PRIVACY NOTICE ON PERSONAL DATA PROCESSING HELD BY DINOVA RUSEV & PARTNERS LAW OFFICE
This Privacy Notice aims to provide information regarding what personal data of you is processed by Dinova Rusev & Partners Law Office (“DRP” or the “Law Office”) and how we use these data in relation to the performance of our business processes
Should you have any questions with this regard, please contact us at the following e-mail: office@drp-legal.com or at: 17, Vasil Aprilov Str., Sofia 1504, Republic of Bulgaria.
If you wish to confirm whether DRP processes your personal data or to access them you may also contact us by using the above contact details.
The terms as used in the document have the same meaning as defined in the EU General Data Protection Regulation.
INTRODUCTION
Dinova Rusev & Partners Law Office is a full-service law firm based in the Republic of Bulgaria, offering both companies and individuals a wide variety of legal services. Its core activities include legal services in number of different sectors, including but not limited to: Banking and Finance, Corporate and Commercial, Mergers and Acquisitions, Dispute Resolution, Energy, Real Estate, Data Protection, Employment.
We want the personal data processing of your personal data to be completely transperant and du eto this below you may find list of the categories of processed data, the purposes, legal basis and the terms for their processing as well as your rights in relation to your personal data.
CATEGORIES OF CONCERNED INDIVIDUALS (DATA SUBJECTS) AND PURPOSES OF DATA PROCESSING
For the performance of its activities DRP processes personal data of the following main categories of data subjects, in addition to the data subjects whose data are processed within internal employment and corporate relations:
This document will enable you to learn more about:
HOW, WHY AND WITHIN WHAT TIME LIMITS WE PROCESS YOUR PERSONAL DATA
The information below concerns both data subjects who provided their personal data to DRP personally and data subjects whose personal data have been provided to DRP by third parties (e.g. by its clients).
Dinova Rusev & Partners Law Office with BULSTAT 131428288, having its seat and registered address at: 17, Vasil Aprilov Str., Sofia 1504, Republic of Bulgaria, represented by Anelia Dinova, in its capacity of data controller, processes personal data as follows:
JOB APPLICANTS AT DRP
DRP processes the following categories of personal data of job applicants at the Law Office provided by them in the documents attached to their work application (CVs, diplomas and other documents evidencing qualification and education):
- physical identity data: name; address; phone number; email address; signature; picture; date of birth;
- social identity data: education; professional qualification; professional experience; any other information related to applying to the specific job announcement, including data contained in CVs, labour books, diplomas and other certificates; IT capabilities;
- family identity data: family status; family relations;
- cultural identity data: interests; hobbies.
Purpose, legal basis and time limit of processing:
DRP processes the listed data for the purposes of hiring personnel and on the legal basis of its legitimate interests for recruitment of the best personnel for its needs.
In result of the recruitment process DRP divides the job applicants to shortlisted, but not hired applicants and non-shortlisted applicants.
Regarding the non-shortlisted applicants, DRP keeps the respective personal data for a time period of not more than the closure of the respective recruitment procedure for which the data subject applied.
DRP keeps the CV and the personal data of shortlisted but not hired applicants for a period of 6 (six) months after the closure of the respective recruitment procedure for which the data subject applied.
During this period DRP will keep these shortlisted applicants’ personal data based on its legitimate interest to find the best candidates for the specific open positions and for the purpose of consideration for short-term future recruitment business needs.
At the end of the six months’ storage limitation period, or once Dinova Rusev & Partners receives an objection against keeping the shortlisted applicants’ personal data, the latter will be destroyed permanently without possibility for recovery.
You may find more information on the right of shortlisted applicants to object to the processing of their personal data for the purposes of further recruitment by DRP in Section II. What your rights are below.
CLIENTS OF THE LAW OFFICE & INDIVIDUALS WHOSE DATA HAVE BEEN PROVIDED BY OUR CLIENTS
DRP processes the types of personal data as listed below of the following categories of data subjects:
- DRP potential, past and current corporate clients’ official and legal representatives, their proxies, contact persons, employees, as well as potential, past and current individual clients of DRP;
- Individuals legally or factually related to DRP clients (including such that represent or are related to legal entities related to DRP clients):
The categories of processed personal data with this regard are:
- physical identity data: name; address; phone number; email address; signature; data contained in pictures; ID card/passport data, where:
- DRP only processes personal identity card/passport data if this is required by law (e.g. in relation to notary verified documents).
- economic identity data: bank account details; property data; data contained in pledge messages or other documents related to the enforcement of data subjects’ duties, origin of funds;
- social identity data: education; professional qualifications; professional experience; data related to the commencement of employment, including data contained in autobiographies, labour books, diplomas and other certificates, as well as in criminal records certificates; data associated with work related legal relationships, including any disciplinary violations and measures enforced on the data subject, discriminatory behavior, as well as work assessments;
- family identity data: family status, family relations ties; heirs’ relations;
- special categories of data: data related to data subjects’ health conditions contained in sick-leave notes, medical certificates, pre-employment medical exams documentation, decisions of expert doctors commissions, where:
- DRP processes this special category of data only if it is necessary for identifying and defending its clients’ rights and interests and/or for the provision of legal advices and/or filing legal claims on behalf of the client with this regard, as well as protection against claims against clients.
Purpose, legal basis and time limit of processing:
DRP may use the data above only for the following purposes:
- providing legal and consulting services;
- administering the performance of legal and consulting services;
- negotiation with current and potential clients and other contractors of DRP for provision of legal and consultancy services;
- control over the performance of the contractual and pre-contractual obligations;
- property management;
- debt collection;
- accounting and taxes, including the issue of invoices;
- administering of and protection against legal claims.
DRP processes these data on the legal basis of fulfilling legal, contractual and pre-contractual obligations with regards to the respective relations.
The time limits for processing personal data for these purposes is as follows:
- data contained in client files – up to six (6) years from the end of legal services provision;
- data contained in accounting registers and financial accounts – up to eleven (11) years;
- data contained in documents subject to tax inspections and needed for accounting purposes – up to eleven (11) years;
- data contained in documents necessary for contractual performance – up to six (6) years from the performance of the last assignment from the respective client or until the closure of initiated proceedings in cases of disputes, except where a law, court decision, contract or commercial practice require otherwise.
INDIVIDUALS WHOSE DATA ARE PROCESSED FOR THE PURPOSES OF ANTI-MONEY LAUNDERING MEASURES COMPLIANCE AND ANTI-TERRORISM FINANCING MEASURES
DRP is an entity obliged by law to ensure implementation of measures against money laundering and terrorism financing. In implementation of this statutory obligation, we processes the following categories of personal data of potential, past and current DRP corporate clients’ legal representatives, agents and beneficial owners of clients – legal entities/legal arrangements, past, current and/or potential individual clients – physical persons:
- physical identity data: name; date and place of birth; official personal identification number or another unique element for certification of identity, contained in an official identity document, the term of validity of which is not expired and which contains a photograph of the respective person; each nationality that the person has; state of permanent residence and an address; signature; ID card/passport data, where:
- DRP only processes personal identity card/passport data where required by the applicable anti-money laundering legislation and anti-terrorism financing legislation;
- DRP only keeps copies of personal identity card/passport data, if needed as per the applicable anti-money laundering legislation and anti-terrorism financing legislation;
- social identity data: data about professional activity;
- economic identity data: property; general financial condition; bank account number; origin of funds (where applicable under the anti-money laundering legislation and anti-terrorism financing legislation).
Purpose, legal basis and time limit of processing
We may use the data above only for the following purposes:
- performance of our legal obligations related to the identification of the DRP past and current clients as well as potential clients;
- money laundering prevention;
- terrorism financing prevention.
DRP processes these data on the legal basis of fulfilling its legal obligations under the Anti-money Laundering Act and Anti-terrorism Financing Act.
The time period for processing personal data for these purposes is as follows:
- up to six (6) years from the end of the client’s contractual or pre-contractual relationship with DRP, except for the cases where a law, court deed, state authority deed, contract or commercial practice require otherwise. For example: upon written instruction by the director of the Financial Intelligence Directorate with the State Agency of National Security, the above term can be further extended with up to 2 more years.
CONTRACTORS
DRP processes the following categories of personal data of DRP’s potential, current and/or past contractors’ legal representatives, agents, persons of contact, employees and subcontractors and/or contractors – physical persons:
- physical identity data: name; personal identification number; address; phone number; email address; signature; ID card/passport data, where:
- DRP only processes ID/passport data, if this is required by law (e.g. in relation to notary verified documents).
- social identity data: professional qualifications where required for the specific contractual performance.
- economic identity data: bank account details and general financial condition data.
From our contractors we receive such personal data (contact information) of employees or other persons to whom our contractors assigned to be contact persons under the respective contract. Our contractors who provided us these data are also personal data controllers of these categories of data and bear personal liability for provision of all needed information with this regard to the data subjects. Moreover, our contractors are obliged to ensure the accuracy of these data and keep them accurate all the time. This means that if any of the provided data are not accurate anymore we should be duly notified for this as soon as possible. Until the receipt of such notification, we accept that the provided contact information data are accurate and we may use them for the purposes below.
Purpose, legal basis and time limit of processing
We may use the data above only for the following purposes:
- signing, amending, supplementing, performing and termination of contracts;
- control over the performance of the contractual and pre-contractual obligations;
- property management;
- debt collection;
- accounting and taxation;
- administration of and legal claims defence.
DRP processes these data on the legal basis of fulfilling its legal, and contractual and pre-contractual obligations with regards to the respective relations.
The time period for processing personal data for these purposes are as follows:
- data contained in accounting registers and financial accounts – up to eleven (11) years;
- data contained in documents subject to tax inspections and needed for accounting purposes – up to eleven (11) years;
- data contained in documents necessary for contractual performance – up to six (6) years from the termination of the respective contract or until the closure of initiated proceedings in cases of disputes,
except where a law, court deed, contract or commercial practice require otherwise.
BUSINESS CONTACTS
If you provided any lawyer or employee of DRP with your business contact information via your business card or in any other way or this information is publically available, please note that it is possible that DRP has included this information of you in its business contacts list.
The above means that in case of business need, for the purpose of sending you holiday greetings or for providing you with information about our services, DRP may contact you but only in your official capacity in which we have your contact information.
DRP provides all necessary protections to its database with business contacts as for the personal data processed by the Law Office.
If you do not wish DRP to contact you as described above, please inform us at any of our addresses listed in the next Section II and your contact information will be deleted from our business contacts database.
YOUR RIGHTS
If you are a person, whose personal data are processed by DRP under any of the above circumstances, you have the following rights in this regard:
- All data subjects whose personal data are processed by DRP have the right:
- to be informed about the types of personal data processed by DRP;
- to access to and copy of their processed personal data;
- to correct or erase their personal data;
- to limit processing; and
- to portability of their data.
- If you are a job applicant at DRP invited to a job interview, but not hired, you also have the right to object to the processing of your personal data for the purposes of further recruitment by DRP. Upon receipt of your objection your personal data along with your job application will be deleted without possibility for further reproduction.
You can exercise any of the abovementioned rights by submitting a written request, in either of the following ways:
- via email to: office@drp-legal.com
- by letter, to the following post address: 17, Vasil Aprilov Str., Sofia 1504, Republic of Bulgaria.
You also have the right to complain about the processing of your personal data to the relevant authority, which for the Republic of Bulgaria is the Commission for Personal Data Protection.
CONTENTS OF YOUR APPLICATION
Your application for the exercise of any of your rights should contain at least your names and other identification information, if necessary, description of your request, preferred way of communication with you, address for correspondence, date of the application.
If the application is signed by a representative, the respective power of attorney document should be attached to the application.
DRP may contact you for additional information, if it needs to ensure your identity or further clarify your request.
WHO WE CAN SHARE/DISCLOSE YOUR DATA WITH
For the purposes of ensuring high level of security and professional assistance, we might provide the personal data of each of the above listed data subjects to the following third parties:
- legal, tax, accounting and other consultants;
- service providers supporting DRP’s electronic messaging system;
- service providers supporting hardware and software used by DRP for different purposes compatible with the purposes of the respective processing, such as accounting and taxation, work management, document management, etc.;
- other IT service providers;
- documents storage/archive service providers;
- banks and insurance companies (only if needed or assigned by the client and upon ensuring the attorney-client privilege and confidentiality, when applicable).
- competent authorities (such as the State Agency of National Security, etc. – only if needed or required and ensuring the attorney-client privilege and confidentiality, when applicable).
PROTECTION OF YOUR DATA
To protect the privacy of data and personally identifiable information, we maintain physical, personal, technical and administrative safeguards. We update and test our security technology on an ongoing basis. We limit access to your personal data to those employees and personal data processors who need to know that information to provide services to you. In addition, we train our personnel about the importance of confidentiality and maintaining the privacy and security of your information. We commit to taking appropriate disciplinary measures to enforce our employees’ privacy responsibilities.
USE OF DRP-LEGAL.COM WEBSITE
As is true of most other websites, DRP’s website collects certain information automatically and stores it in log files. The information may include internet protocol (IP) addresses, the region or general location where your computer or device is accessing the internet, browser type, operating system and other usage information about the use of our website, including a history of the subsections you view. We use this information to help us design our site to better suit our users’ needs. We may also use your IP address to help diagnose problems with our server and to administer our website, analyze trends, track visitor movements, and gather broad demographic information that assists us in identifying visitor preferences. DRP’s website also uses cookies and web beacons. It does not track users when they cross to third party websites, does not provide targeted advertising to them, and therefore does not respond to Do Not Track (DNT) signals.
CHANGES AND UPDATES TO THIS PRIVACY NOTICE
As our organization and services change from time to time, this Privacy Notice is expected to change as well. We reserve the right to amend the Privacy Notice at any time, for any reason, without notice to you, other than the posting of the amended Privacy Notice at this website.
The present document represents privacy notice within the meaning of Art. 13 and Art. 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).