Personal data protection policy of “The National Council for Self-Regulation” association

What is the present document

For us at the “National Council for Self-Regulation” Association, the protection of personal data is a top priority.

The present document (hereinafter referred to as „the Policy”) is intended to provide you with information on how we, at the „National Council for Self-Regulation” Association, in our capacity of personal data controller, process your data in the course of our relationships and how you can exercise your rights under Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter referred to as “the Regulation”).
Who we are

The „National Council for Self-Regulation” Association, with Unified Identification Code (UIC): 175815315, with registered office and management address: Sofia, Tsar Osvoboditel Blvd. No. 14, 1st floor (hereinafter referred to as the „National Council for Self-Regulation” Association or „the NCSR”), is a non-commercial association working for the public benefit.

The „National Council for Self-Regulation” Association is a personal data controller.
Contact data

If you have any questions or want to clarify something about the processing of your personal data, or if you want to exercise any of your rights, you can contact us using the following contact details:
Address: Sofia, Tsar Osvoboditel Blvd. No. 14, 1st floor
E-mail: office@nss-bg.org 
Phone: +359886695616

Webpage: http://www.nss-bg.org/     
Which of your data do we process? 

The „National Council for Self-Regulation” Association processes the following data: 
first and family name;
contact data: e-mail address, physical address and phone number;
any other personal information that you provide, including but not limited to: confirmation of participation in events organized by the NCSR; invoicing information; registration for newsletter subscriptions and others.
IP address: when visiting the NCSR website, your IP address is automatically recorded and used only for administration of the system and for statistical purposes in order to optimize the use of the site. Depending on the circumstances, the collection of IPs may allow analysis of the visits of users to the site. The NCSR does not combine IP addresses with any other information about the site visitors and cannot assign a specific IP address to a specific individual. The NCSR cannot identify a specific site visitor by its IP address. Your IP address is registered when you visit the NCSR website, but the utilized analytics software only uses this information to track the number of visitors to the site.

For what purposes do we process your data?

The data provided by you is processed for the following purposes: 
registration and processing of received complaints and signals from citizens for violations of the National Ethical Standards For Advertising And Commercial Communication In Republic of Bulgaria;
communication with the complainants;
fulfilling the goals of the Statute and completing the composition of the Management Board, the Ethics Committee, the Board of Appeal and the expert groups;
labor relations;
communication with partners and suppliers, including the sending of a newsletter and event invitations;
provision of information and access to services that you have requested from the NCSR yourself or which we, at the NCSR, have deemed to be of interest to you and when you have agreed to receive such communication from us;
job application: processing of documents for job application/internship at the NCSR.
Who do we share your data with?

The „National Council for Self-Regulation” Association does not sell or disclose your personal information to third parties except in the cases listed below. Subject to the „need-to-know principle”, only a limited number of representatives of the NCSR have access to your personal data, all of whom have an obligation to maintain confidentiality regarding personal data.

The „National Council for Self-Regulation” Association may disclose your personal data to: 
public authorities – within the limits of their powers and for the purposes of fulfilling the requirements contained in the regulatory framework;
self-regulatory bodies located in the territory of another Member State of the European Union – this case applies only when a complaint is submitted to the NCSR that falls within the scope of activity of another self-regulatory body outside the Republic of Bulgaria. In this case, the NCSR refers the complaint to the European Advertising Standards Alliance (EASA) through its Cross-Border Complaints System. From that moment on, EASA’s rules on personal data protection shall apply. You can read those rules at: http://www.easa-alliance.org/about-easa/privacy-policy.
All self-regulatory bodies, members of EASA, guarantee that they maintain appropriate technical and organizational measures for the protection of personal data.
The receiving self-regulatory authority in whose jurisdiction the dispute falls is acting as the personal data controller during the processing of the complaint and the complaint file.
In the event that the dispute falls under the jurisdiction of a self-regulatory body outside the European Economic Area, and in particular Turkey, the NCSR must obtain the express consent of the complainant before sending the complaint file.
When sending the complaint/complaint file, the NCSR provides the receiving self-regulatory authority with the following information:
▪ Names, address and contact data of the complainant
▪ Country of the complainant
▪ Reference identification number in the country of the complainant
▪ Source of complaint (consumer, competitor / industry CC Plug-in, NGO, others)
▪ Country of origin of the media
▪ Country of origin of the advertiser
▪ Name of the advertiser 
▪ Country of origin of the self-regulatory authority
▪ Reference identification number in the country of origin
▪ Title of the advertising campaign
▪ URL address
▪ Complaint issue (misleading advertisement, personal data protection, social responsibility, taste and dignity, others)
▪ Summary of the complaint
▪ Product/service category
▪ Information for the advertisement
▪ Documents
• Copy of the complaint:
• Copy of the advertisement:
• Translation
• Copy of the letter to a competent self-regulatory authority
• Documents accompanying the investigation of the complaint

third parties – by exception and solely on the basis of contractual relations with the NCSR;

When providing personal data to a third party (the processor), the NCSR: 
Requires guarantees for compliance with the legal requirements and good practices for personal data processing;
Concludes a written agreement or another legal act with identical effect, which governs the obligations of the processor.
Strategy of the „National Council for Self-Regulation” Association for personal data protection

1. The „National Council for Self-Regulation” Association processes your personal data in compliance with the law. Personal data is processed only on the grounds provided for in Articles 6 and 9 of the Regulation and no exceptions shall be allowed in this respect.
2. The „National Council for Self-Regulation” Association aims to process your personal data in a transparent manner. Transparency restrictions are possible insofar as the purpose and meaning of the Regulation allow them.
Definitions

Within the meaning of this policy: 
„personal data“ means any information on the basis of which an individual can be identified, such as name, identification number, location data, online identifier, or by one or more features specific to the physical, physiological, genetic, psychological, mental, economic, cultural or social identity of that individual;
„data subject“ means the individual who can be identified as a result of the processing of the respective data;
„processing“ means any operation or set of operations carried out with personal data or a set of personal data by automatic or other means such as the collection, recording, organizing, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, dissemination, or otherwise making the data accessible, arranging or combining, limiting, deleting or destroying; 
„controller“ means a person who alone or jointly with other persons determines the purposes and means of the processing of personal data; the „National Council for Self-Regulation” Association has the capacity of a controller with regards to the personal data of the persons with whom it interacts to achieve its mission – participants in events; partners; sponsors; volunteers and others. All the personal data processed by the „National Council for Self-Regulation” Association is received voluntarily and within the framework of the respective relations;
„personal data processor“ means a person who processes personal data on behalf of the controller; partners and volunteers are in the capacity of processors of the personal data, which the „National Council for Self-Regulation“ Association has provided to them; however, by deviating from the instructions for handling of this data, processors may lose the capacity of „processors“ and acquire the capacity of „controllers“ with the associated increased duties and responsibilities;
Principles

During the processing of personal data, the „National Council for Self-Regulation” Association is guided by the following principles:
Personal data is processed lawfully and in good faith;
Personal data is collected and used for specific, well-defined and legitimate purposes;
Personal data must be relevant and not excessive;
Personal data must be correct and, where necessary, kept up to date;
Personal data must be stored no longer than necessary;
The rights of the data subjects must be respected;
Personal data must be stored securely, protected from unauthorized access, accidental loss or damage;
There must be a record of each data-related operation that identifies who processed the data, when and how.
Grounds for processing

The „National Council for Self-Regulation” Association processes personal data only if and to the extent that at least one of the following conditions applies:
 
a) the data subject has provided consent for the processing of his/her personal data by the „National Council for Self-Regulation” Association for one or more specific purposes; consent must be freely expressed, specific, informed and unambiguous; it can be expressed through a statement or by a clear affirmative action;
b) processing is necessary for the performance of a contract concluded between the „National Council for Self-Regulation” Association and the data subject, or for taking steps at the request of the data subject prior to the conclusion of a contract; 
c) processing is necessary to comply with a legal obligation that applies to the „National Council for Self-Regulation” Association; 
d) processing is necessary in order to protect the vital interests of the data subject or of another individual; 
e) processing is necessary for the performance of a task of public interest or for the exercise of official powers conferred on the „National Council for Self-Regulation” Association;
How is personal data stored and processed?

Personal data is stored on paper and in electronic form. Access to personal data is provided only to those NCSR representatives who need such access in order to achieve the goals described above or who are required by law to have access to personal data. 

The processing of personal data may include the collection, recording, organizing, structuring, storage, retrieval, consulting, use, and disclosure by transmission, publication on a website, or any other way in which personal data becomes available, sorting or combining, limiting, deleting or destroying. The NCSR uses a part of these types of personal data processing.
Data subjects’ rights


Right to be informed about who processes your data, how and why:
The NCSR publishes the relevant information on its website: http://www.nss-bg.org/  

Right of access:
You have the right to receive confirmation from the NCSR whether it is processing your personal data and, if so, you have the right to access it, you have the right to receive a free copy of the data (except in cases of excessive and repeated inquiries), and you have the right to receive a description of the main characteristics related to the processing of your personal data.


Right of rectification:
You have the right to rectify or request the NCSR to rectify, without undue delay, inaccurate, incomplete or outdated personal information.
Right of erasure
In certain cases, you may request that the NCSR delete your personal data without undue delay. For example, when:
(i) the data is no longer necessary for the purposes that it was collected and processed for;
(ii) you object to the processing;
(iii) if the data is processed unlawfully; or 
(iv) the data should be erased for the purpose of compliance with a legal obligation under the EU, the Bulgarian legislation or the legislation of another country.

The law provides for cases when the NCSR may refuse to delete your personal data.

Right to restriction of processing:
You may ask the NCSR to restrict the processing in the following cases:
1. When you challenge the accuracy of the personal data (the restriction applies for a certain period of time, which allows the accuracy of the data to be checked);
2. When the processing is improper but you do not want the data deleted, only restricted; 
3. When the NCSR no longer needs your personal data for processing purposes, but you request to receive the data in order to establish, exercise or defend legal claims;
4. When you object to the data processing and you expect the NCSR to verify whether the legitimate grounds for processing have priority over your interests. 

Right to object:
You have the right, at any time, on grounds relating to your particular situation, to object to the processing of your personal data. This right may only be exercised for your personal data processed on the basis of the legitimate interests of the NCSR. If the objection is well-founded, the NCSR will suspend the processing unless it shows that there are compelling legal grounds for the processing that have priority over your interests. 

Right to data portability:
You have the right to receive your personal data in a structured, widely used and machine-readable format for transfer to another data controller.

Right to lodge a complaint:
You have the right to file a complaint with the Personal Data Protection Commission (PDPC), which is the competent public authority in this field.
Right not to be subject to profiling
You have the right not to be the subject of a decision based solely on automatic processing.


Right of withdrawal of consent 
You have the right to withdraw your consent at any time by sending a written notice to the NCSR.


Right to compensation of damages
In case of breach of the data protection regulations, you are entitled to compensation for the damage caused.

Submission of a request or complaint

You can exercise your rights by sending a request or complaint in writing, by letter or email to the NCSR (e-mail: office@nss-bg.org), at any time, on the grounds of your particular case or circumstances, which you should indicate in the complaint.
The request or complaint should allow the data subject to be identified, and at least the following information must be provided when submitting them: 1) the three names of the data subject; 2) Personal Identification Number; 3) physical and/or e-mail address at which the subject wishes to receive a reply; 4) contact telephone; 5) description of the request (in free text). At the discretion of the subject, additional documents may be attached to the request or complaint.
The „National Council for Self-Regulation” Association has the obligation to consider your request within 1 month and to apply any provision of the Regulation conferring rights on data subjects that is applicable to it.
In the event that the data subject is not entitled to exercise his/her right, a representative of the „National Council for Self-Regulation” Association should send a well-founded refusal to the data subject within 1 month after receiving the request.

Time limits for the storage of personal data

The „National Council for Self-Regulation” Association applies the following time limits to personal data storage:

(i) 1 (one) year: 
all personal data provided by natural persons in connection with the registration of their complaint is stored for a period of 1 (one) year, after which it is transformed into nameless data (pseudonymized), unless there is a legal basis for further processing, such as a legal dispute;
personal data contained in working versions of documents;
personal data contained in records supporting internal processes in the „National Council for Self-Regulation” Association;
personal data provided by data subjects for the purpose of application for job recruitment announcements – in case that no labour agreement has been signed with the person concerned;
all other documents for which a longer storage period is not provided for in these Rules.
(ii) 50 (fifty) years: personal data for which there is a statutory obligation to be retained for such a period, including:
payrolls and the information related to them – for a period of 50 (fifty) years from January 1st of the reporting period following the reporting period to which they relate;
(iii) Until consent is withdrawn: All personal data provided for the purpose of communication and receipt of communications by the NCSR shall be stored until the moment in which the subject withdraws his/her consent for receiving messages from the NCSR. The data subject may withdraw his/her consent at any time.

Protecting Your Data

The „National Council for Self-Regulation” Association provides and maintains appropriate technical and organizational measures to protect personal data against unauthorized access or misuse and/or against its accidental loss, modification, disclosure, access and/or corruption or copying. These measures are intended to ensure the continued protection and privacy of personal data. The NCSR reassesses the measures on a regular basis in order to ensure continued security of the personal data.
The NCSR provides physical and logical protection of personal data as specified below.

Physical protection of the personal data

The „National Council for Self-Regulation” Association implements the following measures to ensure the physical protection of personal data:
restricts the physical access to the premises where personal data is stored (access is only provided to authorized representatives of the „National Council for Self-Regulation” Association within the scope of their duties through the use of locks and other means for physical access);
implements a “clean-desk” policy whereby all documents containing personal data should be stored in locked cabinets;
keeps its paper file archive in specially equipped rooms for its protection in the case of fire or flood;
the exchange of paper documents containing personal data with persons external to the „National Council for Self-Regulation” Association, is carried out only in sealed envelopes and through the use of authorized representatives and trusted subcontractors, etc.
strict compliance with the internal rules, according to which only a limited number of staff at the NCSR Secretariat are allowed to access and may add, delete or modify your data. The NCSR Secretariat does not disclose the personal data of the complainants to anyone.
Personal protection

The „National Council for Self-Regulation” Association applies the following measures to ensure the personal protection of personal data:
1. Prohibition on the sharing of critical information (identifiers, access passwords, and others) between staff and any other persons who are not authorized for this;
2. The NCSR has declared its consent to a non-disclosure obligation.

Logical protection of personal data

The „National Council for Self-Regulation” Association applies the following measures to ensure the logical protection of personal data:
It restricts logical access to information systems through which personal data is processed and stored (access is only provided to authorized representatives of the „National Council for Self-Regulation” Association within the scope of their duties by using individual usernames and passwords).
The present policy was adopted on 25.05.2018 and was amended on 20.11.2018. Any change in the policy will be announced by posting it on the website of the „National Council for Self-Regulation” Association at www.nss-bg.org.