I. Introduction

1. General regulation on personal data protection

Regulation (EU) 2016/679 (General Data Protection Regulation) replaces Directive 95/46 / EC on data protection. It has direct effect and implies an amendment to the legislation of the member states in the field of personal data protection. Its purpose is to protect the “rights and freedoms” of individuals and to ensure that personal data are not processed without their knowledge and, where possible, that they are processed with their consent.

2. Scope outlined by the General Data Protection Regulation

Substantive scope (Article 2) – this Regulation applies to the processing of personal data in whole or in part by automatic means, as well as to the processing by other means of personal data (eg manual and paper) that are part of a personal data register or which are intended to form part of a register of personal data.

Territorial scope (Article 3) – the rules of the General Regulation will apply to all data controllers established in the EU who process personal data of individuals in the context of their activities. It will also apply to non-EU controllers who process personal data for the purpose of offering goods and services or if they monitor the behavior of data subjects residing in the EU.

3. Concepts

“Personal data” – any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is an identifiable person, directly or indirectly, in particular by an identifier such as name, identification number, location data, online identifier or one or more features specific to the natural, the physiological, genetic, mental, intellectual, economic, cultural or social identity of that individual;

“Special categories of personal data” – personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data for the unique identification of an individual, health data or data on the sexual life of an individual or sexual orientation.

“Processing” means any operation or set of operations carried out with personal data or a set of personal data by automatic or other means such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing by transmission , disseminating or otherwise making the data accessible, arranging or combining, restricting, deleting or destroying it;

“Administrator” – any natural or legal person, public authority, agency or other entity that alone or jointly with others determines the purposes and means for the processing of personal data; where the purposes and means of such processing are determined by EU law or the law of a Member State, the controller or the specific criteria for determining it may be laid down in Union law or in the law of a Member State;

“Data subject” – any living natural person who is the subject of personal data stored by the Administrator.

“Consent of the data subject” – any freely expressed, specific, informed and unambiguous indication of the will of the data subject, by means of a statement or clearly confirming action expressing his consent to the processing of personal data relating to him;

“Child” – The General Regulation defines a child as anyone under the age of 16, although this may be reduced to 13 by the law of the Member State. The processing of a child’s personal data is lawful only if a parent or guardian has given consent. The administrator shall make reasonable efforts to verify in such cases that the holder of parental responsibility for the child has given or is authorized to give his or her consent.

“Profiling” means any form of automated processing of personal data, in the form of the use of personal data for the assessment of certain personal aspects relating to an individual, and in particular for the analysis or forecasting of aspects relating to the performance of professional duties. of that individual, his economic condition, health, personal preferences, interests, reliability, behavior, location or movement;

“Violation of the security of personal data” – a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data that is transmitted, stored or otherwise processed;

“Main place of establishment” – the seat of the controller in the EU will be the place where he takes the main decisions on the purpose and means of his data processing activities. With regard to the processor, his main place of establishment in the EU will be his administrative center.

If the administrator is based outside the EU, he must appoint a representative in the jurisdiction in which the administrator works to act on behalf of the administrator and to deal with supervisors. (Article 4 item 16) of the ORD

“Recipient” – a natural or legal person, public authority, agency or other entity to which personal data are disclosed, whether a third party or not. At the same time, public authorities which may receive personal data in the context of a specific investigation in accordance with Union law or the law of a Member State shall not be considered as “recipients”; the processing of such data by those public authorities complies with the applicable data protection rules in accordance with the purposes of the processing;

“Third party” means any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and persons who, under the direct supervision of the controller or the processor, have the right to process personal data. ;

II. Declaration on personal data protection policy

1. The management of ADD-BULGARIA Ltd. undertakes to ensure compliance with the legislation of the EU and the Member States regarding the processing of personal data and the protection of the “rights and freedoms” of the persons whose personal data ADD-BULGARIA Ltd. collects and processes. under the General Data Protection Regulation (Regulation (EU) 2016/679).

2. In accordance with the General Regulation, other relevant documents as well as related processes and procedures are described in this policy.

3. Regulation (EU) 2016/679 and this policy apply to all personal data processing functions, including those performed on personal data of customers, employees, suppliers and partners, and any other personal data that the organization processes from various sources.

4. The Data Protection Officer shall be responsible for reviewing the “Register of Processing Activities” annually in the light of any changes in the activities of ADD-BULGARIA OOD, as well as any additional requirements, data protection impact assessments. This register must be available at the request of the supervisory authority.

5. This policy applies to all employees / workers (and stakeholders) of ADD-BULGARIA Ltd. as external suppliers. Any breach of the General Regulation will be considered a breach of labor discipline, and if there is a suspicion of a crime, the matter will be referred to the relevant public authorities as soon as possible.

6. Partners and third parties who work with or for ADD-BULGARIA Ltd., as well as who have or can have access to personal data, will be expected to get acquainted, understand and comply with this policy. No third party may access personal data stored by ADD-BULGARIA OOD without first concluding a data confidentiality agreement, which imposes on the third party obligations no less burdensome than those imposed by ADD-BULGARIA OOD. has undertaken, and which gives the right to ADD-BULGARIA Ltd. to carry out inspections of compliance with the obligations imposed by the agreement.

III. Obligations and roles under Regulation (EU) 2016/679

1. ADD-BULGARIA Ltd. is a data administrator and data processor according to Regulation (EU) 2016/679.

2. The top management and all members of the management or supervisory bodies of ADD-BULGARIA OOD are responsible for developing and promoting good practices in the field of information processing in ADD-BULGARIA OOD;

3. The data protection officer, with a role defined in Regulation (EU) 2016/679, must report to the Manager of ADD-BULGARIA OOD for the management of personal data within the organization and for ensuring the possibility of proving compliance with data protection legislation and good practices.

This CPD reporting includes:

· Developing and implementing the requirements of REGULATION (EU) 2016/679 as required by this policy;

· Security and risk management in relation to policy compliance.

4. The Data Protection Officer, which the Board of Directors considers appropriate, qualified and experienced, is appointed to assume responsibility for the compliance of ADD-BULGARIA OOD with this policy on a daily basis. The CPD is directly responsible for ensuring that, as a whole, the organization of ADD-BULGARIA Ltd. and the activities of each member of the management staff, which is carried out within its area of responsibility, comply with the requirements of Regulation (EU) 2016/679 .

5. The CPD has specific responsibilities with regard to procedures such as the “Subject Request Management Procedure” (GDPR_PROC_02) and is a contact point for the controller’s staff who request clarifications on any aspect of data protection compliance.

Compliance with data protection legislation is the responsibility of all employees of ADD-BULGARIA Ltd. who process personal data.

7. The training policy of ADD-BULGARIA OOD (Training policy (GDPR_POL_02)) determines the specific requirements for training and information in connection with the specific roles of the employees of ADD-BULGARIA OOD.

IV. Principles of data protection

All processing of personal data must be carried out in accordance with the principles of data protection set out in Article 5 of Regulation (EU) 2016/679. The policies and procedures of ADD-BULGARIA Ltd. aim to ensure compliance with these principles.

1. Personal data must be processed lawfully, in good faith and transparently

Legitimate – to identify a legal basis before it can process personal data. They are often referred to as “grounds for processing”, such as “consent”.

In good faith – in order for the processing to be in good faith, the data controller must provide certain information to the data subjects as far as practicable. This applies regardless of whether the personal data are obtained directly from the data subjects or from other sources.

Regulation (EU) 2016/679 increases the requirements for what information should be available to data subjects that is covered by the “transparency” requirement.

Transparent – The General Regulation includes rules on the provision of confidential information to data subjects in Articles 12, 13 and 14 of the DPA. They are detailed and specific, emphasizing that privacy notices are understandable and accessible. The information must be communicated to the data subject in an intelligible form, using clear and comprehensible language.

The rules for notifying the data subject of ADD-BULGARIA Ltd. are defined in the Procedure for transparency in the processing of personal data (GDPR_PROC_02) and the notification is recorded in a Sample Privacy Statement (notification for confidential treatment of personal data) (GDPR_FORM_01).

The specific information to be provided to the data subject must include at least:

· Data that identify the administrator and the contact details of the administrator and, if any, of the administrator’s representative;

· The contacts of the CPD;

· The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

· The period for which the personal data will be stored;

· The existence of the following rights – to request access to the data, correction, deletion (“right to be forgotten”), restriction of processing, as well as the right to object to the conditions (or lack thereof) in connection with the exercise of these rights;

· The categories of personal data;

· The recipients or categories of recipients of personal data, where applicable;

· Where applicable, whether the controller intends to transfer personal data to a recipient in a third country and the level of data protection;

· Any additional information necessary to ensure fair processing.

2. Personal data may only be collected for specific, explicit and legitimate purposes

The data obtained for specific purposes must not be used for a purpose that differs from those officially announced to the supervisory authority as part of the Register of Data Processing Activities (Article 30 of the Law on Data Processing) of ADD-BULGARIA OOD. A procedure for transparency in the processing of personal data (GDPR_PROC_02) sets out the relevant rules.

3. Personal data must be adequate, relevant, limited to what is necessary to process them for that purpose. (principle of minimum necessary)

· The Data Protection Officer is responsible for ensuring that ADD-BULGARIA Ltd. does not collect information that is not strictly necessary for the purpose for which it was obtained.

· All data collection forms (electronic or paper), including data collection requirements in new information systems, must include a bona fide declaration or a link Privacy Statement (Privacy Notice) (GDPR_FORM_01) and be approved by the CPD.

· The Data Protection Officer will ensure that, on an (annual) basis, all data collection methods are reviewed by an internal audit to ensure that the data collected continue to be adequate, relevant and not excessive. the impact on data protection (GDPR_PROC_09).

4. Personal data must be accurate and up-to-date at all times, and the necessary efforts must be made to enable immediate (within the scope of possible technical solutions) deletion or rectification.

The data stored by the data controller should be reviewed and updated as necessary. Data should not be stored in cases where it is likely to be inaccurate.

· The Data Protection Officer is responsible for ensuring that all staff are trained in the importance of collecting and maintaining accurate data.

· Also, it is the obligation of the data subject to declare that the data they transmit for storage by ADD-BULGARIA Ltd. are accurate and up-to-date. The completion of a form by the data subject intended for the controller will include a statement that the data contained therein are accurate as of the date of submission.

· Employees / employees must be required to notify ADD-BULGARIA Ltd. of any changes in circumstances so that personal data records can be updated. It is the responsibility of ADD-BULGARIA Ltd. to ensure that any notification of a change in circumstances is recorded and action is taken.

· The data protection officer is responsible for ensuring that appropriate procedures and policies are in place to maintain the accuracy and timeliness of personal data, taking into account the volume of data collected, the speed at which it may change, and other relevant factors.

· At least on an annual basis, the Data Protection Officer will review the retention periods of all personal data processed by ADD-BULGARIA OOD, referring to the data inventory and will identify all data that are no longer required in the context of the registered purpose. This data will be reliably destroyed in accordance with the procedures and rules of the administrator.

· The Data Protection Officer is responsible for compliance with data correction requests within one month (Subject Request Management Procedure (GDPR_PROC_03)), which can be extended by another two months for complex requests. BULGARIA Ltd. decided not to comply with the request. The Data Protection Officer must respond to the data subject to explain his / her reasons and inform him / her of his / her right to file a complaint with the supervisory authority and to seek legal protection.

· The data protection officer is responsible for taking appropriate measures, in cases where third party organizations have inaccurate or outdated personal data, to inform them that the information is inaccurate or outdated and not to be used to make decisions about individuals, to inform the relevant parties; and forward any correction of personal data to third parties where necessary.

5. Personal data must be stored in such a form that the data subject can only be identified for as long as is necessary for the processing.

· When personal data is retained after the date of processing, it will be stored in an appropriate manner (minimized, encrypted, pseudonymized) to protect the identity of the data subject in the event of a data breach.

· Personal data will be stored in accordance with the Procedure for storage and destruction of data (GDPR_PROC_07) and after their storage period has expired, they must be securely destroyed in accordance with the procedure specified in this procedure.

· The Data Protection Officer must specifically approve any retention of data that exceeds the retention period defined in the Data Retention and Destruction Procedure (GDPR_PROC_07) and must ensure that the justification is clearly defined and complies with the requirements of data protection legislation. This approval must be in writing.

6. Personal data must be processed in a way that ensures adequate security (Article 24, Article 32 of the ORD)

The Data Protection Officer will perform an impact assessment (risk assessment), taking into account all the circumstances related to the operations of data management or processing by ADD-BULGARIA OOD.

In determining whether the processing is appropriate, the Data Protection Officer should also consider the extent of any harm or loss that may be caused to individuals (eg staff or customers) if a security breach occurs, and any probable damage to the reputation of the administrator, including a possible loss of customer confidence.

In assessing appropriate technical measures, the Data Protection Officer will consider the following:

· Password protection;

· Automatic locking of inactive workstations in the network;

· Remove access rights for USB and other removable storage media;

· Antivirus software and firewalls;

· Access rights based on roles, including those of temporary staff

· The protection of devices that leave the premises of the organization, such as laptops or others;

Security of local and wide area networks;

· Privacy enhancement technologies, such as pseudonymization and anonymization;

· Identification of appropriate international security standards suitable for ADD-BULGARIA LTD.

In assessing the appropriate organizational measures, the Data Protection Officer will take into account the following:

· The levels of appropriate training in ADD-BULGARIA OOD;

· Measures that take into account the reliability of employees (eg attestation assessments, recommendations, etc.);

· The inclusion of data protection in employment contracts;

· Identification of disciplinary measures for violations with regard to data processing;

· Regular inspection of staff for compliance with relevant security standards;

· Control of physical access to electronic and paper-based records;

· Adopting a “clean workplace” policy;

· Storage of database paper in lockable wall cabinets;

· Restricting the use of portable electronic devices outside the workplace;

· Restricting the use of personal devices by employees in the workplace;

· Adopting clear rules for creating and using passwords;

· Regular backup of personal data and physical storage of media with copies outside the office;

· Imposing contractual obligations on counterparty organizations to take appropriate security measures when transferring data outside the EU.

These controls are selected on the basis of the identified risks to personal data, as well as the potential for harm, to the data subjects.

7. Observance of the principle of accountability

Regulation (EU) 2016/679 includes provisions that promote accountability and manageability and complement transparency requirements. The principle of accountability in Art. 5, para. 2 requires the administrator to prove that he observes the other principles in the ORD and explicitly states that this is his responsibility.

ADD-BULGARIA Ltd. will prove compliance with the principles of data protection by implementing data protection policies by joining codes of conduct, implementing appropriate technical and organizational measures, as well as by adopting data protection techniques at the stage of the design and protection of default data, personal data protection impact assessment, personal data breach notification procedure, etc.

V. Rights of data subjects

1. Data subjects shall have the following rights with regard to the processing of data as well as the data recorded for them:

· Make requests to confirm whether personal data related to him are being processed and, if so, to have access to the data as well as information on the recipients of this data.

· To request a copy of his personal data from the administrator;

· To ask the administrator to correct personal data when they are inaccurate and when they are no longer up to date;

· To request from the administrator deletion of personal data (right “to be forgotten”);

· To ask the administrator to limit the processing of personal data, in which case the data will only be stored, but not processed .;

· To object to the processing of his personal data;

· To object to the processing of personal data concerning him for the purposes of direct marketing.

· To file a complaint to a supervisory body if it considers that any of the provisions of the ORD is violated;

· To request and be provided with personal data in a structured, widely used and machine-readable format;

· To withdraw his consent for the processing of personal data at any time with a separate request addressed to the administrator;

· Not to be subject to automated decisions that affect it significantly, without the possibility of human intervention;

· To oppose automated profiling, which happens without his consent;

2. ADD-BULGARIA Ltd. provides conditions to ensure the exercise of these rights by the data subject:

· Data subjects may make requests for access to data as described in the procedure for the Procedure for managing data subjects (GDPR_PROC_03); this procedure also describes how ADD-BULGARIA Ltd. will ensure that the response to the data subject’s request meets the requirements of the General Regulation.

· Data subjects have the right to submit complaints to ADD-BULGARIA OOD, related to the processing of their personal data, the processing of a request by the data subject and an appeal by the data subject regarding the manner of processing the complaints in accordance with the Procedure for the means of communication in case of complaints and requests from the data subject (GDPR_PROC_04).

VI. Consent

1. “Consent” ADD-BULGARIA Ltd. will mean any freely expressed, specific, informed and unambiguous indication of the will of the data subject, through a statement or clearly confirming action, which expresses his consent to the personal data related to him to be processed. The data subject may withdraw his consent at any time.

2. ADD-BULGARIA Ltd. means by “consent” only the cases in which the data subject has been fully informed about the planned processing and has expressed his / her consent without any pressure being exerted on him / her. Consent obtained under duress or on the basis of misleading information will not be a valid basis for the processing of personal data.

3. Consent cannot be inferred from the absence of a response to a communication from the data subject. There must be active communication between the administrator and the subject in order for there to be consent. The controller must be able to prove that consent has been obtained – through a confidentiality notice, which must be explicitly accepted by the data subject, for the processing activities.

4. For special categories of data, explicit written consent must be obtained. Procedure for obtaining consent for the processing of personal data (GDPR_PROC_06) of data subjects, unless there is an alternative legal basis for processing.

5. In most cases the consent for processing of personal and special categories of data is obtained routinely from ADD-BULGARIA OOD, using standard documents for consent during the recruitment of new staff, etc ..

6. When ADD-BULGARIA Ltd. processes personal data of children, permission must be obtained from those exercising parental rights (parents, guardians, etc.). This requirement applies to children under the age of 16 (unless the Member State has provided for a lower age limit, which cannot be lower than 13 years).

VII. Data security

1. All employees are responsible for ensuring the security of data storage for which they are responsible and which ADD-BULGARIA Ltd. holds, as well as that the data is stored securely and not disclosed under any circumstances to third parties. , unless ADD-BULGARIA Ltd. has not granted such rights to this third party by concluding a contract / confidentiality clause.

2. All personal data must be accessible only to those who need them, and access may be granted only in accordance with established rules for access control. All personal data must be treated with the utmost security and must be stored:

· In a private room with controlled access; in a locked cabinet or in a file cabinet;

· Password protected in accordance with the internal requirements specified in the organizational and technical measures for controlling access to information;

· Stored on portable computer media, which are protected in accordance with the organizational and technical measures for controlling access to information – encrypted.

3. To create an organization to ensure that computer screens and terminals cannot be viewed by anyone other than the authorized employees of ADD-BULGARIA Ltd. All employees are required to be trained and to accept the relevant contractual clauses / declaration of compliance with the organizational and technical measures for access, as well as the rules for locking workstations, before being granted access to information of any kind.

4. Records on paper shall not be left where they can be accessed by unauthorized persons and may not be removed from the designated office premises without express permission. As soon as the paper documents are no longer needed for the ongoing customer support work, they must be destroyed in accordance with an established procedure / rules and appropriate protocol.

5. Personal data may only be deleted or destroyed in accordance with the Data Retention and Destruction Procedure (GDPR_PROC_07). Paper records that have reached the date of storage must be cut and disposed of as “confidential waste”. The data on the hard disks of the redundant personal computers must be deleted or the disks destroyed according to the established rules / procedures.

6. The processing of personal data “outside the office” poses a potentially higher risk of loss, theft or breach of personal data. Staff must be specifically authorized to process data outside the administrator’s premises.

VIII. Data disclosure

1. ADD-BULGARIA Ltd. must provide conditions under which personal data are not disclosed to unauthorized third parties, which includes family members, friends, government agencies, even investigators, if there is reasonable doubt that they are not required in the prescribed manner . All employees must be careful when asked to disclose stored personal data of another third party. It is important to consider whether or not the disclosure is related to the needs of the organization’s business.

Employees need to undergo special training and periodic briefings in order to avoid the risk of such a violation.

2. All requests from third parties for the provision of data must be supported by appropriate documentation and all such disclosures must be specifically authorized by the Data Protection Officer.

IX. Data storage and destruction

1. ADD-BULGARIA Ltd. does not store personal data in a form that allows the identification of subjects for a longer period than necessary, in relation to the purposes for which the data were collected.

2. ADD-BULGARIA Ltd. may store data for longer periods only if the personal data will be processed for archiving purposes, for purposes of public interest, scientific or historical research and for statistical purposes, and only in the performance of appropriate technical and organizational measures to guarantee the rights and freedoms of the data subject.

3 The retention period for each category of personal data will be set out in the Data Retention and Destruction Procedure (GDPR_PROC_07) as well as the criteria used to determine this period, including any legal obligations, ADD-BULGARIA Ltd. to retain the data.

4. Procedure for storage and destruction of data (GDPR_PROC_07), as well as the rules for destruction of information on unused recording media in ADD-BULGARIA Ltd. will be applied in all cases.

5. Personal data must be securely destroyed in accordance with the principle of ensuring an appropriate level of security (Article 5 (1) (f) of the General Regulation) – including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. , applying appropriate technical or organizational measures (“integrity and confidentiality”);

X. Data transfer

1. Any export of data from within the EU to non-EU countries (referred to in the General Regulation as “third countries”) is illegal, unless there is an appropriate level of protection of the fundamental rights of data subjects.

The transfer of personal data outside the EU is prohibited unless one or more of the following guarantees or exceptions apply:

2. Adequacy decision

The European Commission may assess third countries, territory and / or specific sectors in third countries to assess whether there is an appropriate level of protection of the rights and freedoms of individuals. No permission is required in these cases.

Countries that are members of the European Economic Area (EEA) but not the EU are considered eligible for an adequacy decision.

3. EU-U.S. Privacy Shield

If the Organization wishes to transfer personal data from the EU to a third country in the United States, it must verify that the organization has signed the Privacy Shield Framework Agreement with the US Department of Commerce.

The US Department of Commerce is responsible for managing and administering the Privacy Shield and ensuring that companies meet their commitments. In order to be certified by the ministry, companies must have a personal data protection policy in accordance with the principles of the ORD, e.g. use, store and transfer personal data in accordance with a set of strict data protection rules and safeguards.

4. Mandatory company rules

ADD-BULGARIA Ltd. may adopt approved mandatory corporate rules for data transfer outside the EU. This requires their submission to the relevant supervisory authority for approval.

5. Standard contractual clauses

ADD-BULGARIA Ltd. may accept approved standard contractual clauses for data protection when transferring data outside the European Economic Area. If ADD-BULGARIA Ltd. accepts standard contractual clauses approved by the relevant supervisory authority, there is an automatic recognition of adequacy.

6. Exceptions

In the absence of an adequacy decision, membership in the US Privacy Shield, mandatory company rules and / or contractual terms, the transfer of personal data to a third country or international organization is subject to only one of the following conditions:

· The data subject has explicitly agreed to the proposed transfer after being informed of the possible risks of such transfers;

· The transfer is necessary for the performance of a contract between the data subject and the controller or for the performance of pre-contractual measures taken at the request of the data subject;

· The transfer is necessary for the conclusion or execution of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

· The transfer is necessary for important reasons of public interest;

· The transfer is necessary for the establishment, exercise or defense of legal claims;

· The transfer is necessary in order to protect the vital interests of the data subject or of other persons where the data subject is physically or legally incapable of giving his or her consent;

· The transmission is made by a register which, under EU or Member State law, is intended to provide information to the public and is available for consultation by the general public or by any person who can demonstrate a legitimate interest in doing so, but only in so far as the conditions of reference laid down in European Union law or in the law of the Member States are fulfilled in the present case.

XI. Data processing register (data inventory)

.1. ADD-BULGARIA Ltd. has created a data inventory process as part of its approach to address the risks and opportunities in the process of complying with the policy of compliance with Regulation (EU) 2016/679. During the inventory of the data in ADD-BULGARIA OOD and in the working flow of data the following are established:

· Business processes that use personal data;

· Sources of personal data;

· The number of data subjects;

· Description of the categories of personal data and the elements of each category;

· Processing activities;

· The purposes of the processing for which the personal data are intended;

· The legal basis for the processing;

· The recipients or categories of recipients of personal data;

· The main systems and storage places;

· All personal data that are subject to transfers outside the EU;

· The terms for storage and deletion.

2. ADD-BULGARIA Ltd. is aware of the risks associated with the processing of certain types of personal data.

3. ADD-BULGARIA Ltd. assesses the level of risk for persons involved in the processing of their personal data. Data protection impact assessments are performed in connection with the processing of personal data by ADD-BULGARIA OOD and in connection with the processing undertaken by other organizations on behalf of ADD-BULGARIA OOD (Procedure for assessment of the impact on data protection) GDPR_PROC_09)

4. ADD-BULGARIA Ltd. manages all risks identified by the impact assessment in order to reduce the likelihood of non-compliance with these rules.

When the type of processing may lead to a high risk for the rights and freedoms of individuals, in particular through the use of new technologies and taking into account the nature, scope, context and purposes of the processing, before processing ADD-BULGARIA Ltd. should to assess the impact of the envisaged processing operations on the protection of personal data. An overall impact assessment may consider a set of similar processing operations that pose similar high risks.

5. When, as a result of the Impact Assessment, it is clear that ADD-BULGARIA Ltd. will start processing personal data that due to high risk could cause harm to data subjects, the decision whether to continue processing or not must be submitted. for review by the Data Protection Officer.

6. If the CPD has serious concerns about the potential harm or danger, or about the amount of relevant data, it should escalate the matter to the supervisory authority.

7. The data protection officer shall make a periodic (annual) review of the initially inventoried data, review the information entered in the “Register of processing activities” in the light of any changes in the activities of ADD-BULGARIA OOD.