Data access procedures

Tango SHM EOOD
PROCEDURE FOR REQUEST FOR ACCESS TO SUBJECT DATA

1. Request for Access to Data of a Subject ("RAED")
An Entity Data Access Request (RAED) is any request made by a natural person, or by the legal representative of a natural person, for information the company holds about that person. A RAED entitles data subjects to view their personal data and to request copies of the data.
A RAED must be made in writing. In general, verbal requests for information from a person are not considered RAEDs. If a formal request for access to data on a person is made orally to a member of the Company's staff, further guidance should be sought from the Secretary, who will review and approve all requests for access to data.
A RAED can be made in any of the following ways: through the feedback form on sexwell.bg; at [email protected]; or in writing at 1407 Sofia, 47 Cherni Vrah Blvd., Sexwell office. RAEDs made online should be treated like any other RAED upon receipt, although the company will not provide personal data through social media channels.

2. The Rights of Data Subjects
The right of access of data subjects includes the following rights:
• To be informed whether the data controller stores any personal data about them.
• To receive a description of the data stored about them and, if it is admissible and practical, a copy of the data.
• To be informed of the purpose(s) for which the data are processed and where they came from.
• To be informed whether the information is disclosed to someone other than the original recipient of the data and, if so, the identity of those recipients.
• Right to data portability. Data subjects may request that their personal data be transferred to them or to a third party in a machine-readable format (Word, PDF, etc.). However, these requests can be fulfilled only if the data in question are: 1) provided by the data subject to the Company; 2) processed automatically; and 3) processed on the basis of consent or performance of a contract.
• If the data is used to make automated decisions about the data subject, to be informed what logic the system uses to make these decisions and to be able to request human intervention.
The company must respond to data subjects who request access to their data within 30 calendar days of receiving the request, unless local law requires otherwise.

3. Requirements for valid RAED
To allow the company to respond to a data access request in a timely manner, the data subject must:
• Submit the request using an Entity Data Access Request (RAED) form.
• Provide the company with sufficient information to verify their identity (to ensure that the person requesting the information is the data subject or his authorized representative).
Subject to the exceptions set forth in this document, the Company will provide information to data subjects whose requests are in writing (or otherwise expressly permitted by local law) and have been received from a person whose identity can be validated by the Company.
However, the company will not provide data if identifying and retrieving the information would take excessive resources and time. Requests are more likely to be successful when they are specific and targeted to specific information.
Factors that may help narrow the scope of the search include identifying the likely holder of the information (e.g. by specifying a specific department), the period in which the information was generated or processed (the narrower the period, the more likely the request is to be successful) and the specific nature of the data requested (e.g. a copy of a specific form or e-mails from a specific department).

4. RAED Process
4.1. Request

Upon receipt of a RAED, the data operator will confirm the request. The applicant may be asked to complete an Entity Data Access Request (RAED) form to enable the company to find relevant information.
4.2. Identity verification
The Registrar should verify the identity of anyone making a RAED to ensure that the information is provided only to the person entitled to receive it. If the RAED applicant has not yet verified his/her identity, he/she will be asked to provide two forms of identification, one of which must be a photo identification and the other an address confirmation.
If the applicant is not the data subject, written confirmation that the applicant is authorized to act on behalf of the data subject is required.
4.3. Information on Request for Access to Subject Data
Upon receipt of the required documents, the person receiving the request shall provide the Registrar with all necessary information in support of the RAED. When the Data Protection Officer is satisfied with the information available to him on the case provided by the requesting person, the Data Protection Officer shall notify the applicant that his RAED will be responded to within 30 calendar days. The 30-day period starts from the date on which the necessary documents are received. The applicant will be informed in writing by the Registrar if there is a deviation from the 30-day deadline due to extraordinary events.
4.4. View Information
The Data Protection Officer will contact the relevant department(s) and request the information required by the RAED. This may include an initial meeting with the relevant department to proceed with the request if necessary. The department storing the information must return the required information by the deadline imposed by the Data Protection Officer and/or a new meeting should be arranged with the department to review the information. The Data Protection Officer will determine whether there is information that may be subject to exemption and/or whether the consent of a third party is required.
The Data Protection Officer must ensure that the information is reviewed/received within the set deadline to ensure that the 30 calendar day period is not breached. The Registrar will complete a "Data Disclosure Form" to document compliance with the 30-day requirement.

4.5. Response to the Access Request
The Data Protection Officer will provide the final answer together with the information received from the department(s) and/or a declaration that the Company does not have the requested information or that an exception applies. The Data Protection Officer will ensure that the written response is sent back to the applicant. This will be by email, unless the applicant has indicated another way in which he wishes to receive the reply (e.g. standard mail). The company will provide information only through secure channels. When paper copies of information are sent, they will be securely sealed and sent with a return receipt.
4.6. Archiving
Once the response is sent to the applicant, the RAED will be considered closed and archived by the Data Protection Officer.
The procedure is presented as a diagram in the annex to this document.

5. Exceptions
A person is not entitled to access information recorded about another person unless he or she is an authorized representative or has parental responsibility.
The company is not obliged to respond to requests for information unless sufficiently detailed information is provided to allow the information to be located and the identity of the data subject submitting the request to be verified.
In the general case, the Company does not disclose the following types of information after receiving a RAED:
• Information about other people - A RAED may include information that relates to a natural person or individuals other than the data subject. Access to such data will not be granted unless the individuals concerned consent to the disclosure of their data.
• Recurring requests - Where a similar or identical request in respect of the same data subject has been executed within a reasonable time and where there has been no significant change in the personal data held in relation to that data subject, any further request made within a period of six months from the initial request will be considered a second request and the Company will not provide an additional copy of the same data (under normal circumstances).
• Publicly available information - The Company is not obliged to provide copies of documents that are already in the public domain.
• Opinions given confidentially or protected by copyright law - The Company is not obliged to disclose personal data stored in connection with a data subject, which is in the form of an opinion given confidentially or protected by copyright law.
• Privileged documents - Any privileged information held by the Company must not be disclosed in response to a RAED. In principle, privileged information includes any document that is confidential (e.g. direct communication between a client and his lawyer) and is created for the purpose of obtaining or providing legal advice.

6. Refusal of a Request for Access to Data of a Subject
There are situations in which individuals are not allowed to see information related to them. For example:
• If the information is stored only for the purposes of statistics or research and when the results of statistical work or research are not provided in a form that identifies any of the participants.
• Requests made for purposes other than data protection may be rejected.
If the responsible person refuses a RAED on behalf of the company, the reasons for the rejection must be clearly stated in writing. Any person dissatisfied with the outcome of their access request has the right to ask the Data Protection Officer to review the reasons for the refusal.

7. Responsibilities
The overall responsibility for ensuring RAED compliance is borne by the Data Protection Officer.
If the Company acts as a data controller for the data subject who submits the request, the RAED will be handled in accordance with the provisions of this procedure.
If the Company acts as a data processor, the Data Protection Officer will forward the request to the respective data controller, on whose behalf the Company processes the personal data of the data subject submitting the request.