentation for the processing activities is kept:
• Register of activities – administrator;
• Register of activities – Processing personal data
These documents should be periodically reviewed as part of the overall data protection audit carried out by the governing bodies.
12. Storage of personal data
Our general approach is to keep the personal data of our employees, suppliers, customers, and contractors, as well as third parties, for the minimum necessary period of time – until the fulfillment of the purpose for which they were collected by us or provided by you, including the applicable legal term.
13. Security of your personal data
We take reasonable physical, technical, and administrative security measures designed to protect your personal information from loss, misuse, alteration, destruction, or damage, as required by our national law.
You also play an important role in protecting the security of your personal data and you need to be careful about who you disclose personal data to and how you protect your communications and devices.
14. Contact Us
If you have any questions or concerns regarding the processing of your personal data or wish to exercise any of your rights, please send us an email at: office@cooslped.bg
Information about the Personal Data Administrator:
• Name: COOLSPED LTD , a trade company registered in 2019
• Headquarters and address of management: Plovdiv 4006 Plovdiv, 5 Archaritsa Str
• Address for correspondence: Plovdiv 4006 Plovdiv, 5 Archaritsa Str
• E-mail: office@coolsped.bg
• Contact phone: +359 889 4444 99