PRIVACY POLICY AND PROTECTION OF PERSONAL DATA IN WINDBG OOD

     WINDBG Ltd is a commercial company registered in the Commercial Register of the Registration Agency under EIC 207189251, with headquarters and management address Varna 9000, Slivnitsa Blvd. No. 75, phones 0896742494, 0893679076, e-mail radoslav.kalchev@windbg.eu and onnik.merdinyan@windbg.eu, and website www.windbg.eu.

     WINDBG conducts educational activities based on the approval of courses, teachers and educational materials by the Global Wind Organization and in accordance with national and international legislation regarding training and additional qualification.

     WINDBG is a personal data controller within the meaning of the Personal Data Protection Act.

     This Privacy Policy is based on the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 regarding the protection of natural persons in the processing of personal data. In it you will find comprehensive information on the purposes, grounds and means of processing your personal data, the categories and types of personal data processed, the types of personal data registers maintained and the categories of recipients to whom they are provided in the performance of the Center's activities.

      

  1. Objectives and scope of the Policy

Art. 1. With this privacy and personal data protection policy, WINDBG takes into account the inviolability of the individual and makes efforts against unlawful processing of personal data of individuals. In accordance with the applicable legislation, WINDBG implements the required technical and organizational measures to protect the personal data of natural persons.

Art. 2. With this privacy and personal data protection policy, WINDBG aims to inform natural persons about the legal grounds and purposes of processing their personal data, the recipients to whom their data may be disclosed, the mandatory and voluntary nature of providing the data, as well as the consequences of refusing to provide such, the information about the right of access to their personal data, the right to correct and delete their personal data and the procedure for this, the right to information in the event of an infringement on the personal data of the staff or course participants detected by WINDBG.

 

  2. Terms and definitions

Art. 3. In terms of this Policy:

  1. Personal data is any information relating to a natural person who is identified or can be identified directly or indirectly through an identification number or through one or more specific features (names, address, e-mail address, health status data, etc.).
  2. Processing of personal data is any action or set of actions that can be performed with regard to personal data by automatic or other means, such as: collection, recording, organization, storage, adaptation or modification, recovery, consultation, use, disclosure by transmission, distribution, provision, update, combination, blocking, deletion or destruction.
  3. Register of personal data – a structured set of personal data accessible according to certain criteria.

  3. Personal data processed in WINDBG

Art. 4. (1) WINDBG, as a personal data administrator, processes categories of personal data structured in three registers (courses register, labor and financial-accounting register, and register of video recordings of educational classes).

(2) WINDBG collects and processes personal data provided by natural persons in connection with the provision of educational products, as well as for the preparation and conclusion of labor, civil, etc. types of contracts.

(3) WINDBG also processes personal data that was not received from the person to whom it relates, but was provided by a third party in connection with the provision of an educational product. In these cases WINDBG undertakes to: provide data for WINDBG; provide information about the purposes and categories of data provided and the categories of recipients of this data; and, upon official request, grant the right of access, correction and deletion of data to the person to whom it relates.

Art. 5. The categories of personal data provided for identification and in fulfillment of legal requirements, depending on the specific educational service (seminar, test, course), which are collected, processed and stored by WINDBG are:

  1. Physical identity: name, social security number, passport data, phone and email, health data.
  2. Social identity – education, citizenship, additional qualification, employment, internship.
  3. Data on the state of health: personal data related to the physical or mental health of an individual, including the provision of health services that provide information on his state of health;
  4. Data collected when paying to WINDBG - part of a credit or debit card number, bank account and other payment information collected and processed in connection with making a payment by bank transfer, EGN, three names of the student.

Art. 6. Data prepared and generated by WINDBG in the process of providing educational services:

- protocol for completed course

- certificate of completed course

- handling customer complaints

- results of written and practical exams, tests, etc.

- official notes and references in connection with the service used

- contracts, declarations, forms, invoices

  4. Processing of personal data

Art. 7. As a personal data administrator, WINDBG processes personal data as a set of actions that can be performed with respect to personal data by automatic and other non-automatic means, such as: collection, recording, organization, storage, adaptation, amendment, restoration, consultation, use, disclosure or transmission, distribution, provision, update or combination, blocking, deletion, destruction under the following principles:

  • Lawful processing, in good faith and in a transparent manner with respect to the data subject;
  • Are collected for specific and legitimate purposes and are not subsequently processed in a manner incompatible with these purposes (further processing for archiving or statistical purposes is not considered incompatible with the original purposes) ("purpose limitation");
  • Appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");
  • The data are accurate and, if necessary, kept up-to-date; all reasonable measures are taken to ensure the timely deletion or correction of inaccurate personal data, taking into account the purposes for which it is processed ("accuracy");
  • They are stored in a form that allows the identification of the data subject for a period no longer than is necessary for the purposes for which the personal data are processed; or for statistical purposes, when appropriate technical and organizational measures are applied, in order to guarantee the rights and freedoms of the data subject ("restriction of storage");
  • Processed in a manner that ensures an appropriate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, applying appropriate technical or organizational measures ("integrity and confidentiality");

WINDBG is responsible for, and able to demonstrate, compliance with these requirements ("accountability").

    WINDBG processes personal data independently, and the rights and obligations of the processors of personal data are regulated in internal company procedures, instructions and orders.

Art. 8 Purposes and legal grounds for processing personal data:

     8.1. When registering for training in a relevant course, test or methodological seminar, in connection with which WINDBG is obliged to identify its customers, request, check and store documents confirming compliance with the set entry standards for relevant training, such as:

- ID;

- diploma for completed education;

- certificate of legal capacity /if the person has one/;

- medical certificate of health fitness;

- certificates certifying compliance with qualification requirements;

- previous professional experience,

for which it keeps copies of the relevant documents, with the exception of identity documents (identity card and/or seaman's passport). The term of storage of the documentation is described in the relevant procedure under the QMS of WINDBG.

    8.2. In connection with the obligations for identification and automatic exchange of information for the purposes of administration of the conducted training, WINDBG discloses data of course participants to third parties (National Revenue Agency, Ministry of Internal Affairs), according to the established requirements of the national legislation.

    8.3. Preparation of proposals for trainings and provision of information to the client about services used by him

    8.5. Provision of information about the client and services used by him upon inquiry/request/verification by a competent authority

    8.6. For issuing payment documents

    8.7. For certification of age, education, qualification and health fitness when concluding an employment contract.

    8.8. For personnel under employment and civil contracts – tax insurance control by the relevant competent authorities.

    8.9. To update personal data of students;

    8.10. To analyze customer history and prepare a user profile;

    8.11. For servicing and responding to inquiries and complaints;

    8.12. To carry out processing by data processors - assignment, reporting, acceptance, payment;

    8.13. To ensure protection and security of WINDBG resources;

    8.14. Provision of information to the Consumer Protection Commission and the Personal Data Protection Commission in connection with the fulfillment of obligations arising from the relevant laws.

    8.15. Provision of information to the court and third parties within the framework of court proceedings.

    Art. 9. The processing of personal data by WINDBG is permissible, in addition to cases where it is necessary for the fulfillment of a legally established obligation of WINDBG as a personal data controller, when the natural person to whom the data refers has expressly given his consent, or when the processing is necessary for the performance of obligations under a contract to which the natural person to whom the data refers is a party, as well as for actions preceding the conclusion of a contract and taken at the request of the person.

     Art. 10. WINDBG Ltd processes the relevant data provided with the express written consent of the client for their processing for the following purposes:

     - to include name, photographs, video recordings and other forms of presence in advertising and media publications of WINDBG as a result of customers' participation in courses, etc.

      - to receive and/or provide information/offers for products and services of third parties, if such information is expressly requested by the person or if the person has expressed his consent to receive such information.

      Art. 11. WINDBG Ltd processes personal data for the purposes of the following legitimate interests:

       - profiling of customers for the purposes of direct marketing in order to make offers upon expiration of certificates or requirements for new training, as a result of current regulatory changes;

       - measurement and evaluation of the achieved key indicators – conducted courses and trained course participants from the relevant categories, measuring the effectiveness of advertising;

       - preparation of the information published on the website of WINDBG;

       - preparation and storage of statistical information

  5. Consequences of refusal to provide personal data

Art. 12. Explicit consent of the natural persons whose data is processed is not required when the provision of the data is required on a regulated legal basis: CSR, CT, Accounting Act, VAT Act, internal rules for payment of courses at the cash desk or by bank transfer, and other regulatory documents.

Failure to provide personal data prevents WINDBG from:

- concluding labor and civil contracts;

- enrolling a student in a course without presenting the mandatory documents proving compliance with the entrance standards;

- issuing the relevant payment documents.

Art. 13. The data and documents required by employees processing personal data are in accordance with the educational products offered by WINDBG and are mandatory. In case of refusal to voluntarily submit required personal data, WINDBG will not be able to provide its educational product, prepare and conclude a contract.

  6. Disclosure of Personal Data

Art. 14. As a personal data controller, WINDBG has obligations and the right to disclose processed personal data only to the following categories of persons:

  1. the natural person to whom the data refer;
  2. persons for whom the right of access is provided for in a regulatory act or
  3. persons for whom the right arises by virtue of a contract.

Categories of third parties that access and process your personal data:

Art. 14.1. Personal data processors who, based on a legal requirement, have direct/indirect access to your personal data:

- Global Wind Organization;

- NRA;

- transport companies - when providing transport in a relevant course - names of the course participant/instructor;

- persons maintaining equipment and software used to process personal data;

- banks servicing payments made by customers;

- licensed security companies processing video recordings from WINDBG facilities;

- persons providing services for organizing, storing, indexing and destroying archives on paper and/or electronic media;

- persons performing consulting and auditing services in various fields.

Art. 14.2. Other personal data controllers to whom WINDBG provides personal data, processing the data on its own basis and on its own behalf:

- Competent authorities that, by virtue of a normative act, have the authority to demand from WINDBG the provision of information, including personal data, for example: a Bulgarian court or a court of another country, various supervisory, regulatory authorities, authorities with powers to protect national security and public order.

- Insurers – when concluding insurance, when concluding an employment contract

Art. 15. Rights of customers and employees of WINDBG Ltd in connection with the processing of personal data and actions for their exercise:

15.1. Access to personal data and to information of the type described in this Personal Data Privacy Policy, and requesting information from WINDBG Ltd on what types of data are processed and for what purposes;

15.2. Correcting personal data when it is inaccurate and/or incomplete in view of the purposes of the processing;

15.3. Deletion of personal data, but only in the following cases:

- upon expiry of the period for which it is legally established that they must be stored by WINDBG Ltd, and the same are no longer needed for the purposes for which they are processed;

- withdrawal of consent for their processing;

- the processing of personal data is recognized as illegal;

- national or European legislation requires this.

15.4. Limiting the processing of personal data in any of the following cases:

- when disputing the accuracy of personal data for the period necessary for WINDBG Ltd to check their accuracy;

- unlawful processing has been found, but the person has stated a desire only to limit the processing rather than complete deletion;

- stated desire to store the personal data, even though WINDBG Ltd no longer needs them for the purposes of processing and due to the expiration of the established terms for their collection, as they will be used to establish, exercise and defend legal claims;

- in the event of an objection to the processing of personal data for the period of the verification of its validity.

15.5. Request for transfer of provided personal data, including receiving it from WINDBG Ltd in a structured, widely used and machine-readable format and transferring it to another personal data controller.

The right to portability concerns personal data for which the following conditions apply:

- data processing is based on express written consent or a contractual obligation

- the processing is carried out in an automated way

15.6. Objection to WINDBG at any time and for personal reasons in view of the specific situation against the processing of personal data that relate to the person concerned, and which is based on the need to perform a task of public interest or in the exercise of official powers, which have been provided to us, or which we have indicated that we are processing in our legitimate interest.

    When the objection raised is against the processing of personal data for the purposes of direct marketing, including profiling for this purpose, WINDBG Ltd will terminate their use for this purpose.

    When the objection raised is against the processing of personal data for other purposes, WINDBG Ltd will respond within 15 working days whether it considers the same to be justified and, accordingly, whether it has stopped the processing of the relevant personal data for these purposes.

15.7. Withdrawal of consent to the processing of personal data at any time when their processing is based only on the consent of the person and not on a legally established requirement, after stating an express desire in writing.

15.8. Sending a complaint to the Commission for the Protection of Personal Data, in case the rights of the person in connection with the processing of personal data are violated by WINDBG Ltd.

Art. 16. WINDBG Ltd, as a personal data administrator, has the right to refuse deletion of personal data when the processing of the specific data is for the purpose of:

       - exercising the right to information;

       - fulfilling legal obligations and requirements;

       - archiving for statistical purposes;

       - establishing, exercising or defending legal claims.

  Art. 17. Obligations of WINDBG Ltd in the event of a breach of personal data security

  17.1. In the event of a violation of the security of personal data, WINDBG notifies the CPLD in writing, not later than 72 hours after the violation is established, in accordance with Art. 33 of Regulation 2016/679.

  17.2. In the event that the personal data security breach identified by WINDBG Ltd is likely to create a high risk for the rights and freedoms of natural persons, WINDBG notifies the data subject of the discovered security breach in accordance with Art. 34 of Regulation 2016/679.