Internal Rules

For the collection, processing, and protection of personal data in

“eJeudi” LTD., UIC 206033660

Chapter One

General Rules

Art. 1 (1) These internal rules apply to the collection and processing of personal data within the meaning of the Personal Data Protection Act and are issued on the basis of art. 23, paragraph 4 of the Law on Protection of Personal Data and art. 19, item 2 of Ordinance No. 1 of 30.01.2013 on the minimum level of technical and organizational measures and the permissible type of protection of personal data, regarding Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter only “Regulation 2016/679” or “GDPR”).

(2) The processing of personal data is any action or set of actions that may be carried out with regard to personal data by automatic or other means, such as collection, recording, organization, storage, adaptation or alteration, restoration, consultation, use, disclosure or transmission, dissemination, updating or combination, blocking, erasure or destruction of data.

(3) The processing of personal data also consists of providing access to certain information only to persons whose duties or specifically assigned tasks require such access.

(4) In cases where “eJeudi” Ltd. processes personal data, the data subjects (individuals) sign a declaration of consent. In the case of online consent to the processing of personal data, the signature is replaced by an explicit checkmark filled in by the personal data subject. With it, the subjects give their consent and declare that the provision of their data is voluntary, that they are aware of their rights under the PDPL and Regulation (EU) 2016/679, and that they give explicit and unconditional consent to the personal data provided by them being collected, processed and transferred to third parties.

Art. 2 (1) These internal rules are intended to regulate:

  1. The mechanisms for keeping, maintaining and protecting registers storing personal data in “eJeudi” Ltd., hereinafter referred to as “the company”, in order to ensure the integrity of the individual and private life by protecting individuals against the unlawful processing of personal data relating to them in the process of free movement of data;
  2. The types of registers to be kept in the company and their description;
  3. The necessary technical and organizational measures to protect the personal data contained in the registers against unlawful processing (accidental or unlawful destruction, accidental loss or alteration, unlawful disclosure or access, unauthorized alteration or dissemination, and any other unlawful forms of processing of personal data).

Art. 3 (1) Personal data is any information relating to a natural person who is identified or can be identified, directly or indirectly, by an identification number or by one or more specific indications.

(2) Personal data shall be collected for specified and legitimate purposes, processed lawfully and in good faith and may not be further processed in a manner incompatible with those purposes.

Art. 4 Personal data shall be maintained in a form which permits identification of the natural persons concerned for no longer than is necessary for the purposes for which the data are processed. Personal data that will be kept for a longer period for historical, statistical, or scientific purposes shall be kept in a form that prevents individuals from being identified.

Chapter Two

PROCESSING OF PERSONAL DATA

Art. 5 (1) The processing of personal data is any action or set of actions that may be carried out with respect to personal data by automatic or other means, such as collection, recording, organization, storage, adaptation or alteration, restoration, consultation, use, disclosure or transmission, dissemination, provision, updating or combination, blocking, erasure or destruction of data.

(2) The processing of personal data also consists of providing access to certain information only to persons whose duties or specific tasks require such access.

(3) The processing of personal data is permissible only in cases where any of the following conditions are met:

  1. Processing is necessary for the fulfillment of a statutory obligation of the administrator of personal data;
  2. The natural person to whom the data relate has given his/her explicit consent;
  3. Processing is necessary for the performance of obligations under a contract to which the natural person to whom the data relates is a party, as well as for acts prior to the conclusion of a contract and undertaken at his request;
  4. Processing is necessary to protect the life and health of the natural person to whom the data relate;
  5. Processing is necessary for the performance of a task carried out in the public interest;
  6. Processing is necessary for the exercise of the powers conferred by law on the administrator or a third party to whom the data are disclosed;
  7. Processing is necessary for the exercising of the legitimate interests of the data administrator or of a third party to whom the data are disclosed, except where the interests of the natural person to whom the data relate are overridden by those interests.

Art. 6 (1) The administrator entrusts the processing of the personal data to his employee.

(2) The persons processing personal data act only on instructions from the administrator and in accordance with the PDPL, Regulation (EU) 2016/679, these internal rules and the privacy policy, unless otherwise provided in a statutory act.

Art. 7 (1) The personal data in the registers are collected by the administrator of personal data or, respectively, the processor, in paper or electronic form.

(2) The processor shall inform the person of the need to collect personal data and of the purposes for which the personal data will be used.

(3) Documents containing personal data, together with the annexes thereto, shall be processed in the registers by the processor and shall be kept in paper and/or electronic form.

(4) The collected data on a technical medium remains in separate files on the computer, and access to them is granted only to the processor of personal data.

(5) Paper media shall be arranged in personnel files or special folders and shall be submitted for verification of the legality of the established document and its validation by means of signatures of the relevant officials.

(6) Where necessary for the rectification or renewal of personal data, persons shall provide such information to the processor at their request based on a regulatory obligation.

(7) The processor of personal data is responsible for the authenticity of the copies of registers containing personal data.

Chapter Three

TYPES OF REGISTERS AND FORMS OF THEIR KEEPING

Art. 8 (1) The registers in which personal data are collected and stored in the company are:

Register “personnel” with sub-registers:

“employees under employment/civil contract”

“candidates for employees”

“Financial accounting”

Register “counterparties (Customers)”

Register “CCTV”

(2) The data groups in the registers relating to natural persons may be:

Physical identity – name, PIN, ID card number, date and place of issue, driving license number, date and place of issue, address, location, telephone, contact, photo, Internet profiles, IP address, e-mail address, etc.

Education – type of education, place, number, and date of issue of the diploma, additional qualification, certificates, etc.

Additional qualification – The data are provided by the persons on the basis of a regulatory obligation in all cases where necessary.

Occupational activity – professional biography.

Medical data – the physiological, psychological state of the persons. Data is relevant when occupying positions and performing functions that require a particularly high level of responsibility, direct engagement, and immediate contact with people, including risk groups.

Criminal record – where necessary to occupy a position in the company.

Video Imaging – Video footage of the existing CCTV system.

Art. 9 In the register “personnel”, the personal data of employees of “eJeudi” Ltd. who are employed under employment or civil relations are collected and stored during their activities in the execution of these contracts, with a view to:

  1. Individualization of labor and civil relations.
  2. Implementation of the normative requirements of the Labour Code, Social Security Code, Accountancy Act, the State Archive Act, etc.
  3. Use of the collected data about the relevant persons for business purposes.
  4. For all activities related to the existence, modification, and termination of labor relations-to prepare any documents of the persons in this connection (contracts, additional agreements, documents, official notes, references, certificates, etc.).
  5. To establish contact with the person by telephone, to send correspondence relating to the performance of his duties under employment or civil contracts.
  6. For an accounting of the remuneration of the abovementioned persons under Labour and civil contracts.

Art. 10 The register shall be kept in paper and/or electronic form.

Art. 11 (1) The paper carriers of personal data are stored in folders (personnel cases) for each employee. The personnel cases are arranged in a special filing cabinet.

(2) The filing cabinet is housed in the company’s accounting, in a room intended for the work of the employees who are entrusted under these rules with processing personal data.

(3) Access to the personnel files shall be limited to the processors of personal data. The possibility of granting another person access to personal data during processing is restricted and expressly regulated in these internal rules.

Art. 12 (1) When keeping the register on technical media, personal data shall be entered in electronic form via a computer.

(2) The computer is connected to a local area network with protected access to personal data, which is directly accessible only to the processors of personal data. When working with the data, data processing software is used for the remuneration of the staff, including basic and additional salaries, tax and other (loan contributions, attachments, etc.) obligations, work experience, attendance and non-attendance days and the like. Software products are adapted to the specific needs of the personal data administrator.

(3) Only the processors of personal data have access to the operating system containing files for the processing of personal data, through a password to open these files. The protection of electronic data from unauthorized access, damage, loss, or destruction is ensured through the maintenance of antivirus programs, periodic archiving of data on individual disks, as well as keeping the information in paper form.

Art. 13 The following types of data are maintained in the Register:

  1. Physical identity – names, PIN, ID card number, date and place of issue, driving license number and date of issue, birth, address, telephone numbers.
  2. Education – a document for acquired education, qualification aptitude, where such are required for the position for which the person applies, etc.
  3. Work activity – according to the attached documents for work experience and professional biography.
  4. Medical data – a card for a preliminary medical examination for starting work, a document for job placement.
  5. Certificate of conviction when required to occupy the post.
  6. Personal Template form.

Art. 14. Personal data in the register “personnel” is collected upon entering/assigning work under the employment or civil relationship of a person in compliance with the statutory obligation-the provisions of the Labor Code and the secondary legislation for its implementation, the Social Security code, active in the Republic of Bulgaria and others in one of the following ways:

  1. Oral interview with the person (on admission or in the course of work).
  2. Paper-written documents-applications, applications for entry/performance of work under an employment or civil relationship, for modification or termination of such relations, on current issues in the process of work submitted by the person.
  3. From external sources (from legal, financial, insurance, tax, and other institutions in compliance with regulatory requirements).

Art. 15 In all cases where it is necessary on the basis of a regulatory obligation, persons whose data are compulsorily subject to processing in the Register shall submit the necessary personal data to the administrator and to the processors of personal data. The administrator/processor informs the person of the need to collect personal data and of the purposes for which it will be used.

Art. 16 In addition to those persons and in those cases, limited access to personal data is also available to employees of the company who process personal data of individuals in connection with the preparation of payment documents relating to transfers of remuneration, in cash and to bank accounts, of persons employed in the company’s employment and civil relations.

Art. 17 Where personal data need to be rectified or renewed, individuals shall provide them to the data administrator/processor at his request on the basis of a regulatory obligation.

Art. 18 In addition to the officials processing personal data, access is also given to the official directly involved in the formation and verification of the legality of the documents of the persons: the chief accountant, the accountant of the company for external accounting services. The processors of personal data shall be obliged to provide that official with access upon request.

Art. 19 The employee’s files shall not be taken out of the company’s office. No third party shall have the right of access to the staff records of the company’s personnel unless it is duly required by a Public Authority. Access of these authorities to the personal data of individuals is lawful.

Art. 20 (1) The consent of the person is not required if the processing of his personal data is carried out only by or under the control of a competent national authority for personal data relating to the committing of criminal offenses, administrative violations, and unauthorized disabilities. Such persons shall be provided with access to personal data and shall, if necessary, be provided with appropriate conditions for working in the premise of the enterprise.

(2) The access of the supervising state authorities, duly authorized by the relevant documents-written instructions of the relevant authority stating the reason, the names of the persons, and for the purpose of their activities, is necessary to ensure access to staff personnel files.

Art. 21 A person’s decision to grant or deny access to personal data for the person concerned shall be communicated by the administrator to the third parties within 30 days of the filing of the application, resp. the request.

Art. 22 For failure to comply with the obligations imposed on the relevant officials under these rules and under the Personal Data Protection Act, disciplinary sanctions are required under the Labour Code and, where the failure to comply with the obligation is ascertained and established by a proper authority, the administrative penalty provided in the Personal Data Protection Act. If the actions of the person concerned in the processing of personal data result in damage to a third party, the same may be held liable under the general civil law or in criminal proceedings if what is done is a more serious act for which criminal liability is provided.

Art. 23. Archiving of personal data on a technical medium is carried out periodically every 30 days by the processor in order to keep the information about the relevant persons in a current form.

Art. 24 (1) Register “Counterparties” contains personal data about individuals, as well as persons representing legal persons (names and PIN), as well as personal data of the individuals: names, PIN, ID card number and date of issue, address by ID card.

(2) Where necessary for the purpose of carrying out the services provided by “eJeudi” EOOD personal data shall be collected in the Register “counterparties”, such as:

  1. E-mail address
  2. Facebook profile

(3) The data provided shall be kept for a period of 5 years or until it expires, or until an explicit request by the counterparty for its deletion is made, unless a longer retention period is available by law.

(4) The administrator of the personal data and the processors shall have access to the personal data thus collected, in relation to the service provided to the counterparty.

(5) The personal data of counterparties shall not be exported outside the administrator’s premises, except where they are required to be made available to the Court, State or municipal office, banking institution, accounting, or courier company. No official or third party shall be entitled to access the personal data of the company’s counterparties unless it is properly requested by the competent State authorities. These authorities’ access to the personal data of individuals is lawful.

Art. The decision to grant or deny access to personal data for the person concerned shall be communicated by the administrator to the third parties within 30 days of the filing of the application, resp. the request, or within the relevant legal timeframe, if a special procedure provided by law is applicable.

Art. 26 Archiving of personal data on a technical medium shall be carried out periodically every 30 days by the processor in order to preserve the information of the persons concerned in a current form.

Art. 27. In addition to the administrator and processors of personal data, limited access to personal data is also available to the company’s accounting officers in processing personal data concerning the posting of invoices of which the company is the issuer or recipient, to banking institutions in connection with the realization of payments with customers, and to courier companies to send shipments and/or imposed cash.

Art. 28 The “CCTV” register stores videos obtained in the process of CCTV in the company’s office and the corresponding designated areas of CCTV outside it, such as commercial sites, service, and others.

Art. 29 (1) These internal rules for the processing, storage, and protection of personal data in CCTV in the office of “eJeudi” Ltd and video surveillance at the respective designated locations outside the company’s office determine the order for processing, storage, and protection of personal data which are created through the use of the CCTV system in the office of others.

(2) The internal rules shall govern:

  1. The rules for obtaining, processing and storing personal data;
  2. The procedures for maintaining and protecting personal data;
  3. The rights and obligations of individuals who process personal data in the CCTV process;
  4. The order for the realization of the right of awareness of the natural persons whose personal data are collected and stored in the video surveillance process;
  5. The order for the realization of the right to access the personal data collected, processed, and stored in the process of CCTV in the company’s office and its adjacent areas.

Art. 30 Cameras are stationary and do not allow tracking of persons. The used CCTV technique does not allow the recording of sound or listening to sound in real-time.

Art. 31 (1) These internal rules are intended to create such legal form and organization in the process of processing and storing personal data in CCTV, ensuring to the fullest extent their protection from unauthorized access, alteration or distribution, accidental or unlawful destruction, accidental loss, and other unlawful forms of processing.

Art. 32 All forms of filming, recording, and others, harming the ethical rules and affecting human dignity, are in contradiction with the PDPL and article 127, para. 2 of the Labor Code, and are prohibited by these internal rules.

Art. 33 The manager of “eJeudi” Ltd determines the scope of the monitored areas. The monitored areas exclude all sanitary facilities, restrooms, rooms for mothers with children, nursing rooms, and other premises whose surveillance would be contrary to the rules of morality.

Art. 34 (1) In the process of CCTV, all personal data obtained by automatic 24-hour CCTV (video image) of the movement of persons during their visit to the observed areas, as well as of employees and visitors in the corridors and the approaches of the office of “eJeudi” Ltd. and rooms with a certain status, are stored.

(2) Video Image recordings are stored in a separate location on a recorder, in a locked, restricted space.

(3) Employees and other persons visiting surveillance zones shall be informed of this by prominently displayed information boards.

Art. 35 (1) The personal data are necessary for the protection of order in the office and the security of the employees of the company and the persons visiting the office of the company, for providing the necessary information to the competent State authorities, as well as for the activities of “eJeudi” Ltd. as an employer.

(2) Personal data are provided on the basis of the implementation of the normative acts regulating the need to provide personal data.

Art. 36 (1) The processing of personal data in the process of video surveillance is any recording, use, reproduction, usage in connection with the processing of other types of data, updating, maintenance, etc., of the collected personal data.

(2) For the purposes of these internal rules, the processing is ongoing, daily (24 hours, 7 days a week) and within the prescribed period.

(3) Everyday processing and processing within the specified period of personal data is carried out by the employees authorized to process the data.

(4) The personal data processed constitute a professional secret, and their distribution to third parties in any form is prohibited.

(5) It is prohibited for employees other than those authorized to process personal data related to the video surveillance process.

Art. 37 (1) In case it is necessary for documents/records containing personal data from the Register “CCTV” to be moved outside, from one structure to another, this is done by order of the manager of “eJeudi” Ltd., by a courier appointed by him, as follows:

1. Media containing personal data shall be encrypted and carried in sealed envelopes. The placing in the envelope and its sealing shall be made personally by the official processor who has the right of access to the data concerned.

2. The opening of the envelope shall be made personally by the person who has access to the relevant data and for which the envelope is intended after the courier is satisfied that he transmits them to the correct person.

3. The sealing of envelopes and their opening shall be prohibited by persons who do not have the right of access to the personal data concerned.

4. The affixing, sealing of envelopes, and their opening shall be prohibited in the presence of persons who have no legal basis for access to the personal data concerned.

Art. 38 (1) Personnel processing personal data in CCTV in the office of “eJeudi” Ltd. are the persons responsible for CCTV and the persons having access to the results of video surveillance, as well as the manager of “eJeudi” Ltd.

(2) Employees processing personal data are obliged:

1. To process and store the personal data in good faith, complying with the requirements of the PDPL and preventing them from being disseminated or becoming known to persons who are not entitled to them;

2. To maintain personal data in the form of their creation for a period no longer than necessary for the purposes for which such data are processed;

3. To use the personal data to which they have access, in accordance with the purposes for which they are collected and not to further process them in a manner incompatible with those purposes;

4. To process personal data;

5. After processing of documents and other materials containing personal data, to place them in the designated places and to adhere to the principle “everything not expressly permitted is prohibited”.

6. To update the Register of personal data (if necessary and when it is assigned by a competent employee);

7. To allow the right of access of the persons to the processed personal data;

8. To support “eJeudi” Ltd in relation to the Commission for Protection of personal data.

9. To observe the order of preservation and destruction of video recordings.

(3) The personnel processing the personal data are prohibited from exporting videos from security cameras, as well as from filming or making audio and video recordings of computers or monitors with telephones or other technical devices.

(4) The dissemination of information shall also be considered as commenting on issues relating to video surveillance with outsiders or with employees of other departments not having the necessary powers.

(5) This prohibition also applies to the removal of documents and files from the workstations of the employees processing personal data in video capture.

(6) The intentional actions of the employees in relation to the processed personal data in video capture can be criminal in nature, if they lead to pecuniary and other damages for “eJeudi” Ltd.

(7) Where intentional actions are established, the persons will be subject to the most stringent administrative penalties and judicial liability.

(8) All data from the video surveillance process which are personal data within the meaning of the PDPL and are made available to the processing employees, in or on the occasion of the performance of their duties, constitute a professional secret and are not distributed in any form whatsoever, except in cases of a lawful request by a public authority.

(9) The personnel processing the personal data shall be liable to “eJeudi” Ltd and the data subject for material and non-material damages caused by unlawful acts or omissions.

(10) If, as a result of the actions of the relevant employee processing personal data, there is resulting damage to a third party, the same may be held liable under general civil law, or in criminal order if what is done constitutes a punishable crime.

Art. 39 (1) “eJeudi” Ltd. has an obligation to inform any person before collecting his/her personal data for/in certain circumstances.

(2) “eJeudi” Ltd informs the individuals about the video surveillance by means of information boards, placed in appropriate places and privacy notice.

(3) The personal data are provided voluntarily by the persons when they enter the office of “eJeudi” Ltd or during the passage through the respective locations with CCTV.

Art. 40 (1) The storage of personal data collected through video surveillance is carried out in accordance with these internal rules.

(2) The storage of personal data is performed on a recording device and access is protected by a password.

(3) Only employees using such data in their capacity as persons processing personal data are entitled to access.

(4) The access password is individual and allows the traceability of the performed actions.

(5) Software products that are used in the processing of personal data are adapted to the specific requirements of the PDPL and antivirus programs are used.

Art. 41 (1) Archiving of the personal data of the recording device is done daily.

(2) The resulting videos shall be kept for a period of 10 days.

(3) Destruction is done by automatically overwriting the recording.

(4) Video recordings containing data about a violation of public policy or a crime are transmitted in the appropriate order to law enforcement authorities on request or at the initiative of the manager of “eJeudi” Ltd.

(5) The video recordings under para. 4 shall be kept indefinitely.

(6) The room in which the video surveillance recorder is located is in a secure area with its own locking and limited access by individuals.

Art. 42 (1) The following shall have the right of access to video surveillance data:

  1. The administrator of personal data.
  2. The persons, processors, and operators of personal data: the employees of the technical operations of data processing and control.
  3. The representatives of public authorities acting within the limits of their powers, duly authorized by appropriate documents (written instructions of the relevant authority), stating the grounds and the names of the persons who need to be provided with access to the personal data.

(2) Any person whose personal data is processed under “CCTV” has the right to access them by the order specified in the Privacy Policy and the Act.

(3) All individuals subject to CCTV have access to their personal data, provided that the allotted storage time has not elapsed.

Art. 43 (1) All public and judicial authorities which, by virtue of a law or a special normative act, are entitled to such access have access to personal data from video surveillance.

(2) “eJeudi” Ltd is obliged to provide the authorities under para. 1, within the scope of their competence, with the requested access to personal data from video surveillance without written or oral permission of their holder.

(3) In cases where judicial expertise has been appointed in lawsuits led by or against “eJeudi” Ltd., access of the relevant expert is allowed only upon presentation of a judicial certificate stating the type and nature of the personal data and the documents containing them.

Art. 44 (1) The access of the public authorities to the personal data is made after notification to the manager of “eJeudi” Ltd. (or his authorized employee).

(2) The Manager shall assess the legality of the access requested and authorize or prohibit it.

(3) The documents shall be provided personally to the representatives of the bodies referred to in paragraph 1 in a manner that ensures the protection of personal data.

(4) The representatives of the bodies referred to in paragraph 1 shall exercise their right of access in the presence of an authorized official who shall not impede the activities of the competent authorities but shall fulfill the obligations of “eJeudi” Ltd. related to the protection of the personal data provided within the meaning of the PDPL.

Chapter Four

MEASURES ENSURING THE LEVEL OF SECURITY

Art. 45 (1) In order to guarantee the level of security in “eJeudi” Ltd, a complex of technical and organizational measures is taken, aimed at protecting personal data against accidental or unlawful destruction, accidental loss, unauthorized access, alteration or dissemination, as well as other unlawful forms of data processing.

(2) The measures under par. 1 include the following means of protection of personal data:

  1. Program and hardware: development and implementation of a system for restricting access to personal data; protection of electronic data from unauthorized access, damage, loss or destruction through the maintenance of anti-virus programs, periodic archiving of data on individual electronic media, and storing the information in paper form; the data on the server is archived by the responsible official with the appropriate qualifications; data on isolated computers is archived by the operator of the computer (the processor);
  2. Physical: locking of premises in non-working hours and regulating access to them; locking, in the specified cases, of cabinets for storing information relating to personal data; provision of security through an alarm system of the building and the working premises where personal data carriers are stored and computer and communication tools are located;
  3. Organizational: enabling the identification of the person responsible for security in the case of mid-level security measures; development and implementation of procedures for the creation of backups and data recovery, for measures at mid-level security; developing and implementing a system for reporting, managing and responding to incidents;
  4. Normative: compliance with legal requirements and implementation of procedures for the protection of technical and information resources from accidents and disasters (fire, flood, etc.); ensuring effective mechanisms to control compliance with the internal rules and the relevant normative acts in the company.

(3) The measures under para 1 and 2 take account of current technological advances and provide a level of protection that corresponds to the risks inherent in the processing and the type of protected data.

Art. 46 All actions that result in or may lead to unauthorized deletion, destruction, or alteration of “eJeudi” personal data in electronic form or in paper form are prohibited.

Art. 47 (1) After achieving the purpose of the processing of personal data or before the termination of the processing of personal data, “eJeudi” Ltd. destroys them, or transfers them to another administrator, with prior notice to the Commission for protection of personal data, if the transfer is provided for in law and the purposes of the processing are identical.

(2) After achieving the purpose of the processing of personal data “eJeudi” Ltd. stores them only if this is provided by law.

(3) In cases where, after achieving the purpose of processing, “eJeudi” Ltd. wants to store the processed personal data as anonymous data for purposes under article 25, paragraph 3 of the PDPL, it informs the PDPC.

Art. 48 (1) In the event of an incident (an unforeseeable circumstance likely to affect the security of personal data), the person becoming aware of the incident shall report it immediately.

(2) A log of incidents shall be kept by the processor, in which must be recorded the estimated time or period of occurrence, the time of establishment, the time of reporting, and the name of the official who made the report.

(3) After analysis, the consequences of the incident and the measures taken to remove them are recorded.

(4) Where data recovery is needed, the procedure is executed after the written permission of the person responsible for the protection of personal data, which is reflected in the data backup and recovery log.

(5) In the case of a compromised password, it is replaced with a new one and the event is reflected in the incident log.

Chapter Five

PROVISION OF PERSONAL DATA

Art. 49 (1) The administrator provides personal data in compliance with statutory obligations.

(2) Every individual has the right of access to personal data relating to him, stored and processed in the company.

(3) In exercising his or her right of access, the individual has the right at any time to request from the administrator of the personal data:

  1. Confirmation of whether data relating to him or her are being processed, information on the purposes of such processing, on the categories of data and on the recipients or categories of recipients to whom the data are disclosed.
  2. A communication to him or her in an intelligible form containing the personal data processed and any available information on their source.
  3. Information on the logic of any automated processing of personal data relating to him or her, at least in the case of automated decisions.

Art. 50 (1) The right of access is exercised by written application (or application by electronic means in accordance with the Law on Electronic Documents and Electronic Signature) to the company. The application itself and the processing of the application are free of charge.

(2) The application shall contain:

  1. Name, address, and other data to identify the natural person concerned.
  2. A description of the request.
  3. The preferred form for providing the information.
  4. A signature, date of submission of the application and address for correspondence.
  5. The application is submitted by an authorized person.

(3) The application is filed in “eJeudi” Ltd.

(4) When an application for access to personal data is submitted, the representative of the administrator and the persons authorized by him/her shall examine the application and order the processor to ensure that the person receives the requested access in his or her preferred form.

Art. 51. (1) The time limit for examining the application and replying shall be 14 days from the day of the request, or 30 days when a longer period for collecting all the requested data of the person is objectively required and this seriously hampers the activity of the administrator.

(2) Within the time limits laid down, on the person’s application the personal data administrator shall decide to provide complete or partial information or give a reasoned refusal to grant it.

Art. 52. Access to the person’s data is provided in the form of:

  1. Oral reference.
  2. Written reference.
  3. Review of data by the person himself or his authorized representative.
  4. Provision of a copy of the requested information.

Art. 53 (1) In the case of a request for erasure or blocking of personal data due to unlawful processing not complying with the Personal Data Protection Act, the Administrator shall make a decision and carry out the appropriate action within 14 days from the submission of the application, or give a reasoned refusal to carry it out.

(2) Upon a request to notify third parties to whom the personal data have been disclosed of their deletion, rectification, or blocking, the administrator shall take a decision within 14 days and shall inform the third parties without delay or give a reasoned refusal to make the notification.

Art. 54 Access to the personal data registers by officials directly involved in the clearance and verification of the legality of the documents of the persons responsible for the respective portfolio in which the registers are kept shall be lawful. The processor shall be obliged to provide them with access on request.

Art. 55 (1) Registers containing personal data shall not be exported outside the premises of the administrator, unless their submission to a court, a state or municipal body, a banking institution, or a courier company is necessary in connection with the contractual relationship with the clients whose personal data are subject to protection. No third party has the right of access to the personal data registers unless data are properly requested by judicial authorities (court, prosecution, investigative authorities) or other authorized public authorities.

(2) The consent of the person is not required if the processing of his personal data is carried out only by or under the control of a competent national authority for personal data relating to the committing of criminal offenses, to administrative violations and to unauthorized disabilities.

(3) The decision to grant or deny access to personal data for the person concerned shall be communicated by the administrator to the third parties within 30 days of the submission of the request.

Chapter Six

RIGHTS AND OBLIGATIONS OF EMPLOYEES PROCESSING PERSONAL DATA

Art. 56 (1) The employees of “eJeudi” Ltd. are obliged to observe and enforce the provisions of the internal rules in accordance with their job descriptions.

(2) The processor undertakes to provide access to the electronic databases only to the authorized employees (definition of access rights to the levels, passwords for access to the program environment, passwords for opening the files).

(3) The processor undertakes to ensure adequate protection of electronic data by maintaining a backup and activating antivirus protection.

Art. 57 (1) For the processing of registers containing personal data, the official signs a declaration that he is familiar with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), with these internal rules and with the protection of personal data processed by him.

(2) For failure to comply with the obligations incumbent upon the relevant officials under these internal rules and under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), disciplinary sanctions are imposed under the Labour Code and other specialized laws, and, where the failure to comply with the relevant obligation has been ascertained and established by a competent authority, an administrative penalty as provided for under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and the Data Protection Act. If, as a result of the actions of the person concerned in the processing of personal data, damage is caused to a third party, that person may be held liable under the general civil law, or in criminal proceedings if the act is a more serious one for which criminal liability is provided.

ADDITIONAL PROVISIONS

§ 1. For the purposes of these internal rules:

1. “Personal Data administrator” is “eJeudi” Ltd., represented by its manager Milos Radivojevic.

2. “Processing of personal data” means any action or set of actions which may be carried out in respect of personal data by automatic or other means, such as collection, recording, organization, storage, adaptation or alteration, restoration, consultation, use, disclosure by transmission, dissemination, provision, updating or combination, blocking, erasure or destruction.

3. “Processor” means officials of an undertaking designated by an order of the manager.

4. “Register of personal data” means any structured set of personal data accessible by specific criteria, centralized, decentralized, or functional or geographic.

FINAL PROVISIONS

§ 2. The provisions of the existing Regulations shall apply to matters not covered by these internal rules.

§ 3. The internal rules shall enter into force on the day of their approval.

§ 4. The internal rules shall be approved, supplemented, amended, or revoked by order of the manager of “eJeudi” Ltd.