DATA PROTECTION POLICY
DIVA PLUS EOOD – UIC 175013870 Sofia, Bakston District, Bl. 19, Entr. A, Apt. 6, Bulgaria | https://divaplus.org/
1. Purpose, Scope and Users
DIVA PLUS EOOD (the “Company”) strives to comply with all applicable laws and regulations relating to personal data protection in the countries where the Company operates.
This Policy defines the core principles by which the Company processes personal data of consumers, clients, suppliers, business partners, employees and other individuals, and sets out the responsibilities of business departments and employees during personal data processing.
The Policy applies to all employees, permanent or temporary, as well as all contractors working for or on behalf of the Company.
2. Reference Documents
This Policy is based on Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and the applicable national legislation implementing GDPR.
It is related to: the Employee Data Protection Policy, Data Retention Policy, Data Protection Officer job description, data inventory and processing guidelines, individual access request procedures, data protection impact assessment, information security policies and breach notification procedures.
3. Definitions
Personal Data – any information relating to an identified or identifiable natural person, i.e. a person who can be identified by reference to an identifier such as a name, an identification number, location data, an online identifier or factors specific to physical, physiological, genetic, mental, economic, cultural or social identity.
Sensitive Personal Data – data revealing racial or ethnic origin, political opinions, religious beliefs or trade union membership, as well as genetic data, biometric data, health data and data concerning sex life or sexual orientation.
Data Controller – the natural or legal person which determines the purposes and means of the processing of personal data.
Data Processor – a person or entity that processes personal data on behalf of the Controller.
Processing – any operation or set of operations performed on personal data, such as collection, recording, storage, use, disclosure, erasure or destruction.
Pseudonymisation – processing of personal data in such a manner that they can no longer be attributed to a specific data subject without the use of additional information stored separately and protected by technical and organisational measures.
4. Core Principles for Processing Personal Data
DIVA PLUS EOOD is committed to processing personal data in accordance with the following principles:
- Lawfulness, fairness and transparency – data is processed only on a lawful basis.
- Purpose limitation – data is collected for specified and explicit purposes.
- Data minimisation – only data necessary for the stated purposes is collected.
- Accuracy – data is kept accurate and up to date.
- Storage limitation – data is retained no longer than necessary.
- Integrity and confidentiality – data is processed in a manner that ensures appropriate security against unauthorised access, loss or destruction.
5. Embedding Data Protection in Business Processes
DIVA PLUS EOOD integrates data protection into all business processes through the following measures:
- Collecting the minimum amount of personal data necessary (data minimisation).
- Ensuring the lawfulness and accuracy of collected data.
- When engaging third parties for data processing, ensuring an adequate level of protection.
- Applying appropriate safeguards for any cross-border transfer of personal data.
- Respecting the rights of data subjects to access, rectify, erase and port their data and to be forgotten.
6. Guidelines for Fair Processing
Personal data must be processed only on a lawful basis. Prior to or at the time of collection, data subjects must be properly informed through a privacy notice regarding: the purposes of processing, recipients of the data and any potential transfer to third countries.
When processing is based on consent, the Company ensures that consent is documented and can be withdrawn at any time. Data may only be processed for the originally specified purposes. If the purpose changes, new consent must be obtained.
7. Organisation and Responsibilities
Responsibility for proper processing of personal data rests with all persons who work for or with the Company. The main roles are:
- Data Controller – responsible for system security, approval of data protection declarations and interaction with the Data Protection Officer.
- Data Protection Officer (DPO) – responsible for raising awareness, training employees and managing relationships with suppliers and third parties.
- Employees – all employees are personally responsible for processing personal data in accordance with this Policy.
8. Actions in Case of Personal Data Breach
In the event of a suspected or actual personal data breach, an internal investigation must be immediately conducted and appropriate corrective measures taken.
When there is a risk to the rights and freedoms of data subjects, the competent supervisory authority must be notified without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
The competent supervisory authority is: Commission for Personal Data Protection (CPDP) Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd. | Tel: +359 2 9153518 | www.cpdp.bg
9. Audit and Accountability
Compliance with this Policy is reviewed periodically by the Data Controller. Violations may result in disciplinary measures and civil or criminal liability.
This Policy is adopted by the management of DIVA PLUS EOOD and enters into force on the date of its publication on the website https://divaplus.org/.