Association of the traders of large construction equipment – ATEST is a non-governmental organization that unites companies authorized by leading manufacturers of large construction equipment and machinery for import and distribution on the territory of the Republic of Bulgaria.
ATEST is a controller of personal data within the meaning of Regulation (EU) 2016/679 Of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and the Personal Data Protection Act.
As a controller of personal data, ATEST processes the personal data of natural persons in accordance with the principles of data legality, expediency and proportionality and applies the necessary technical and organizational measures to ensure their confidentiality. For this purpose, internal rules and procedures for protection of personal data, compliant with the legal requirements, as well as a policy for transparency in the processing of personal data of natural persons have been developed.
- Contact details of ATEST
Republic of Bulgaria, Sofia 1000, 10 Vitosha Bld., fl. 4, off. 16
Phone: +359 0899 306093
- Contact details of ATEST on the protection of personal data
Phone: +359 0899 306093
- Personal data, which ATEST collects and processes
“Personal data” means any information relating to an identified natural person or identifiable person (data subject).
ATEST collects and processes personal data in accordance with the “data minimization” principle exclusively and only for specific, explicit and legitimate purposes.
The source of the personal data ATEST processes are:
- The data subject;
- Public registers with personal data to which free access is provided;
- Documents issued by competent authorities;
- Third parties, in connection with or on the occasion of their participation in contractor selection procedures.
- The categories of personal data ATEST processes are:
3.1. Ordinary categories of personal data:
(a) names, national identification number, date and place of birth, age, gender, nationality, photographs;
(b) contact details – telephone numbers, current and permanent address, email address;
(c) data on marital status and children under 18 years of age (if processing is necessary to protect employees’ rights);
(d) data on labor and civil relations income (if processing is necessary to meet the statutory obligation of the data controller);
(e) data on education, qualification, length of service, professional biography;
(f) data on bank accounts in connection with employment contacts, contracts concluded, etc.
3.2. Special categories of personal data: health status data (if processing is necessary to protect the rights of the data subject in performing employment and related to it relations).
3.3. Personal data collected under a statutory instrument on criminal law status – conviction status certificate; a certificate that the person is not under trial and consequence (if applicable for taking up a job or performing a specific activity).
3.4. Personal data collected in CCTV for security purposes, in compliance with the requirements of the Private Security Act and the Personal Data Protection Act.
- Objectives of the processing of personal data:
The personal data ATEST processes are used only for the following purposes:
4.1. Human resource management:
- Occurrence, modification and termination of employment and related to it relations, which are exercised by law;
- Accounting for remuneration for tax and social security purposes;
- Establishing contact with the persons by telephone, email, home address and for sending correspondence related to work, statutory, membership, management and other relations;
- Protection of legal rights of data subjects;
- Protection of the interests of the data controller.
4.2. Execution of obligations under concluded contracts; to exercise rights deriving from contracts concluded; for the purposes of reporting on the performance of contracts; auditing the performance of contracts.
4.3. For purposes explicitly stated in the subject’s declaration of consent for the processing of his or her personal data. For example:
(a) for communication with informational, advertising and/or marketing purposes;
(b) when collecting data for statistical surveys;
(c) when subscribing to newsletters prepared by ATEST.
The declaration of consent explicitly states what personal data are collected by ATEST and what the purpose of their processing is. The data subject is entitled at any time to withdraw his or her consent to the processing of personal data at a written request or in a free form.
4.4. When processing the data for a purpose other than the original one, ATEST informs the data subject and requires his/her consent.
- Consequences of refusal to provide personal data
Where the reason for the collection and processing of data is the consent or execution of a contract/pre-contract relations, the refusal to provide personal data results in impossibility of establishing a relation and/or service provision and/or conclusion of a contract in respect of which the data have been requested.
- Transfer of personal data
The collected personal data may be provided to third parties only in the following cases:
6.1. In fulfilling legal requirements related to:
(a) labor relations: data are provided to public authorities, in view of their powers and competencies (National Revenue Agency, National Social Security Institute, Executive Agency “General Labour Inspectorate” and others);
(b) member legal relations – Council of Ministers, courtS;
(c) other public authorities which receive the data by virtue of a law.
6.2. On a contractual basis – to pay salaries and fees and to fulfill legal obligations related to the obligations of ATEST for ensuring healthy and safe working conditions (Occupational Health Service, accounting offices).
6.3. On the basis of consent to data processing – in accordance with the consent of the data subject.
- Personal data storage periods
7.1. Statutory data storage periods:
- on employment relations, incl. salary payroll – 50 years;
- accounting records – 10 years from the 1st of January of the accounting period following the reporting period to which they relate.
7.2. Data storage periods for the precluding of statutory limitation periods related to obligations under civil and commercial contracts:
for periodic payments – 3 years;
in other cases – 5 years from the date of the due date of the claim.
7.3. Data storage periods related to the processing objectives: contractual deadlines, deadlines for completion and reporting of contractual and financial relations under contracts related to national, European and international funding.
7.4. Data storage periods for information for tax and accounting purposes, tax audits and public financial control.
7.5. ATEST sets the following storage periods for data collected by using information technologies:
(a) data collected using information technology – Internet Protocol (IP) address, cookie ID – 3 months;
(b) internet traffic on personal computers – 1 week;
(c) logs related to security, technical support, development, etc. – 3 months;
(d) server logs, Web Application Firewalls logs and other devices falling under this category – 3 months;
(e) data collected on the basis of consent of the data subject to receive information and other newsletters from the ATEST website and other information systems administered by ATEST – until the consent is withdrawn, respectively – termination of the account/registration;
(f) data on the withdrawn consent of the data subject – indefinitely;
(g) data collected by video surveillance – 1 week;
(h) data of applicants for appointment to the controller – 30 days after completion of the application and selection process.
7.6. After expiry of the storage periods, unless otherwise justified, the data on a technical medium shall be erased and, in paper form, if they are not subject to a statutory transfer, shall be destroyed.
- Rights of personal data subjects and order of their exercise
8.1. Right to information and access
The data subject is entitled to information about his or her personal data processed by ATEST, as well as the right to access to them. The data subject is entitled to receive a copy of the personal data that are being processed by ATEST in electronic or paper form. For this purpose, a written request must be submitted personally or through an authorized person to ATEST, including electronically.
8.2. Right to data confidentiality
Personal data processed by ATEST are confidential, subject to the obligation of professional secrecy. ATEST employees sign a confidentiality statement about the personal data they are working with, within their professional responsibilities.
8.3. Right to rectification of processed data
The data subject has the right to request from ATEST the rectification, without undue delay, of inaccurate personal data related to him or her, as well as data that are not up to date. For this purpose, a written request must be submitted personally or through an authorized person to ATEST, including electronically.
8.4. Right to erasure (“right to be forgotten”)
8.4.1. The data subject may request ATEST to erase his or her personal data without undue delay in any of the following circumstances:
(a) personal data are no longer necessary for the purposes for which they were collected;
(b) upon withdrawal of the given consent for the processing of personal data;
(c) in objection of processing;
(d) where the processing of personal data is unlawful;
(e) where personal data must be erased in order to comply with an obligation under European Union or national legislation of the Republic of Bulgaria that applies to ATEST as a personal data controller;
(f) where personal data have been collected in relation to the provision of information society services.
In order to exercise the right to erase data, the data subject must submit a written request personally or through an authorized person to ATEST, including electronically.
8.4.2. ATEST may refuse to erase the data subject’s personal data for the following reasons:
(a) for compliance with a statutory obligation by ATEST or the performance of a task of public interest;
(b) in exercise of the right to freedom of expression and the right to information;
(c) in exercise of official authority (if applicable);
(d) for the establishment, exercise or protection of legal claims.
8.5. Right to restriction of processing
The data subject has the right to request ATEST to restrict the processing of his or her personal data. In this case, the data will be stored within the specified data storage periods (referred to in para 7 of this Transparency Policy) but not processed unless there is a legal basis for this. For this purpose, it is necessary for the data subject to submit a written request personally or through an authorized person to ATEST, including electronically.
8.6. Right to object to processing
The data subject has the right to object to the processing of his or her personal data by ATEST (for example, see Article 21 (2) and (6) of the General Data Protection Regulation (GDPR)). In order to exercise the right to object to the processing, the data subject must admit a written request personally or through an authorized person to ATEST, including electronically.
8.7. ATEST does not carry out automated decision-making, including profiling.
8.8. Right to data portability
The data subject has the right to receive the personal data that concerns him or her and which he or she has provided to ATEST in a structured, commonly used and machine-readable format, as well as to request such data to be transmitted to another data controller when the processing is based on consent or a contractual obligation, provided that ATEST carries out the processing by automated means.
8.9. Right to lodge a complaint
The data subject has the right to lodge a complaint concerning the processing of his or her personal data through ATEST by using the contact details given in para 2 of this Transparency Policy.
A complaint may also be lodged with the supervisory authority – Commission for Personal Data Protection, address: Sofia, 1592, “Prof. Tsvetan Lazarov” 2 Blvd., email: firstname.lastname@example.org , website: www.cpdp.bg
8.10. The exercise of the rights under item 8.1., item 8.3. – 8.6. is free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, ATEST may:
(a) charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested;
(b) refuse to act on the request.
8.11. The period for consideration of the requests under item 8.1., item 8.3. – 8.6. and for their pronouncement by ATEST, as a data controller, is 30 days from the receipt of the request and may be extended by 2 months, taking into account the complexity and the number of requests.
ATEST reserves the right to amend and supplement this Transparency Policy for the processing of personal data of natural persons in the event of changes to the applicable data protection legislation.