We are a Bulgaria‐based service provider of accounting, tax advisory, tax compliance and payroll services. To perform our services, we receive personal data from our clients. In this case we act as a controller in the sense of the General Data Protection Regulation (GDPR) on the base of a written agreement for data processing with our clients. We may collect, use, store and transfer personal data about our employees and partners and in this case we act as a data administrator.
THE DATA WE COLLECT:
- Identity Data (names);
- Contact Data (E‐mail, address, telephone numbers etc.)
- Financial information (salaries, taxes, social security contributions, bank accounts etc.);
- Professional Data (education, trainings, professional qualifications and similar);
- Special categories personal data – health data (data that is only required for the calculation of statutory payroll contributions and taxes under the Bulgarian law).
HOW WE COLLECT PERSONAL DATA:
- We receive personal data from our clients on the base of a written agreement for provision of accounting, tax advisory, tax compliance or payroll services;
- We receive personal data directly from our employees and partners.
HOW WE USE PERSONAL DATA:
- We use personal data to perform a contract with our clients;
- We use personal data to perform a contract with our employees and partners;
- We use personal data necessary for our legitimate interests;
- We use personal data when we have to comply with legal obligations.
- We do not rely on consent as a legal basis of processing.
- When we act as a data controller and receive personal data from our clients, we disclose it in accordance with the specific instructions received by the respective client. Usually, we provide personal data to the relevant state authorities under the Bulgarian law, such as the tax authority, labour authorities, national social insurance institute and other similar.
- When we act as a data administrator, we disclose personal data to third parties only when this is required by law.
- We do not use sub‐contractors and we do not make international transfers of personal data of our employees and partners.
- We may make international transfers of personal data of our clients only when we are authorities to do so in writing.
We are certified to ISO 27001 (Information security) and our compliance certificate can be reviewed on https://www.chronika.com/. We have put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. The access to personal data is limited to those employees who are assigned to specific tasks and authorized to have such access. If you think that any part of our process is not secure please email us at email@example.com.
- We retain personal data within the periods, required by the Bulgarian law for the purposes of accounting, payroll and other compliance obligations.
- We retain personal data of our clients in accordance with the instructions we receive and we retain it no longer than the end of the contract with the respective client.
YOUR RIGHTS UNDER THE GDPR:
You have the following rights under the GDPR, in certain circumstances and subject to certain exclusions, in relation to your personal data:
- Right to access ‐ you have the right to request a copy of the personal data that we hold about you, together with other information about our processing of that personal data.
- Right to rectification‐ you have the right to request that any inaccurate data that is held about you is corrected, or if we have incomplete information you may request that we update the information such that it is complete.
- Right to erasure ‐ you have the right to request us to delete personal data that we hold about you. This is sometimes referred to as the right to be forgotten.
- Right to restrict or object to processing ‐ you have the right to request that we no longer process your personal data for particular purposes, or to object to our processing of your personal data for particular purposes.
- Right to data portability ‐ you have the right to request us to provide you, or a third party, with a copy of your personal data in a structured, commonly used machine readable format.
- Right to withdraw consent ‐ if we are processing personal data based on your consent, you may withdraw that consent at any time.
COMPLAINTS ABOUT PRIVACY:
If you have any complaints about our privacy practices, please feel free to send in details of your complaints to firstname.lastname@example.org. We take complaints very seriously and will respond shortly after receiving written notice of your complaint.
You also have the right to complain to the data protection authority, the Commission for data Protection, email@example.com, Web‐site: www.cpdp.bg, Registry fax: +3592/91‐53‐525
The policy is updated on:
20 December 2019