Data Protection Policy

Likora Ltd.

I. Introduction and presentation

  1. Likora OOD, BG131049943, is an administrator within the meaning of Regulation (EC) 2016/679. For the purposes of this document, it will be referred to as Administrator.
  2. Contact information:
    • Address: Bulgaria 1407, Sofia, 5, Herik Ibsen St.
    • Internet addresses:
    • Phones: +359 2 9311015, +359 888777128
  3. For a Data Protection Officer, the Administrator appoints Maria Petrova Nikolova parallel with her other position. Obligations:
    • develops and implements the requirements of Regulation (EC) 2016/679 as required by this policy;
    • it is directly responsible for ensuring that both Administrators’ organizations and the activities of each member of the Management Board within their area of ​​responsibility comply with the requirements of Regulation (EC) 2016/679;
    • is responsible for the management of security and risk in terms of policy compliance;
    • represents the Administrators on all matters relating to the processing of data.

II. Definitions

  1. All terms used in this document are defined in Article 4 of the European Parliament Regulation (EU) 2016/679 (General Data Protection Regulation – ARRD).
  2. Other terms not included in the ARP:
    • B2B – business to business – means the business relationship of Likora with other businesses
    • B2C – business to customers – means the relationship of Likora with individuals, users of its services.

III. Categories of data subjects In their business activities, Administrator interacts with the following categories of data subjects:

  1. Representatives of legal entities whose information is publicly available in the Registry of the Registry Agency (В2В)
  2. Individuals – users of Administrators or potential (B2C)
  3. Natural persons hired under contracts of employment in the Administrators or other contractual relations with them.

The purpose of this policy is to ensure data protection of individuals by Administrators.

IV. Categories of personal data According to their needs, Administrators collect and process the following categories of personal data:

  1. Ordinary personal data – names, address, e-mail, IP address
  2. Unified civil number when required to enter into different contractual relationships

Administrators do not collect or process sensitive personal data. All categories of personal data are described in detail in the Register of Personal Data Processing

V. Legal bases for data processing

  1. Agree:
    • Administrators maintain information about the data gathered on the basis of the subject’s consent, demonstrating in each case that the consent is:
      • freely expressed – not put under pressure or threat of adverse consequences;
      • in particular – a separate agreement for each specific purpose and, where relevant, for a specific category of personal data;
      • informed – given on the basis of complete, accurate and easily understandable information;
      • unambiguously – is not inferred or implied on the basis of other statements or actions of the individual;
      • explicit statement or clear confirmation action – the data subject’s silence is not accepted.
    • Administrators shall maintain documentation (on paper or electronically) of the consent they have given for the purpose of proof to the competent authorities.
    • Administrators have provided the opportunity to withdraw the consent at any time as easily as it is given.
  2. Conclusion or performance of a contract
  3. Legal obligation

All categories of personal data with the appropriate ground for processing are described in detail in the Register of Personal Data Processing

VI. Targets of data processing

  1. Labor relations – under labor and civil contracts
  2. Accounting
  3. Commercial and marketing activities
  4. Under contractual relations with counterparties

All data processing purposes are described in detail in the Register of Personal Data Processing Activities. VII. Provision of personal data Administrators provide conditions under which personal data will not be disclosed to unauthorized third parties, including family members, friends, public authorities, even investigators, if there is reasonable doubt that they are not required by the established order. All employees / workers should be cautious when they ask them to disclose personal data stored to another person of a third party. It is important to keep in mind whether or not the disclosure of information is related to the needs of the activity performed by the organization. All requests from third parties to provide data should be supported by appropriate documentation and any such disclosure of data should be specifically authorized by the Data Protection Officer. Outside the organization, Administrators provide data to the following contractors:

  1. Public authorities – NRA, NSSI
  2. Other processing data according to business needs:
    • Accounting firm
    • IT companies supporting Administrators’ websites, the email platform and the information system

All recipients of data are described in detail in the Register of Personal Data Processing Activities.

VIII. Data transfer

  1. Administrators collect and process e-mail addresses of potential and current clients through the GetResponse platform, owned by the Polish company GetResponse Sp. z oo, at address Arkońska 6, A3, ZIP Code: 80-387, Gdańsk, Poland, VAT PL9581468984
  2. Outside point 1 Administrators treat any export of data within the EU to non-EU countries (referred to in the General Regulation as “third parties”) as illegal unless there is an adequate level of protection of the fundamental rights of the data subjects.
  3. Exceptions: transfer of personal data to a third country or international organization is only possible under one of the following conditions:
    • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
    • transmission is necessary for important reasons of public interest;
    • transmission is necessary for the establishment, exercise or protection of legal claims;
    • transmission is necessary in order to protect the vital interests of the data subject or other persons when the data subject is physically or legally incapable of giving his consent;
    • transmission is by a register which, under EU law or the law of the Member States, is intended to provide information to the public and is accessible for consultation by the public in principle or by any person who can prove that he has a legitimate interest in doing so. only in so far as the reference conditions laid down in Union or Member State law are met in the present case.

IX. Storing and destroying data

  1. Administrators shall not store personal data in a form that permits identification of the subjects for a longer period than is necessary with respect to the purposes for which the data were collected.
  2. Administrators may only store data for longer periods if the personal data are processed for purposes of archiving, for purposes of public interest and for statistical purposes and only when appropriate technical and organizational measures are in place to safeguard the rights and freedoms of the data subject.
  3. The procedure for storing and destroying the data accepted by the Administrators shall apply in all cases.
  4. Personal data will be destroyed securely, in accordance with the principle of ensuring an appropriate level of security (Article 5 (1b) of the General Regulation) – including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, appropriate technical or organizational measures.

X. Risk assessment

  1. Administrators are aware of the risks associated with the processing of certain types of personal data.
  2. Administrators assess the level of risk to individuals involved in the processing of their personal data. Impact assessments on data protection in relation to the processing of personal data and in relation to the processing undertaken by other organizations on behalf of the Administrators are carried out.
  3. Administrators manage all the risks identified by the impact assessment in order to reduce the likelihood of non-compliance with these rules.
  4. Where, as a result of the Impact Assessment, it is clear that Administrators will start processing personal data which, due to a high risk, could cause harm to data subjects, the decision whether or not to continue processing should be submitted for review by the The Data Protection Officer.
  5. If the DPO has serious concerns about either the potential harm or danger or the amount of relevant data, it should escalate the issue to the supervisor.
  6. The Data Protection Officer makes a periodic (annual) review of the initial inventory data, revises the entered information in the Registry of Processing Activities in the light of any changes in the ADMINISTRATOR’s activities.

XI. Security measures

  1. Administrators have provided the appropriate technical and organizational security measures for the data processed, detailed in the Data Processing Operations Register.
  2. All Administrator employees / employees are responsible for ensuring the security of the storage of the data they are responsible for and which the Administrators collect and that the data is safely stored and is not disclosed under any circumstances to third parties unless ADMINISTRATORS did not grant such rights to that third party by entering into a contract / confidentiality clause.
  3. All personal data should be accessible only to those who need it and access can only be granted in accordance with established access control rules.

XII. Principles of data protection Administrators shall complete the processing of personal data in accordance with the data protection principles referred to in Article 5 of Regulation (EC) 2016/679. The policies and procedures of Administrators aim to ensure that these principles are respected.

  1. Legitimacy, Integrity and Transparency:Personal data is processed lawfully, in good faith and transparently
  • Legally – with an identified legal basis / legal basis.
  • Good faith – Administrators shall provide the data subjects with the necessary information as far as practicable. This applies irrespective of whether personal data is obtained directly from data subjects or from other sources.
    • All data collection forms (electronic or paper), including data collection requirements in the new information systems, must include a declaration of good faith or be approved by the DPO.
  • Transparent – At any time Administrators can provide summary, concise and comprehensible information through their website or other data accessible to data subjects on:
    • identification of the company or organization – name and means of contact, including the Data Protection Officer, if any (address, e-mail, telephone, etc.);
    • what categories of personal data are collected and for what purposes they are processed;
    • the categories of recipients of personal data outside of the company or organization, and whether data will be transferred (transferred) to third countries outside the EU;
    • the period for storing the data;
    • the existence of specific rights of data subjects (right of access, rectification or deletion of personal data, limitation of processing, objection to processing, portability of data) and the order of their exercise;
    • the right of data subjects to file a complaint with the CPDP or the court;
    • whether the provision of personal data is a statutory or contractual requirement and the possible consequences if such data are not provided;
    • (if applicable) whether it has automated decision making, including profiling.
  1. Goal limitation
    • Personal data is collected only for specific, explicit and legitimate purposes and is not processed further in a manner inconsistent with these purposes.
    • Further processing for archiving purposes in the public interest, for scientific or historical research or for statistical purposes is not considered to be incompatible with the original objectives (“limitation of objectives”) under Article 89 (1)
  2. Minimize data
    • Personal data must be adequate, relevant, limited to what is necessary to process them for the purpose in order to comply with the principle of minimum necessity.
    • DPOA / Data Protection Officer is responsible for ensuring that Administrators do not collect information that is not strictly necessary for the purpose for which it was received.
    • The Data Protection Officer will ensure that on an annual basis all data collection methods are reviewed to ensure that the collected data is still adequate, relevant and not excessive.
  3. Accuracy:Personal data must be accurate and up-to-date at all times, and the necessary efforts are made to allow deletion or correction immediately (within the framework of possible technical solutions).
    • The data stored by the data controller must be reviewed and updated as necessary. No data is stored in cases where it is likely not to be accurate.
    • The Data Protection Officer is responsible for ensuring that all staff are trained in the importance of accurate data collection and maintenance.
    • Also, it is the duty of the data subject to declare that the data he transmits for storage by the ADMINISTRATORS is accurate and up to date. Completing a form from the data subject to the administrator will include a statement that the data contained therein is accurate at the filing date.
    • Employees / workers (clients / others) are required to notify Administrators of any changes in circumstances so that they can update their personal data records. It is the responsibility of the Administrators to ensure that any notification of change of circumstances is recorded and action is taken.
    • The Data Protection Officer is responsible for ensuring that adequate procedures and policies are in place to maintain the accuracy and timeliness of personal data, taking into account the volume of data collected, the rate at which it may change, other relevant factors.
    • At least annually, the Data Protection Officer will review the storage times of all personal data processed by the ADMINISTRATORS by referring to the inventory of data and will identify all data that is no longer required in the context of the registered purpose. These data will be reliably destroyed in accordance with the administrator’s procedures and rules.
    • The Data Protection Officer / Data Protection Officer is responsible for complying with requests for data correction within one month. This deadline can be extended by another two months for complex requests. If the ADMINISTRATOR decides not to comply with the request, the Data Protection Officer must respond to the data subject in order to explain his reasons and to inform him of his right to complain to the Supervisory Authority and to seek legal protection.
    • The Data Protection Officer is responsible for taking appropriate measures in cases where third-country organizations have inaccurate or outdated personal data to inform them that the information is inaccurate or outdated and is not used for making decisions about individuals , to inform the parties concerned and to forward any corrections of personal data to third countries where necessary.
  4. Storage limitation:Personal data must be stored in such a form that the data subject can only be identified for as long as necessary for processing.
    • When personal data is retained after the date of processing, it will be stored appropriately (minimized) to protect the identity of the data subject in case of data breaches.
    • Personal data will be retained in accordance with the Data Storage and Destruction Procedure and after the storage period has passed, they must be reliably destroyed by the procedure specified in this procedure.
    • The Data Protection Officer must specifically approve any retention of data beyond the retention period defined in the Data Storing and Destruction Procedure and must ensure that the justification is clearly defined and complies with the requirements of the applicable law of the data. This approval must be in writing.
  5. Integrity and confidentiality:
    • Personal data shall be processed in such a way as to ensure an appropriate level of security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures;
    • The Data Protection Officer assesses the risk by taking into account all circumstances related to the management or data processing operations of the ADMINISTRATORS.
    • In determining the suitability of the processing, the Data Protection Officer should also examine the extent of any damage or loss that may be caused to individuals (eg staff or customers) if a security breach occurs, as is the case and any likely damage to the reputation of the controller, including a possible loss of customer confidence.
  6. Compliance with the principle of accountability
    • Regulation (EU) 2016/679 includes provisions that promote accountability and manageability and complement transparency requirements. The principle of accountability in Art. 5, par. 2 requires the administrator to prove that he adheres to the other principles in the ARRD and explicitly states that this is his responsibility.
    • ADMINISTRATORS will demonstrate compliance with data protection principles by implementing data protection policies by adhering to codes of conduct, implementing appropriate technical and organizational measures, and by adopting data protection techniques at the design and protection stage default data, personal data protection impact assessment, personal data breach notification procedure, etc.

XIII. Practical exercise of rights by data subjects

  1. Administrators provide a practical opportunity to exercise the rights conferred by Regulation 2016/679 on data subjects:
    • the right of access to personal data processed by the company / organization;
    • the right to correct or supplement inaccurate or incomplete personal data;
    • the right to delete (“the right to be forgotten”) of personal data that are being handled unlawfully or by a faulty legal basis (expired storage period, withdrawn consent, accomplished original purpose for which they were collected, etc.);
    • right to limit processing – in the event of a legal dispute between the company / organization and the individual until its resolution and / or the establishment, exercise or protection of legal claims;
    • right to data portability – if processed in an automated manner on the basis of consent or contract. For this purpose, the data is transmitted in a structured, widely used and machine-readable format. If technically feasible, data may be transferred directly from one administrator to another. The right of portability covers only data provided personally by the data subject as well as personal data generated and collected from his activity.
    • right of objection – at any time and on grounds relating to the particular situation of the person, provided that there are no compelling legal grounds for the processing that take precedence over the interests, rights and freedoms of the data subject or trial;
    • the right not to be subject to a wholly automated solution involving profiling that produces legal consequences for the data subject or significantly affects it.
  2. Administrators have internally scheduled procedures for accepting, reviewing and responding within one month to requests from individuals for the exercise of their rights as data subjects and the establishment of an organization to implement them in practice.

XIV. Notification of breach of data security

  1. In the event of a personal data breach, Administrators, as an administrator of personal data, without undue delay, and where feasible – no later than 72 hours after he / she understands it, notify the personal data breach CPDP as supervisor Authority for the Republic of Bulgaria. , competent in accordance with Article 55, unless the personal data breach is likely to pose a risk to the rights and freedoms of individuals. The notification to the supervisory authority shall state the reasons for the delay where it is not filed within 72 hours.
  2. Administrators, as a personal data processor, notify the administrator without unnecessary delay, knowing that they are violating the security of personal data.
  3. The notification shall include at least the following:
    • a description of the nature of the personal data breach, including, where possible, the categories and approximate numbers of data subjects and categories concerned and the approximate amount of personal data records concerned;
    • indication of the name and contact details of the data protection officer or other contact point from which more information can be obtained;
    • a description of the possible consequences of the breach of personal data security;
    • a description of the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to mitigate the possible adverse effects.
  4. Where and as far as it is not possible to submit the information at the same time, the information may be submitted in stages without further unnecessary delay.
  5. Administrators, as an administrator, document each violation of personal data security, including facts about privacy violation, its consequences, and actions taken to address it. This documentation enables the supervisor to verify compliance with Article 33 of the CRPD.

XV. Statement on privacy policy

  1. The Management of the Administrators is committed to ensuring compliance with EU and Member States’ legislation on the processing of personal data and the protection of “rights and freedoms” of persons whose data are collected and processed by Administrators under the General Data Protection Regulation (EC) 2016/679).
  2. In accordance with the General Regulation, other relevant documents, as well as related processes and procedures, are described in this policy.
  3. Regulation (EU) 2016/679 and this policy apply to all processing functions of personal data, including those concerning customer, employee, supplier and partner personal data, and any other personal data that the organization processes from different sources.
  4. The Data Protection Officer shall be responsible for reviewing the Registry of Processing Activities annually in the light of any changes to the Administrators’ activities as well as any additional requirements, data protection impact assessments. This register must be available at the request of the supervisory authority.
  5. This policy applies to all employees / employees and partners of the Administrators as external suppliers. Any violation of the General Regulation will be considered a violation of labor discipline, and if there is a presumption of a crime, the matter will be referred to the relevant state authorities as soon as possible.
  6. Partners and third parties who work with or for Administrators and who have or may have access to personal data will be expected to become familiar with, understand, and comply with this policy. No third party may access personal data stored by the Administrators without having previously entered into a data privacy agreement which impose on the third party obligations no less burdensome than those the Administrators have taken and which the right of the ADMINISTRATORS to carry out checks on compliance with the obligations imposed by the agreement.

XVI. Documentation and accountability

  1. Administrators have created a data inventory process as part of their approach to addressing risks and opportunities in complying with compliance policy with Regulation (EC) 2016/679. The inventory of data in the data workflow establishes:
    • business processes that use personal data;
    • sources of personal data;
    • the number of data subjects;
    • a description of the categories of personal data and elements in each category;
    • processing activities;
    • the purposes of the processing for which the personal data are intended;
    • the legal basis for the processing;
    • recipients or categories of recipients of personal data;
    • main systems and storage locations;
    • any personal data that is subject to transfers outside the EU;
    • the storage and deletion times.
  2. In relation to point 1, administrators shall periodically prepare and update the following documents under Regulation 2016/679
    • Internal register of the data processing activities of the organization with the following information:
      • the name and contact details of all joint administrators, representatives of administrators and the Data Protection Officer;
      • the purposes of processing;
      • a description of the categories of data subjects and categories of personal data;
      • the categories of recipients to whom personal data are or will be disclosed, including recipients in third countries or international organizations;
      • where applicable, the transfer of personal data to a third country or international organization, including the identification of that third country or international organization, documentation of appropriate safeguards;
      • the deadlines for deleting the different categories of data;
      • a general description of technical and organizational security measures.
    • Internal privacy policy of the organization (this document).
    • Contracts with personal data processorsto include all mandatory requisites under Art. 28 of the General Data Protection Regulation.
    • Other procedures and rules:
      • Procedure for managing the requests of the entities
      • Procedure for ways of communicating complaints
      • Procedure for obtaining consent to process the data and to withdraw consent from the data subject
      • A procedure for storing and destroying data, including risk assessment and the selection of appropriate technical and organizational measures
      • Rules for subcontracting
      • Notification procedure for breach of personal data security.
    • Declarations and contracts:
      • Request form from data subject
      • Declaration of consent of the data subject
      • Form of withdrawal of consent from the data subject
      • Declaration of consent by parent / guardian
      • Form of withdrawal of consent by parent / guardian
      • Administrators, as joint data controllers, shall define transparently each other their respective responsibilities for the implementation of the CRDM obligations, in particular as regards the exercise of the rights of the data subjects and their respective obligations to provide the information referred to in Articles 13 and 14 of the Regulation by means of an arrangement between them, reflected in a separate document.

XVII. Changes to this policy

  1. Any changes that may be made to this policy in the future will be posted on these sites.
  2. Last modified: April 14, 2020