Article 1
(1) The rules in force (Regulation) have been drafted in accordance with Regulation (EU)
2016/679 of the European Parliament and of the Council of 27 April 2016 ("Regulation") on the protection
of individuals with regard to the processing of personal data and for the free circulation of such data.
(2) The Rules define the order in which AvalancheJob, with VAT number 139995275, collects,
processes, structures, stores, modifies, retrieves, discloses by transmission, dissemination or other
means by which data is made available, the types, limits and / or deletion of personal data for the
purposes of its activity.
(3) Depending on the situation, "Company" can process data as an administrator or processor.
Article 2.
These rules shall govern:
(1) the principles and mechanisms for processing personal customer data.
(2) the obligations of authorized persons processing personal data and their liability in case of non-
fulfillment of these obligations;
(3) The rights of the individuals whose data are processed by granting, opposing and withdrawing
consent, as well as the management of requests for the enjoyment of other rights of the data subject;
(4) The necessary technical and organizational measures to protect personal data from unauthorized
processing.
(5) the rules for the transfer of personal data to third parties in Bulgaria and abroad;
(6) Technical resources applied to the processing of personal data.
DATA ADMINISTRATOR
Article 3.
(1) "AvalancheJob" with PIC number 139995275, is the administrator of personal data within the
meaning of the Regulation and processes only the data required for the conduct of its commercial
activity.
DATA SUBJECTS AND CATEGORIES OF PERSONAL DATA
Article 4.
(1) The Company collects and processes personal data necessary for the fulfillment of its rights
and obligations as an employer, service provider and contractor in accordance with the requirements of
the applicable legislation. The personal data processed by the Company are classified in records of
processing activities containing personal data processing rules concerning:
• employees / staff and contractors under civil contracts
• clients
• service providers
(2) The following personal data are collected for individuals who are subject to employment / civil or
legal relationships in the company:
a) Identification: Name, VAT number, date of birth, fixed and / or current address, telephone, ID or
passport number, e-mail
b) Education and vocational training; data on education, professional experience, professional and
personal qualifications and skills;
c) Health Data: Health Status, Workplace Assessment Commission Decisions, Medical Certificates,
Hospital Documents, and any related documentation;
d) Other information: bank account details, criminal record;
(3) As regards individuals, clients of the company, the following personal data are collected:
• Name, VAT number, date of birth, fixed and / or current address, telephone, ID or passport number, e-
mail
(4) The individuals, the company's service providers, collect the necessary data for the conclusion and
execution of the service contracts of the company by external providers, as follows:
• Name, VAT number, date of birth, fixed and / or current address, telephone, ID or passport number, e-
mail
(5) The Company processes sensitive data only to the extent necessary to fulfill its specific rights and
obligations in the field of labor law and social security legislation.
OBJECTIVES AND PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA
Article 5.
The purposes of processing personal data are:
(1) The fulfillment of the obligations of AvalancheJob resulting from the lawful management of human
resources, payment of salaries and fulfillment of the employer's obligations to deduct and pay
employee’s health and social security contributions, taxes and other rights and obligations of the
Company as an employer.
(2) managing customer relations and providing services,
(3) the conclusion and execution of contracts with suppliers for the provision of services to the Company.
Article 6.
Personal data shall be processed in a lawful, conscientious and transparent manner in
accordance with the following principles:
(1) The subject of the data is informed in advance about the processing of his or her personal data.
(2) Personal data are collected for specific, accurate and legitimate purposes and will not be further
processed in a manner incompatible with these purposes.
(3) Personal data corresponds to the purposes for which it is collected.
(4) Personal data must be accurate and, if necessary, updated.
(5) Personal data are deleted or corrected when they are found to be inaccurate or incompatible with
the purposes for which they are processed.
(6) Personal data shall be kept in a form which permits the identification of the persons concerned, for a
period not exceeding the time necessary for the purposes for which they are processed.
Article 7.
For the lawful processing of the data, at least one of the following conditions shall exist:
(1) The data subject has given his / her consent.
(2) Processing is necessary for the performance of a contract to which the data subject is subject or for
taking action upon the request of the data subject prior to the conclusion of the contract.
(3) Processing is necessary to comply with a legal obligation applicable to the processor.
(4) Processing is necessary to protect the vital interests of the data subject or another person.
(5) Processing is necessary for the fulfillment of a public interest task.
(6) Processing is necessary for the purposes of the legitimate interests of the processor, unless the
interests or fundamental rights and freedoms of the data subject override those interests.
REGISTERS
Article 8. (1) For the reasons stated in Article 30 of the Regulation, the Company maintains the following
registers of the data processing activities of natural persons:
1. "Staff" Register.
2. "Customer" Register.
3. "Suppliers" Register.
Article 9. (1) General description of the "Staff" registry:
1. Personal data of employees / contractors and contractors under the political conventions referred to
in Article 1.4, par. 2 of this Regulation.
2. The sources from which the data is collected are: the natural persons to whom the data refer, with
their explicit consent.
(2) Technological description of the register:
1. Data carriers - Registry data is processed on paper and / or on technical means (computer). Once
collected and processed, the paper data is sorted into separate files stored in our office. Data in technical
means is stored and handled only on computers housed in our database with access control.
2. Processing technology - Registry data is provided by natural persons when applying for employment
under a labor contract or following a political contract with a natural person and enrolled directly in
labor or political contracts, supplementary agreements, and other documents that certify service
duration, official notes, reports, certificates, correspondence, etc.
3. Storage period - all items in the "Staff" registry are kept for a period of five years from the expiry of
the employment contract or political contract with the person concerned, except for the items of the
accounting records which, according to the law, must be kept for 50 years.
4. Services provided - data of the "staff" register are not provided outside the scope of their processing,
with the exception of: upon express request and order of the person or his heirs within the storage
period; if required by law and / or in case of need of protection of the public interest - to the state bodies
in the performance of their official duties (tax officers, NSSG employees, labor inspector, police, etc.); in
court cases - to a legal representative or directly to the court strictly observing the provisions of the law
and the applicable rules.
(3) The impact assessment shall be carried out periodically every two years or when the nature of the
processed personal data and the number of persons affected are altered.
Article 10. (1) General Description of the Customer Register:
1. The personal data of the clients referred to in Article 4, par. (3) of this Regulation.
2. The sources of data collection are: from customers - the natural persons to whom the data refer, with
their explicit consent, in person or, in some cases, with the consent of their representative.
(2) Technological description of the register:
1. Data carriers - Registry data is processed on paper and / or on a technical medium (computer). Once
collected and processed, the paper data is sorted into separate files stored in our office. Data in a
technical medium is stored and handled only on computers housed in our database with access control.
2. Storage period - all elements of the "Clients" registry are retained for a period of time determined by a
regulatory act or, failing that, no later than five years from the date of conclusion of the service contract
or from which the person first submitted statement - consent to the processing of his data as a client of
the Company.
3. Services provided - Data from the "Clients" registry are not provided outside the scope of their
processing, with the exception of: upon express request and order of the person or his heirs within the
storage period; if required by law and / or in case of need of protection - the public bodies in the
performance of their official duties (tax officers, employees of the NSSG, labor inspector, police, etc.);
(3) The impact assessment shall be carried out periodically every two years or when the nature of the
processed personal data and the number of persons affected are altered.
Article 11.
(1) General description of the Suppliers Register:
1. Personal data of the natural persons referred to in Article 4, par. (3) of this Regulation.
2. The sources from which data is collected are: from natural persons, with their explicit consent or in
accordance with the requirements of applicable law.
(2) Technological description of the register:
1. Data carriers - Registry data is processed on paper and on technical media (computer).
2. Processing technology: After being collected and processed, the paper data is sorted into separate
files located in a separate room with access control. Data on a technical medium is stored and processed
only on a computer with access control. The data is used for mailing, preparing, reviewing mail and
sending a reply to the sender.
3. Storage period - All records are kept for a period of 5 years after delivery, unless otherwise provided
for by law.
4. Services Provided - Data from the Suppliers Register is not provided outside the scope of their
processing, with the exception of: upon express request and order of the person; if required by law and /
or in case of need of protection of the public interest; the execution of their official duties (tax officers,
employees of the NSSG, labor inspector, police, etc.); in court cases - to a legal representative or directly
to the court.
(3) The impact assessment shall be carried out periodically every two years or when the nature of the
processed personal data and the number of persons affected are altered.
Article 12. If the data subject / employee, customer or provider / requests that his data be deleted before
the expiry of the storage period prescribed by these rules, the data is deleted within 30 days of
submission of the application, unless this is legally permissible or there are other limitations.
CONSENT
Article 13.
(1) The data subject agrees with the processing if he expresses this clearly and unequivocally,
in a categorical manner - by a statement or other confirmatory act.
(2) Data subjects may at any time withdraw their consent for processing and revocation will be accepted
in due course. If there is no other requirement for the legitimacy of processing, with the withdrawal of
consent, data processing is terminated.
(3) The company maintains consent statements, while data processing operations are carried out on this
basis in order to comply with the principle of accountability.
PROCEDURES FOR THE PROCESSING OF PERSONAL DATA
Article 14.
(1) Personal data relating to the three categories of persons referred to in this Regulation shall
be collected during the recruitment of staff, the submission of a service request or the conclusion of a
contract, when concluding, amending and terminating the contracts. The data of each employee /
employee of the Company is stored in personal files and some data may be stored or processed by
technical means. The data from competitions and interviews are stored in technical and / or printed
media as needed.
(2) Personal files are stored in special filing rooms located in the office of the person responsible for the
processing of personal data. Access to the office is provided only to the person authorized to process the
personal data by creating a special request to enter the premises through a key, other appropriate
means and / or escort device.
(3) The person authorized to process personal data shall take all organizational and technical measures
for the preservation and protection of personal files and relevant information, including the limitation of
their availability to outsiders and unauthorized employees.
(4) Employee records, as well as the details of the company's customers and suppliers, are not exported
outside the company building.
RIGHTS OF DATA SUBJECTS
Article 15.
(1) Everyone has the right to request access to his or her personal data, including the request
to confirm the processing of the data relating to him, to be informed of the purposes of such processing,
the data categories and the recipients of the data, and for the purposes of the processing of personal
data concerning him / her.
(2) The right of access is granted at the request of the person concerned, which is received at the
registered office of the Company or in the official e-mail.
(3) Everyone has the right to request the deletion, correction or exclusion of his or her personal data if
the processing does not meet the requirements of the law.
(4) Everyone has the right to object in writing to the processing and / or disclosure of personal data to
third parties without the necessary legal basis.
(5) The Company shall notify the applicant, within two weeks of receipt of an application in accordance
with the preceding paragraphs, of the legal grounds for the application. If the Company finds that there
are legal grounds for granting the application, it shall also inform the person of the manner in which he / she
can exercise his / her right.
(6) Data subjects are also entitled to:
- withdraw their consent for processing at any time;
- oppose the use of their personal data for direct marketing purposes;
- request information on the basis of which their personal data is processed for the processing of a non
EU / EEA processor;
- oppose a decision taken entirely on the basis of automated processing, including formatting;
- be informed of a breach of data protection, which may lead to a high risk to their rights and freedoms;
- lodge complaints with the regulatory body;
- in some cases, receive or request the transfer of their personal data to third parties in a structured,
machine-readable form (transport right).
MEASURES FOR THE PROTECTION OF PERSONAL DATA
Technical measures
Article 16.
(1) All premises where personal data are stored and processed have access control means.
The possible technical means of access control are:
- plant safety;
- key;
- video surveillance;
- a policy of accepting external agents at the company's premises only with an accompanying member of
the company's staff.
(2) The company's facilities are insured with fire-fighting measures in accordance with the Bulgarian
legislation.
Document protection measures
Article 17.
(1) The Company shall establish procedures for the processing of personal data, the regulation
of access to data, the destruction procedures and the storage deadlines detailed in this Regulation. For
individual categories of data, pseudonymisation may be envisaged at the proposal of the person
responsible for personal data.
(2) Reproduction and distribution of documents or files containing personal data must be carried out
only by authorized personnel in case of need.
Personal protection measures
Article 18.
(1) Persons who exercise the protection and processing of personal data shall:
- assume non-dissemination of personal data to which they have access;
- familiarize themselves with the company's legal framework, internal rules and policies on the
protection of personal data;
- undergo training to respond to situations that threaten data security;
- be informed about the risks associated with the personal data managed by the company;
- undertake not to share critical information with each other and with external partners other than the
procedure established by these rules.
Measures for the protection of automated information systems and cryptographic protection
Article 19.
(1) Access to the operating system containing personal data files shall be restricted to persons
whose duties or specific tasks require access. Access is only by password.
(2) Electronic databases are protected by logical security features, such as an automatically updated
virus protection program, firewalls, and more.
(3) Backup of personal data in a technical medium is done periodically to store the information.
Article 20.
(1) Protection of electronic data from unauthorized access, damage, loss or destruction
committed intentionally by a person or in case of technical malfunctions, accidents, disasters, etc. is
provided by storing information:
- entering passwords for computers that provide access to personal data and files that contain personal
data;
- antivirus programs, checks for illegally installed software;
- Periodic checks of database integrity and updating of system information, maintenance of the data
access system;
- periodical data archiving in technical media, keeping information in print (archival copies).
(2) The person responsible for personal data shall report periodically to the management of the company
the measures taken to ensure the level of security in the processing of personal data.
SECURITY BREACHES
Article 21.
(1) Persons detecting signs of data security breach shall immediately report to the controller of
personal data by providing him with all available information.
(2) The person responsible for personal data shall immediately check the entry submitted in an attempt
to determine whether a security breach has occurred and which data is affected.
(3) The person responsible for personal data shall immediately report to the Director of the Company
the information available on the breach of security, including information on the nature and timing of
the event, the type of damage, the measures taken at the moment and the measures he/she deems
necessary to take.
(4) After consulting with the company's management, the person responsible for personal data takes
measures to prevent or mitigate the impact and data recovery capabilities.
(5) In case of urgency, if the coordination with the administration slows down the reaction and causes
serious damage, the Data Protection Officer may, at his / her discretion, take measures to prevent or
mitigate the consequences of the breach of security. In this case, the person responsible for personal
data will immediately notify the administration of the measures taken and follow the monitoring
instructions received.
Article 22.
(1) If the breach of security creates a risk to the rights and freedoms of the data subjects and
after being approved by the company's management, the person responsible for personal data organizes
the notification to the Commission for the Protection of Personal Data (CPDP).
(2) CPDP notification must be made without undue delay and, where possible, no later than 72 hours
after the initial knowledge of the breach.
(3) The CPDP notice contains the following information:
(a) a description of the breach of security; the categories and approximate number of persons and
categories of data concerned and the approximate amount of relevant personal data files;
(b) the name and contact details of the person responsible for personal data;
(c) a description of the possible consequences of the breach of security;
(d) a description of the measures taken or proposed to address the breach of security, including
measures to mitigate possible adverse effects.
(4) In the event that the violation of personal data may pose a high risk to the rights and freedoms of
individuals, the person responsible for personal data shall inform without delay and in accordance with
applicable law the persons concerned.
Article 23.
(1) The Company shall maintain a security breach record containing the following information:
(a) date of the infringement
(b) description of the offense - source, type and size of the relevant data, cause of the breach (if any);
(c) a description of the notifications made: notification of the CPDP and affected persons, if they have
been
(d) the measures taken to prevent and mitigate the adverse consequences for the data subject and the
Company
(e) measures taken to limit the likelihood of subsequent security breaches.
(2) The file is kept electronically by the person responsible for the personal data.
PROVISION OF PERSONAL DATA TO THIRD PARTIES
Article 24.
(1) The Company may, if necessary, provide personal data to third parties acting as processors
under an explicit agreement.
(2) In case of providing data to employees, clients or processing service providers, the Company:
(a) requires adequate guarantees from the processor to comply with legal requirements and good
practices for the processing and protection of personal data
(b) conclude a written agreement or other legal act having the same effect as the processor's duties and
meets the requirements of Article 28 of Regulation (EU) 2016/679
(c) inform the natural persons whose data will be provided to the processor.
(3) Processing of personal data by processors outside the EU / EEA is possible only if:
(a) The European Commission has adopted a decision confirming that the country in which the transfer
takes place provides for an adequate level of protection of the rights and freedoms of the data subjects
(b) Appropriate safeguards are in place - such as the FCC, the standard contractual clauses approved by
the European Commission, the approved code of conduct or the certification mechanism
(c) The data subject has given his explicit consent to the transfer after being informed of the potential
risks or
(d) Transfers are necessary for one of the purposes listed in the Regulation, including the performance of
a contract with the entity, the protection of the public interest, the establishment and defense of legal
disputes, the protection of the vital or legitimate interests of the data subject when he is physically or
legally incapable of giving consent.
DESTRUCTION OF DATA
Article 25.
(1) The destruction of personal data shall be done by the Company or by an authorized person
without undermining the rights of the persons to whom the data subject to destruction relate and in
accordance with the provisions of the relevant regulatory acts.
(2) Information in the registers shall be destroyed once the processing objectives have been achieved
and the need for storage is eliminated.
(3) The destruction of data in print media is by cutting with a shredder or other suitable device / tool.
Electronic data are erased from the computer database in a non-recoverable way.
PERSONS RESPONSIBLE FOR COLLECTING, PROCESSING AND STORING PERSONAL DATA AND ACCESS
TO PERSONAL DATA
Article 26.
The person responsible for the personal data and the persons processing the personal data on
behalf of the company are natural or legal persons who have the necessary competence and are
appointed and / or authorized by a written act.
Article 27.
The person responsible for processing, storing and deleting personal data in the Company,
who is also a contact person for the purposes of the Regulation, is Irina Aslanov, contact telephone: 0030
2310 327 761, email address: info@avalanchejob.com and has the following responsibilities:
- To help the Company and the persons processing the personal data in fulfilling their obligations to
protect personal data by ensuring the implementation and maintenance of the necessary technical and
organizational measures and means for the implementation of data protection;
- Ensure smooth operation of the aforementioned protection systems
- Control the entire process of data collection and processing
- Perform all reporting and data breach management obligations
- Periodically request information from data processors in relation to their collection, access and
processing
- To notify the Company in time of any irregularities found in connection with the fulfillment of its
obligations
- Destroy the papers and technical data in accordance with the law and the deadlines set out in this
Regulation
- Re-authorize natural or legal persons by a written act on the protection of personal data.
Article 28.
(1) The collection, processing, storage and protection of personal data shall be carried out
only by persons to whom it is expressly mentioned and whose duties or specific duties require so.
(2) When assigning activities requiring the processing of personal data by business registers, service
providers should comply with applicable legal requirements concerning the processing of personal data
and procedures in accordance with these rules.
(3) Access to personal data may also be made by the competent governmental bodies - court,
investigation, prosecutor's office, review bodies, etc. The abovementioned state bodies may request
data in a fixed order in relation to the exercise of their powers.
CHANGES IN THE INTERNAL RULES
Article 29.
The Company may change these Rules at any time. All changes must be notified immediately
to interested parties.
Article 30. For matters not covered by these rules, the provisions of Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 and the Law on the protection of personal data shall apply.
These Regulations are approved on 25.05.2018 and come into force on the day of their signature.