PRIVACY POLICY AND PROTECTION OF PERSONAL DATA at
Global Marketing Services LTD
I. Introduction
Global Marketing Services LTD (hereby referred to in short as "the company" or "the Administrator") is a company registered in the Commercial Register at the Registry Agency with UIC (Unique Identification Code): 206450369, with a corporate office and headquarters address: city of Sofia, Boulevard Tsarigradsko shose 54B and website https://gms.work/
Global Marketing Services LTD. operates in the field of outsourcing services. Global Marketing Services LTD. is a Personal Data Administrator according to Regulation (EU) 2016/679 of the European Parliament and the Council dated 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter "GDPR") and the Personal Data Protection Act (hereinafter "PDPA").
With this Confidentiality and Data Privacy Policy (hereinafter referred to as the "Policy"), Global Marketing Services LTD. recognizes the right to personal privacy and makes every effort to protect against unauthorized processing of personal data of individuals. In accordance with the Bulgarian legislation, GDPR and good practices, Global Marketing Services LTD. has undertaken the necessary technical and organizational measures for the protection of the personal data of individuals.
It is necessary to become familiar with the present Policy before using our services, as their provision is related to the collection of certain categories of personal data needed by Global Marketing Services LTD for the full provision of the services.
1. Purposes and scope of the Policy
Global Marketing Services LTD aims to inform persons with the present Confidentiality and personal data protection Policy regarding:
● The purposes and means of personal data processing;
● The receivers or categories of receivers, to whom the data can be disclosed;
● The basis of personal data processing /the obligatory or voluntary nature of data sharing/, as well as the consequences of refusing to share them;
● Information about access rights, rights to correction and deletion of the stored data.
2. Terms and definitions:
1. "Personal data"- any information related to an identified or identifiable person ("data subject"); an identifiable person is a person which may be identified, directly or indirectly, more specifically via an identifier such as a name, an identification number, location data, an online identifier or according to one or more characteristics specific to the physical, physiological, genetic, mental, intellectual, economic, cultural or social identity of that individual;
2. "Special categories of personal data" - personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data for the unique identification of an individual, health data or data on the sexual life of an individual or sexual orientation.
3. "Processing"- means any operation or a set of operations carried out with personal data or a set of personal data by automatic or other means such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making the data accessible, arranging or combining, restricting, deleting or destroying;
4. "Administrator"- any person or legal entity, public authority, agency or any other structure which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU law or the law of a Member State, the Administrator or the specific criteria for its determination may be laid down in the law of the Union or in the law of a Member State;
5. "Joint Administrators" - when two or more Administrators jointly determine the purposes and means of personal data processing, they are joint Administrators;
6. "Processor of personal data" - a person or a legal entity, public authority, agency or other entity that processes personal data on behalf of the Administrator.
7. "Register" - means any structured set of personal data accessed according to certain criteria, whether centralized, decentralized or distributed according to a functional or geographical principle.
8. "Data subject" - any living person who is the subject of personal data stored by the Administrator.
9. "Consent of the data subject"- any freely expressed, specific, informed and unambiguous indication of the data subject's will, by means of a statement or clear confirmatory action expressing his or her consent to the processing of personal data relating to him or her;
10. "Profiling"- any form of automated processing of personal data, expressed by the use of personal data for assessment of certain personal aspects relating to an individual, and in particular for analyzing or forecasting aspects relating to the performance of professional duties by that person, his economic condition, health, personal preferences, interests, reliability, conduct, location or movement;
11. "Personal data security breach" - a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data that is transmitted, stored or otherwise processed;
12. "Main settlement location" - the seat of the Administrator in the EU will be the place where he takes the main decisions for the purpose and means of his data processing activities. Regarding the personal data processor, his main settlement location in the EU will be his administrative center. If the Administrator is based outside the EU, he must appoint a representative in the jurisdiction in which the Administrator works, who can act on behalf of the Administrator and to deal with the supervisory authorities.
13. "Recipient"- a person or a legal entity, public authority, agency or any other body to which personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the context of a specific investigation in accordance with Union law or the law of a Member State are not considered "recipients"; the processing of such data by those mentioned public authorities complies with the applicable rules for the protection of data according to the purposes of processing;
14. "A Third Party" - any person or legal entity, public authority, agency or any other body other than the data subject, the Administrator, the processor of personal data and persons who have the right to process personal data under the direct supervision of the Administrator or the processor of personal data.
3. Legal basis for the processing of personal data, personal data sources and a storage term for the collected personal data:
Global Marketing Services LTD processes data on the following bases:
● Based on the free, informed and expressed agreement of the data subject;
● At the presence of a legal obligation to process the data;
● At signing or completing a contract, as well as for actions preceding the signing of a contract;
● When this is necessary to protect the vital interests of the individual or the legitimate interests of the Administrator, provided that it does not conflict with the legitimate interests of the individual
Global Marketing Services LTD processes personal data provided by employees, clients, customers, suppliers, contractors and other individuals to whom the data relate in connection with the provision of services from the scope of its activities, as well as for the preparation and signing of contracts.
Global Marketing Services LTD also processes personal data which has not been received by the individual to whom they relate, but are provided by a third party in connection with a specific service, and the person who provided this data to Global Marketing Services LTD undertakes:
1. to provide the third party with data about the Administrator;
2. to notify the third party of the purposes, categories of data provided and categories of recipients of such data;
3. to provide information on the right of access and correction of personal data to the person to whom it relates.
Personal data is stored for a period necessary for the purposes for which it was collected or for a period established in a regulation.
In cases when the subject of personal data has given consent for direct marketing, the personal data is stored until the same unsubscribes or requests to be unsubscribed.
4. Means, principles and aims of the processing:
4.1. Global Marketing Services LTD processes personal data via a set of actions which could be performed by automatic or other non-automatic means, such as collecting, recording, organizing, storing, adapting or modifying, restoring, consulting, usage, disclosure via transmitting, distributing, providing, updating or combining, blocking, deletion and destruction.
Global Marketing Services LTD processes personal data independently or by delegation to data processors, and determines in a written contract the objectives and scope of obligations assigned by the Administrator to the data processor, at the presence of a relevant legal basis in accordance with the requirements of GDPR / PDPA. Processors on behalf of Global Marketing Services LTD are, for example, the employees of the Administrator, whose rights and obligations in connection with the processing of personal data of individuals are duly regulated in internal acts of the Administrator as well as in the job descriptions of respective employees. Processors are also third parties outside of the Administrator’s structure, who have been delegated to process personal data on behalf of the Administrator.
4.2. The processing actions mentioned are carried out in compliance with the following principles:
1. Legal basis for the processing of personal data;
2. Necessity of the processing of personal data;
3. proportionality of the processing of personal data;
4. relevance of the processed personal data;
4.3. In connection with the fulfillment of statutory obligations and pre-contractual and contractual relations, in carrying out its activities, Global Marketing Services LTD processes personal data of its employees, customers and third parties for the following purposes:
- administration of labor relations: personal data of job applicants and employees in connection with an existing employment relationship (data processing is most often due to the implementation of statutory obligations of the personal data Administrator arising from the specific requirements of the legislation governing its activity, financial and accounting activity, pension, health and social security activity, human resources management activity, automatic exchange of information in the field of taxation, etc.);
- administration of contractual relations: personal data of persons prior to a service contract and current customers (including where explicit consent has been given or processing is necessary to fulfill obligations under a contract to which the data subject is a party, as well as for actions prior to signing a contract and undertaken at the request of the person).
- for the purposes of development of our business - to develop new products and services that we can offer to our customers, to develop marketing and advertising activities, to study the requirements of our customers in order to form new products that we can offer them. This way we strive to expand our market share, increase the quality of our services and your satisfaction as our customers.
5. Categories of processed personal data and registers
5.1. Categories of personal data, which Global Marketing Services LTD processes to conduct its business:
1. Related to the physical identity of individuals – name, PIN (Personal Identification Number), passport data, address, phone, e-mail, IP address, etc.;
2. Related to social identity – education, job occupation, citizenship;
3. Related to family identity – marital status, family relations, etc.;
4. Other personal data, which can be provided for the purpose of receiving a service to Global Marketing Services LTD
5.2. The personal data being processed are structured in the following registers:
● Register „Personnel“;
● Register „Suppliers”;
6. Rights of data subjects:
6.1 The right to information
Each data subject has the right to request information about the type of personal data processed by Global Marketing Services LTD., which affect him personally. This information should be provided regardless of where the personal data are processed. The data subject may make any such request for information to an employee of the Administrator Global Marketing Services LTD. The designated official must assist the subject by providing him, if possible, with the personal data processed for him in the format he wishes, which should be structured in a widely used and adapted format for machine reading. The data subject has the right to information for the purposes of processing his personal data, which is provided to him during the collection of his personal data and in the subsequent change of the purposes of processing.
6.2 A request for correction
If the personal data stored are incorrect or incomplete, the data subject may request that they be corrected. The data subjects are responsible for providing correct personal data to the Administrator. In addition, the data subject should inform the Administrator of any relevant changes to his / her personal data (such as changes in the address or name of the subject).
6.3 Usage restriction
At any time during the processing of personal data, the data subject may request that the Administrator restricts the use of his personal data for a part or all of the purposes of the processing for which the subject has given his consent.
6.4 Refusal of a request for information, correction or restriction of the processing of personal data
If the request for information, correction or restriction of processing is refused, the data subject will be informed of the reason for the refusal. The refusal is made in the form of the request submitted by the subject and should be motivated.
6.5 Right to be deleted ("right to be forgotten")
Each person has the right to request from the Administrator the deletion of the personal data related to him, and the Administrator has the obligation to delete them without undue delay. In exercising this right by the data subject, the Administrator shall indicate to the subject how the deletion will affect the relationship between them in the future.
6.6. Right to object
Every data subject has the right to object to the processing of personal data concerning him or her. The Administrator shall terminate the processing of personal data, unless he proves that there are grounds for continuing the processing.
6.7. Withdrawal of consent for personal data processing
The subject of personal data has the right to withdraw his consent to the processing of his personal data at any time with a separate request addressed to the Administrator. The administrator indicates to the subject how the deletion will affect the relationship between them in the future.
6.8. Questions and complaints / legal remedies
In cases where the personal data subject believes that the Administrator violates the applicable regulations, he has the right to contact the Administrator to clarify the issue. Of course, he has the right to lodge a complaint with the Personal Data Protection Commission and a regulatory body within the EU.
Applications for access to information or for correction are submitted personally by the personal data subject or by a person expressly authorized by him, through a notarized power of attorney. An application may also be submitted electronically, in accordance with the Electronic Document and Electronic Signature Act.
The administrator responds to the request within 14 days of its submission. If a longer period is objectively necessary - in order to collect all the requested data and this seriously complicates our work, this period can be extended to 30 days. With his decision the Administrator gives or denies access and / or the information requested by the applicant, but always explains his answer.
6.9. The right to consent to the processing of one’s personal data
The Administrator accepts the presence of "consent" only in cases where the data subject has been fully informed about the planned processing and has expressed his consent without being pressured. Consent obtained through pressure or on the basis of misleading information is not a valid basis for the processing of personal data.
Consent cannot be inferred from the lack of response to a message to the data subject. There must be active communication between the Administrator and the subject in order for consent to be present. The administrator should be able to prove that consent has been obtained for the processing activities.
In most cases, consent to the processing of personal data is routinely obtained by the Administrator, using standard consent documents, for example, when a new customer signs a contract or during the recruitment of new staff.
6.10. Right to representation
The data subject may authorize another person to exercise the rights under pt. 6.1. to pt. 6.9. of current policy. The authorization should be explicit and notarized in writing. In each exercise of the rights of the data subject, the proxy is obliged to present a copy of his power of attorney to the Administrator or to the processor of personal data on behalf of the Administrator.
II. Personal data security:
Global Marketing Services LTD ensures the security of personal data in accordance with the principles set out in the GDPR / PDPA by taking appropriate and sufficient administrative, technical and organizational measures to protect data from loss, theft, misuse as well as unauthorized access, disclosure, alteration or destruction.
7. General principles, related to the processing and security of personal data:
7.1. Admissibility of data processing
The processing of personal data is permissible only if the data subject has agreed to it, if there is a legal obligation to process data, when signing or completing a contract, when necessary to protect the vital interests of the individual or the legitimate interest of the Administrator, provided that it does not contradict the legitimate interests of the individual. The admissibility of the processing of personal data is a prerequisite for the transfer of personal data.
Consent must be declared in writing or based on other legally permissible means, and the data subject must be informed in advance of the purpose of the processing and the possibility of transferring personal data to third parties. When included in other declarations, the obtaining of consent is emphasized so that it is clear to the data subject.
7.2. Intended purpose
Personal data may only be collected for the purposes listed exhaustively and may not be processed for purposes other than those intended. The purpose of data collection and processing must be complied with by the Administrator in additional processing and storage of such data. Changes to the purpose are permissible only with the consent of the data subject or if permitted by the local law of the country where the personal data were obtained.
7.3. Data saving
The processing of personal data must be necessary for the intended purpose. The possibilities available for the anonymization or introduction of pseudonymization for personal data must be used at an early stage, as far as possible and cost-effective for the intended protective purpose.
7.4. Data quality
Personal data must be factually accurate and, as far as necessary, up-to-date. The Administrator shall take appropriate and reasonable measures to correct or delete incorrect or incomplete data.
7.5. Data security
The data administrator implements appropriate technical and organizational measures to ensure the necessary data security. These measures relate in particular to computers (servers and workstations), networks, and communication links and applications, which are incorporated into the IT security management system. Appropriate measures are taken to protect this data from accidental erasure, unauthorized erasure or loss. Full information is provided in Directive (EU) 2016/1148 of the European Parliament and of the Council dated 6 July 2016 on the measures for a high overall level of security for networks and information systems in the Union.
7.6. Confidentiality of data processing
Only authorized personnel who have undertaken to comply with the requirements of data confidentiality have the right to participate in the processing of personal data. Employees are prohibited from using such data for personal purposes or providing it to unauthorized companies and third parties. Unauthorized in this context also means the use of personal data by employees who do not need access to such data in order to perform their official duties. The obligation of confidentiality continues to apply even after termination of employment / civil / official legal relations with the Administrator.
8. Administrative and technical measures for protection of personal data:
Global Marketing Services LTD uses administrative and technical measures to protect personal data it processes through its employees or provides for processing to third parties - personal data processors. These measures are as follows:
8.1. All employees of the Administrator are responsible for ensuring the security of the storage of the data they process, as well as for ensuring that the data is stored securely and not disclosed under any circumstances to third parties, unless the Administrator has granted such rights to these third parties on the basis of a written contract or a confidentiality clause;
8.2. In order to ensure adequate protection of the personal data processed by the Administrator, all necessary organizational and technical measures provided for in the applicable legislation, as well as good practices and technologies for the purpose of data protection shall be applied. The information is stored on a separate domain and in a database, and only persons working on the specific transaction have access to the information, respectively they have grounds for access to the information. Access is gained by entering a username and a password, with technological possibility provided for tracking the access sessions. The Administrator has at his disposal physical, electronic and procedural means of protection that comply with his legal obligations regarding the protection of personal data that he processes.
8.3. In order to ensure sufficient protection of the processed personal data, Global Marketing Services LTD uses the following technical measures (virus protection, firewall, an option for encryption / coding);
8.4. The administrator introduces measures guaranteeing the protection of personal information against accidental destruction or loss;
8.5. The Administrator establishes procedures for restoring the availability of personal data following a physical or technical incident. In order to fulfill these obligations, the Administrator provides the necessary technical means (servers, a computer network, cloud space), for which the protective measures under point 8.3 of this section are taken.
9. Administrative and organizational measures for personal data protection:
9.1. The Administrator introduces the following measures for restricting access to physical data carriers (for example, locks with a high level of protection installed on the doors of the Administrator's office, as well as on the doors providing access to the building in which the office is located; locking of the cabinets where the paper carriers of the created registers are located);
9.2. The Administrator introduces a "clean desk" policy. Paper records should not be left out within reach of unauthorized persons and should not be removed from designated protected areas without express permission. As soon as paper documents are no longer needed for the ongoing work on personal data processing, they should be archived in the appropriate way, and if there is no need to archive them, they should be destroyed;
9.3. Personal data may be deleted or destroyed. Paper records with expired processing terms should be shredded and disposed of as "confidential waste". The data on the hard disks of unused personal computers must be deleted or the disks destroyed according to the established procedures;
9.4. Personal data processing outside the sites of the Administrator is carried out in accordance with the relevant procedural rules and is permissible with the express written consent of the direct supervisor of the processor or the Administrator.
III. Storage, destruction and inventory of personal data:
10. Storage
10.1. Global Marketing Services LTD does not store personal data in a form that allows the identification of subjects for a period longer than necessary for the processing for which the consent of the data subject is given and in view of the purposes for which it was collected. Storage of personal data for a longer period is permissible without the explicit consent of the data subject, if provided for in a regulation of domestic law or European Union law;
10.2. The Administrator may store data for a longer period than necessary to carry out the processing for which consent has been given and in cases where personal data will be processed for archiving purposes in the public interest, scientific or historical research and for statistical purposes, and only in the implementation of appropriate technical and organizational measures to guarantee the rights and freedoms of the data subject;
10.3. The storage period for each category of personal data, located in a separate register, is determined in a procedure adopted by the Administrator (Procedure for storage and destruction of data). This procedure specifies the criteria used to determine the retention period, including any legal obligations imposed on the Administrator with regard to data storage.
10.4. The procedure for storage and destruction of data, as well as the rules for destruction of information on physical carriers shall apply in all cases.
11. Destruction
Personal data must be destroyed securely, in accordance with the principle of guaranteeing an adequate level of security. Compliance with the procedure is mandatory in order to guarantee protection against unauthorized or unlawful processing and against accidental loss, destruction or damage of data, by applying appropriate technical or organizational measures.
IV. Providing personal data to third parties
12.1. The Administrator of personal data has the right to disclose the personal data being processed only to the following exhaustively listed categories of persons:
a) individuals, to whom the data relates;
b) persons for whom the right of access is provided for in a regulation or
c) persons for whom the right derives by virtue of a contract;
12.2. In order to provide services, the Administrator provides information / necessary personal data / for the fulfillment of a contractual obligation to the personal data subject. The Administrator provides personal data to third parties who provide services on his behalf on the basis of an explicit written instruction / written contract. These third parties may not use or disclose the data beyond the purposes for which they were provided to them, except when necessary to provide services on behalf of the Administrator or to comply with legal requirements. The purposes for processing the personal data provided are explicitly defined in the written instruction / written contract on the basis of which the data were provided to the third party. Third parties (personal data processors) are obliged to provide the necessary or extended technical and organizational measures for the protection of personal data provided by the Administrator;
12.3. The Administrator shares the received personal data with his branches, companies within his group and joint partners on the basis of an explicit written instruction or a written contract. These persons may use the information for the purposes described in the present Policy for the protection of personal data. When the express consent of the data subject has been granted, the same may be shared with third parties on the basis of a written contract, for their own purposes, such as offering products and services that may be of interest to the data subject;
12.4. The Administrator shares personal data with competent authorities / persons in order to organize the protection of his legal rights and interests in initiating injunction, arbitration, non-contentious, claims and other proceedings;
12.5. The Administrator shall disclose personal data of subjects whose personal data it processes when required to do so by law, a regulation, an international treaty or a European Union law act, or in connection with legal proceedings, in response to a request by public authorities (for example, law enforcement or investigative bodies), or in a case of serious and unlawful infringement upon the legitimate rights and interests of legal entities.
V. Education
13. Aim
Taking into account the regulation for protection of personal data of individuals as well as the enhanced personal data protection measures introduced by PDPA, Global Marketing Services LTD recognizes the need for initial and subsequent training of its staff, whose responsibilities include the processing of personal data of individuals on behalf of the Administrator. The initial and subsequent training sessions are aimed at informing the employees about the established rules and procedures for the observance of this Policy and the applicable legislation in the field of personal data protection, as well as other issues related to personal data protection and privacy.
Employee and staff training sessions aim to inform them of the already existing or emerging requirements for personal data protection, as well as the measures taken by the Administrator in accordance with them.
VII. Transitional and final provisions:
14.1. The present Policy has been adopted with a Decision № 1 dated 03.06.2022 of Global Marketing Services LTD and it becomes effective on 04.06.2022.
14.2. Personal data subjects may access the present policy at the Administrator’s office, located in the city of Sofia, “Tsarigradsko shose” Blvd. № 54B, Graphics building, 1 fl., as well as on the Administrator’s website www.gms.work
14.3. In order to implement the most current protection measures and to comply with applicable law, the Administrator will regularly update the present personal data protection Policy. We invite you to regularly review the current version of this personal data protection Policy, to be constantly informed about how the Administrator cares for the protection of personal data collected by him.
3. The contact person on issues related to personal data protection at Global Marketing Services LTD is:
name: Nevin Hasan Duffy
address: city of Sofia, „Tsarigradsko shose“ Blvd. № 54B, Graphics building, 1 fl.
e-mail: nevinduffy@gmail.com