Tango SHM EOOD
1. Purpose, scope and users
Tango SHM EOOD, hereinafter referred to as the "Organization" or the "Company", seeks to comply with applicable laws and regulations related to the protection of personal data in the countries in which the Company operates. This policy sets out the basic principles by which the company processes the personal data of users, customers, suppliers, business partners, employees and others, and specifies the responsibilities of business departments and employees during the processing of personal data.
This policy applies to the company and its directly or indirectly controlled wholly-owned subsidiaries that operate within the European Economic Area (EEA) or process the personal data of data subjects in the EEA.
The users of this document are all employees, permanent or temporary, and all contractors who work on behalf of the Organization.
2. Basic principles concerning the processing of personal data
The data protection principles outline the main responsibilities of the organizations processing personal data. Article 5 (2) of the EU GDPR states that "the administrator shall be responsible and able to demonstrate compliance with the principles."
2.1. Lawfulness, Fairness and Transparency
Personal data must be processed lawfully, fairly and transparently in relation to the data subject.
2.2. Purpose Limitation
Personal data must be collected for specific, explicit and lawful purposes and not processed in a way that is incompatible with those purposes.
2.3. Data minimization
Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. The company should apply anonymization or pseudonymization of personal data, where possible, to reduce the risks for the data subjects concerned.
2.4. Accuracy
Personal data must be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are deleted or corrected without delay.
2.5. Limitation of Storage Periods
Personal data must be kept no longer than is necessary for the purposes for which the personal data are processed.
2.6. Integrity and Confidentiality
Taking into account the state of the art and other available security measures, the cost of implementation, and the likelihood and severity of the risks associated with personal data, the Company must use appropriate technical or organizational measures to process personal data in a way that ensures adequate security of the personal data, including protection against accidental or unlawful destruction, loss, alteration, unauthorized access or disclosure.
Data controllers must be accountable and able to demonstrate compliance with the principles set out above.
3. Building Data Protection in Business Processes
In order to demonstrate compliance with the data protection principles, the Organization must build data protection into its business activities and processes.
3.1. Notification of the Data Subject
See the Guidelines for Conscientious Processing section below.
3.2. Choice and Consent of the Data Subject
See the Guidelines for Conscientious Processing section below.
3.3. Collection
The company should strive to collect as little personal data as possible. If personal data are collected by a third party, the data operator must ensure that the personal data are collected lawfully.
3.4. Use, Storage and Removal
The purposes, methods, limitation of storage and retention period of personal data must correspond to the information contained in the privacy notice.
The company must maintain the accuracy, integrity, confidentiality and relevance of personal data based on the purpose of the processing. Adequate safeguards designed to protect personal data must be used to prevent the theft or misuse of personal data and to prevent personal data breaches. The data operator shall be responsible for compliance with the requirements listed in this section.
3.5. Disclosure to Third Parties
When the Company uses the services of a provider or business partner (third party) to process personal data on its behalf, the data operator must ensure that this provider has security measures in place to protect personal data that are adequate to the associated risks. For this purpose, the processor must complete the GDPR compliance questionnaire.
The Company must contractually require the provider or business partner to provide the same level of data protection. The provider or business partner must process only the personal data necessary to fulfill its contractual obligations to the Company, or as instructed by the Company, and not for any other purpose. When the Company processes personal data jointly with an independent third party, the Company must explicitly specify its own responsibilities and those of the third party in the relevant contract or other legally binding document, such as the Supplier Data Processing Agreement.
3.6. Cross-border transfer of personal data
Before transferring personal data outside the European Economic Area (EEA), adequate safeguards must be used, including the signing of a data transfer agreement as required by the European Union and, if necessary, permission from the relevant data protection authority.
The undertaking receiving the personal data must comply with the principles for the processing of personal data set out in the cross-border data transfer procedure.
3.7. Right of Access by Data Subjects
When acting as a data controller, the Company is responsible for providing data subjects with a mechanism that allows them reasonable access to their personal data, and must allow them to update, correct, delete or transmit their personal data where applicable or required by law. The access mechanism is further described in the Data Subject Access Request Procedure.
3.8. Data portability
Data subjects have the right to receive, on request, a copy of the data they have provided to us in a structured format and to transmit this data to another controller free of charge. The data controller is responsible for ensuring that such requests are processed within one month, that they are not excessive, and that they do not affect the personal data rights of others.
3.9. The right to be Forgotten
Upon request, data subjects have the right to obtain from the Company the deletion of their personal data. When the Company acts as a Data Controller, the Data Operator must take the necessary actions (including technical measures) to inform the third parties who use or process this data (the Data Processors) so that they comply with the request.
4. Guidelines for Conscientious Processing
Personal data must only be processed with the express permission of the data controller. The company must decide whether to perform a data protection impact assessment for each data processing activity in accordance with the Data Protection Impact Assessment guidelines.
4.1. Notices to Data Subjects
During or before the collection of personal data for any kind of processing, including, but not limited to, the sale of products or services and marketing activities, the data controller is responsible for informing data subjects of the following: the data and personal information provided by data subjects are used by sexwell.bg for order management, delivery of products and services, payment processing, communication with data subjects about orders, products, services and promotional offers, and product and service recommendations.
sexwell.bg also uses this data and information to improve the e-shop, to avoid or prevent fraud or abuse to the detriment of the SITE, and to enable third parties to perform technical support, logistics and other services for the SITE. This information is provided through a Privacy Notice.
When sharing personal data with a third party, the data controller must ensure that the data subjects have been notified through a Privacy Notice.
When personal data are transferred to a third country, in accordance with the Cross-Border Data Transfer Policy, the privacy notice must reflect this and clearly indicate where and which personal data are transferred.
When sensitive personal data are collected, the data controller must ensure that the privacy notice explicitly states the purpose for which these sensitive personal data are collected.
4.2. Obtaining Consent
Where the processing of personal data is based on the consent of the data subject or on other legal grounds, the data controller shall be responsible for maintaining a record of such consent. The data controller is responsible for obtaining consent from the data subjects who are required to give it, must inform them accordingly, and must ensure that their consent (where consent is used as the legal basis for processing) can be withdrawn at any time.
Where personal data records are required to be corrected, amended or destroyed, the data controller must ensure that these requests are processed within a reasonable time. The data operator must also record the requests and keep a log of them.
Personal data should only be processed for the purposes for which they were originally collected. If the Company wants to process the collected personal data for another purpose, the Company must seek the consent of its data subjects in a clear and timely manner.
Any such request must include the original purpose for which the data were collected, as well as the new or additional purpose(s). The request must also include the reason for the change of purpose(s). The Data Protection Officer shall be responsible for compliance with the rules in this paragraph.
Now and in the future, the data operator must ensure that collection methods comply with relevant laws, good practices and industry standards. The data operator is responsible for creating and maintaining a register of privacy notices.
5. Organization and Responsibilities
The responsibility for ensuring proper processing of personal data is borne by anyone who works for or with the Company and has access to the personal data processed by the company.
The main responsibilities for the processing of personal data lie with the following organizational roles and positions: data operator, secretary.
The Data Protection Officer (DPO) is responsible for the management of the personal data protection program and for the development and promotion of personal data protection policies.
The data operator is responsible for:
- Ensuring that all systems, services and equipment used for data storage meet acceptable security standards.
- Performing regular checks and scans to ensure that security hardware and software function properly.
The data operator is responsible for:
- Approving all data protection declarations attached to messages, emails and letters.
- Answering any data protection inquiries from journalists or the media.
- Working with the Data Protection Officer, when necessary, to ensure that marketing initiatives adhere to data protection principles.
The Secretary is responsible for:
- Improving the awareness of employees about the protection of users' personal data.
- Organizing expert knowledge on personal data protection and awareness training for employees working with personal data.
- Protecting the personal data of employees from end to end. This should ensure that employees' personal data are processed based on the legitimate business objectives and needs of the employer.
- The Secretary shall also be responsible for transferring responsibilities for the protection of personal data to providers, for raising providers' level of awareness of personal data protection, and for lowering the requirements for personal data passed to third parties who use them. The Procurement / Supply Department must ensure that the Company reserves the right to audit suppliers.
6. Audit and Accountability
The Secretary and the data operator are responsible for checking / auditing how well the business departments implement this policy.
Any employee who violates this Policy will be subject to disciplinary action, and the employee may also be subject to civil or criminal liability if his or her conduct violates laws or regulations.