Rules for the exercise of rights by the personal data subjects
These rules (the “Rules”) specify the order and procedure for natural persons whose personal data are processed by MEXON OOD (Ltd), (hereinafter “MEXON”, “We”, the “Company”) to exercise their rights under the personal data protection law.
Part 1. General Provisions
- MEXON shall process and protect the personal data it collects in the course of its normal business operations fairly and lawfully and for the purposes such data were collected.
- The employees processing personal data for the purpose of manufacture and sale of the products made by the Company and for the purpose of customer service, as well as the employees whose duties include the processing of personal data relating to MEXON’s human resources and counteragents, shall adhere to the following principles while processing such data:
- Personal data shall be processed lawfully and fairly;
- Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are collected and processed in the course of human resources management;
- Personal data shall be accurate and, where necessary, kept up to date;
- Personal data shall be erased or rectified when it is established that they are inaccurate with regard to the purposes for which they are processed;
- Personal data shall kept in a form which permits identification of the concerned natural person for no longer than is necessary for the purposes for which the personal data are collected and processed.
- The employees processing personal data shall attend initial and regular trainings for data confidentiality and shall get acquainted with applicable law.
Part 2. Definitions
The terms listed below shall have the following meaning:
“Personal data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Applicable law” means the European Union legislation and the Bulgarian laws that are relevant to the personal data protection (the Personal Data Protection Act, etc.);
“Data subject” means an identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Regulation (ЕU) 2016/679” means Regulation (ЕU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) as published in the Official Journal of the European Union on 4 May 2016.
Part 3. Rights of the data subjects
The data subjects shall have the following rights with respect to their personal data:
- Right of access;
- Right to rectification;
- Right to data portability;
- Right to erasure (“right to be forgotten”);
- Right to restriction of processing;
- Right to object to the processing of personal data;
- Right of the data subject not to be subject to a decision based solely on automated processing, whether or not it includes profiling.
- Right of access
- Upon request, MEXON shall provide to the data subject the following information:
- whether or not MEXON is processing that subject’s personal data;
- copy of the subject’s personal data which are processed by MEXON, and
- confirmation of the data undergoing processing.
- The confirmation given under Art. 3.1.1.3 should include the following information about the personal data processed by MEXON:
- the purpose of processing;
- the categories of personal data concerned;
- the recipients and the categories of recipient to whom the personal data have been or will be disclosed, in particular the recipients in third countriesor international organizations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including or not profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
- where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
- The confirmation of data being processed should contain the same information which MEXON shall provide to data subjects by means of confidentiality notice.
- Upon the data subject’s request MEXON shall provide a copy of the personal data undergoing processing.
- When providing a copy of the personal data, MEXON will not disclose the following categories of data:
- the personal data of third parties unless they have given explicit consent to do so;
- data which are considered trade secret, intellectual property or confidential information;
- other data protected under applicable law.
- The right of access by the data subject shall not adversely affect the rights and freedoms of others or hinder the fulfillment of MEXON’s legal obligations.
- Right to rectification
3.2.1. Data subject may request the rectification of their personal data which are processed by MEXON, and to have any inaccurate or incomplete personal data made accurate or complete.
3.2.2. If the request for rectification of personal data is approved, MEXON shall inform the other recipients to whom such data have been disclosed (for instance, State authorities, service providers) to enable them to note such rectification in their records too.
- Right to erasure (“right to be forgotten”)
- Upon request, MEXON shall erase the personal data if any one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the data subject objects to the processing of personal data for the purpose of direct marketing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation to which MEXON is subject.
- MEXON shall not be obliged to erase personal data to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation of MEXON;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 (2) as well as Article 9 (3) of Regulation (ЕU) 2016/679;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with article 89 (1) of Regulation (ЕU) 2016/679, in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defense of legal claims.
- Right to restriction of processing
- The data subject shall have the right to obtain restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, the restriction of processing shall apply for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- MEXON no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
- the data subject has objected to processing on the grounds of the legitimate interest of MEXON pending the verification whether the legitimate grounds of the controller override those of the data subject.
- MEXON shall have the right to process personal data whose processing has been restricted only for the following purposes:
- for data storage;
- with the data subject’s consent;
- for the establishment, exercise or defense of legal claims;
- for the protection of the rights of another natural person; or
- for reasons of important public interest.
- When a data subject has obtained restriction of processing for any of the purposes mentioned in Art.3.4.1 above, MEXON shall informed the data subject before the restriction of processing is lifted.
- Right to data portability
- The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to MEXON, in a structured, commonly used and machine-readable format.
- Upon request, the personal data may be transmitted to another controller as specified by the data subject, wheretechnically feasible.
- The data subject may exercise the right to data portability, where:
- the processing is based on the data subject’s consent;
- the processing is based on a contract;
- the processing is carried out by automated means.
- The right to data portability shall not adversely affect the rights and freedoms of others.
- Right to object
- The data subject shall have the right to object at any time to the processing of personal data concerning him or her by MEXON, on any of the following grounds:
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by MEXON or by a third party;
- processing includes profiling.
- MEXON shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
- Right to object to processing of personal data for direct marketing purposes
- Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
- Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
- Right to human intervention in the automated decision-making
- At this stage MEXON does not perform any automated decision-making.
- If MEXON is to make any automated individual decisions at any time in the future, regardless of whether or not such decisions were made using profiling, where such decisions may give rise to legal consequences to natural persons or considerably affect them similarly, such persons shall have the right to request to contest the decision by human intervention and to express his or her point of view.
- MEXON shall provide to the natural persons who are subjected to automated decision-making meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Part 4. Order and procedure for exercising rights by data subjects
- Data subjects may exercise the above rights by lodging a request for exercising a right.
- Data subjects may use any of the following means to lodge their requests for exercising a right:
- On-line, to the following e-mail address; dataprivacy@mexon.bg;
- In any one of MEXON offices;
- By mail – addressed to MEXON head office: Bulgaria, Plovdiv County, Plovdiv Municipality, Plovdiv Town 4003, Severen District, 266 Vasil Levski St.
- The request for exercise of rights relating to the safeguarding of personal data, should include the following information:
- Person’s identification – name and personal ID number (if applicable);
- Contact data – address, telephone number, e-mail;
- Request – describe what is requested.
- MEXON shall come back to the data subject with information about the actions taken with respect to the request for exercise of rights within one month as of receipt of the request.
- That period may be extended by two months where necessary, taking into account the complexity and number of the requests lodged by the data subject, and MEXON shall inform the concerned data subject of any such extension within one month as of receipt of the request, together with the reasons for the delay.
- MEXON will not be required to review a request if it is not in a position to identify the data subject.
- Where MEXON has reasonable doubts concerning the identity of the natural person making the request, MEXON the controller may request the provision of additional information necessary to confirm the identity of the data subject.
- Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, MEXON may either charge a reasonable fee taking into account the administrative costs of providing the information or refuse to act on the request. MEXON shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
- Request by data subjects for the exercise of rights, which have already been fully satisfied or requests, which greatly copy already satisfied requests, regardless of the periods or time intervals that passed from one request to the next one, will be considered excessive unless there occurred a change in the data or in the other parameters of processing after the first request has been satisfied. For example, where a request has been satisfied and another request for the exercise of the same right is lodged and no new information has been filed in between them and no additional data about the subject are being processed, then such a request will be considered excessive because of its repetitive character. In such cases MEXON may refuse to act on the request or may charge a reasonable fee taking into account the administrative costs of providing the information.
- Where access to personal data has been refused, MEXON must specify the reasons for such refusal and shall inform the data subject about his/her right to lodge a complaint with the Personal Data Protection Committee.
- Where the request has been lodged by electronic means, whenever possible the information should also be provided by electronic means unless the data subject requested otherwise.
These Rules shall take effect on 23.05.2018.