Private policy



  1. General Data Protection Regulation


Regulation (EU) 2016/679 (General Data Protection Regulation) replaces the Data Protection Directive 95/46/EC. It has direct effect and implies an amendment to Member States’ data protection legislation. Its purpose is to protect the ‘rights and freedoms’ of individuals and to ensure that personal data is not processed without their knowledge and, where possible, that it is processed with their consent.

  1. Scope outlined by the General Data Protection Regulation Material scope (Article 2)

This Regulation shall apply to the processing of personal data wholly or partly by automatic means and to the processing by other means of personal data(e.g. manually and on paper) which form part of a personal data record or which are intended to form part of a personal data record.

Territorial scope (Article 3) – the rules of the General Regulation apply to all data controllers established in the EU that process personal data of individuals in the context of their activities.


  1. Definitions


“Personal data” means any information relating to an identified natural person or an identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, psychological, economic, cultural or social identity of that natural person.

“Special categories of personal data” – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation.

“Processing” means any operation or set of operations which is performed upon personal data or a set of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;


“Administrator” means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or Member State law, the controller or the specific criteria for its determination may be laid down in Union or Member State law;


“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;


“Data Subject” – any living individual who is the subject of personal data held by the Administrator.

“Consent of the data subject” – any freely given, specific, informed and unambiguous indication of the data subject’s wishes, by means of a statement or a clear affirmative action, consenting to the processing of personal data relating to him or her;


“Child” – The General Regulation defines a child as anyone under the age of 16 although this can be reduced to 13 by Member State law. The processing of a child’s personal data is only lawful if a parent or guardian has given consent. The data controller shall make reasonable efforts to verify in such cases that the holder of parental responsibility for the child has given or authorised consent.


“Profiling” – any form of automated processing of personal data consisting in the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the performance of that natural person’s professional duties, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;


“Personal data breach” means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that is transmitted, stored or otherwise processed;


“Principal establishment” – the administrator’s EU headquarters will be the place where it makes the main decisions about the purpose and means of its data processing activities. With regard to the processor, its main establishment in the EU will be its administrative centre.

If the controller is established outside the EU, it must appoint a representative in the jurisdiction in which the controller operates to act on the controller’s behalf and deal with supervisory authorities (Article 4 (16) of the GDPR).


“Recipient” – the natural or legal person, public authority, agency or other body to whom the personal data is disclosed, whether or not a third party. At the same time, public authorities which may receive personal data in the framework of a specific investigation in accordance with Union or Member State law are not considered to be ‘recipients’; the processing of those data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing;


“Third party” – any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or the processor, are entitled to process the personal data;

Data Protection Policy Statement

  1. The management of POLYFIELDS Ltd. is committed to ensuring compliance with EU and Member State legislation regarding the processing of personal data and the protection of the “rights and freedoms” of individuals whose personal data POLYFIELDS Ltd. processes, in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679) and applicable legislation in the Republic of Bulgaria.
  2. In accordance with the General Regulation, other relevant documents such as related processes and procedures are described in this policy.
  3. Regulation (EU) 2016/679 and this policy apply to all personal data processing functions, including those carried out on personal data of customers, employees, suppliers and partners and any other personal data that the organisation processes from a variety of sources.
  4. The Data Protection Officer shall be responsible for reviewing the “Register of Processing Activities” annually in light of any changes to the activities of POLYFIELDS LTD, and any additional requirements, data protection impact assessments. This register must be available at the request of the supervisory authority.
  5. This policy applies to all employees and Stakeholders of POLIFIELDS Ltd. Any breach of the General Regulations will be treated as a breach of employment discipline, and in the event that there is an allegation of a criminal offence, the matter will be referred to the RBL for consideration within the statutory timeframe.
  6. Partners and third parties who work with or for POLYFIELDS Ltd, and who have or may have access to personal data, should be aware of this policy. No third party may have access to personal data held by POLYFILDS Ltd without first entering into a data confidentiality agreement which imposes on the third party obligations no less onerous than those which POLYFILDS Ltd has undertaken and which entitles POLYFILDS Ltd to carry out checks on compliance with the obligations imposed by the agreement.


Duties and roles under Regulation (EU) 2016/679

  1. POLYFIELDS Ltd. is the controller and processor of personal data in accordance with Regulation (EU) 2016/679.
  2. The senior management of POLYFIELDS Ltd. is responsible for developing and promoting best practices in the area of information processing in POLYFIELDS Ltd.;
  3. The Data Protection Officer (attached job description) at POLYFIELDS Ltd is responsible for the management of personal data within the organisation and for ensuring that compliance with data protection legislation and good practice can be demonstrated.

This OZD reporting includes:

  • develop and implement the requirements of REGULATION (EU) 2016/679 as required by this policy;
  • security and risk management in relation to policy compliance.
  1. Compliance with data protection legislation is the responsibility of all employees of POLYFIELDS Ltd. who process personal data.
  2. The POLYFIELDS Ltd Regulatory Training Policy sets out the specific training and awareness requirements in relation to the specific roles of POLYFIELDS Ltd employees.

Data protection principles

All processing of personal data is carried out in accordance with the data protection principles set out in the Regulation. The policies and procedures developed by POLYFIELDS Ltd aim to ensure compliance with these principles..


    1. Personal data must be processed lawfully, fairly and transparently

Lawful – to identify a lawful basis before it can process personal data. These are often referred to as ‘processing grounds’, for example ‘consent’.

Fair processing – for processing to be fair, the data controller must provide certain information to data subjects, as far as practicable. This applies whether the personal data are obtained directly from the data subjects or from other sources.

Transparent – The General Regulation includes rules on the provision of confidential information to data subjects in Articles 12, 13 and 14 of the GDPR. They are detailed and specific, placing emphasis on privacy notices being understandable and accessible. The information must be communicated to the data subject in an intelligible form, using clear and understandable language.

The rules for the notification of the data subject by POLYFIELDS Ltd are set out in GDPR IP 2 Transparency Procedure for the Processing of Personal Data. The specific information to be provided to the data subject must include, as a minimum:

    • data identifying the administrator and the contact details of the controller and, if any, of the controller’s representative;
    • the contacts of the OZD;
    • the purposes for which the personal data are processed and the legal basis for the processing;
    • the period for which the personal data will be stored;
    • the existence of the following rights – to request access to the data, rectification, erasure (right to be forgotten), restriction of processing, as well as the right to object to the conditions (or lack thereof) relating to the exercise of these rights;
    • personal data categories;
    • the recipients or categories of recipients of personal data, where applicable;
    • where applicable, whether the administator intends to transfer the personal data to a recipient in a third country and the level of data protection;
    • any additional information necessary to ensure fair processing.


  1. Personal data may only be collected for specific, explicit and legitimate purposes

Data obtained for specific purposes must not be used for a purpose that differs from those officially notified to the supervisory authority as part of the Register of Data Processing Activities of POLYFIELDS Ltd. GDPR IP 2 Transparency Procedure for the Processing of Personal Data sets out the relevant rules.

  1. Personal data must be adequate, relevant, limited to what is necessary for the processing for the relevant purpose (principle of minimum necessary)
  • The OZD is responsible for ensuring that POLYFIELDS Ltd does not collect information that is not strictly necessary for the purpose for which it was obtained.
  • All data collection forms (electronic or paper), including data collection requirements in new information systems, must include a declaration of fair processing or a link to the GDPR F 1 Privacy Statement.


  1. Personal data must be accurate and up-to-date at all times, and reasonable efforts must be made to allow for its erasure or correction without delay (within the limits of possible technical solutions).
  • The data held by the data administrator must be reviewed and updated as necessary. Data should not be stored where it is likely to be inaccurate.
  • The OZD, with the assistance of the Human Resources Department and the Head of IT Infrastructure, conducts staff training on the policy and the data protection regulation.
  • It is also the duty of the data subject to declare that the data they transmit for storage by POLYFIELDS LTD are accurate and up-to-date. Completion of a form by the data subject intended for the controller will include a statement that the data contained therein is accurate as of the date of submission.
  • Employees, (clients/others) are required to notify POLYFIELDS LTD of any changes in circumstances to enable records of personal data to be updated. It is the responsibility of POLYFIELDS LTD to ensure that any notification of a change of circumstances is recorded and acted upon.
  1. Personal data must be kept in such a form that the data subject can be identified only for as long as is necessary for the processing.
  • Where personal data is retained beyond the date of processing, it will be stored appropriately (minimised, encrypted, pseudonymised) to protect the identity of the data subject in the event of a data breach.
  • Personal data will be retained in accordance with the Company’s established data retention and destruction procedures and, once it has passed its retention period, it must be securely destroyed in the manner specified in this procedure.
  • The OZD shall approve any retention of data that exceeds the retention period defined in GDPR IP 7 Data Retention and Destruction Procedure and accompanying information security policies and must ensure that the justification is clearly defined and complies with the requirements of data protection legislation. This approval must be in writing.
  1. Personal data must be processed in a way that ensures appropriate security.

The company has carried out a risk assessment of the processing of personal data.

Appropriate technical measures such as:

  • Password protection;
  • Automatic locking of idle workstations on the network;
  • Restrict access rights for USB and other portable storage media;
  • Antivirus software and firewalls;
  • Role-based access rights, including those of temporarily assigned staff;
  • The protection of devices that leave the organisation’s premises, such as laptops or other;
  • Security of local and wide area networks;
  • Privacy enhancing technologies such as pseudonymisation and anonymisation;
  • Identification of appropriate international security standards suitable for POLYFIELDS Ltd.


Organisational measures include:

  • Levels of appropriate training in POLYFIELDS Ltd.;
  • Measures that take into account the reliability of employees (e.g. appraisals, references, etc.);
  • Data protection in employment contracts;
  • Identification of disciplinary measures for data breaches;
  • Regular vetting of staff for compliance with relevant security standards;
  • Control of physical access to electronic and paper-based records;
  • Compliance with a “clean workplace” policy[1];
  • Storage of paper database in lockable wall cabinets;
  • Restrict the use of portable electronic devices outside the workplace;
  • Limiting employee use of personal devices in the workplace;
  • Adoption of clear rules for the creation and use of passwords;


  1. Compliance with the principle of accountability


POLYFIELDS Ltd will demonstrate compliance with data protection principles by implementing data protection policies, subscribing to the implementation of appropriate technical and organisational measures as well as adopting data protection techniques at the design stage and data protection by default, risk assessment, data breach notification procedure etc.


Data subjects’ rights

  1. Data subjects have the following rights in relation to the processing of data as well as the data recorded about them:
  • To request confirmation as to whether personal data relating to him or her is being processed and, if so, to obtain access to the data as well as information as to who the recipients of that data are.
  • Request a copy of their personal data from the controller;
  • Request the administrator to rectify personal data when it is inaccurate or no longer up-to-date;
  • Request the administrator to erase personal data (right to be forgotten);
  • To request the administrator to restrict the processing of personal data, in which case the data will only be stored but not processed.;
  • To object to the processing of his or her personal data;
  • Object to the processing of personal data concerning him or her for direct marketing purposes.
  • Lodge a complaint with a supervisory authority if it considers that any provision of the GDPR has been infringed;
  • To request and be provided with personal data in a structured, commonly used and machine-readable format;
  • To withdraw consent to the processing of personal data at any time with a separate request to the administrator;
  • Not be subject to automated decisions that significantly affect it without the possibility of human intervention;
  • Oppose automated profiling that occurs without their consent;


  1. POLYFIELDS LTD shall provide conditions to ensure the exercise of these rights by the data subject.:
  2. Data subjects may make data subject access requests as described in the attached GDPR IP 3 Data Subject Request Management Procedure.


Data subjects have the right to lodge complaints with POLYFIELDS LTD relating to the processing of their personal data, the processing of a request by the data subject and an appeal by the data subject concerning the manner in which complaints are processed in accordance with GDPR IP 4 Procedure for means of communication for complaints and requests by the data subject.