The EU General Data Protection Regulation (GDPR) became applicable on 25 May 2018, bringing the most significant changes to the regulatory framework for data protection in two decades. Built on the principles of data protection by design and a risk-based approach, the GDPR was developed to meet the requirements of the digital era: wider use of technology, a broader definition of what constitutes personal data, and an enormous increase in cross-border data processing. The regulation seeks to harmonize the framework for personal data protection and processing across the EU by giving individuals stronger and more coherent rights of access to, and control over, their personal data.
We, Happy EAD, Company ID 103924544, with registered address at 25 Tzar Osvoboditel Blvd., Odesos District, 9000 Varna, Varna Municipality, Varna Province, Bulgaria, are committed to guaranteeing the security and protection of the personal data we process and to adopting a consistent and compliant approach to data protection. We have always maintained a stable and effective data protection policy in compliance with the applicable regulatory framework and the principles of data protection. Nonetheless, we recognize our obligation to update and expand this policy to meet the requirements of the GDPR (Regulation (EU) 2016/679) and the amendments to the Bulgarian Personal Data Protection Act adopted in its context.
HAPPY EAD is committed to developing processes for personal data protection within its area of competence, and is engaged in building data protection mechanisms that are effective, targeted, and demonstrate understanding of and alignment with the GDPR.
This introduction describes our preparation for, and goals in, GDPR compliance. It covers the development and implementation of new roles, policies, procedures, controls and measures for data protection intended to ensure complete and continuous compliance.
HOW IS HAPPY EAD PREPARING FOR GDPR
HAPPY EAD maintains a consistent level of data protection and security across the organization. Our preparation involved:
• IT audit – a full-scale audit of company IT systems to identify and assess the personal data we hold, its origin, the purpose of and legal reason for its processing, and, where it is disclosed, the third parties to whom it is disclosed.
• Policies and procedures – implementation of new data protection policies and procedures to comply with the requirements and standards of the GDPR and the data protection regulatory framework, including:
Personal data protection – our core document setting out the data protection policy and procedures has been revised to comply with the standards and requirements of the GDPR. Measures for reporting and management have been put in place to guarantee that we understand, adequately cover and can substantiate our obligations and responsibilities, with particular attention to the principle of data protection by design and to the rights of individuals.
Data retention and erasure – we have updated our retention policy and schedule to ensure that we observe the principles of data minimization and storage limitation, and that personal data is stored, archived and destroyed consistently and ethically. We have dedicated erasure procedures to meet the obligations arising from the right to erasure, and we know when this and the other data subject rights apply, together with the applicable exemptions, response deadlines and notification duties.
Personal data breaches – our breach procedures guarantee that safeguards are in place and that any personal data breach is identified, assessed, investigated and reported as early as possible. The procedures are robust and have been communicated to all employees; they set out the reporting channels and the steps to follow.
Data transfers and disclosure to third parties – the points at which we store or transmit personal data are covered by reliable procedures and measures for data protection, encryption and integrity.
Data access requests – we have revised our data access procedures to apply the new deadlines for providing the requested data and to ensure that this is done free of charge. The new procedures specify in detail how the identity of the data subject is verified, what steps are taken when processing an access request and what exemptions apply, and provide a set of response templates, so that communications with data subjects are compatible, consistent and adequate.
Legal basis for processing – we review all processes and activities involving personal data to identify the legal basis for each processing operation and to guarantee that each basis is appropriate to the activity it concerns. Where applicable, we also maintain records of our processing activities and ensure that our obligations under Article 30 of the GDPR are met.
• Our Personal Data Protection Policy seeks compliance with the GDPR while guaranteeing that all persons whose personal data we process are informed of why we need their data, of their rights in relation to it, of the third parties with whom it has been shared, and of the measures taken to protect it.
• Obtaining consent – we have revised our procedures for obtaining consent when personal data is collected, to guarantee that people understand what they are providing and why, and how their data is used. We also provide clear and defined ways of obtaining consent for receiving particular information, and describe the basic rights and requests each user may address to us.
• We have strict procedures for recording consent: we can produce evidence of opt-in confirmation for the collection of specific data, together with records of the date and time, and we offer an easy-to-understand, accessible way to withdraw consent at any time.
• We have also revised the definition of and processes for direct marketing, introducing a separate additional consent for direct marketing, clear opt-in mechanisms for marketing subscriptions, and clear notices and means of unsubscribing from subsequent marketing materials and activities.
• Data protection impact assessments – we carry out data protection impact assessments where our processing of personal data is likely to result in a high risk. We have developed strict procedures and templates for impact assessment in full compliance with Article 35 of the GDPR, together with processes for recording each assessment, evaluating the risk arising from the processing activities, and applying mitigation measures to reduce the risk to data subjects.
• Where we need to engage third parties to process personal data on our behalf (for example for payroll, information collection or hosting), we have signed data processing agreements with those processors and introduced checking procedures to ensure that they, as well as we, understand our obligations under the GDPR. These measures include initial and ongoing checks of the services delivered, the necessity of the processing activities, the technical and organizational measures implemented, and GDPR compliance.
• Special categories of personal data – when we receive and process special categories of personal data we do so in compliance with Article 9 of the GDPR. All such data is protected by strong encryption and additional safeguards. Special categories of personal data are processed only when necessary and only where a legal basis exists under Article 9(2) of the GDPR. Where we rely on consent for such processing, it is explicit consent confirmed by signature. The data subject is entitled to change or withdraw his or her consent, and the way to do so is clearly defined.
Rights of personal data subjects
In addition to the above rules and procedures, individuals may exercise their data protection rights by using the request forms available at our registered office or on our website.
All our clients and counterparties may, at any time, request information about:
• What personal data we hold about you;
• The purposes for which your personal data is processed;
• The categories of personal data concerned;
• The third parties to whom your personal data is disclosed;
• How long we plan to retain your personal data;
• Where we did not obtain the data from you directly, the source of the data;
• Your right to rectification or completion of inaccurate or incomplete data, and the procedure for requesting it;
• Your right to request erasure of personal data (where applicable) or restriction of processing in compliance with the data protection framework, as well as your right to object to direct marketing and to receive information about any automated decision-making;
• Your right to lodge a complaint with the competent supervisory authority or to seek judicial remedy.
IT security and technical and organizational measures
HAPPY EAD takes the protection of personal data very seriously and takes all reasonable protective measures to safeguard and secure the personal data we process.
We have adopted robust rules and procedures for information security to protect personal data from unauthorized access, alteration, disclosure or destruction, and we have introduced several layers of measures, including transport-layer encryption (TLS, commonly still referred to as SSL), access control, a password policy, encryption, pseudonymization, operational practices and restrictions, IT certification and other controls.
Teodora Popova, CEO