Transparency and conditions for exercising the rights of individuals
The administrator shall provide information to persons in a concise, transparent, comprehensible and easily accessible form, in clear and simple language.
The controller strives to ensure that the persons are aware of the personal data processed by him and that the persons fully and completely understand and are informed in connection with the processing in accordance with the requirements of the GDPR and the Bulgarian legislation.
The administrator shall provide the information to persons in writing or otherwise, including, where appropriate, by electronic means. If the person has requested this, the information may be given orally, provided that the person’s identity has been proved by other means.
The administrator shall provide individuals with free information on the action taken on a request for their right of access, rectification, deletion, restriction of processing, portability, objection and automated decision-making, without undue delay and in any case within one month of receiving the request.
If necessary, this period may be extended by a further two months, taking into account the complexity and number of requests. The administrator shall inform the person of any such extension within one month of receipt of the request, indicating the reasons for the delay. Where the person concerned submits a request by electronic means, the information shall, where possible, be provided by electronic means, unless the person has requested otherwise.
If the Administrator does not take action on the request, the Administrator shall notify the person without delay and at the latest within one month of receiving the request of the reasons for not taking action and of the possibility to file a complaint to a supervisory authority and seek protection in court.
Where the person’s requests are manifestly unfounded or excessive, in particular because of their recurrence, the Administrator may either:
– to charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the requested action, or
– refuse to take action on the request.
Right of access for persons
Each person has the right to receive confirmation from the Administrator whether personal data related to him are processed, and if so, to have access to the data and the following information:
– the purposes of the processing;
– the relevant categories of personal data;
– the recipients or categories of recipients to whom the personal data are or will be disclosed (including in third countries or international organizations);
– where possible, the estimated period for which the data will be stored and, if this is not possible, the criteria used to determine this period;
– the existence of the right to require the Administrator to correct or delete personal data or to restrict the processing of personal data related to the affected persons, or to object to such processing;
– the right to appeal to the Commission for Personal Data Protection;
– where personal data are not collected by the persons themselves, any available information on their source;
– the existence of automated decision making, incl. profiling, and at least in these cases essential information about the logic used, as well as the significance and intended consequences of this processing for individuals.
When personal data are transferred to a third country or to an international organization, persons have the right to be informed of the appropriate safeguards in connection with the transfer.
The administrator provides the person with a copy of the personal data that are being processed. For additional copies requested by individuals, the Administrator may charge a reasonable fee based on administrative costs. Where a person submits a request by electronic means, the information shall, where possible, be provided in a widely used electronic form, unless the person has requested otherwise.
Right of adjustment
Any person whose data is processed by the Administrator has the right to ask the Administrator to correct inaccurate personal data related to him without undue delay. Taking into account the purposes of the processing, the person has the right to supplement the incomplete personal data.
Right to delete
Any person whose data is processed by the Administrator has the right to request from the Administrator the deletion of the personal data related to him without undue delay, and the Administrator has the obligation to delete without undue delay the personal data when:
– personal data are no longer needed for the purposes for which they were collected or otherwise processed;
– the person has withdrawn his consent on which the data processing is based and there is no other legal basis for the processing;
– the person objects to the processing and there are no legal grounds for the processing to take precedence;
– personal data have been processed illegally;
– personal data must be deleted in order to comply with a legal obligation that applies to the controller;
– personal data