With this Policy, the management of Element Timelines Ltd. declares that it will endeavour to ensure the protection of the personal data of natural persons with regard to the processing of their personal data in accordance with their fundamental rights and freedoms and in particular the right to the protection of their personal data, in accordance with the requirements of "REGULATION (EU) 2016/679 of the EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data personal data and on the free movement of such data" (GDPR), as well as the current legal rules for the Republic of Bulgaria – Personal Data Protection Act (PDPA) and its regulations.

TERMS AND DEFINITIONS USED

Art.1. For the purposes of this Policy:

1. "Personal data" means any information relating to an identified or idable natural person (data subject). The natural person may be identified directly or indirectly by an identifier such as name, identification number, location data, online identifier, by one or more physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2. 'Processing of personal data' means any operation or set of operations carried out with personal data or a set of personal data by automatic or other means such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, arrangement or combination, restriction, erasure or destruction.
3. 'Register of personal data' means any structured set of personal data accessed according to certain criteria, whether centralised, decentralised or distributed according to a functional or geographical indication.
4. "Controller" means the specific legal entity "Element Timelines" EOOD, which independently or jointly with others determines the purposes and means of the processing of personal data.
5. "Processor" means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
6. "Recipient" means a natural or legal person, public authority, agency or other body to which personal data are disclosed. At the same time, public authorities which may receive data in the context of a specific investigation in accordance with Union or Member State law shall not be considered as 'recipients'.

POLICY OBJECTIVES AND SCOPE

Art.2. With this Policy we adopt the main objectives of the Regulation (GDPR):

1. Lay down rules regarding the protection of natural persons with regard to the processing of personal data, as well as rules on the free movement of personal data.
2. To protect the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data;
3. The free movement of personal data within the European Union shall not be restricted or prohibited for reasons related to the protection of individuals with regard to the processing of personal data.

Art.3. The data protection policy of Element Timelines Ltd. aims to:

1. To comply with applicable data protection legislation and to follow established good practices;
2. To prescribe the mechanisms for keeping and maintaining the reporting registers, to determine the corresponding level of protection of personal data, to provide for technical and organizational measures for the protection of personal data;
3. To determine the responsibilities and obligations of the processors and persons who have access to personal data and work under the authority of the controller;
4. To inform natural persons about the purposes of processing personal data, recipients or categories of recipients to whom the data may be disclosed, the mandatory or voluntary nature of the provision of data, information on the rights of natural persons with regard to their personal data.

Article.4. The scope of the Policy follows the material and territorial scope of the Regulation (GDPR):

1. The policy applies to the processing of personal data in whole or in part by automatic means, as well as processing by other means (electronically, on paper or other media).
2. The policy applies to the processing of personal data in the context of the activities of Element Timelines EOOD at the place of establishment of the Controller (Republic of Bulgaria), whether the processing is carried out in the Union or not.
3. The policy does not apply to the processing of personal data of the individual in the framework of a purely personal activity or activity within the household.

OBLIGATIONS OF THE PERSONAL DATA CONTROLLER "Element Timelines" Ltd.

Art.5. The obligations of the data controller include:

• Adoption of internal rules and instructions for processing personal data;
• Maintenance of registers of the activities of processing personal data;
• Risk assessment based on: nature, scope, context and purposes of processing; possible risks to the rights and freedoms of natural persons and their likelihood and severity; rights and freedoms of natural persons;
• Impact assessment (where there is a likelihood of a high risk to the rights and freedoms of natural persons); periodic update of the impact assessment;
• Determination of the corresponding level of protection;
• Prescribing and implementing specific measures for the protection of personal data, according to the specifics of the kept registers and the specified level of protection.

As a controller, Element Timelines Ltd. introduces the necessary technical and organizational measures for the protection of personal data in order to ensure an adequate level of protection that corresponds to the nature of the personal data processed and the impact of violating their protection.

• Monitoring compliance with the protection requirements and taking measures to remedy violations in case of violation of their protection;
• Notifying supervisory authorities of personal data breaches and communicating such breaches to data subjects;
• Assistance in carrying out the supervisory functions of the Commission for Personal Data Protection.
• Compliance with the requirements of the Regulation (GDPR)– accountability.

PROCESSING OF PERSONAL DATA IN "ELEMENT TIMELINES" LTD.

Art.6. When processing personal data, we apply the principles of the Regulation (GDPR):

• Legality, good faith and transparency;
• Personal data are collected and processed for specific, explicit and legitimate purposes ("Purpose Limitation")
• Data that are appropriate and limited to what is necessary in relation to the purposes ('Data minimisation') shall be processed
• Accuracy and, if necessary, keeping the data up to date. Ensuring timely erasure or rectification, taking into account the purposes for which the data are processed ('accuracy')
• Storage of data for a period not exceeding is necessary for the purposes ('storage restriction')
• Processing in such a way as to ensure an appropriate level of security of personal data, including against unauthorised or unlawful processing and against accidental loss, destruction or damage, applying appropriate technical or organisational measures ('integrity' and 'confidentiality')

Art.7. "ELEMENT TIMELINES" Ltd., as a Personal Data Controller, performs the following: 

1. Determined:

• the type of personal data to be processed;
• purposes for which such data will be processed;
• the means of processing them and the corresponding levels of protection.

2. It processes categories of personal data structured in separate registers in accordance with Article 30 of the Regulation (GDPR), the Bulgarian legal norms and this Policy. Personal data of employees, prospective employees, contractors, suppliers, clients, partners are processed;

Art.8. The grounds for collecting personal data in ELEMENT TIMELINES Ltd. are:

• With the consent of the data subject. In this case, the entity shall give clear and explicit consent to the processing of the personal data for one or more specific purposes. Consent shall be valid where it is freely given, given for a particular purpose of processing, informed and unambiguous;
• Where there is an agreed requirement;
• Where there is a legal requirement or legal obligation of the controller;
• Where processing is necessary to protect the vital interests of the data subject or of another natural person;
• In carrying out a task in the public interest or exercising official powers conferred on the controller;
• For the purposes of legitimate interests of the controller or of a third party, where they take precedence over the interests or fundamental rights of the data subject.

Art.9. (1) ELEMENT TIMELINES Ltd. processes personal data provided by the natural persons to whom the data relate in connection with the appointment of employees of an employment contract, procedures for recruitment of staff, assignment of work under civil contract, preparation, conclusion, amendment and termination of contracts, implementation of legal requirements, in connection with the permeability regime and video surveillance on the territory of the company's sites.

1. Where personal data relating to a data subject are collected by the data subject (in the cases under para 1), at the time of receipt of the data, the Controller shall provide the data subject with the following information:

• Data that identifies the Administrator and contact details;
• The purposes of the processing and the legal basis of the processing of personal data;
• The legal interests of the Controller or a third party, where this is the basis for the processing;
• The recipients of the personal data, if any;
• Additional information necessary for good faith and transparent processing, such as: retention period of personal data, information on the rights of the data subject concerning access to rectification, erasure, restriction of processing, right to data portability, right to complaint.

Art.10. (1) ELEMENT TIMELINES Ltd. may also process personal data that are not received by the natural person to whom they relate, but are provided by a third party in connection with a regulatory or contractual requirement. In this case, the Controller shall provide the data subject with the information in both the previous article, paragraph 2, and the source of the personal data. This information the Controller shall provide within a reasonable time, but at the latest:

• Within one month of receipt of the data, taking into account the specific circumstances;
• Until the first contact with this data subject is made;
• Until the disclosure of the personal data for the first time to another recipient.

(2) The conditions for the provision of information described in paragraph 1 shall not apply where and to the extent that the data subject already has the information or the provision of the information proves impossible or requires disproportionate effort.

Art.11. (1) ELEMENT TIMELINES Ltd. processes personal data of natural persons in connection with:

• Preparation, conclusion, amendment and termination of contracts for performance, subcontracting, supplies and services;
• Recruitment, conclusion of employment and civil contracts;
• Accounting, financial and banking operations;
• Insurance of employees, movable and immovable property;
• Activities and operations with documents for the ownership of movable and immovable property containing personal data;
• Creation of video surveillance video and/or permeability mode on the territory of the company's sites.

1. Subject to a legal basis for processing personal data, the provisions of the Commercial Act, the Obligations and Contracts Act, the Accountancy Act, the Value Added Tax Act, the Spatial Development Act, the Labour Code, the Social Security Code, the Health Insurance Act, the Insurance Code and Regulations, the Environmental Protection Act, the Waste Management Act, Health and Safety at Work Act, House of Builders Act and other applicable laws, regulations and regulations.

Art.12. The categories of personal data processed in "ELEMENT TIMELINES" Ltd. are differentiated from the specific activity or by a legal norm, such as the categories are:

1. 'ordinary' personal data

• Names, address, place of birth, location, identity document details, nationality, telephone, e-mail, IP address – applicable by the Administrator;
• Data on education, qualification, legal capacity, position held and performed employment function, employment activity – traineeship and professional biography - applicable by the Administrator;

1. PIN (Single Civil Number) - applicable by the Administrator;
2. 'Special' (sensitive) personal data 

• Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data on sex life or sexual orientation – mostly not applicable by the Controller. The possible processing of such data is done with the explicit consent of the data subject and under the terms of Article 9 of the Regulation (GDPR);
• Data on health status - applicable by the Administrator in connection with mandatory legal requirements under OSH, for the purposes of preventive and occupational medicine, for assessing the working capacity of the employee (basis under Article 9, para 2, b. H of the GDPR). The data in question shall be processed for the specified purposes by or under the direction of a professional worker bound by the obligation of professional secrecy under Union law or Member State law or the rules established by the national competent authorities (Article 9(3) gdpr).

Art.13. "ELEMENT TIMELINES" Ltd. processes personal data individually or by assigning a processor, determining the purposes and volume of the obligations assigned by the controller of the processor, subject to a relevant legal basis, according to the requirements of the PDPA and the Regulation (GDPR).

1. The controller "Element Schedules" Ltd. uses only processors who provide sufficient guarantees for the implementation of appropriate technical and organizational measures in such a way that the processing is carried out in accordance with this Policy, the Regulation (GDPR) and in particular the conditions in Article 28 and to ensure protection of the rights of the data subjects.
2. The processing by the processor is governed by a contract that is mandatory for the processor vis-à-vis the Controller and which regulates the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories and data subjects, as well as the obligations and rights of the Controller. Processors of personal data on behalf of Element Timelines Ltd. are legal persons such as the Occupational Medicine Office, an insurance company, individuals such as the employees of the company, whose rights and obligations in connection with the processing of personal data are duly regulated in internal acts.

PURPOSE OF THE PROCESSING OF PERSONAL DATA

Art.14. The purpose of processing personal data is unambiguous to identify the individuals, current and future employees of the company, contractors, visitors and other related persons.

1. The purposes of the processing of personal data in Element Schedules Ltd. are most often determined by the fulfillment of statutory obligations of the Administrator arising from the specifics of the requirements of the legislation in the field of construction, including health and safety at work and environmental protection, financial and accounting activities, pension, health and social security activity, human resources management, insurance operations.
2. The administrator "Element Schedules" Ltd. processes personal data of individuals for the purposes (mainly, but not exhaustively) listed below:

• Identification and exchange of information for the purposes of labour, social, health insurance and tax legislation in the country;
• Preparation, conclusion, performance and termination of contractual relations related to the commercial activity of the company;
• For the purposes of preventive and occupational medicine, to assess the working capacity of the employee;
• For insurance purposes related to the protection of the health and life of employees, as well as for the protection of property, own or entrusted to the Administrator;
• For accounting, for processing payments, for financial purposes related to relations with banks and other institutions;
• For the purposes of acquisition, use, sale, rental and other operations of real estate and movable property;
• For the purposes of omission regimes and video surveillance of the company's sites established in connection with legitimate interests of the Administrator, such as the protection of property and prevention of violations of internal rules;
• For information and communication with employees, contractors, clients, contractors, suppliers, partners, etc. floor.

1. The processing of personal data in Element Timelines EOOD, except where necessary for the fulfillment of a statutory obligation of the Controller, is also permissible where the natural person to which the data relate has given his explicit consent or the processing is necessary for the performance of obligations under a contract to which the natural person is a party or representative of a party, actions prior to the conclusion of a contract and taken at the request of the person.
2. Where the processing of data is for purposes requiring the consent of the data subject, the Controller should be able to demonstrate that the data subject has given his or her consent freely, informedly, for the purposes of processing and to what extent he gives it. In the case of a declaration of consent drawn up in advance by the Controller, it must be in an intelligible and easily accessible form, in plain and simple language, and should not contain unfair terms.

DISCLOSURE OF PERSONAL DATA

Art.15. Element Timelines EOOD, as a Data Controller, has the right to disclose the processed personal data to the following categories of persons:

1. The natural persons to whom the data relate;
2. Persons for whom the right of access is provided for in a regulatory act or established regulatory requirement;
3. Persons for whom the right derives under a contract.

Art.16. The processed personal data of clients and counterparties of Element Schedules EOOD, as well as related persons, may be provided to other personal data controllers or processors in connection with the performance of specific tasks and contractual obligations, on instructions and on behalf of Element Schedules EOOD, by providing sufficient guarantees, that the processing is carried out in accordance with the requirements of the Regulation (GDPR) and ensures the protection of the rights of data subjects.

SECURITY AND PROTECTION OF PERSONAL DATA

Art.17. The Controller of Personal Data "Element Timelines" EOOD provides security in the processing, access and exchange of personal data through:

• The choice of appropriate technical and organisational measures to ensure the appropriate level of security of personal data protection, taking into account the state of the art, the scope, context and purposes of processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons;
• Ability to ensure confidentiality, integrity and availability and sustainability of the processing of personal data.
• Ability to recover availability and access to personal data in a timely manner in the event of a physical or technical incident;
• Application of pseudonymization and encryption of personal data where necessary;
• Regular verification, assessment and evaluation of the effectiveness of technical and organisational measures to ensure the security of processing.

Art.18. When assessing the appropriate level of security, the risks associated with the processing of personal data, in particular the risks associated with accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data, shall be taken.

Art.19. The level of protection is a set of technical and organizational measures. 

1. The levels of protection are directly dependent on the level of impact as follows:

• Low level of protection - with low impact (where the unlawful processing of personal data would jeopardise the privacy of an individual or group of natural persons);
• Medium level of protection - with medium impact (where the unlawful processing of personal data could create a risk of prejudice to interests revealing racial or ethnic origin, political, religious or philanthropic beliefs, membership of political parties or organizations, trade unions, health, sex life or human genome of an individual or group of individuals);
• High level of protection - with high impact (where the unlawful processing of personal data could result in significant damage or identity theft of a large group of natural persons or persons occupying senior public positions, or permanent damage or death of an individual);
• Extremely high level of protection – with extremely high impact (where the unlawful processing of personal data could result in significant damage or identity theft of a particularly large group of natural persons or permanent disabilities or the death of a large group of individuals).

2. The levels of protection in Element Schedules EOOD, relative to reciprocal levels of impact, are mainly defined as "Low" or "Medium" (mainly because of the processing of data related to health status).

Article.20. The types of protection of personal data are:

1. Physical protection - is a system of technical and organizational measures to prevent unauthorized access to buildings, premises and facilities in which personal data are processed;

• Basic organizational measures for physical protection – identification of the premises in which personal data are processed and the premises in which the elements of communication and information systems for processing, organization of physical access (low level) are located;  definition of controlled access areas (mid-level);
• Basic technical measures for physical protection – locks, cabinets, equipment of the premises, fire extinguishers (low level); metal crates, controlled access areas, security or security system, means of protection of the pyrimeter (high level);

1. Personal protection - is a system of organizational measures vis-à-vis individuals who process personal data at the instructions of the controller;

• Basic personal protection measures – knowledge of the legal framework for personal data protection, knowledge of the dangers of data processing, consent to undertake a non-dissemination of personal data (low level); sharing critical information among staff – identifiers, access passwords, training, training of staff to respond to data security-threatening events (mid-level);
• Personal protection measures shall ensure access to personal data only to persons whose duties require such access. Persons shall sign a declaration of non-disclosure of personal data to which they have access.

1. Documentary protection - is a system of organizational measures for the processing of personal data on paper;

• Main measures for documentary protection – identification of the registers to be maintained on paper, regulation of access to registers, conditions for processing personal data, setting retention periods and destruction procedures (low level); control of access to registers, breeding and distribution rules (mid-level); processing verification and control procedures (high level).

1. Protection of automated information systems and/or networks - is a system of technical and organizational measures to protect against illegal forms of processing of personal data;

• Main measures – identification and authentication, registry management, external links/connection, virus protection, reconstruction copies/backups, data carriers, personal protection, retention periods and procedures for the destruction/deletion/deletion of media (low level); telecommunications and remote access, maintenance/operation, physical environment/environment (mid-level); policy, manuals and standard operating procedures, definition of roles and responsibilities, session controls, monitoring, random planning/contingencies, training of staff to respond to data-threatening events (high level).

1. Cryptographic protection - is a system of technical and organizational measures that are applied in order to protect personal data from unauthorized access in case of transmission, distribution or provision.

• Main measures – standard cryptographic capabilities of operating systems, database systems, communication equipment (medium level); cryptographic key allocation and management systems, electronic signature (high level).

Art.21. In order to ensure security and protection of personal data, the Controller shall take measures to ensure that the processor and any natural person acting under the authority of the controller process such data only on the instructions of the controller, by providing sufficient guarantees that the processing is carried out in accordance with the requirements of the Regulation (GDPR) and ensures the protection of the rights of the data subjects.

Art.22. In case of personal data breach, the Controller shall, without undue delay and where feasible, within 72 hours of knowledge, notify the breach to the competent supervisory authority – the Commission for Personal Data Protection. The notification shall be in accordance with Article 33 of the Regulation (GDPR).

RETENTION PERIODS OF PERSONAL DATA

Art.23. Documents and information containing personal data, commercial and accounting information, tax documents, compulsory social security contributions, business files and other company documents containing personal data shall be kept by the Controller for the following periods:

• Payrolls for salaries and work records of employees – 50 years;
• Personal data of job applicants who have not been appointed – one month after the end of the competition for the post;
• Accounting registers, tax documents and financial statements – 10 years;
• Personal data contained in works contracts – 15 years from the date of issue of a valid document for placing in service;
• CCTV footage – one month;
• Personal data related to a permeability regime – one month after the suspension of the access of the individual to the respective site;
• Insurance policies for insurance "accident at work" - 50 years;
• In all other cases – 5 years, insofar as no other term is provided by law or contract.

Art.24. After the expiry of the period for storage of personal data, the holders of information (paper or technical) which are not subject to transmission to an archive fund may be destroyed.

RIGHTS OF NATURAL PERSONS

Art.25. The Controller "Element Timelines" Ltd. undertakes that it will take the necessary measures for transparent information, communication and conditions for the exercise of the rights of the data subject in order to ensure compliance with the fundamental rights of the data subjects under the Regulation (GDPR):

• Right to information;
• Right of access to personal data;
• Right to rectification – the data subject has the right to request rectification without undue delay of inaccurate personal data related to him or her;
• Right to erasure (the right to be forgotten) – on the grounds set out in the GDPR (for example, if the personal data are no longer necessary for the purposes of the processing, or in case of suspicion that the personal data have been processed unlawfully), the data subject has the right to request and obtain the erasure of the personal data related to it;
• Right to restriction of processing – on the grounds set out in the GDPR (e.g. in case of doubt of the accuracy of the personal data or objection to the purposes of processing personal data), the data subject has the right to request restriction of the processing of personal data until a solution is found;
• Right to object to the processing – the data subject has the right at any time and on grounds related to his or her particular situation to object to the processing of his or her personal data, and the data controller terminates such processing unless it is demonstrated that there are compelling legal grounds that take precedence over the interests and rights of the data subject.
• Right to data portability from one controller to another controller;
• Right to restriction for automated decision-making, including profiling;
• Right to lodge a complaint with a control body.

Art.25. Natural persons shall exercise their rights by submitting a written application to the Data Controller.

1. The application shall be submitted personally by the data subject or by a person expressly authorized by him or her, unless a special law provides otherwise;
2. The application may also be made electronically in the appropriate legal order, with an electronic signature;
3. The application shall contain at least the following information:

• Name, address and other data to identify the individual;
• Description of the request;
• Preferred form of communication and actions in relation to the rights of the entity;
• Signature, filing date and correspondence address.

Art.26. In the event of the death of a natural person, his rights shall be exercised by his heirs and the application shall be subject to a notarized certificate of heirs.

Art.27. The Administrator accepts the application and decides on it.

1. The deadline for examining the application and adjudicating on it is 14 days from the day of submission of the request, respectively 30 days, when more time is needed to collect the requested data, in view of possible difficulties in the activity of the company of the Administrator.
2. The administrator shall draw up a written reply and communicate it to the applicant, either personally against signature or by post with receipt, taking into account the form of communication preferred by the applicant.
3. Where the data does not exist or is prohibited by law, the applicant shall be denied access.
4. In the event that the Controller does not respond to the request for access to personal data within the prescribed time limits or the applicant is not satisfied with the reply received, he shall have the right to exercise his rights of defence.

JOINT ADMINISTRATORS

Art.28. Under Article 26 of the Regulation (GDPR), when two or more controllers jointly determine the purposes and means of the processing, they are joint controllers.

Art.30. This Policy is valid for Element Schedules Ltd.

CONCLUSION

Through this Policy we declare that in good faith and responsibly we will implement Regulation (EU) 2016/679 (GDPR), taking into account the specific characteristics of the data processed and the specific needs of the company, applying protection measures to ensure the security, integrity and confidentiality of personal data.

The policy was approved by the company manager on May 25, 2018.