Privacy policy
CLA Team, February 6, 2020

I. GENERAL
Art. 1. (1) The Legal Aid Centre Voice in Bulgaria, hereinafter referred to only as “CLA”, shall be a non-profit legal entity registered in public benefit activities, founded to support and protect the rights of migrants and refugees in the territory of the Republic of Bulgaria, as well as the rights of similar groups in need by providing pro bono legal assistance and advice, conducting individual litigation and is registered under the Bulgarian Registry Act 175641035.

“CLA” has its registered office in the town of Sofia and management address: 1, Mladost 1, Bl. 92, Floor 13, App. 90.
The “CLA” processes personal data in connection with its activities and determines the purposes and means of processing. In this case, “CLA” acts as a personal data controller.
(5) In cases where the “CLA” processes personal data for purposes determined independently by a third party or the purposes are determined jointly by the “CLA” and a third party, the “CLA” shall have the status of either a processor (if the purposes are determined by the person who commissioned the processing) or a co-controller.

Art. 2. These Internal Rules of the “CLA” shall govern the organisation of the processing and protection of personal data in the performance of the organisation’s activities.

Art. 3. (1) “Personal data” means any information relating to an identified natural person or an identifiable natural person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by an identifier such as a name, an identification number, location data, an online identifier or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a

‘Processing of personal data’ means any operation or set of operations which is performed upon personal data or a set of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
‘Personal data record’ means any structured set of personal data, regardless of its type and medium, which is accessed according to certain criteria, whether centralised, decentralised or distributed according to a functional or geographical principle.

Art. 4. (1) The “CLA” is a controller of personal data within the meaning of Article 4(7) of the General Data Protection Regulation (EU) 2016/679.

As a personal data controller, when processing personal data, the “CLA” shall comply with the data protection principles laid down in the General Data Protection Regulation (EU) 2016/679 and the legislation of the European Union and the Republic of Bulgaria.
Art. 5. (1) The personal data protection principles are:

Lawfulness, fairness and transparency – processing on a lawful basis, in the exercise of due diligence and when informing the data subject;
Purpose limitation – collection of data for specified, explicit and legitimate purposes and prohibition of further processing in a manner incompatible with those purposes;
Data minimisation – data to be relevant, related to and limited to what is necessary in relation to the purposes of the processing;
Accuracy – keeping up to date and taking all reasonable steps to ensure that inaccurate data is erased or rectified in a timely manner, taking into account the purposes of the processing;
Limitation of storage – data to be processed for a minimum period in accordance with the purposes. Retention for longer periods is acceptable for archiving purposes in the public interest, scientific or historical research or statistical purposes, provided that appropriate technical and organisational measures are implemented;
Integrity and confidentiality – processing in a way that ensures an appropriate level of security of personal data, with appropriate technical or organisational measures in place;
Accountability – the controller is accountable and must be able to demonstrate compliance with all principles relating to the processing of personal data.
If the specific purpose or purposes for which personal data are processed by the “CLA” do not or no longer require the identification of the data subject, the “CLA” is not obliged to maintain, acquire or process additional information to identify the data subject for the sole purpose of demonstrating compliance with the requirements of Regulation 2016/679.

Art. 6. The “CLA” shall organise and take measures to protect personal data against accidental or unlawful destruction, against unauthorised access, against alteration or dissemination and against other unlawful forms of processing of personal data. The measures taken shall take account of current technological developments and the risks associated with the nature of the data to be protected.

Art. 7. The “CLA” shall implement adequate protection of personal data, which shall include:

Physical protection;
Personal protection;
Documentary protection;
Protection of automated information systems and networks.
Article 8. (1) Personal data shall be collected for specific purposes which are defined by law, shall be processed lawfully and in good faith and shall not be further processed in a manner incompatible with those purposes. Further processing of personal data for archiving purposes in the public interest, scientific, historical research or statistical purposes shall not be considered incompatible with the original purposes.

Personal data shall be stored on paper, technical and/or electronic media only for as long as is necessary for the performance of the powers, legal obligations of the “CLA” and/or its normal functioning.
The collection, processing and storage of personal data in the records of the “CLA” shall be carried out on paper, technical and/or electronic media in a centralised and/or distributed manner in premises in accordance with the security measures provided for and the assessment of the appropriate level of security of the record concerned.
Art. 9. Where the hypotheses of Article 6, par. 1, points “b” to “f” of Regulation 2016/679, the natural persons whose personal data are processed by the “CLA” shall sign a declaration of consent in a form (Annex No 1).

Art. 10. (1) Only the authorities of the “CLA”, in accordance with the powers conferred on them by law, and the authorised employees of the “CLA”, as well as processors to whom the controller has entrusted the processing of data from the relevant register under the terms of Article 28 of the General Data Protection Regulation, shall have the right of access to the personal data registers.

Authorisation of employees shall be based on a job description or by an explicit act of the President of the “CLA”.
Employees shall be responsible for ensuring and guaranteeing regulated access to business premises and the protection of records containing personal data. Any deliberate breach of the rules and restrictions on access to personal data by staff may be grounds for disciplinary action against the employees concerned.
Officials shall not disseminate information about personal data which has come to their knowledge in the course of and in connection with the performance of their duties.
Art. 11. (1) Documents and files on which work has been completed shall be archived.

The permanent preservation for archiving purposes of documents containing personal data shall be carried out on paper in premises designated as archives for a period in accordance with the legislation in force.

(2) Electronic documents shall be stored on specialised servers, computer systems and/or external storage media. Back-up of personal data on technical media shall be carried out periodically by the processor/operator of personal data in order to keep the information on the persons concerned up-to-date and to ensure the possibility of recovery in the event of loss of the underlying media/system. Backup copies shall be stored at a different location from the location of the computer equipment processing the data. Access to the archives shall be restricted to the processor/operator and authorised officials.

Access to archived documents containing personal data shall be restricted to authorised persons and to the authorities of the “CLA” in accordance with the powers conferred on them by law.
Art. 12. (1) In the event of a record of unauthorized access to the personal data information files, or in the event of any other incident violating the security of personal data, the employee who has ascertained such violation/incident shall immediately report it to his/her immediate superior, who shall in turn, promptly inform the Data Protection Officer of the incident. Notification of an incident shall be made in writing, electronically, or by other means that allow the incident to be identified and comply with the requirement to notify the Data Protection Commission within 72 hours of becoming aware of the incident.

(2) The incident reporting and management process must include the recording of the incident, the time when it was identified, the person reporting it, the person to whom it was reported, the consequences of the incident and the measures taken to address it.

Art. 13. (1) Where the level of sensitivity of the information increases as a result of a change in its type or in the risks involved in its processing, the “CLA” may determine additional measures to protect the information in the personal data register concerned.

(2) Reports on the status, risks and level of sensitivity of the information shall be prepared every 2 years or when the nature of the personal data processed changes.

Art. 14. (1) After the purpose of processing the personal data contained in the records maintained by the “CLA” has been achieved, the personal data shall be destroyed in accordance with the procedures provided for in the applicable regulations and these Internal Rules.

In cases where the destruction of a personal data medium is necessary, the “CLA” shall implement the necessary actions for the erasure of personal data in a manner that precludes data recovery and misuse, such as:
Personal data stored on electronic media and servers shall be destroyed by permanent erasure, including the overwriting of the electronic media or physical destruction of the media;
Paper documents containing data shall be destroyed by shredding.
Destruction shall be carried out by staff authorised by an express written act of the Chairman of the “CLA” and after notification to the Data Protection Officer.
A record of the destruction of personal data and personal data media shall be drawn up and signed by the officials referred to in paragraph 1. 3, in accordance with the model in Annex 2.
Art. 15. (1) Access to personal data shall be granted to persons only if they have the right to such access in accordance with the legislation in force.

(2) Third parties shall be granted access to personal data processed at the “CLA”, provided that there is a legal basis for the processing of personal data (e.g. court, prosecutor’s office, NRA, NSSI, Supreme Bar Council, National Legal Aid Bureau, etc.).

DECLARATION OF CONSENT by the DATA SUBJECT

The undersigned ……………………………………………………, with address: …………………………………………………., hereby declare that I give my consent to the CENTRE FOR LEGAL ASSISTANCE VOICE IN BULGARIA to process my personal data for the purposes of:

……………………………………………………………………………………………………………..,

by means which comply with the provisions of the General Data Protection Regulation (EU) 2016/679, applicable European Union law and the legislation of the Republic of Bulgaria on the protection of personal data.

I am aware that I can withdraw my consent at any time.

I am aware that withdrawing my consent at a later date will not affect the lawfulness of the processing based on the consent I have now given.

I have been informed that I have the right to be informed about the data collected from me, to have access to it, to have my data corrected or deleted, to have the processing of my data restricted and to object to certain processing of my personal data.

Date: ……………………….

Declarant: …………………………………..

/…………………………………………../
