PRIVACY POLICY

Approved by: ……………..
Manager
“AVE BULGARIA LOGISTICS” LLC

PRIVACY AND PERSONAL DATA PROTECTION POLICY OF “AVE BULGARIA LOGISTICS” LLC

INTRODUCTION

“AVE BULGARIA LOGISTICS” LLC (hereinafter the “Company” or the “Controller”) is a limited liability company registered in the Commercial Register with the Registry Agency under UIC 203003174, with registered office and address of management: Sofia, “Studentski” district, “Malinova dolina” residential complex, bl. 29, entrance “V”, as well as head office at: Sofia, 9 “Vitoshki kambani” St., 3rd floor. The company website is www.avebulgaria.com.

“AVE BULGARIA LOGISTICS” LLC’s main business activity is “Forwarding and transport transactions in the country and abroad,” and the Company may carry out any other activity not prohibited by law. As a freight forwarder, the Company operates mainly in Europe and Asia, and organizing transports to America is not uncommon. It does not own transport vehicles; carriage of the assigned cargo is organized through subcontractors: road carriers, airlines, and shipping lines. The services offered are specialized and related to the core activity: transport of goods by air, land and sea, customs representation, organization of urgent shipments, “Onboard Courier,” consolidation, handling, packaging, distribution, as well as consulting services related to these activities: transport (unimodal or multimodal), consolidation, warehousing, handling, packaging or distribution of goods and cargo, and the provision of consulting services connected thereto. Forwarding services also include logistics services carried out through modern technologies related to the transport, handling or storage of goods and cargo, i.e., end-to-end supply chain management. In cases of storage, subcontractors with their own warehouses are again used.

“AVE BULGARIA LOGISTICS” LLC is a personal data Controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter the “GDPR”), and the Bulgarian Personal Data Protection Act (hereinafter the “PDPA”).

With this Privacy and Personal Data Protection Policy (hereinafter the “Policy”), “AVE BULGARIA LOGISTICS” LLC recognizes the inviolability of the individual and endeavors to protect against unlawful processing of personal data of natural persons. In accordance with Bulgarian legislation, the GDPR, and best practices, “AVE BULGARIA LOGISTICS” LLC has taken the necessary technical and organizational measures to protect the personal data of natural persons.

Familiarization with this Policy prior to using our services is necessary, since the provision of services involves the collection of certain categories of personal data that “AVE BULGARIA LOGISTICS” LLC needs to fully provide the services.

PURPOSES AND SCOPE OF THE POLICY

With this Privacy and Personal Data Protection Policy, “AVE BULGARIA LOGISTICS” LLC aims to inform natural persons regarding:

  • the purposes and means of processing personal data;

  • the recipients or categories of recipients to whom the data may be disclosed;

  • the legal basis for processing personal data (the mandatory or voluntary nature of providing the data), as well as the consequences of refusing to provide them;

  • information about the right of access, the right to rectification and erasure of the collected data.

TERMS AND DEFINITIONS

“Personal data” – any information related to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Special categories of personal data” – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

“Processing” – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organizing, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Controller” – any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU law or by the law of a Member State, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law.

“Joint Controllers” – where two or more Controllers jointly determine the purposes and means of processing personal data, they are joint Controllers.

“Processor” – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

“Register” – any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.

“Data subject” – any living natural person who is the subject of personal data stored by the Controller.

“Data subject’s consent” – any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

“Child” – the GDPR defines a child as anyone under the age of 16, although this may be reduced to 13 under Member State law. The processing of a child’s personal data is lawful only if a parent or guardian has given consent. The Controller makes reasonable efforts to verify, in such cases, that the holder of parental responsibility for the child has given or authorized consent.

“Profiling” – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

“Personal data breach” – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“Main establishment” – the Controller’s headquarters in the EU will be the place where it takes the main decisions as to the purposes and means of its data processing activities. For a Processor, its main establishment in the EU will be its administrative center. If the Controller is established outside the EU, it must designate its representative in the jurisdiction in which the Controller operates to act on its behalf and liaise with supervisory authorities.

“Recipient” – a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as “recipients”; the processing of those data by those public authorities shall comply with applicable data protection rules according to the purposes of the processing.

“Third party” – any natural or legal person, public authority, agency or body other than the data subject, the Controller, the Processor and persons who, under the direct authority of the Controller or Processor, are authorized to process personal data.

“Data Discloser” – a party to a contract that transmits to a Recipient personal data of natural persons which it processes.

LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA, SOURCES OF PERSONAL DATA, AND RETENTION PERIOD

“AVE BULGARIA LOGISTICS” LLC processes personal data on the following grounds:

  • Based on the data subject’s freely given, informed and explicit consent;

  • Where there is a legal obligation to process the data;

  • Upon conclusion or performance of a contract, as well as actions preceding the conclusion of a contract;

  • Where necessary to protect the vital interests of the natural person or the legitimate interest of the Controller, provided it does not conflict with the lawful interests of the natural person.

“AVE BULGARIA LOGISTICS” LLC processes personal data provided by employees, assignors, suppliers, clients, counterparties and other natural persons to whom the data relate in connection with the provision of services within its scope of activity, as well as for the preparation and conclusion of contracts.

“AVE BULGARIA LOGISTICS” LLC also processes personal data that were not obtained from the natural person to whom they relate, but were provided by a third party in connection with a specific service, whereby the person providing these data to “AVE BULGARIA LOGISTICS” LLC undertakes to:

  • provide the third party with the Controller’s details;

  • inform the third party of the purposes, the categories of data provided and the categories of recipients of those data;

  • provide information on the right of access and rectification of personal data of the person to whom the data relate.

Personal data are stored for a period necessary according to the purposes for which they were collected or for a period established by a statutory act.

MEANS, PRINCIPLES AND PURPOSES OF PROCESSING

“AVE BULGARIA LOGISTICS” LLC processes personal data through a set of actions that may be performed by automated or other non-automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, provision, updating or combination, blocking, erasure and destruction.

“AVE BULGARIA LOGISTICS” LLC processes personal data independently or by assigning processing to Processors, by written contract determining the purposes and scope of the obligations assigned by the Controller to the Processor, provided there is a relevant legal basis in accordance with the requirements of the GDPR/PDPA. Processors on behalf of “AVE BULGARIA LOGISTICS” LLC may be, for example, the Controller’s employees, whose rights and obligations in relation to the processing of personal data are duly regulated in the Controller’s internal acts as well as in the respective job descriptions. Processors may also be third parties outside the Controller’s structure to whom personal data processing has been assigned on behalf of the Controller.

The listed processing activities are carried out in compliance with the following principles:

  • lawfulness, fairness and transparency of personal data processing;

  • purpose limitation of personal data processing;

  • data minimization (proportionality) in personal data processing;

  • accuracy and up-to-dateness of processed personal data.

In connection with statutory obligations and pre-contractual and contractual relations, in carrying out its activity, “AVE BULGARIA LOGISTICS” LLC processes personal data of its employees, clients and third parties for the following purposes:

  • administration of employment relations: personal data of job applicants and employees regarding an existing employment relationship (processing most often results from the Controller’s statutory obligations arising from the specifics of the legislation governing its activity, financial-accounting activity, pension, health and social insurance activity, human resources management, automatic exchange of information in the field of taxation and others);

  • administration of contractual relations and organization of transport and related services: personal data of persons prior to a service contract and of clients (including where explicit consent is given or processing is necessary for the performance of obligations under a contract to which the natural person is a party, as well as actions preceding the conclusion of a contract and undertaken at the request of the person).

CATEGORIES OF PERSONAL DATA PROCESSED

Categories of personal data that “AVE BULGARIA LOGISTICS” LLC processes to carry out its activity:

  • Related to the physical identity of natural persons – name, Unified Civil Number (EGN), passport data, driver’s license data, address, phone, e-mail, etc.;

  • Related to economic identity – property and financial status, participation and/or ownership of shares, securities in companies, presence of public liabilities, data necessary for identification for the purposes of the tax legislation of the jurisdiction where the person is a tax resident, tax identification number issued by that jurisdiction, functions of controlling persons, etc.;

  • Related to social identity – education, employment, citizenship, permanent residence;

  • Related to family identity – marital status, family relations, etc.;

  • Personal data relating to health status – processed in connection with the administration of employment relations in the Company.

Personal data relating to the health status of employees or job applicants are processed only in connection with the performance of statutory obligations of “AVE BULGARIA LOGISTICS” LLC in the field of labor and social security legislation, in compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and/or a legal act of the Republic of Bulgaria governing the matter.

“AVE BULGARIA LOGISTICS” LLC does not process personal data that:

  • reveal racial or ethnic origin;

  • reveal political, religious or philosophical beliefs, membership in political parties or organizations, associations with religious, philosophical, political or trade union purposes;

  • relate to genetic and biometric data processed solely for the purpose of identifying a natural person;

  • relate to a natural person’s sex life or sexual orientation or to the human genome.

REGISTERS

“AVE BULGARIA LOGISTICS” LLC maintains the following registers of personal data processing activities:

  • Personnel

  • Counterparties

  • Clients

  • Video surveillance

RIGHTS OF DATA SUBJECTS

Right to information, access to personal data, and data portability

The data subject has the right to information about the purposes of processing his or her personal data, provided at the time of collection and upon subsequent change of the processing purposes.

The data subject has the right to request confirmation as to whether his or her personal data are being processed and to receive information regarding the type of personal data processed by “AVE BULGARIA LOGISTICS” LLC that personally concern him or her. This information shall be provided regardless of where the personal data are processed. The data subject may submit a request for access to personal data to the Controller, including through the Data Protection Officer (DPO) of “AVE BULGARIA LOGISTICS” LLC.

Where the processing of personal data is carried out by automated means, the data subject also has the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used, machine-readable and interoperable format, and to transmit those data to another controller. This right applies when the data subject has provided the personal data on the basis of his or her consent or the processing is necessary due to a contractual obligation. The right does not apply when the processing is based on a legal ground other than consent or contract. When exercising this right, “AVE BULGARIA LOGISTICS” LLC assists the subject by providing, where possible, the personal data processed for him or her in the desired format, which must be structured, commonly used and machine-readable. This information is provided by “AVE BULGARIA LOGISTICS” LLC to the subject in accordance with established rules and statutory requirements.

Right to rectification

If the stored personal data are inaccurate or incomplete, the data subject may request that they be corrected.
Data subjects are responsible for providing accurate personal data to the Controller. In addition, the data subject should inform the Controller of any relevant changes in his or her personal data, including but not limited to changes in address or name.

Restriction of processing

At any time during the processing of personal data, the data subject may ask the Controller to restrict the use of his or her personal data for part or all of the processing purposes for which the subject has given consent.

The data subject has the right to request that the Controller restrict the processing of his or her data in the following cases:

  • the accuracy of the personal data is contested by the data subject, for a period enabling verification of the accuracy of the personal data;

  • the processing is unlawful, but the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

  • the Controller no longer needs the personal data for the purposes of the processing, but the data are required by the data subject for the establishment, exercise or defense of legal claims;

  • the data subject has objected to processing pending the verification whether the Controller’s legitimate grounds override those of the data subject.

When processing has been restricted pursuant to the conditions in the previous paragraph, such data shall, with the exception of storage, be processed only with the data subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person, or for reasons of important public interest.

Refusal of a request for information, rectification, or restriction of processing

If a request for information, rectification, or restriction of processing is refused, the data subject shall be informed of the reason for the refusal.
The refusal is issued in the same form as the request submitted by the subject and shall be reasoned.

Right to erasure (“right to be forgotten”)

The data subject has the right to request the Controller to erase personal data concerning him or her, and the Controller has the obligation to erase them without undue delay where:

  • the data are no longer necessary for the initial purpose and there is no new lawful purpose;

  • the lawful basis for processing is the data subject’s consent and he or she withdraws that consent, and there is no other legal basis for processing;

  • the data subject objects to the processing and there is no other legal basis for processing;

  • the personal data have been unlawfully processed;

  • the personal data must be erased in order to comply with a legal obligation under the legislation applicable to the Controller;

  • the personal data have been collected in relation to the offer of information society services to a child data subject.

When exercising this right, the Controller informs the subject how the erasure will affect their relationship going forward.

The right to erasure shall not apply insofar as processing is necessary:

  • for compliance by the Controller with a legal obligation requiring processing under applicable legislation; or

  • for the establishment, exercise or defense of the Controller’s legal claims.

Right to object

The data subject has the right to object to the processing of personal data concerning him or her. The Controller shall cease processing personal data unless it demonstrates that there are compelling legitimate grounds for the processing to continue.

In addition, every data subject has the right to object if his or her personal data are used for advertising purposes (direct marketing) or for market or public opinion research. In such case, the personal data shall be blocked and not used for the relevant purposes.

Withdrawal of consent to personal data processing

The data subject has the right to withdraw his or her consent to the processing of personal data at any time by a separate request addressed to the Controller.
The Controller informs the subject how the erasure will affect their relationship going forward.

Requests and complaints. Remedies available to the data subject

The data subject has the right to submit requests and complaints to the Controller related to the processing of his or her personal data, to which the Controller responds in accordance with the adopted procedure.

To exercise these rights, the data subject contacts the Controller through a free-text request or by using forms adopted by the Controller, sent to the e-mail office@viptrans.org or by letter to the address: Sofia, Krasno Selo district, 40 “Praga” Blvd., floor 1, to which the Controller responds in accordance with established rules and statutory requirements.

Right to express consent to the processing of his or her personal data

The Controller accepts that consent is present only in cases where the data subject has been fully informed about the planned processing and has expressed his or her consent without being pressured. Consent obtained under pressure or based on misleading information is not a valid basis for processing personal data.

Consent cannot be inferred from a lack of response to a message to the data subject. There must be active communication between the Controller and the subject for consent to exist. The Controller must be able to demonstrate that consent for the processing activities has been obtained.

In most cases, consent to the processing of personal data is obtained by the Controller using standardized consent documents, for example, but not limited to: when signing a contract, during recruitment, upon employment of an employee.

When processing personal data of children, the Controller must obtain authorization from the holders of parental responsibility (parents, guardians, etc.). This requirement applies to children under 16 years of age (unless the Member State has provided for a lower age limit, which may not be lower than 13 years).

Right of representation

The data subject may authorize another person to exercise the rights under Sections 8.1 to 8.8 of this Policy.
The authorization must be explicit and made in writing.
On each exercise of the data subject’s rights, the representative is obliged to present a copy of his or her power of attorney to the Controller or to the Processor acting on behalf of the Controller.

GENERAL PRINCIPLES RELATED TO THE PROCESSING AND SECURITY OF PERSONAL DATA

Lawfulness of processing

The processing of personal data is permissible only if the data subject has consented to it, if there is a legal obligation to process the data, upon conclusion or performance of a contract, where necessary to protect the vital interests of the natural person or the legitimate interest of the Controller, provided it does not conflict with the lawful interests of the natural person. The lawfulness of processing personal data is a precondition for the transfer of personal data.

Consent must be declared in writing or on the basis of other legally permissible means, and the data subject must be informed in advance of the purpose of the processing and the possibility of transferring personal data to third parties. Where consent is included in other declarations, the granting of consent is emphasized so that it is clear to the data subject.

Purpose specification

Personal data may be collected only for the exhaustively listed purposes and may not be processed for purposes other than those provided.
The purpose of collecting and processing the data must be observed by the Controller in any further processing and storage of such data.
Changes in purpose are permissible only with the data subject’s consent or if this is permitted by the domestic law of the respective country from which the personal data were obtained.

Data minimization

The processing of personal data must be necessary for the intended purpose.
Where possible and cost-effective for the intended protective purpose, options for anonymization or pseudonymization of personal data should be used at an early stage.

Data quality

Personal data must be factually correct and, where necessary, kept up to date.
The Controller takes appropriate and reasonable measures to correct or delete incorrect or incomplete data.

Data security

The Data Controller implements appropriate technical and organizational measures to ensure the required level of data security.
These measures relate in particular to computers (servers and workstations), networks and communication links and applications, and are incorporated into the IT security management system through appropriate measures to protect such data from accidental deletion, unauthorized deletion or loss (information in this regard is presented in Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union).

Confidentiality of processing

Only authorized personnel who have committed to comply with data confidentiality requirements are allowed to participate in the processing of personal data.
Employees are prohibited from using such data for personal purposes or providing them to unauthorized companies and third parties. Unauthorized use in this context also includes the use of personal data by employees who do not need access to such data to perform their job duties.
The obligation of confidentiality continues to apply after the termination of employment / civil / service relationships with the Controller.

SECURITY MEASURES FOR PERSONAL DATA

“AVE BULGARIA LOGISTICS” LLC ensures the security of personal data in accordance with the principles set out in the GDPR/PDPA by taking appropriate and sufficient technical and organizational measures to protect data from loss, theft, misuse, as well as from unauthorized access, disclosure, alteration or destruction.

Technical measures for the protection of personal data

To ensure sufficient protection of processed personal data, “AVE BULGARIA LOGISTICS” LLC uses technical measures such as, but not limited to, anti-virus protection, a firewall, encryption options, and others.
The Controller defines secure zones for storing physical media containing personal data, with access determined according to procedural rules.
The Controller introduces the following measures to limit access to physical data media—for example, but not limited to: installing high-security locks on the doors of the Controller’s office and on the doors providing access to the building where the office is located; locking cabinets containing paper-based data media.

Organizational measures for the protection of personal data

“AVE BULGARIA LOGISTICS” LLC adopts internal rules that determine the sensitivity levels of processed personal data (information), based on which separate categories of personal data are created and processed for specific purposes. Separate categories of personal data are grouped into personal data registers. The internal rules determine both the order of access to these registers and the persons who have the right to access them, respectively to process the personal data stored in them.

The Controller adopts procedural rules determining measures and the order for physical access and protection of personal data, which are mandatory for all employees who process personal data.

All personal data should be accessible only to those employees / processors whose duties include processing the specific data, and access is exercised only in accordance with the adopted internal access control rules.

All employees of the Controller are responsible for ensuring security in the storage of the data they process, and for ensuring that the data are stored securely and are not disclosed under any circumstances to third parties, unless the Controller has granted such rights to those third parties under a written contract or a confidentiality clause.

The Controller introduces a “clean desk” policy, with which all employees who process personal data are familiar and comply. Paper records must not be left where they can be accessed by unauthorized persons and may not be removed from designated secure premises without express permission. As soon as paper documents are no longer necessary for the current work in processing personal data, they must be archived in the appropriate manner, and if there is no basis for their archiving, they must be destroyed in accordance with the established procedure.

Personal data may be deleted or destroyed only in accordance with the procedure adopted by the Controller. Paper records whose processing period has expired shall be shredded and destroyed as “confidential waste.” Data on the hard drives of unused personal computers must be erased or the drives destroyed, in accordance with the established procedures.

The processing of personal data outside the Controller’s premises is carried out according to the relevant procedural rules and is permissible with the express written consent of the immediate supervisor of the personal data processor or of the Controller.

By internal act, the Controller determines the rules for controlling the separation of personal data. These rules contain measures to ensure that data collected for different purposes can be processed separately by authorized employees/persons.

In connection with measures ensuring the protection of personal information against accidental destruction or loss, the Controller defines procedures for restoring the availability of personal data after a physical or technical incident. To fulfill these obligations, the Controller provides the necessary technical means such as, but not limited to, servers, computer network, cloud storage.

DATA PROTECTION OFFICER

“AVE BULGARIA LOGISTICS” LLC appoints a Data Protection Officer (DPO). The DPO is an internal person at the Controller. The role of this person is to monitor compliance with this Policy within the Controller’s enterprise and to ensure the ability to demonstrate the compliance of personal data processing with data protection legislation.

The DPO develops and implements the data protection requirements in accordance with the provisions of this Policy. The DPO manages security and risk regarding compliance with this Policy.

The DPO is responsible for administering and processing requests and complaints submitted by data subjects to the Controller. The DPO provides the Controller’s employees with the necessary explanations regarding compliance with personal data protection.

The DPO periodically prepares and presents reports to the Controller regarding the application of this Policy, the regulatory provisions governing personal data protection, as well as the compliance of the personal data protection ensured within the enterprise with the regulatory requirements in this field.

STORAGE, DESTRUCTION AND INVENTORY OF PERSONAL DATA

Storage

“AVE BULGARIA LOGISTICS” LLC does not store personal data in a form that permits identification of data subjects for a period longer than necessary for the processing for which the data subject’s consent has been given and for the purposes for which they were collected. Storing personal data for a longer period is also permissible without the explicit consent of the data subject if provided for by a statutory act of domestic legislation or EU law.

The Controller may store data for a longer period than necessary for the processing for which consent has been given in cases where personal data will be processed for archiving purposes in the public interest, scientific or historical research, and for statistical purposes, and only with the implementation of appropriate technical and organizational measures to guarantee the rights and freedoms of the data subject.

The retention period for each category of personal data, grouped in a separate register, is determined in a procedure adopted by the Controller. This procedure specifies the criteria used to determine the retention period, including any legal obligations imposed on the Controller regarding data storage.

The procedure for data storage and destruction, as well as the rules for destroying information on physical media, applies in all cases.

Destruction

Personal data must be securely destroyed in accordance with the principle of ensuring an appropriate level of security and the procedure adopted by the Controller.
Compliance with the procedure is mandatory to guarantee protection against unauthorized or unlawful processing and against accidental loss, destruction or damage to the data, by applying appropriate technical or organizational measures.

Inventory and risk assessment

The Controller performs data inventory and risk assessment as part of its approach to addressing possible risks in processing the collected personal data.
During the data inventory and processing, a risk assessment of personal data is carried out, the methodology and elements of which are regulated by a procedure adopted by the Company. Determining risks according to this methodology also applies to processing undertaken by other persons/organizations on behalf of the Controller.

Where it is established that a type of processing may lead to a high risk to the rights and freedoms of natural persons, in particular through the use of new technologies, and taking into account the nature, scope, context and purposes of the processing, before proceeding with processing, the Controller performs a Data Protection Impact Assessment (DPIA) in accordance with the procedure adopted by the Company for impact assessment with respect to data protection and the methodology laid down therein for carrying out the impact assessment.

Where the DPIA has established/indicated that the processing operations lead to a high risk which the Controller cannot mitigate with appropriate measures considering available technology and implementation costs, prior to processing, consultation with the supervisory authority (the CPDP – Commission for Personal Data Protection) shall be carried out.

The DPO performs periodic review of the initially inventoried data and revises the information entered in the “Record of Processing Activities” in view of any changes in the Controller’s activities.

TRANSFER OF PERSONAL DATA TO THIRD PARTIES

The personal data Controller has the right to disclose processed personal data only to the following exhaustively listed categories of persons:

  • the natural persons to whom the data relate;

  • persons whose right of access is provided for in a statutory act; or

  • persons whose right arises under a contract.

For the purpose of providing services, the Controller discloses information/necessary personal data for the performance of a contractual obligation undertaken towards the data subject. The Controller provides personal data to third parties who provide services on its behalf based on an explicit written instruction/written contract. These third parties are not entitled to use or disclose the data beyond the purposes for which they were provided, except when necessary to perform services on behalf of the Controller or to comply with legal requirements. The purposes for processing the personal data provided are expressly defined in the written instruction/written contract under which the data were provided to the third party. The third parties (personal data processors) are obliged to ensure the necessary technical and organizational measures for the protection of the personal data, equal to or greater than those provided by the Controller.

The Controller discloses personal data to its subsidiaries and joint partners based on an explicit written instruction or written contract. These persons may use the information for the purposes described in this Privacy Policy. With the data subject’s explicit consent, the data may be shared with third parties under a written contract for their own purposes, such as offering products and services that may be of interest to the data subject.

The Controller discloses personal data to competent authorities/persons for the purpose of organizing the protection of its legal rights and interests when initiating order for payment, arbitration, safeguard, claim and other proceedings.

The Controller discloses personal data about subjects whose personal data it processes when it is obliged to do so by law, subordinate legal act, international treaty or an act of EU law, or in connection with judicial proceedings, in response to a request from state authorities (e.g., law enforcement or investigative authorities), or in case of suspected serious and unlawful infringement of the legal rights and interests of data subjects.

TRAINING

Taking into account the regulation of personal data protection and the enhanced measures introduced by the GDPR/PDPA, “AVE BULGARIA LOGISTICS” LLC recognizes the need for initial and subsequent training of its personnel whose duties include processing personal data of natural persons on behalf of the Controller.

The initial and subsequent trainings aim to inform employees about the established rules and procedures for compliance with this Policy and the applicable legal framework in the field of personal data protection, as well as other issues related to personal data protection and privacy.

Through employee training, the goal is to achieve awareness of existing or newly arising requirements regarding personal data protection, as well as the measures taken by the Controller in accordance with them.

OBLIGATIONS AND ROLES

The Data Protection Officer monitors the proper allocation of responsibilities of employees in relation to data protection in accordance with the Controller’s rules and procedures for processing personal data.

The DPO must ensure that all employees who have ongoing duties related to personal data and processing operations, as well as those with permanent/regular access to personal data, demonstrate compliance with personal data protection requirements.

Employees must be able to demonstrate competence in their understanding of compliance requirements and how they are applied within the Controller’s organization.

The DPO is responsible for ensuring that these employees are informed about all issues related to personal data in accordance with the scope of their professional duties by organizing ongoing training when there is a change in the data protection legal framework or in the Controller’s scope of activity, as well as when introducing new procedures/measures for personal data protection by the Controller.

The Controller encourages training and awareness measures by providing the necessary resources and facilities.

The DPO acquaints and informs employees about the importance of data protection in performing their direct duties and in accordance with their role in the organization.

The DPO makes efforts and undertakes activities to ensure that employees understand how and why the rules and procedures are applied in the Controller’s organization for personal data processing, for which he/she compiles the relevant reports/protocols.

The DPO participates in the development of training and awareness programs both for all personnel and for each specific role in the organization that relates to personal data processing.

The DPO creates a system for periodic verification of awareness and for updating employees’ knowledge in connection with changes in data protection requirements.

Employees have the right to access specific training on personal data processing related to their permanent job roles and responsibilities and in accordance with the rules and procedures adopted by the Controller.

Employees have the right to access specific training on all information security requirements and procedures applicable to data protection and data processing within their daily job roles and responsibilities, including reporting personal data breaches.

Employees receive training on handling requests and complaints from data subjects related to personal data protection and processing, in accordance with the Controller’s rules and procedures.

The DPO organizes training for all responsible persons and employees.
The DPO documents each training conducted by preparing a list/protocol of attendees at the respective trainings, held at an appropriate time according to the Controller’s activity.

Initial training of employees is conducted upon the entry into force of this Policy, as well as upon hiring new employees whose job duties include personal data processing.
Subsequent trainings are conducted periodically (at least once every 6 months) or when there is a change in the data protection legal framework or a change in the Controller’s scope of activity regarding personal data processing, or when introducing new measures/procedures for protection.

FINAL PROVISIONS

This Policy was updated and adopted by the managers of “AVE BULGARIA LOGISTICS” LLC on 02.09.2024 and is in force from the same date.

Data subjects may familiarize themselves with this Policy at the office of “AVE BULGARIA LOGISTICS” LLC: Sofia, 9 “Vitoshki kambani” St., 3rd floor.

The Data Protection Officer at “AVE BULGARIA LOGISTICS” LLC is:
Name: Vesela Slavchova Stoykova
Address: village of Bistritsa, Sofia Municipality, 6 “Shibil” St.
E-mail address: vesela.stoykova@avebulgaria.com