Rules on the privacy of personal data of natural persons using the Recruitment Portal of Tavex EOOD
Last update: 10 March 2020
I. GENERAL PROVISIONS.
(1) These Rules on the privacy of personal data of natural persons using the Recruitment Portal of Tavex EOOD (‘the Rules’) will inform you of the activities of Tavex EOOD regarding the processing of your personal data when you have access to and use the Recruitment Portal of Tavex EOOD (‘the Portal’) to apply for a specific vacancy published by Tavex EOOD. These Rules describe the rights and obligations laid down in the Bulgarian Personal Data Protection Act (‘PDPA’) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, ‘GDPR’). These Rules are without prejudice to, and do not restrict or revoke, your rights arising from the abovementioned legal instruments.
(2) If you have any doubts or comments on these Rules, or wish to contact us in connection with other matters concerning your personal data, you may contact our Data Protection Officer at: 1505 Sofia, Oborishte District, 48 Sitnyakovo Blvd., Serdika Centre Mall, Level -1, email: firstname.lastname@example.org, or on telephone: +359 2 988 86 66.
(3) The Portal is registered in the name of and managed by Tavex EOOD, having its registered office in Sofia, 1505, Oborishte District, 48 Sitnyakovo Blvd., Serdika Centre Mall, Level -1, email: email@example.com, or on telephone: +359 2 988 86 66, registered in the Trade Register with the Registry Agency under Company No. (EIK): 200779475, represented jointly and individually by the Managers Magardich Harutiun Baklayan and Kuno Rääk (‘Tavex’, ‘the Company’ or ‘we’).
(4) ‘Personal data’ means any information that may be used for direct or indirect identification of a natural person, in particular an identifier such as a name, an identification number, location data, an online identifier, factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
‘Personal data processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(5) Tavex respects the following principles in the processing of your personal data:
(i) legality, fairness and transparency;
(ii) restriction of the purposes of processing;
(iii) relevance to the purposes of the processing and minimisation of the data collected;
(iv) accuracy and update of the data;
(v) storage limitation with a view to achieving the objectives;
(vi) integrity and confidentiality of processing and ensuring an appropriate level of personal data security;
(6) As a data controller, Tavex meets all the requirements governing the protection of personal data and collects only data of individuals as far as necessary, and protects them responsibly and lawfully. Tavex applies technical and organisational measures with respect to its staff, premises, software, hardware, networks, encryption, control, reporting, monitoring, vulnerability checks, etc. We have provided comprehensive and reliable physical, personal, documentary and cryptographic protection of personal data we process against unauthorised or accidental access, loss, alteration, disclosure or destruction of data, as corresponding to the risks. All our employees are bound with confidentiality obligation with regard to the personal data to which they have access in the course of their work.
(7) We will process certain of your personal data you provide when applying for a job through the Portal. In addition to the personal data collected via the Portal, we may collect further personal data about you to the extent permitted or required by the Bulgarian laws for purposes related to your specific job application/s. We collect your personal data to allow you to apply for job via the Portal.
II. CATEGORIES OF PERSONAL DATA PROCESSED BY TAVEX AND PERSONAL DATA STORAGE PERIOD.
(1) When you apply for a job through the Portal, we collect your personal data as follows:
(i) information you are provide or update when completing fields / forms in the Portal:
• permanent address,
• place and date of birth,
• telephone number,
• type and level of education and/or professional qualifications,
• name and location (city) of educational institutions, schools, etc. attended,
• publicly available information that we receive, including, but not limited to, in case you provide us with a link to your Facebook or other profile in a social network/third party application, to the extent such technical feasibility is available on the Portal;
(ii) information you provide when you report a technical issue regarding the Portal or contact us on another occasion. You can provide such information in writing (via the contact form) or by telephone. If you contact us, we may keep a record of the correspondence;
(iii) details of visits to the Portal, including, but not limited to, date and time of access to the Portal, visited pages, IP address, hardware and software used, traffic data, location data, blog and other communication data and resources used, e.g. time and date and IP address of consent to these Rules;
(iv) if you have access to the Portal via a mobile device, we can process data about your location, as well as information about this device, e.g. an identification number and type of your device. If you do not wish us to receive your location details, you may turn off the relevant functions of your device enabling tracking, if the device offers such a possibility.
(3) When applying for a job via the Portal, you may provide us with additional details about you, such as a CV with a photo, a motivation letter, attachments (e.g. diplomas, certificates of completed training, references from previous employers, etc.), as well as information on your professional experience and education, your professional certificates, language skills, geographical mobility, and what communication channel you used to access the Portal, and other additional information.
(4) When administering the Portal, Tavex does not collect or intentionally process:
(i) personal data of persons under the age of 18, and personal data of persons with limited legal capacity or incapacitated persons;
(ii) special categories of (sensitive) personal data revealing racial or ethnic origin, political, religious or philosophical beliefs, trade union membership, nor genetic, biometric data, data concerning health, sex life, sexual orientation, criminal convictions or breaches of users of the Portal.
If we become aware that we have collected such personal data, we will take steps to erase and destroy them as soon as possible.
(5) Further processing of your personal data. In addition to the provisions of paragraphs 1 to 4 above, your personal data may be processed when this is necessary to meet the statutory obligations of Tavex (pursuant to Article 6(1)(c) of the General Data Protection Regulation) and to protect legitimate interests of Tavex (pursuant to Article 6(1)(f) of the General Data Protection Regulation), such as identification, exercise or defence of legal rights of Tavex or any other member of the corporate group of Tavex. Your personal data will also be processed in the operation and management of IT systems of Tavex that are hosted internally or externally.
(6) The processing of your personal data is necessary for your application for your selected job position through the Portal, as well as for you to be taken into account in subsequent selection of candidates to be carried out by Tavex. The provision of personal data for each of the above purposes is voluntary and is based on your explicit consent to this document. You are not obliged to provide your personal data, but if you do not, the process of applying for a job through the Portal will not be possible, nor will we have the opportunity to take your application into account in our future selection procedures.
III. LEGAL GROUNDS FOR THE PROCESSING OF PERSONAL DATA.
(1) Depending on the purpose for which data are used, the legal grounds for processing your personal data may be one or more of the following:
(i) your consent to the processing of your personal data for one or more specific purposes (based on Article 6(1)(a) of the General Data Protection Regulation), in which case your personal data are processed under the conditions and within the time limits laid down in these Rules and in the respective consent;
(ii) the need to protect and pursue the legitimate interests of Tavex or of a third party (pursuant to Article 6(1)(f) of the General Data Protection Regulation). These legitimate interests may include ensuring the proper functioning and use of the Portal by you and other users, maintenance and administration of the Portal, settlement of disputes, detection and prevention of malicious acts, detection of and solving technical or functionality issues, development and improvement of the Portal, communication with you, including by electronic means, on important issues regarding the Portal, reception and handling of any alerts or requests from you for further information, implementation and protection of the rights and legitimate interests of Tavex and Tavex corporate group companies, including by judicial review, and assistance in the exercise and protection of the rights and legitimate interests of other users of the Portal or affected third parties.
(iii) fulfilling legal obligations on Tavex (on the basis of Article 6(1)(c) of the General Data Protection Regulation).
IV. YOUR RIGHTS.
Regarding the processing of your personal data, you have the following rights which you can exercise by sending a paper request to the Tavex’s mailing address first written above or by e-mail at: firstname.lastname@example.org. The request should be in free text and, if needed, our Data Protection Officer will provide with you with full assistance to write your request. Tavex commits to promptly implement your requests concerning your personal data. Any application, inquiry or request, or any other communication received in connection with the personal data protection will be addressed within one month and, where a longer period is needed, you will be kept informed of the extension and of the reasons for the delay. To avoid abuse, we reserve our right to request additional data or actions from you in order to establish the identity of the applicant and the data subject to which the request relates, such as the presentation of an identity card.
(1) The right to request access to the personal data concerning you, in particular to request from the Company:
(i) confirmation as to whether personal data concerning you are processed;
(ii) information on the purposes of such processing, the categories of personal data, the recipients or categories of recipients to whom personal data concerning you are disclosed;
(iii) a communication in a comprehensible form containing the personal data concerning you, and any available information as to their source;
(iv) information about the logic involved in any automated processing of personal data concerning you, in case this is available.
The granting of access to your personal data is free of charge, but Tavex reserves the right to charge an administrative fee in case of repetitive or excessive requests.
(2) The right to request the Company to erase, rectify or block your personal data the processing of which fails to comply with the requirements of the Personal Data Protection Act, and to request the Company to notify third parties to whom your personal data have been disclosed of any erasure, rectification or blocking, except where this is impossible or involves a disproportionate effort.
(3) The right to request Tavex for your personal data to be erased without undue delay (‘right to be forgotten’) in case of any of the following grounds:
(i) personal data are no longer needed for the purposes for which they were collected or otherwise processed;
(ii) when you object to the processing, in cases where the processing of your personal data is necessary for the purposes of the legitimate interests of Tavex or of a third party, or where your personal data are processed for direct marketing purposes, and there are no overriding legitimate grounds for the processing;
(iii) where the processing has been unlawful;
(iv) where your personal data must be erased in order to comply with a legal obligation under the European Union or Member State law to which Tavex is subject;
(v) where you have withdrawn your consent on which the processing is based and there is no other legal ground for the processing;
(vi) where your personal data have been collected in relation to the offer of information society services.
In these cases Tavex may refuse to erase your personal data for the following reasons:
(A) for exercising the right of freedom of expression and information;
(B) for compliance with a legal obligation which requires processing by Union or Member State law to which Tavex is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in Tavex;
(C) for reasons of public interest in the area of public health;
(D) archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
(E) for the establishment, exercise or defence of legal claims.
Tavex does not erase data which it has a legal obligation to retain, including for defence in connection with legal claims raised against Tavex or for enabling Tavex to demonstrate its rights.
(4) The right to request Tavex to limit the processing of your personal data when any of the following situations exists:
(i) you contest the accuracy of the personal data, for a period allowing Tavex to verify the accuracy of such personal data;
(ii) the processing is unlawful, but you do not wish for your personal data to be erased, but only the use of such data to be restricted;
(iii) Tavex no longer needs the personal data for processing purposes, but you require them to establish, exercise or defend your legal claims;
(iv) you have objected to the processing pending verification whether the legitimate grounds of Tavex override your interests.
Where the processing of your personal data has been restricted following your request to this effect, such data, with the exception of storage, will only be processed by Tavex with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural person, or for reasons of important public interest of the European Union or of a Member State.
Where you have required the processing of your personal data to be restricted, Tavex will inform you before the restriction of processing is lifted.
(5) The right, at any time and on grounds relating to your particular situation, to object to the processing of personal data concerning you which are necessary for the purposes of the legitimate interests of the Tavex or a third party, including profiling based on such interests. In these cases, Tavex will cease to process your personal data, unless it can prove that compelling legitimate grounds exist for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
(6) The right to receive the personal data concerning you, which you have provided to Tavex, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the Tavex (‘right to data portability’), where the processing is carried out in an automated manner and is:
(i) based on your consent to the processing of your personal data for one or more specific purposes, or
(ii) necessary for the performance of a contract to which you are a party, or
(iii) necessary for steps to be taken following your request before the conclusion of any such contract.
When exercising your right to data portability, you are entitled to direct transfer of your personal data from Tavex to another controller where technically feasible.
The exercise of your right to data portability does not affect the right to erasure of your personal data (‘right to be forgotten’) and could not be exercised if it would adversely affect the rights and freedoms of others.
(7) The right not to be subject to a decision based solely on automated processing of your personal data, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless the grounds provided in the applicable data protection law for doing so are met and appropriate safeguards are provided for the protection of your rights, freedoms and legitimate interests.
(8) The right to ask Tavex to inform you of all recipients to whom the personal data for which rectification, erasure or restriction of processing has been requested have been disclosed. Tavex may refuse to provide this information if this would be impossible or would involve a disproportionate effort.
(9) Right to be notified by Tavex without undue delay when a breach of the security of your personal data may result in a high risk to your rights and freedoms, including the right to be informed of the measures taken or to be taken.
Tavex is under no obligation to inform you if:
(i) it has taken appropriate technical and organisational measures to protect the data affected by the breach of security;
(ii) it has subsequently taken measures to ensure that the breach does not result in a high risk to your rights;
(iii) the notification would require disproportionate efforts.
(10) The right to be informed if Tavex has found that, for whatever reason, it is unable to fulfil its obligations under these Rules or under the current data protection laws.
(11) The right to be notified in advance in the event of a merger, acquisition or sale of Tavex’s assets affecting the processing of your personal data.
(12) The right to contact the Data Protection Officer of Tavex at: 1505 Sofia, Oborishte District, 48 Sitnyakovo Blvd., Serdika Centre Mall, level -1, email: email@example.com, telephone: +359 2 988 86 66.
(13) The right to lodge a complaint with the competent supervisory authority, in particular in the Member State of your habitual residence, place of employment or place of the alleged infringement, if you consider that your data protection rights have been infringed. Lodging of such a complaint will be without prejudice to any other administrative or legal remedies you may have. The competent supervisory authority in the Republic of Bulgaria is: Commission for Personal Data Protection, address: 1592 Sofia, 2 Prof. Tsvetan Lazarov Blvd., telephone: +359 2 915 35 18, email: firstname.lastname@example.org, email@example.com, website: www.cpdp.bg. The competent supervisory authority in Romania is: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal, аdresa: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, cod postal 010336, Bucuresti, Romania , e-mail: firstname.lastname@example.org, site web: www.dataprotection.ro Nr. Tel.: +40.318.059.211.
(1) In order for the Portal to operate according to the functionality intended by the Tavex team, and also to improve your experience on the Portal and customise your visits, sometimes we keep small data files called ‘cookies’ in your device. This is a standard practice widely used on almost all sites around the world. This section explains how we do this.
(2) What are ‘cookies’?
Cookies are small text file saved by your browser on the hard disk of your device. They make it possible to identify the user’s device and to ensure proper behaviour on a webpage, in accordance with his or her individual preferences. This improves the functionality of the Portal. For example, cookies can keep the password for each session so that you do not need to enter it at each visit. Cookies typically include the name of the website, the time for storage on the terminal equipment, and a unique number. In certain cases, cookies also allow personal identification of users.
Cookies are used to adapt the content of the Portal to the preferences of the user and to optimise the use of the Portal. They are also used to create anonymous statistics (on user’s behaviour on the Portal) in order to improve the structure, design, image and content of the Portal.
(4) What types of cookies do we use?
Tavex uses the following types of cookies:
(i) ‘session cookies’, which are temporary, and your device normally deletes them when you leave the relevant webpage, close your web browser, or when they turn off your device; and
(ii) ‘permanent cookies’, which are stored on your device for a fixed period, which is indicated in the parameters of the cookies and may exceed one year, or until you delete them manually. These cookies can be reused the next time you visit the Portal.
(5) Tavex may also allow third-party cookies to be used (‘third-party cookies’). These are cookies relating to software products, recording anonymous statistical data about the user (Google Analytics, CrazyEgg, Kissmetrics, etc.).
Alternatively, third-party cookies can be linked to ‘social’ keys and attachments allowing for the sharing of pages and the interaction with social networks. For the operation of these tools, social networks (such as Facebook, Twitter, Instagram, etc.) may record cookies via the Portal to interact with the user’s anonymised profile in a network or to add data to the information collected in a way and for purposes described in their respective policies and websites.
Tavex has no access to or control of cookies that have been used and provided by third parties. These Rules do not relate to the way in which a third party collects and treats such information. Please read the relevant policies of the third parties concerned, so that you are aware of their practices and behaviour.
(6) Personal data collected by cookies may only be used for the performance of specific functions in the Portal relating to the user. Personal data are encrypted to prevent unauthorised access to them and to guarantee anonymity to the user using the Portal.
(7) How to control and/or delete cookies?
Most sites automatically accept cookies, but if you do not wish to accept them, you can set your browser to reject them. Most web browsers allow the control of cookies through the browser’s settings. You can usually find these settings in the menu ‘Options’ or ‘Preferences’ (Options, Settings, Preferences). You can delete all cookies that are already retained in your device, and you can set most browsers to completely block them. If you do this, however, you may have to manually adjust some preferences each time you visit a website, and also some services and functionalities may not work. Unfortunately, in most cases there is no universal option to prohibit cookies without limiting the functionality they add to the relevant website.
(8) To find out more about cookies, including how to control them, you can visit http: //aboutcookies.org.
VI. PROVISION OF PERSONAL DATA TO THIRD PARTIES.
(1) In some cases, in order to fulfil legal obligations, to comply with an authority’s order, or to protect and pursue the legitimate interests (rights, property, security) of Tavex or of a third party, or to ensure the technical and resource operation of the Portal, we may be obliged, or need may arise, to disclose personal data from you to third parties, such as our trusted partners or competent authorities, from the following categories:
(i) competent state or local authorities and their administrations, such as the Commission for Personal Data Protection, the authorities of the Ministry of Interior, judicial or tax authorities;
(ii) external consultants acting as personal data controllers, such as lawyers, accountants, auditors;
(iii) providers of IT services, hosting services, services supporting our databases, technical equipment, software and applications which may contain data on you (sometimes related to access to your personal data for the fulfilment of these tasks). In particular, the hosting service of the physical servers ensuring the operation of the Portal is managed by the company Amazon Web Services EMEA Société À Responsabilité Limitée (SARL), country of establishment: Grand-Duché de Luxembourg (European Union Member State), address: 38 Avenue John F. Kennedy, L-1855 Luxembourg, number in a trade and/or tax register: Registre De Commerce Et Des Sociétés (R. C. S.) De Luxembourg: B 186284, Autorisation d'établissement en qualité de commerçante n° 10048410 • TVA n* LU 26888617, email: https://aws.amazon.com/, https://aws.amazon.com/tax-help/european-union/;
(iv) other legal entities of the Tavex corporate group; all legal entities of this group are registered and established in European Union Member States and/or parties to the Agreement on the European Economic Area. Within each of these legal entities, access to your personal data is only granted to authorised staff whose duties require such access;
(v) Please note that all Member States of the European Union and all countries which are parties to the Agreement on the European Economic Area ensure an adequate level of protection of the personal data of natural persons equivalent to that of the Republic of Bulgaria because they are subject to the European Union legislation, in particular the General Data Protection Regulation (GDPR).
(2) Tavex may provide your personal data to third parties that are unrelated to Tavex for the performance of only and exclusively predetermined and specific purposes of processing, provided that such third parties commit to ensure an adequate level of protection of personal data, comply with the requirements of the European and national regulations in force, and our instructions in accordance with these Rules, and refrain from processing your personal data for any other purpose, except in relation to the services we provide.
VII. MISCELLANEOUS. AMENDMENT AND ACCESS TO THE RULES.
(1) When, in the job application process, you add the personal data of another natural person, or when communicating such data to a Tavex’s employee, you declare that you have the necessary authorisation and consent from that other person, and that you have informed him or her and made him or her aware of these Rules before doing so.
(2) In the event that any provision of these Rules proves to be invalid or inapplicable, the other provisions will remain valid and applicable.
(3) All matters not covered by these Rules are subject to the provisions of the applicable legislation in force. Any disputes arising from or relating to these Rules will be resolved by the relevant local and subject-matter competent court.
(4) Tavex reserves the right at any time to amend and/or supplement these Rules, and the date of their last update will be indicated at the beginning of the document. Any amendments will enter into force immediately after their publication on the Portal, unless otherwise specified in the updated version of the Rules. You must periodically visit this page to review these Rules. These Rules may be updated at any time without specific notification to the users of the Portal. Tavex will not be liable if a user of the Portal is not acquainted with the most recent version of these Rules.