General data protection policy and electronic employment instructions
Electronic employment file
The electronic employment file makes it possible for Employer and Employee to sign documents remotely with a Qualified Electronic Signature, and to deliver and store them electronically. A qualified electronic signature has the same legal force as a handwritten one and offers the highest level of security. All documents between Employer and Employee are signed with a Qualified Electronic Signature (QES) issued by Evrotrust, a qualified electronic service provider licensed for Europe. Registration and signing of employment documents are completely free for the employee.
To sign the appointment documents, you need to complete the following steps:
- Download the Evrotrust application on your mobile phone and follow the instructions in the presentation “How to get a QES?”. The process is very easy, requires only an ID card, and takes about 3 minutes. Make sure you are in a well-lit place so the app can read the details of your ID.
- When registering, enter an up-to-date personal e-mail address, to which you will receive an activation link.
- When registering, enter a phone number, then confirm it in the application with the SMS code sent to you for this purpose.
- After completing the registration, confirm that you have done it and let us know the e-mail you registered with.
More information about the qualified electronic service provider Evrotrust can be found here.
If you have questions or problems when registering with Evrotrust, you can contact their call center on the following phones: +359 2 486 04 37; +359 2 448 58.
General data protection policy
I. Introduction
- General regulation for the protection of personal data
Regulation (EU) 2016/679 of the European Parliament and of the Council (the General Data Protection Regulation) repealed Directive 95/46/EC. The Regulation has direct effect and requires changes to the legislation of the member states in the field of personal data protection. Its purpose is to protect the ‘rights and freedoms’ of natural persons and to ensure that personal data is not processed without their knowledge and, where possible, is processed with their consent.
- Scope outlined by the General Data Protection Regulation
Material scope – This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
Territorial scope – the rules of the General Regulation apply to all data controllers established in the EU who process personal data of natural persons in the context of their activity. They also apply to non-EU controllers who process personal data for the purpose of offering goods and services to, or monitoring the behavior of, data subjects who reside in the EU.
- Definitions
‘Personal Data’ – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘Processing’ – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘Restriction of Processing’ – the marking of stored personal data with the aim of limiting their processing in the future;
‘Profiling’ – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
‘Pseudonymisation’ – the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
‘Filing System’ – any structured set of personal data that are accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis;
‘Controller’ – the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘Processor’ – a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller;
‘Recipient’ – a natural or legal person, public authority, agency, or another body, to which the personal data is disclosed, whether a third party or not. However, public authorities that may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing;
‘Third Party’ – a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
The definitions for each of the above are given in Art. 4 of GDPR.
II. Privacy Policy Declaration
- Accedia JSC management is committed to ensuring compliance with EU and member state legislation on personal data processing and with the protection of the “rights and freedoms” of the natural persons whose personal data Accedia JSC gathers and processes in accordance with the GDPR.
- This policy describes, in accordance with the Regulation, the other relevant documents as well as the related processes and procedures.
- Regulation (EU) 2016/679 and this policy refer to all personal data processing functions, including those performed on personal data of customers, employees, suppliers, and partners and any other personal data that the organization processes from different sources.
- The Data Protection Officer is responsible for revising the “Register of Processing Activities” annually for any changes in the activities of Accedia JSC as well as any additional data protection requirements. This register is available upon request by the supervisory authority.
- This policy applies to all employees (and interested parties) of Accedia JSC as well as external suppliers. Any violation of the Regulation will be considered a violation of labor discipline, and in case there is an assumption of a committed crime, the matter will be submitted for consideration in the shortest possible period to the relevant state authorities.
- Partners and third parties who work with or for Accedia JSC and have or may have access to personal data are expected to familiarize themselves with, understand, and comply with this policy. Third parties are granted access to personal data held by Accedia JSC only after signing a confidentiality agreement. That agreement imposes on the third party obligations no less stringent than those undertaken by Accedia JSC, and gives Accedia JSC the right to inspect the third party’s compliance with those obligations.
III. Obligations and Roles Regarding Regulation (EU) 2016/679
- Accedia JSC is (data controller and/or data processor) according to Regulation (EU) 2016/679.
- Accedia top management and all members of the management or supervisory bodies are responsible for developing and promoting good practices in the processing of information in Accedia JSC.
- The data protection officer is a role defined in Regulation (EU) 2016/679. The data protection officer in Accedia JSC is part of the top management and reports to the Senior Management / Board of Directors on the management of personal data within the organization, and ensures that the organization is able to demonstrate compliance with data protection legislation and good practice.
This reporting includes:
- developing and implementing the requirements of Regulation (EU) 2016/679 as required by this policy;
- security and risk management in relation to policy compliance.
- The Data Protection Officer (DPO) is appointed to take day-to-day responsibility for Accedia JSC’s compliance with this policy. The DPO is responsible for ensuring that both the organization of Accedia JSC and the activities of each member of the management team (within their area of responsibility) comply with the requirements of Regulation (EU) 2016/679.
- The DPO has specific responsibilities in relation to procedures such as GDPRPR03 – Procedure for managing data subject requests, and is the point of contact for the controller’s employees seeking clarification on any aspect of data protection compliance. All procedures mentioned in this policy are internal procedures that establish the order and control of the processes that the responsible persons (those who have signed a specific Declaration of confidentiality for working with personal data) carry out in relation to the processing of personal data by Accedia JSC.
- Compliance with data protection legislation is the responsibility of all Accedia JSC employees who process personal data.
- The training policy of Accedia JSC determines specific requirements for training and awareness related to the specific roles of the employees of Accedia JSC.
IV. Data Protection Principles
All processing of personal data is carried out in accordance with the data protection principles set out in Article 5 of Regulation (EU) 2016/679. Accedia JSC policies and procedures aim to ensure compliance with these principles.
- Personal data will be processed lawfully, fairly, and in a transparent manner
Lawfully – the controller will identify a lawful basis before personal data is processed. This is often referred to as “grounds for processing”, for example, “consent”.
Fairly – for the processing to be carried out fairly, the data controller will provide certain information to the data subjects as far as is practically possible. This applies regardless of whether the personal data is obtained directly from the data subjects or other sources.
In a transparent manner – the controller will follow the rules on providing information to data subjects set out in Articles 12, 13, and 14 of the GDPR. These rules are detailed and specific, and emphasize that privacy notices must be understandable and accessible. The information will be communicated to the data subject in an understandable form, using clear and plain language.
The rules for notifying the data subject are defined in the Procedure for data processing transparency.
The specific information that will be provided to the data subject includes at least:
- data that identifies the controller and the contact details of the controller and, if any, that of the controller’s representative;
- DPO contacts;
- the purpose of the processing for which the personal data is intended as well as the legal basis for the processing;
- the period for which the personal data will be stored;
- the existence of the following rights – to request access to the data, amendment, deletion (right to be forgotten), limitation of processing, as well as the right to object to the conditions (or lack thereof) in relation to the practice of these rights;
- personal data categories;
- the recipients or categories of recipients of personal data, where this is applicable;
- whether the controller intends to transfer the personal data to a recipient in a third country and the level of data protection (where applicable);
- any additional information necessary to ensure fair processing.
- Personal data is collected only for specific, defined, and lawful purposes
Data obtained for specific purposes must not be used for a purpose that differs from those officially declared to the supervisory authority in Accedia JSC’s Register of Data Processing Activities (Art. 30 GDPR). The rules are set out in the Procedure for transparency in the processing of personal data.
- Personal data must be adequate, relevant, and limited to what is necessary for the processing and for the relevant purpose (minimum necessary principle).
- DPO is responsible for ensuring that Accedia JSC does not collect information that is not strictly needed for the purpose for which it was obtained.
- DPO ensures that all data collection methods are reviewed by (internal audit/external experts) on an (annual) basis to ensure that the data collected continues to be adequate, relevant, and not excessive.
- Personal data must be accurate and up to date at all times, and measures are taken to enable immediate (within the possible technical solutions) deletion or correction
- The data held by the data controller must be reviewed and updated when necessary. Data that is likely to not be accurate should not be stored.
- DPO is responsible for ensuring that all staff are trained in the importance of collecting and maintaining accurate data.
- It is also the duty of the data subject to declare that the transmitted data for storage by Accedia JSC is accurate and up to date. Completion of a form by the data subject intended for the controller will include a statement that the data contained therein is accurate as of the date of submission.
- Employees (customers/others) should be required to notify Accedia JSC of any changes in circumstances so that personal data records can be updated. Accedia JSC has the responsibility to ensure that any notification regarding a change in circumstances is recorded and action is taken.
- DPO is responsible for ensuring that appropriate procedures and policies are in place to maintain the accuracy of the personal data, considering the volume of data collected, the rate at which this volume may change, and other relevant factors.
- The DPO will review the retention periods of all personal data processed by Accedia JSC at least on an annual basis, referring to the data inventory, and identify any data that is no longer required in the context of the registered purpose. This data will be securely destroyed in accordance with the controller’s procedures and policies.
- The DPO is responsible for complying with data correction requests within one month (Procedure for the Management of Subject Requests). This deadline can be extended by another two months for complex requests. If Accedia JSC decides not to comply with the request, the DPO must respond to the data subject explaining the reason for refusal and informing them of their right to submit a complaint to the supervisory authority and to seek legal remedy.
- The DPO is responsible for taking appropriate measures to inform third-party organizations that hold inaccurate or out-of-date personal data that the information is inaccurate or out-of-date and must not be used to make decisions about people (and to inform the relevant parties), and for forwarding any amendments of personal data to those third parties where necessary.
- Personal data must be stored in such a form that the data subject can be identified only for as long as is necessary for the processing
- Where personal data is retained after the date of processing, it will be stored in an appropriate manner (minimized, encrypted, pseudonymized) to protect the identity of the data subject in the event of a data breach.
- Personal data will be kept in accordance with the Data Retention and Destruction Procedure. Once the retention period has ended, the personal data must be reliably destroyed as set out in the procedure.
- Personal data must be processed in a way that guarantees adequate security (Art. 24, Art. 32 of GDPR)
The DPO will carry out a risk assessment, taking into account all the circumstances related to the data management or processing operations of Accedia JSC.
When determining how appropriate this processing is, the DPO will also consider the extent of potential harm or loss that may be caused to natural persons (e.g. staff or customers) if a security breach occurs, as well as any likely reputational damage to the controller, including a possible loss of customer confidence.
DPO will consider the following when assessing appropriate technical measures:
- Password security;
- Automatic locking of idle workstations in the network;
- Removal of access rights for USB and other portable storage media;
- Antivirus software and firewalls;
- Role-based access rights, including temporary assigned staff;
- The protection of devices that leave the premises of Accedia JSC, such as laptops or others;
- Local and wide area network security;
- Privacy-enhancing technologies, such as pseudonymization and anonymization;
- Identification of appropriate international security standards suitable for Accedia JSC.
The DPO will consider the following when assessing the appropriate organizational measures:
- The levels of appropriate training in Accedia JSC;
- The measures that take into account the reliability of employees (for example, attestation evaluations, recommendations, etc.);
- Data protection inclusion in employment contracts;
- Identification of disciplinary measures when there is a data processing violation;
- Regular inspection of personnel for compliance with security standards;
- Control of electronic and paper-based records physical access;
- Following a “Clean Workplace” policy;
- Storage of paper records in locked cabinets;
- Limiting the use of portable electronic devices outside the workplace;
- Limiting employees’ use of personal devices in the workplace;
- Accepting clear rules for creating and using passwords;
- Regular creation of backup copies of personal data and physical storage of media with copies outside the office;
- Imposing contractual obligations on counterparty organizations so that they take appropriate security measures when transferring data outside the EU.
These controls are defined considering the identified risks to personal data, as well as the potential for harm to the natural persons whose data is being processed.
- Compliance with the accountability principle
Regulation (EU) 2016/679 includes provisions that promote accountability and governance and complement the transparency requirements. Under the accountability principle (Art. 5, par. 2), the controller must be able to demonstrate compliance with the other principles of the GDPR, and the Regulation expressly states that this is the controller’s responsibility.
Accedia JSC will demonstrate compliance with the data protection principles by applying data protection policies, implementing appropriate technical and organizational measures, adopting data protection by design and by default, assessing and managing data protection risks, maintaining a personal data breach notification procedure, and keeping all other records required by the GDPR.
V. Data Subject Rights
- Data subjects have the following rights in relation to data processing as well as the data recorded about them:
- To request confirmation as to whether personal data relating to them is being processed and, if so, to obtain access to the data and information on who the recipients of the data are;
- To request a copy of their personal data from the controller;
- To request from the controller to amend their personal data when it is inaccurate, as well as when the data is no longer up to date;
- To demand from the controller the deletion of personal data (right “to be forgotten”);
- To request from the controller to limit the processing of personal data, in which case the data will only be stored, but not processed;
- To object to the processing of their personal data;
- To object to the processing of personal data concerning them for direct marketing purposes;
- To file a complaint with a supervisory authority if they believe that any of the provisions of the GDPR have been violated;
- To request and be provided with their personal data in a structured, commonly used and machine-readable format;
- To withdraw their consent to the processing of their personal data at any time with a separate request addressed to the controller;
- Not to be the subject of automated decisions that affect them to a significant extent, without the possibility of human intervention;
- To object to automated profiling that occurs without their consent.
- Accedia JSC provides resources to guarantee the execution of these rights by the data subject:
- Data subjects may make data access requests as described in the Procedure for Managing Requests from Subjects; this procedure also describes how Accedia JSC will ensure that the response to the data subject’s request meets GDPR requirements.
- Data subjects have the right to submit complaints to Accedia JSC concerning the processing of their personal data, the handling of a request from the data subject, or an appeal by the data subject regarding the manner in which complaints are handled, in accordance with the Procedure for the Ways of communication on complaints and requests from the data subject.
VI. Consent
- Accedia JSC will treat as “consent” any freely expressed, specific, informed, and unambiguous indication of the will of the data subject, by means of a statement or a clear confirming action, which expresses their consent to the personal data related to them being processed. The data subject may withdraw their consent at any time unless there is an alternative lawful basis for processing.
- Accedia JSC treats as “consent” only the cases in which the data subject has been fully informed about the planned processing and has expressed their consent without any pressure being exerted on them. Consent obtained with any form of pressure or based on misleading information will not be a valid basis for processing personal data.
- Written consent must be obtained through the Procedure for obtaining consent for the processing of personal data of data subjects for special categories of data unless there is an alternative lawful basis for processing.
- In most cases, consent for the processing of personal and special categories of data is obtained by Accedia JSC using standard consent documents.
- When Accedia JSC processes the personal data of children, permission must be obtained from those exercising parental rights (parents, guardians, etc.). This requirement applies to children under the age of 16 (unless the Member State has a lower age limit, which cannot be lower than 13 years).
VII. Data Security
- All employees are responsible for ensuring the secure storage of the data for which they are responsible and which Accedia JSC holds. Employees are also responsible for ensuring that the data is stored securely and is not disclosed under any circumstances to third parties unless Accedia JSC has granted such rights to those third parties through a confidentiality agreement/clause.
- All personal data will be accessible only to those who need it, and access can only be granted in accordance with established access control rules. All personal data will be treated with utmost security and stored:
- in a private room with controlled access; and/or in a closed cabinet or filing cabinet; and/or
- if it is computerized, protected by a password in accordance with the internal requirements specified in the organizational and technical measures for information access control and/or
- stored on portable computer media that is protected in accordance with organizational and technical measures for information access control.
- Rules have been established to ensure that computer screens and terminals cannot be viewed by anyone other than Accedia JSC authorized employees. All employees are trained and accept relevant contractual clauses to comply with the organizational and technical access measures, as well as workstation locking rules before they are granted access to information of any kind.
- Paper records will not be left where they can be accessed by unauthorized people and cannot be removed from designated office premises without permission. As soon as paper documents are no longer required for ongoing customer support work, they will be destroyed in accordance with established procedures and protocols.
- Personal data may be deleted or destroyed only in accordance with the Data Retention and Destruction Procedure. Paper records that have reached their retention date should be shredded and destroyed as “confidential waste”. Data on the hard drives of redundant personal computers must be erased or the drives destroyed according to established policies/procedures.
- Processing personal data “outside of the office” holds a potentially greater risk of loss, theft, or breach of personal data. Personnel must be specifically authorized to process the data outside of the controller’s premises.
VIII. Disclosure of Data
- Accedia JSC must ensure that personal data is not disclosed to unauthorized third parties, including family members, friends, and government authorities (even investigative ones, where there is reasonable doubt that the request is not made in accordance with the established order). All employees must be cautious when asked to disclose personal data about another person to a third party. It is important to consider whether the disclosure of the information is related to the needs of the activity carried out by the organization.
Employees are provided with special training and periodic briefings to avoid the risk of such violations.
- Any third-party requests to provide data must be supported by appropriate documentation. The DPO must specifically authorize such data disclosures.
IX. Data Storage and Destruction
- Accedia JSC does not store personal data related to the purposes for which the data is collected in a form that allows the identification of subjects for a longer period than is necessary.
- Accedia JSC may store data for longer periods of time only if the personal data will be processed for archiving purposes in the public interest, for scientific or historical research, or for statistical purposes, and only if appropriate technical and organizational measures are in place to guarantee the rights and freedoms of the data subject.
- The storage period for each category of personal data will be displayed in the Procedure for storing and destroying the data as well as the criteria used to determine this period, including any legal obligations to Accedia JSC to keep the data.
- Accedia JSC will apply the Procedure for storing and destroying data in all cases, as well as the rules for destroying information on unused recording media.
- Personal data will be destroyed in a secure manner, in accordance with the principle for ensuring an appropriate level of security (Article 5, par. 1 b of GDPR) by applying appropriate technical or organizational measures (“integrity and confidentiality”) – including protection against unauthorized or unlawful processing or against accidental loss, destruction or damage.
X. Data Transfer
- Any export of data from within the EU to countries outside the EU (referred to in the General Regulation as “third countries”) is illegal unless there is an appropriate “level of protection of the fundamental rights of the data subjects”.
The transfer of personal data outside the EU is prohibited unless one or more of the specified safeguards or exceptions apply. Transfers to countries in the European Economic Area (EEA) are permitted: the EEA is broader in scope than the EU and also includes non-EU countries (Liechtenstein, Norway and Iceland), which apply EU regulations through a decision of the Joint Committee, as is the case for the General Regulation.
- Adequacy decision
The European Commission may assess third countries, territories, and/or specific sectors within third countries to determine whether they provide an adequate level of protection of the rights and freedoms of natural persons. Transfers to such countries require no further authorization.
Countries that are members of the European Economic Area (EEA), but not the EU, are accepted as eligible for an adequacy decision (Art. 45 par. 8).
- EU-U.S. Privacy Shield
If Accedia JSC wants to transfer personal data from the EU to a third party in the USA, Accedia must check whether the other company has signed the “Privacy Shield” Framework Agreement with the US Department of Commerce.
The US Department of Commerce is responsible for managing and administering the Privacy Shield and ensuring that companies meet their commitments. In order to be certified by the Department, companies must have a personal data protection policy consistent with the principles of the GDPR, i.e. they must use, store, and transfer personal data in accordance with a set of strict data protection rules and precautions.
- Standard Contractual Clauses
Accedia JSC may adopt the standard contractual clauses for data protection approved by the European Commission when transferring data outside the European Economic Area. Where Accedia JSC accepts the standard contractual clauses approved by the relevant supervisory authority, adequacy is recognized automatically.
- Exceptions
In the absence of an adequacy decision, US Privacy Shield membership, binding corporate rules, and/or standard contractual clauses, the transfer of personal data to a third country or international organization will only take place under one of the following conditions:
- the data subject has consented to the transfer after being informed of the possible risks of such transfers;
- the transmission is necessary for the execution of a contract between the data subject and the controller or for the execution of pre-contractual measures taken by request of the data subject;
- the transmission is necessary for the signing or execution of a contract signed between the controller and another natural person or legal entity in the interest of the data subject;
- the transmission is necessary for important reasons of public interest;
- the transmission is necessary for the establishment, exercise, or defense of legal claims;
- the transfer is necessary to protect the vital interests of the data subject or other natural persons, where the data subject is physically or legally unable to give consent;
- the transfer is made from a register which, under EU law or the law of the Member States, is intended to provide information to the public and is available in general for reference by the public or by any person who can demonstrate that they have a legitimate interest in doing so, but only to the extent that the reference conditions laid down in Union law or the law of the Member States are fulfilled in the particular case.
XI. Register of Data Processing (Data Inventory)
- Accedia JSC has established a data inventory process as part of its approach to addressing the risks and opportunities involved in complying with Regulation (EU) 2016/679. During the data inventory and in the course of ongoing work, Accedia JSC establishes the following:
- business processes that use personal data;
- sources of personal data;
- the number of data subjects;
- a description of the categories of personal data and the elements of each category;
- processing activities;
- the purpose of the processing for which the personal data is intended;
- the legal basis for the processing;
- the recipients or categories of recipients of the personal data;
- the main systems and places of storage;
- all personal data that is subject to transfers outside the EU;
- storage and deletion periods.
- Accedia JSC is aware of the risks associated with the processing of certain types of personal data.
- Accedia JSC assesses the level of risk for natural persons related to the processing of personal data.
- The DPO carries out a periodic review (annually, or more often if deemed necessary) of the initially inventoried data and revises the information entered in the “Register of processing activities” in the light of any changes in the activities of Accedia JSC.
Accedia JSC administers labor relations with employees entirely electronically according to the “Ordinance on the type and requirements for the creation and storage of electronic documents in the labor file of the worker or employee”.