As a data controller, Ibex Realty EOOD has an obligation to inform you what to expect when processing your personal information.
I. Transparency in information processing
1. With this document, the management of Ibex Realty EOOD ensures compliance with the legislation of the EU and the Member States regarding the processing of personal data and the protection of the “rights and freedoms” of the persons whose personal data Ibex Realty EOOD collects and processes, under the General Data Protection Regulation (Regulation (EU) 2016/679).
2. In accordance with the General Regulation, this policy also describes the other relevant documents and the related processes and procedures.
3. Regulation (EU) 2016/679 and this policy apply to all personal data processing functions, including those performed on the personal data of customers, employees, suppliers and partners, and to any other personal data that the organization processes from various sources.
4. This policy applies to all customers, external suppliers and third-party stakeholders, as well as to the employees of the company. Any breach of the General Regulation will be treated as a breach of labor discipline, and where a criminal offense is suspected the matter will be referred to the relevant public authorities as soon as possible.
5. Partners and third parties who work with or for Ibex Realty EOOD, and who have or may have access to personal data, are expected to know, understand and comply with this policy. No third party may access personal data held by Ibex Realty EOOD without first concluding a data confidentiality agreement that imposes on the third party obligations no less burdensome than those Ibex Realty EOOD has itself undertaken, and that entitles Ibex Realty EOOD to verify compliance with the obligations imposed by the agreement.
II. Obligations and roles under Regulation (EU) 2016/679
1. Ibex Realty EOOD is a data controller (“administrator”) within the meaning of Regulation (EU) 2016/679.
2. The management of Ibex Realty EOOD is responsible for developing and promoting good practices in the field of information processing in the company.
3. Compliance with data protection legislation is the responsibility of all employees of the controller who process personal data.
4. The training policy of Ibex Realty EOOD (Training Policy) defines the specific training and information requirements associated with the specific roles of the company’s employees.
III. Principles of data protection
The processing of personal data shall be carried out in accordance with the principles of data protection set out in Article 5 of Regulation (EU) 2016/679. The policies and procedures of Ibex Realty EOOD aim to ensure compliance with these principles.
- Personal data must be processed lawfully, in good faith and transparently
Lawfully – the controller must identify a legal basis before it can process personal data. These bases are often referred to as “grounds for processing”, for example “consent”.
In good faith – for processing to be in good faith, the data controller must provide certain information to the data subjects as far as practicable. This applies regardless of whether the personal data are obtained directly from the data subjects or from other sources.
Regulation (EU) 2016/679 increases the requirements for what information must be made available to data subjects; this is covered by the “transparency” requirement.
Transparency – the General Regulation sets out rules on the provision of privacy information to data subjects in Articles 12, 13 and 14. They are detailed and specific, and emphasize that privacy notices must be understandable and accessible. The information must be communicated to the data subject in an intelligible form, using clear and plain language.
The specific information that the company provides to the data subject includes at least:
- the identity and contact details of the controller, and the contact details of the data protection officer;
- the purposes of the processing for which the personal data are intended, and the legal basis for the processing;
- the period for which the personal data will be stored;
- the existence of the following rights: to request access to the data, rectification, erasure (“right to be forgotten”) and restriction of processing, and the right to object, together with the conditions (or lack thereof) attached to the exercise of these rights;
- the categories of personal data;
- the recipients or categories of recipients of the personal data, where applicable;
- where applicable, whether the controller intends to transfer personal data to a recipient in a third country, and the level of data protection there;
- any additional information necessary to ensure fair processing.
- Personal data may only be collected for specific, explicit and legitimate purposes
Data obtained for specific purposes are not used for purposes that differ from those officially recorded in the Register of data processing activities (Article 30 of Regulation (EU) 2016/679) of Ibex Realty EOOD. The Procedure for transparency in the processing of personal data sets out the relevant rules.
- Personal data must be adequate, relevant and limited to what is necessary for the purpose for which they are processed (principle of data minimization)
- The persons responsible for data protection ensure that Ibex Realty EOOD does not collect information that is not strictly necessary for the purpose for which it was obtained.
- All data collection forms (electronic or paper), including the data collection requirements in the new information systems, include a statement of good faith processing or a link to a Privacy Statement (notice of confidential treatment of personal data).
- Data protection officers shall ensure that, at least once a year, all data collection methods are reviewed by internal audit or external experts to confirm that the data collected remain adequate, relevant and not excessive, in line with the Data Protection Impact Assessment Procedure, and that the impact assessment methodology used is adequate.
- Personal data must be accurate and up-to-date at all times, and the necessary efforts must be made to enable immediate (within the scope of possible technical solutions) deletion or rectification.
- The data stored by the data controller is reviewed and updated as necessary. No data is stored in cases where it is likely to be inaccurate.
- Data protection officers ensure that all staff are trained in the importance of collecting and maintaining accurate data.
- The data subject is likewise obliged to declare that the data they transmit to Ibex Realty EOOD for storage are accurate and up-to-date. Any form completed by the data subject for the controller includes a statement that the data it contains are correct as of the date of submission.
- Employees, customers and everyone else are required to notify Ibex Realty EOOD of any changes in circumstances so that personal data records can be updated. It is the responsibility of Ibex Realty EOOD to ensure that any notification of a change in circumstances is recorded and adequate action is taken.
- Data protection officers shall ensure that appropriate procedures and policies are in place to maintain the accuracy and timeliness of personal data, taking into account the volume of data collected, the speed with which it may change and other relevant factors.
- At least on an annual basis, the Management of Ibex Realty EOOD reviews the retention periods of all personal data processed by Ibex Realty EOOD, referring to the data inventory and identifies all data that are no longer required in the context of the registered purpose. This data shall be duly destroyed in accordance with the administrator’s procedures and rules.
- The data protection officers are responsible for compliance with data correction requests within one month (Subject Request Management Procedure). This period can be extended by another two months for complex applications. If Ibex Realty EOOD decides not to comply with the request, it responds to the data subject to explain its reasons and inform it of its right to lodge a complaint with the supervisory authority and seek legal redress.
- Personal data must be stored in such a form that the data subject can only be identified for as long as is necessary for processing.
- Where personal data are retained after the date of processing, they are stored in an appropriate manner (minimized) to protect the identity of the data subject in the event of a data breach.
- Personal data are kept in accordance with the Procedure for storage and destruction of data and, once their retention period has expired, are duly destroyed in the manner that procedure specifies.
- Data protection officers shall specifically approve any retention of data that exceeds the retention period defined in the Data Retention and Destruction Procedure and shall ensure that the justification is clearly defined and complies with the requirements of data protection legislation. This approval must be in writing.
- Personal data must be processed in a way that ensures adequate security (Articles 24 and 32 of Regulation (EU) 2016/679)
The management of Ibex Realty EOOD performs an impact assessment (risk assessment), taking into account all the circumstances related to the operations of data management or processing by the administrator.
In determining the appropriateness of the processing, the Management considers the extent of any damage or loss that may be caused to individuals (staff, customers, etc.) if a security breach occurs, as well as any likely damage to the administrator’s reputation, including a possible loss of customer confidence.
In assessing appropriate technical measures, data protection officers shall consider the following:
- password protection;
- automatic locking of inactive workstations on the network;
- antivirus software and firewalls;
- role-based access rights;
- protection of devices that leave the organization’s premises, such as laptops;
- security of local and wide area networks;
- privacy-enhancing technologies, such as pseudonymization and anonymization;
- identification of international security standards appropriate for the administrator.
In assessing appropriate organizational measures, the Management takes into account the following:
- the levels of appropriate training in Ibex Realty EOOD;
- measures that take into account the reliability of employees (certification assessments, references, etc.);
- the inclusion of data protection in employment contracts;
- identification of disciplinary measures for violations relating to data processing;
- regular checks on personnel for compliance with the relevant security standards;
- control of physical access to electronic and paper-based records;
- adoption of a “clean desk” policy;
- storage of paper records in lockable wall cabinets;
- restrictions on the use of portable electronic devices outside the workplace;
- restrictions on employees’ use of personal devices in the workplace;
- clear rules for creating and using passwords;
- regular backups of personal data and off-site physical storage of the backup media;
- contractual obligations on counterparty organizations to take appropriate security measures when data are transferred outside the EU.
These controls are selected on the basis of the identified risks to personal data and the potential for harm to data subjects.
- Observance of the principle of accountability
Regulation (EU) 2016/679 includes provisions that promote accountability and governance and complement the transparency requirements. The accountability principle in Article 5(2) requires the controller to be able to demonstrate compliance with the other principles of the Regulation and explicitly states that this is the controller’s responsibility.
Ibex Realty EOOD demonstrates compliance with the data protection principles by applying data protection policies, adhering to codes of conduct, implementing appropriate technical and organizational measures, and by adopting data protection by design and by default, data protection impact assessments, a personal data breach notification procedure, etc.
IV. Rights of data subjects
- Data subjects have the following rights with regard to the processing of their data and the data recorded about them:
- To request confirmation of whether personal data relating to them are being processed and, if so, to obtain access to the data and information on the recipients of the data;
- To request a copy of their personal data from the administrator;
- To ask the administrator to rectify personal data that are inaccurate or no longer up to date;
- To require the administrator to erase personal data (right to be “forgotten”);
- To ask the administrator to restrict the processing of personal data, in which case the data will only be stored, not otherwise processed;
- To object to the processing of their personal data;
- To object to the processing of personal data concerning them for the purposes of direct marketing;
- To lodge a complaint with a supervisory authority if they consider that any provision of Regulation (EU) 2016/679 has been violated;
- To request and receive their personal data in a structured, commonly used and machine-readable format;
- To withdraw their consent to the processing of personal data at any time by a separate request addressed to the administrator;
- Not to be subject to automated decisions that significantly affect them without the possibility of human intervention;
- To object to automated profiling carried out without their consent.
- Ibex Realty EOOD provides conditions to guarantee the exercise of these rights by the data subject:
- Data subjects may make requests for access to data as described in the Subject Request Management Procedure; this procedure also describes how Ibex Realty EOOD will ensure that the response to a data subject’s request meets the requirements of the General Regulation.
- Data subjects have the right to submit complaints to Ibex Realty EOOD regarding the processing of their personal data, the handling of a data subject request, or the way in which their complaints have been handled, in accordance with the Procedure for the means of communication in case of complaints and requests from the data subject.
- By “consent” Ibex Realty EOOD means any freely expressed, specific, informed and unambiguous indication of the will of the data subject, through a statement or clearly confirming action, which expresses his consent to the processing of personal data related to him. The data subject may withdraw his consent at any time.
- Ibex Realty EOOD means by “consent” only the cases in which the data subject has been fully informed about the planned processing and has expressed his consent without being pressured. Consent obtained under duress or on the basis of misleading information will not be a valid basis for the processing of personal data.
- Consent cannot be inferred from the lack of response to a message to the data subject. In order for there to be consent, there should be active communication between the administrator and the subject.
- For special categories of data, explicit written consent must be obtained in accordance with the Consent Procedure for the processing of personal data of data subjects, unless there is an alternative legal basis for processing.
- When Ibex Realty EOOD processes the personal data of children, it obtains permission from the holders of parental responsibility (parents, guardians, etc.). This requirement applies to children under 18 years of age.
VI. Data security
- All employees are responsible for ensuring that the data for which they, and Ibex Realty EOOD, are responsible are stored securely and are not disclosed under any circumstances to third parties, unless Ibex Realty EOOD has granted such rights to the third party by concluding a contract or confidentiality clause.
- All personal data are available only to those who need them, and access is granted only in accordance with the established access control rules. All personal data are treated with the utmost security and stored properly as follows: in a separate room with controlled access; and/or in a locked cupboard or filing cabinet; and/or, if computerized, password-protected in accordance with the internal requirements specified in the organizational and technical measures for controlling access to information; and/or stored on portable computer media that are protected in accordance with those same measures.
- All employees are trained to comply with the organizational and technical measures for access, as well as the rules for locking workstations, before they have been granted access to information of any kind.
- Paper records shall not be left where they may be accessible to unauthorized persons and may not be removed from the designated office premises without express permission. As soon as paper documents are no longer needed for current customer support work, they are retained for the specified period and then destroyed in a timely manner in accordance with the established procedure/rules and the relevant protocol.
- Personal data are deleted or destroyed only in accordance with the Procedure for storage and destruction of data. Paper records that have reached the end of their retention period are shredded and destroyed as “confidential waste”. The data on the hard disks of decommissioned personal computers are erased or the disks are destroyed, according to the established rules/procedures.
- Processing personal data “outside the office” carries a potentially higher risk of loss, theft or breach of personal data. Staff must be specifically authorized to process data outside the administrator’s premises.
VII. Data disclosure
- Ibex Realty EOOD ensures that personal data are not disclosed to unauthorized third parties, including family members, friends, government agencies and even investigators, where there is reasonable doubt that the data have been requested in the prescribed manner. Employees receive special training and periodic briefings in order to avoid the risk of such a violation.
- The Company requires that all third-party requests for the provision of data be supported by appropriate documentation, and all such disclosures are specifically authorized by the persons responsible for data protection.
VIII. Data storage and destruction
- Ibex Realty EOOD does not store personal data in a form that allows the identification of subjects for a longer period than necessary, in relation to the purposes for which the data were collected.
- Ibex Realty EOOD may store data for longer periods only if the personal data are processed for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, and only when appropriate technical and organizational measures are implemented to guarantee the rights and freedoms of the data subject.
- The retention period for each category of personal data is specified in the Data Retention and Destruction Procedure as well as the criteria used to determine this period, including any legal obligations.
- The procedure for storing and destroying data, as well as the rules for destroying information on unused recording media, shall apply in all cases.
- Personal data is securely destroyed by applying appropriate technical or organizational measures (“integrity and confidentiality”).
IX. Data transfer
Any export of data from within the EU to non-EU countries (referred to in the General Regulation as “third countries”) is illegal, unless there is an appropriate “level of protection of the fundamental rights of data subjects”.
The transfer of personal data outside the EU is prohibited unless one or more of the following guarantees or exceptions apply:
- Adequacy decision
The European Commission may assess third countries, territories and/or specific sectors in third countries to determine whether there is an appropriate level of protection of the rights and freedoms of individuals. In these cases, no authorization is required. Countries that are members of the European Economic Area (EEA) but not the EU are considered eligible for an adequacy decision.
- Mandatory company rules
Ibex Realty EOOD may adopt approved mandatory corporate rules for data transfer outside the EU, where applicable. This requires their submission to the relevant supervisory authority for approval.
- Standard contractual clauses
The controller may accept approved standard data protection contractual clauses for data transfers outside the European Economic Area. If Ibex Realty EOOD accepts standard contractual clauses approved by the respective supervisory body, there is an automatic recognition of adequacy.
In the absence of an adequacy decision, mandatory company rules and/or contractual clauses, the transfer of personal data to a third country or international organization takes place only under one of the following conditions:
- the data subject has explicitly consented to the proposed transfer after being informed of the possible risks of such transfers;
- the transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures taken at the request of the data subject;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defense of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
- the transfer is made from a register which, under EU law or the law of the Member States, is intended to provide information to the public and is open to consultation by the general public or by any person who can demonstrate a legitimate interest, but only in so far as the conditions for consultation laid down in EU law or in the law of the Member States are satisfied in the particular case.
X. Data inventory
- Ibex Realty EOOD has established a data inventory process as part of its approach to managing the risks and opportunities involved in complying with Regulation (EU) 2016/679. During the inventory of the data held by Ibex Realty EOOD and of the data workflow, the following are established:
- business processes that use personal data;
- sources of personal data;
- the number of data subjects;
- a description of the categories of personal data and the elements of each category;
- processing activities;
- the purposes of the processing for which the personal data are intended;
- the legal basis for the processing;
- the recipients or categories of recipients of personal data;
- basic storage systems and locations;
- all personal data subject to transfers outside the EU;
- storage and deletion periods.
- Ibex Realty EOOD is aware of the risks associated with the processing of certain types of personal data.
- Ibex Realty EOOD assesses the level of risk to individuals arising from the processing of their personal data. Data protection impact assessments are performed for the processing of personal data carried out by Ibex Realty EOOD and for the processing undertaken by other organizations on behalf of Ibex Realty EOOD (Data Protection Impact Assessment Procedure).
- Ibex Realty EOOD manages all risks identified by the impact assessment in order to reduce the likelihood of non-compliance with these rules. Where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of individuals, Ibex Realty EOOD, taking into account the nature, scope, context and purposes of the processing, carries out an assessment of the impact of the envisaged processing operations on the protection of personal data before the processing begins. A single impact assessment may cover a set of similar processing operations that present similar high risks.
- Where the Impact Assessment makes clear that Ibex Realty EOOD would be starting processing of personal data which, because of its high risk, could cause harm to the data subjects, the decision whether or not to proceed with the processing will be submitted for review by the supervisory authority.
- The management of Ibex Realty EOOD carries out an annual review of the initially inventoried data and reviews the information entered in the “Register of processing activities” in light of any changes in the activities of Ibex Realty EOOD.
ADDITIONAL INFORMATION TO THE PERSONAL DATA PROTECTION POLICY
- General regulation on personal data protection
Regulation (EU) 2016/679 (General Data Protection Regulation) replaces Data Protection Directive 95/46/EC. It has direct effect and entails amendment of the Member States’ legislation in the field of personal data protection. Its purpose is to protect the “rights and freedoms” of individuals and to ensure that personal data are not processed without their knowledge and, where possible, that they are processed with their consent.
- Scope outlined by the General Data Protection Regulation
Material scope – this Regulation applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a personal data register or are intended to form part of one.
Territorial scope – the rules of the General Regulation will apply to all data controllers established in the EU who process personal data of individuals in the context of their activities. It will also apply to non-EU controllers who process personal data for the purpose of offering goods and services or if they monitor the behavior of data subjects residing in the EU.
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physiological, genetic, mental, intellectual, economic, cultural or social identity of that natural person;
“Special categories of personal data” means personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data for the unique identification of an individual, health data or data on the sexual life of an individual or sexual orientation.
“Processing” means any operation or set of operations performed on personal data or on a set of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Administrator” means any natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU law or the law of a Member State, the controller or the specific criteria for determining it may be laid down in Union law or in the law of a Member State;
“Data subject” – any living natural person who is the subject of personal data stored by the Administrator.
“Consent of the data subject” means any freely expressed, specific, informed and unambiguous indication of the will of the data subject, by means of a statement or clearly confirming action expressing his consent to the processing of personal data relating to him;
“Child” – The General Regulation defines a child as anyone under the age of 16 and, under national law, anyone under the age of 18. The processing of a child’s personal data is lawful only if a parent, guardian or custodian has given consent. The administrator shall make reasonable efforts to verify in such cases that the holder of parental responsibility for the child has given or is authorized to give his or her consent.