Rules on the Exercise of Rights of Data Subjects
These rules (“Rules”) set forth the conditions and order under which individuals whose details are processed by GOTMAR AD (“GOTMAR”, “We”) may exercise their rights pursuant to the Data Protection Act.
Part 1: General Principles
- GOTMAR processes and protects personal data collected during the performance of its activities in a fair and legal way for the intended use of their collection.
- The employees processing personal data for the purposes of labour, service and other contracts, distribution of petroleum products, signing and performance of contractual obligations under contracts with contracting parties as part of their job duties, shall observe the following principles in the processing of personal data:
- i) Personal data are processed legally and conscientiously.
- ii) Personal data are collected for specific, clearly set and legal purposes and are not further processed in a way incompatible with these purposes.
- iii) Personal data collected and processed for human resource management are equivalent, related to and not exceeding the purposes they are collected for.
- iv) Personal data are correct and updated, if necessary.
- v) Personal data are deleted or corrected if it is found that they are incorrect or disproportionate to the purposes they are processed for.
- vi) Personal data are maintained in a form allowing identification of the relevant natural persons for a period no longer than necessary for the purposes such data are processed.
- The employees processing personal data have initial and periodic confidentiality training and are acquainted with applicable law.
Part 2: Definitions
The definitions below have the following meaning:
“Personal data” means any information related to an identified natural person or a natural person that may be identified directly or indirectly, more specifically by identifier such as name, identification number, location data, online identifier or by one or more factors specific to the physical, physiological, genetic, psychological, mental, economic, cultural or social identity of that natural person;
“Applicable law” means the law of the European Union and the Republic of Bulgaria relevant to data protection;
”Profiling” means any form of automated processing of personal data such as using personal data to evaluate certain personal aspects related to the natural person, in particular, to analyze or predict aspects concerning this natural person performance at work, his/her economic situation, health, personal preferences, interests, reliability, behaviour, location or movement;
”Data Subject” means any natural person that may be identified directly or indirectly by identifier such as a name, identification number, location data, online identifier or by one or more factors specific for the physical, physiological, genetic, psychological, mental, economic, cultural or social identity of that natural person;
“Regulation (ЕС) 2016/679” means Regulation (ЕС) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), published in the Official Journal of the European Union on 4 May 2016.
Part 3: Rights of Personal Data Subjects
Personal data subjects have the following rights regarding their personal data:
- i) Right of access;
- ii) Right of correction;
- iii) Right of data portability;
- iv) Right of deletion (right “to be forgotten”);
- v) Right to request restriction of processing;
- vi) Right to object to the processing of personal data;
- vii) Right of the data subject not to be the subject of a decision based solely on automated processing, including profiling.
Right of access
- On request, GOTMAR shall provide the following information to the data subject:
- i) Confirmation whether GOTMAR processes the personal details of the person or not;
- ii) A copy of the person’s data processed by GOTMAR; and
- iii) Explanation about processed data.
2.2. The explanation in art. 2.1.(iii) includes the following information on the personal data processed by GOTMAR:
- i) purpose of processing;
- ii) relevant personal data categories;
- iii) recipients or categories of recipients to which personal data will be disclosed, more specifically the cross-border recipients or international organizations;
- iv) if possible, the planned period for which personal data will be processed; if impossible, the criteria used for setting this period;
- v) the existence of the right to correct or delete personal data or limit the processing of personal data related to the data subject, or to object against such processing;
- vi) right to appeal before a supervisory body;
- vii) when personal data is not collected from the data subject, all available information about their source;
- viii) the existence of automated decision-making, including profiling and information on the logic used as well as the significance and consequences from this processing for the data subject;
- ix) when personal data is transferred cross-border or to an international organization, the data subject has the right to be informed of the relevant guarantees for the transfer.
- The explanation about processed data includes the information provided by GOTMAR to data subjects by a privacy notice.
- On request of the data subject, GOTMAR may provide a copy of currently processed personal data.
- When providing a copy of personal data, GOTMAR may not disclose the following data categories:
- i) Personal data of third parties unless such parties have expressed their explicit consent for this;
- ii) Data which are business secret, intellectual property or confidential information;
- iii) Other information protected by applicable law.
- Provision of access for data subjects should have no effects on the rights and freedoms of third parties and may not lead to violation of GOTMAR’s legal obligations.
4.1. If access requests are clearly ungrounded or exaggerated, especially if repeated, GOTMAR may charge a reasonable fee for the administrative costs for provision of information or reject the request for access.
4.2. GOTMAR shall decide individually whether a request is ungrounded or exaggerated.
4.3. In case of refusal of access to personal data, GOTMAR shall present reasons for its refusal and inform the data subject of the subject’s right to submit a complaint to the Commission for Personal Data Protection.
Right of correction
5.1. Data subjects may request the correction of their personal data processed by GOTMAR in case that such data are incorrect or incomplete.
5.2. In case that personal data correction is performed, GOTMAR shall inform the other recipients to which such data are disclosed (e.g. state bodies, service provider) so that they can reflect the relevant changes, too.
Right of deletion (right “to be forgotten”)
- On request, GOTMAR shall delete personal data if any of the following grounds is present:
- i) Personal data are no longer necessary for the purposes they are collected for or for processing in another way;
- ii) The data subject withdraws his consent on which data processing is grounded and there are no other legal grounds for processing;
- iii) The data subject objects against processing and there are no legal grounds for processing with higher priority;
- iv) Personal data are processed illegally;
- v) Personal data must be deleted for the purpose of complying with GOTMAR’s legal obligations;
- vi) Personal data are collected for provision of services to information society of children pursuant to article 8, paragraph 1 of Regulation (ЕС) 2016/679.
- GOTMAR is not obliged to delete personal data if their processing is necessary:
- i) For exercise of the right to freedom of expression and the right to information;
- ii) Compliance with GOTMAR’s legal obligations;
- iii) For the public interest in the field of public health and in compliance with article 9, paragraph 2, letters h) andi), as well as article 9, paragraph 3 of Regulation (ЕС) 2016/679;
- iv) For the purposes of archiving in public interests, for scientific or historical studies or for statistical purposes pursuant to article 89, paragraph 1 of Regulation (ЕС) 2016/679, as far as there is probability that the right of deletion will make it impossible to achieve purposes of this processing or will severely impede their achievement; or
- v) For the purpose of establishment, exercise or protection of legal claims.
Right to request restriction of processing
- The data subject has the right to request restriction of processing when one of the following is applied:
- i) The accuracy of personal data is disputed by the data subject for a period allowing the controller to check the accuracy of personal data;
- ii) Processing is illegal but the data subject does not want their deletion and instead requests restrictions on their use;
- iii) The controller does not need personal data for the purposes of processing anymore but the data subject requests them to establish, exercise or defend legal claims;
- iv) The data subject objects to the processing on the grounds of GOTMAR’s legal interests and an inspection is in progress whether the legal grounds of the controller have priority over the interests of the data subject.
- GOTMAR may process personal data whose processing is limited only for the following purposes:
- i) For data storage;
- ii) With the consent of the data subject;
- iii) For establishing, execution and defense of legal claims;
- iv) For protection of the right of another natural person; or
- v) For good reasons of public interest.
- When a data subject has requested restriction of processing and some of the grounds in art.1. above are in place, GOTMAR shall inform the subject before cancellation of restriction of processing.
Right to data portability
8.1. The data subject has the right to receive the personal data that personally concerns him or her and which he or she has presented to GOTMAR, in a structured, widely used and machine-readable format.
8.2. On request, such details may be transferred to another controller specified by the data subject, if technically possible.
8.3. The data subject may exercise the right to data portability in the following cases:
| i) Processing is grounded on the consent of data subject;|
ii) Processing is grounded on contractual obligations;
iii) Processing is automated.
8.4. The right to data portability shall not adversely affect the rights and freedoms of others.
Right to object
- The data subject may object against the processing of his/her personal data by GOTMAR if the data are processed on one of the following grounds:
- i) Processing is necessary for the performance of tasks of public interest or for the exercise of official rights given to the controller;
- ii) Processing is necessary for purposes related to the legal interests of GOTMAR or third parties;
- iii) Data processing includes profiling.
- The controller shall stop processing personal data unless there are sufficient legal grounds for continuation which have priority over the interests, rights and freedoms of the data subject or for the establishment, enforcement or defense of legal claims.
Right to object to personal data use for the purposes of direct marketing
10.1. When personal data are processed for the purposes of direct marketing, the data subject has the right to object any time against personal data processing for such purposes, including against profiling for the purposes of direct marketing.
10.2. If the data subject objects against processing for the purposes of direct marketing, processing of personal data for such purposes shall be stopped.
Right of human intervention in automated decision-making
11.1. In the cases when GOTMAR makes automated individual decisions including or excluding profiling, which decisions result in legal consequences for natural persons or affect them significantly in a similar way, such persons may request review of the decision with human intervention and express their point of view.
11.2. GOTMAR gives natural persons – subject of automated decision-making, significant information about the logic used, the meaning and expected consequences of such processing for the person.
Part 4: Procedure for exercising the rights of data subjects
12.1. Data subjects may exercise their rights pursuant to these Rules by submitting a request for the exercise of the relevant right.
12.2. Requests for the exercise of the rights of data subjects may be submitted as follows:
- i) Electronically to the following email address: firstname.lastname@example.org
- ii) At an office of GOTMAR
- iii) By mail to the address of GOTMAR’s headquarters: Bulgaria, 4190 Saedinenie, 3 Shipka St.
12.3. The request for the exercise of the personal data rights must contain the following information:
- i) Identification of the person – name and Personal ID Number.
- ii) Contact details – address, phone, email
- iii) Request – description of the request
13.1. GOTMAR shall present the information on the activities undertaken in connection with the request for the exercise of the rights of data subjects within one month after receiving the request.
13.2. If necessary, this period may be extended by another two months considering the complexity and number of requests of a person. GOTMAR shall inform the person of any such extension of the period within one month after receiving the request, specifying the reasons for delay.
13.3. GOTMAR is not obliged to comply with a request if it is impossible to identify the data subject.
13.4. GOTMAR may request additional information necessary for confirmation of the data subject’s identity if there are reasonable suspicions for the identity of the natural person submitting a request.
13.5. If the request is submitted electronically, if possible the information shall be provided by electronic means unless the data subject requests otherwise.