Impact Drive Foundation Privacy Policy
1. General
The confidentiality of personal data of third parties received in the course of the activities of the Impact Drive Foundation is ensured in accordance with EU Regulation 679/2016 and LPPD.
Ensuring the confidentiality of our users' data is important to the foundation. Our team constantly strives to improve the quality and vision of our website www.impactdrive.eu in order to make it as convenient and useful as possible for our users. At all times, we take care to ensure the secure use of the Foundation's website in order to reliably protect the privacy of users of www.impactdrive.eu, using one of the most modern and developed platforms (wix.com), which provides a high level of data security and full compatibility with EU Regulation 679/2016 and other international standards in this field.
2. Analysis and use of personal data collected and processed by the Impact Drive Foundation
The Foundation collects and processes the following personal data:
- Name, address, e-mail, contact phone
- PIN, data for identity document
- Data revealing racial or ethnic origin, health status, marital status
3. Personal data, collection, use and protection
3.1. Personal data is collected for:
- employment and non-employment contracts
- organization of trainings, courses, research conducted by the foundation
- implementation of projects for which the foundation is a beneficiary or partner
- digital communications
- processing in the accounting system of the foundation, according to the applicable regulations
- providing data to the competent public authorities, in relation to the applicable labor, social, tax legislation
3.2. Personal data shall be provided to public authorities, in accordance with applicable law, certified auditors or other verifying authority, donors, contracting authorities in accordance with contractual obligations.
3.3. Period of storage of personal data. Personal data is stored as follows:
- payrolls, employment contracts, documents included in the employment file - 50 years
- non-employment contracts, bills paid, official notes - at least 5 years after the end of the respective financial year to which they refer, archived, according to the internal rules of the foundation
- contracts with donors, assignors, partners, invoices - up to a minimum of 5 years after the end of the respective financial year in the archives of the foundation. The retention period may be longer in accordance with the contractual obligations and the rules of the programs on the received financing in case the period under the programs of the provided financing is longer than 5 years.
- the documentation related to the application for implementation of public procurements - until the decision of the public body which has organized the procedure for selection of a contractor. In case of appeal - until the end of the respective proceedings
- personal data (e-mail, questionnaires, attendance lists) related to ongoing trainings, courses and other initiatives, if they are not related to the implementation of contracts financed by external sources - up to 1 year after the implementation of the respective initiative, after which they are deleted and destroyed.
3.4. Method of storing personal data
- Payrolls and employment records are stored on electronic and paper media.
- Non-employment contracts and related documents, contracts with contracting authorities, donors, partners and related documents, and data in connection with training and courses are stored on a separate external disk.
- Personal data related to ongoing trainings, projects, etc. (name, e-mail and contact phone) are stored in electronic form on an external disk.
- A copy of the accounting registers is made monthly in a specially organized archive disk space. Every year, after the end of the respective financial year, a copy of the accounting records is made on an external disk.
- Personal data stored on paper are processed by an authorized person and shall be stored in a separate protective cabinet until the expiration of the term under item 3.3.
- All personal data stored on a technical medium are processed and stored by a person authorized by the foundation, who has adequate protection for access to the relevant data.
- After the expiration of the terms under item 3.3, the data on paper and technical media shall be destroyed in an approved manner.
3.5. Security measures
Only a person authorized by the foundation has the right to access the processing of the registers with personal data.
Apart from the authorized persons, the right of access to the registers with personal data, other than those indicated in item 3.2, may be obtained only by the bodies of the criminal proceedings by order, according to the provisions of the Penal Code.
4. Rights of personal data subjects
Individuals whose personal data are processed have the following rights:
- Right to be informed of the data identifying the controller, the purposes of the processing of personal data, the recipients or categories of recipients to whom the data may be disclosed, the mandatory or voluntary nature of the provision of personal data and the consequences of refusing to provide it.
- Right of access to data relating to individuals. In cases when personal data may be disclosed to a third party when granting the right of access to the data subject, the controller shall be obliged to provide partial access to them without disclosing data about the third party.
- Right to correct or supplement inaccurate or incomplete personal data.
- Right to delete personal data, the processing of which does not meet the regulated requirements or has no legal basis (expired storage period, withdrawn consent, fulfilled the original purpose for which the data were collected, etc.), as well as the right to request that third parties to whom the personal data of the person have been disclosed be notified of any deletion, rectification or blocking that has taken place, except where this is not possible or involves excessive effort.
- Right to object to the controller against the processing and / or disclosure of personal data of the subject if there is a legal basis for this. Right to be notified before his personal data are disclosed to third parties if there is a legal basis for this.
- Right to defense before the CPDP https://www.cpdp.bg or in court.
5. Procedure for exercising rights
Individuals exercise their rights by submitting a written application to the Impact Drive Foundation (on paper or by e-mail) containing at least the following information:
- Name, address and other data for identification of the respective natural person;
- Description of the request;
- Preferred form for providing information;
- Signature, date of application and correspondence address.
The entire procedure for exercising the rights of an individual in relation to their personal data is free of charge for the person.
In order to avoid abuses, when submitting an application by an authorized person, a notarized power of attorney shall be attached to the application.
- The term for consideration of the application and ruling of the foundation on it is 14 days, starting from the day of submitting the application, or 30 days when more time is needed for collecting the requested data and in view of the complexity of the request.
- The Foundation shall prepare a written reply and communicate it to the applicant in person - against a signature or by post / courier with a return receipt, taking into account the applicant's preferred form of providing the information.
- When the data subject to the application do not exist or their provision is prohibited by law, the applicant shall be denied access to them.
- In the event that Impact Drive does not respond to the applicant within the prescribed time limits or the applicant is not satisfied with the response received and / or considers that his rights related to personal data protection have been violated, he has the right to exercise his right to protection before the competent authorities.
6. Consequences of refusal to provide personal data
- Explicit consent of individuals whose data are processed is not required if the controller has a legal basis for the processing of personal data. Such grounds are, for example, a statutory obligation in connection with the requirements of labor, tax and social security legislation, the Obligations and Contracts Act, the Accounting Act, the Anti-Money Laundering Measures Act, the Anti-Terrorist Financing Measures Act, etc.
- In case of refusal to voluntarily provide the requested personal data, Impact Drive will not be able to fulfill its statutory or contractual obligations.
For the purposes of this Policy:
Personal data - means any information relating to an identified natural person or a natural person that can be identified directly or indirectly, in particular by an identifier such as a name, an identification number or by one or more specific features.
Processing of personal data - means any operation or set of operations carried out with personal data or a set of personal data by automatic or other means such as collection, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing through transmitting, distributing or otherwise making the data available, arranging or combining, restricting, deleting or destroying it.
Personal data administrator - is the Impact Drive Foundation, which alone or jointly / by assigning another person processes personal data.
Register with personal data - is any structured set of personal data, accessible according to certain criteria, according to the Internal Rules of the Impact Drive Foundation, which can be centralized or decentralized and is distributed on a functional basis.
This Privacy Policy of the Impact Drive Foundation was approved by a decision of the Management Board on 15.05.2018 and enters into force on the same date.