INTERNAL RULES

OF ACCOUNTING HOUSE M EOOD

On the Personal Data Protection Measures in accordance with Regulation 2016/679

I. GENERAL PROVISIONS

Art. 1. (1) Accounting House M EOOD, hereinafter referred to as “SKM”, is a legal entity registered in accordance with the BULSTAT Register Act under BULSTAT number: 130885095.

(2) The domicile of Accounting House M EOOD is in the city of Sofia and the registered address is at 104 Academic Ivan Evstatiev Geshov Boulevard, entrance А, floor 4, office 6, Sofia.

(3) Being a legal entity incorporated in compliance with the law, SKM also carries out activities regulated by the Accountancy Act, the Independent Financial Audit Act, the Tax and Social Insurance Procedure Code, and other statutory regulations.

(4) SKM processes personal data in connection with its activity and itself defines the objectives and tools for their processing. In this case, SKM acts as a data controller.

(5) In cases where SKM processes personal data for purposes determined individually by a third party, SKM has the position of the data processor (operator of personal data) if the objectives are determined by the person who has assigned the processing.

Art. 2. The Internal Rules of SKM regulate the organisation of the processing and protection of personal data of workers/employees, including job applicants to work in SKM, of the counterparties and partners of SKM, as well as of all other groups of individuals with whom SKM enters into relationships in carrying out its activities. 

Art. 3. (1) ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors.

(2) ‘Data processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, such as recording, organisation, structuring, storage, adaptation or alteration, consultation, use, alignment or combination, restriction, erasure or destruction.

(3) ‘Filing system’ means any structured set of personal data, regardless of its type and medium, which is accessible according to specific criteria.

Art. 4. (1) SKM is a data controller within the meaning of art. 4, item 7 of General Data Protection Regulation (EU) 2016/679.

(2) Being a data controller, when processing personal data SKM complies with the data protection principles stipulated in the General Data Protection Regulation (EU) 2016/679 as well as the law of both the EU and the Republic of Bulgaria. 

Art. 5. (1) Principles relating to protection of personal data are:

  1. Lawfulness, fairness and transparency – personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject;
  2. Purpose limitation – personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  3. Data minimisation – personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. Accuracy – personal data shall be kept up to date and every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  5. Storage limitation – personal data shall be processed for periods of minimum duration in view of the purposes for which the personal data are processed. Personal data may be stored for longer periods subject to implementation of the appropriate technical and organisational measures;
  6. Integrity and confidentiality – personal data shall be processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures;
  7. Accountability – The controller shall be responsible for, and be able to demonstrate compliance with all personal data processing principles.

(2) If the purpose or purposes for which SKM processes personal data do not or do no longer require the identification of a data subject, SKM shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation 2016/679.

Art. 6. SKM shall organise and act appropriately to protect the personal data from accidental or unlawful destruction, unauthorised access, alteration or dissemination, or other form of unauthorized processing. Those measures should take into account the state-of-the-art technology and risks relating to the nature of the personal data to be protected.

Art. 7. SKM shall apply adequate personal data protection measures, comprising:

  1. Physical protection;
  2. Personal protection;
  3. Documentary protection;
  4. Protection of automated information systems and networks;
  5. Cryptographic protection, if necessary. 

Art. 8. (1) Personal data shall be collected for specified, explicit and legitimate purposes; they shall be processed lawfully and fairly with a specific purpose directly related to the fulfilment of the statutory obligations and/or normal business activity of SKM, and may not be processed further in a manner that is incompatible with those purposes.

(2) Personal data shall be stored in a paper, technical and/or electronic form only for the periods that are necessary in order to exercise the authorities, legal obligations of the SKM and/or its normal operations.

(3) Personal data shall be kept no longer than is necessary for the purposes for which the personal data are processed or until the expiration of the term defined in the effective law.

(4) Documents containing personal data, the time limits for storage of which have expired and that are not necessary for the normal functioning of SKM or for the establishment, exercise or defence against legal claims shall be destroyed in an appropriate and secure manner (e.g. cut, electronic deletion and other appropriate methods adapted to the physical data media).

(5) Access to filing systems shall be restricted and shall be granted only to authorised staff in accordance with the “Need to know” principle.

Art. 9. Where the hypotheses of art. 6, para. 1, letter “b” – “f” of Regulation 2016/679 are not satisfied, the natural persons whose personal data are processed by SKM shall sign a declaration of consent in a standard form (Appendix 1). 

Art. 10. (1) The General Manager and authorised employees of the SKM shall have a right of access to the filing systems in accordance with the powers conferred on them by law, as well as employees processing personal data to whom the controller has assigned the processing of data from the relevant filing system in compliance with the provisions of art. 28 of the General Data Protection Regulation.

(2) Staff shall be responsible for ensuring and guaranteeing regulated access to business premises, and preserving filing systems; for the purpose, employees sign Confidentiality Declarations of a standard form (Appendix 2). Any deliberate breach of the rules and restrictions on access to personal data by staff may be grounds for imposing disciplinary sanctions in respect of the employees concerned.

(3) Officials shall not be entitled to disseminate personal data, which has become known to them in the course of and in connection with the performance of their duties.

Art. 11. (1) Documents on which the work has been completed shall be archived.

(2) Long-term storage for the purposes of archiving documents containing personal data shall be carried out in paper form within the premises of SKM for periods compliant with the legislation in force. The premises where the archives are stored are equipped with fire extinguishers. The building where SKM is hosted has a 24-hour security guard and the premises where the archives are stored are locked mandatorily.

(3) Documents on electronic media are stored on a dedicated server. Archiving of documents on a technical medium is carried out automatically with a view to keeping the information available to the persons concerned within the relevant statutory time limits and in order to ensure the possibility of recovery in the event of a loss of the base carrier/system. Archive copies are stored on a separate device.

(4) Access to archived documents containing personal data is provided only to authorised persons of SKM in accordance with the powers conferred on them by law.

Art. 12. (1) In order to protect paper, technical and information resources, all employees must comply with the fire safety rules.

(2) Employees shall receive a mandatory instruction to get familiar with the fire safety rules once a year. A Protocol of a standard form shall be drawn up for the briefing carried out, in accordance with Appendix 3.

Art. 13. (1) Upon establishing unauthorised access to the sets of personal data or in any other incident breaching the security of personal data, the employee who has found this violation / incident shall report it to the General Manager forthwith. The notification of an incident shall be carried out in writing, electronically or in any other way, which allows it to be established and to comply with the requirement to notify the Commission of Personal Data Protection within 72 hours of becoming aware of the incident.

(2) The process of reporting and incident management shall mandatorily include the registration of the incident, the time of its establishment, the person reporting it, the person to whom it was reported, the consequences thereof and the remedial measures.

Art. 14. (1) After the purpose of processing the personal data contained in the filing system maintained by SKM has been fulfilled and upon the expiration of the relevant period, the personal data shall be destroyed in compliance with the procedures laid down in the applicable legislation and these Internal Rules.

(2) In cases where a personal data carrier is required to be destroyed, SKM shall take the necessary actions for the deletion of personal data in a way that excludes recovery and abuse thereof, such as:

  1. Personal data stored on electronic media and servers shall be destroyed by permanent deletion;
  2. Paper documents containing data shall be destroyed by cutting.

(3) A Protocol of a standard form, as provided for in Appendix 4, to be signed by the relevant employee, shall be drawn up with respect to the destruction of personal data and personal data carriers.

Art. 15. Any legal entity, whose personal data SKM processes by assignment should sign a personal data agreement or contract of a standard form pursuant to Appendix 5, including the clauses laid down in art. 28, para. 2-4 of the General Data Protection Regulation.

Art. 16. Third parties shall have access to personal data processed by SKM only if there is a legal basis for the processing of personal data (e.g. court, prosecution, NRA, NSSI, Ministry of Interior, etc.).

II. PERSONAL DATA PROTECTION MEASURES

Art. 17. SKM ensures physical protection through a set of appropriate technical and organisational measures to prevent any unauthorised access and protection of the building and premises, in which personal data processing actions are carried out.

Art. 18. Premises where personal data are processed are premises where personal data are collected, processed and stored with a view to ensure normal business processes. Access to such premises shall be physically restricted and controlled – only to employees that need to know in order to perform their duties and if their job position permits access to the relevant premises and the relevant filing system. External persons shall not be allowed access to such premises.

Art. 19. The technical means used to physically protect personal data in SKM are in line with the legislation in force and the level of impact of these data. All physical areas with paper and electronic records are restricted to employees who must have access based on the “Need to know” principle in order to fulfil their working obligations.

Art. 20. The access to electronic data processing systems is restricted by unique user identifiers and passwords, and the electronic media, including the server, are adequately protected.

Art. 21. The principal technical measures for physical protection of SKM include:

  1. 24-hour security guards to cover the area of the building;
  2. an armoured door for the office;
  3. use of professional safety locks and locking mechanisms;
  4. lockers;
  5. fire extinguishers in the office premises.

Art. 22. (1) The principal personal data protection measures applicable by SKM include:

  1. Obligation of employees to familiarise themselves with the legal framework in the field of personal data protection and these Internal Rules.
  2. Prohibition to share sensitive information (identifiers, passwords, etc.) between staff and any other unauthorised persons;
  3. Declaration of consent not to disseminate personal

Art. 23. The principal personal data documentary protection measures include:

Personal data that needs to be recorded in certain blank documents and/or forms relating to ensuring compliance with the requirements of the effective legislation or directly related to carrying out the normal business activity of SKM, or to the conclusion of contracts, the performance of contracts, the exercise of statutory rights and statutory obligations, shall be stored in a paper form;

Art. 24. (1) The protection of the server and the internal network of SKM includes a set of applicable technical and organisational measures to prevent unauthorised access to the systems and/or networks in which personal data are created, processed and stored.

(2) The principal protection measures include:

  1. Identification and authentication using unique user accounts and passwords for each person accessing the network and resources of SKM. The purpose of this measure is to regulate access levels and to introduce access in accordance with the “Need to know” principle;
  2. Filing systems management in view of the purpose to limit access to the relevant filing system only to persons who are directly charged with and/or engaged in view of their job to keep, maintain and process data in this filing system;

(3) Access to the internal network shall be restricted only to employees and/or persons expressly authorised by the General Manager of SKM. Access to the network and personal data processed shall be provided for the purpose of carrying out their direct official duties and shall comply with the “Need to know” principle. The minimum security level for access to internal networks requires identification with a unique user name and password.

(4) The responsibilities associated with the implementation of an access administration are assigned to persons possessing the required qualification. They are obliged to take adequate measures to minimize the risk of unauthorised (physical and/or remote) access to the networks of SKM, including the use of firewalls and other adequate measures and tools. Responsibilities also include activities related to the approval of the installation of all network access devices, technologies and software, including switches, routers, wireless access points, network access points, internet connections, connections to external networks and other devices, technologies and software allowing access to the internal networks of SKM.

(5) Protection against malicious software (malware) includes:

  1. The use of standard configurations for each computer and/or network platform, such that the system and, where possible and applicable, the application software are controlled, installed and maintained by an IT company authorised by the management of SKM. It is prohibited to install software products without the explicit approval of the IT company engaged by SKM.
  2. Use of the built-in functionality of the operating system and/or hardware that are set up only by the IT Company of SKM. Any change and/or deactivation of the protection systems by unauthorised persons is prohibited.
  3. Activation of automatic protection and scanning for malicious software, and refreshing antivirus definitions. Users are not allowed to deny automatic software processes that update virus definitions.
  4. Prohibition of data transmission from infected computers. In case of suspected or detected infection of a computer system, the user is required to notify the SKM management and to cease all actions for the operation and / or transmission of information from the infected computer (via external media, e-mail and / or other electronic exchange devices of information). Until malicious software is removed, the infected computer should be immediately isolated from the internal network.

(6) The policy of creating and maintaining backups for recovery regulates:

  1. The primary purpose of the archiving is to prevent the loss of personal information that would impede the normal functioning of SKM and breach the legal requirements of the company.
  2. The information is backed up on suitable media outside of the server, allowing full data recovery in case of loss of the primary media;
  3. Archiving is done automatically at a pre-set interval;
  4. The period for storage of individual archives is in compliance with the legislation in force.

(7) Remote access to the internal network of SKM is not allowed.

Art. 25. (1) With regard to personal data, data protection measures are also implemented by cryptographic capabilities of operating systems, database management software, and Transcend Elite specialised software when required.

(2) Encryption is also used to protect personal data that is transmitted by SKM electronically to the NSSI, NRA and other similar establishments where required.

III. BASIC RULES AND MEASURES TO ENSURE PERSONAL DATA PROTECTION UPON COMPUTER PROCESSING

Art. 26. (1) Computer access through the local network to files containing personal data shall be granted only to officials with Regulated Rights and such access shall be possible only from their physical place of work through a specially designated computer and after identification using the name and password for access to the system. At the end of the workday, employees shall switch off their local computer.

(2) SKM implements adequate technical and administrative control measures (IP limitation, MAC address, physical location, unique user name and password, setting up all workstations in auto-lock mode in the absence of activity for more than 1 minute), thus ensuring that only authorised employees gain access to the data in order to perform their assigned functions.

(3) The identification of authorised persons to work with personal data shall mandatorily include identification with a unique user account containing the user name and password, access rights to the system and utilization of its resources.

(4) The user account is locked after three unsuccessful attempts for registration in the system and only the authorized IT company can unlock it.

(5) In order to enhance the security of access to information, employees shall mandatorily change their passwords at intervals specified by SKM, but not exceeding 3 months. If the grounds of the right to access personal data are no longer present, the rights of the persons concerned shall be suspended (including by deleting the account).

(6) Systems processing and/or storing personal data include a control system that registers the following actions in a log: attempts to enter and effective entry and exit from the system, user actions in the process of each work session, password changes.

Art. 27. (1) The hardware used for the storage and processing of personal data meets contemporary requirements and allows for archiving and retrieval of both the data and the working condition of the environment.

(2) Where there is a need to repair computer equipment, the provision of the equipment to the service organisation shall be carried out without the devices on which personal data are stored.

Art. 28. (1) SKM uses software protected by copyright only. The installation and/or use of any other type of software with unauthorised copyrights is prohibited. The software is updated by the relevant providers on a regular basis and meets contemporary requirements in terms of reliability.

(2) Only software installed by a person authorised by management of SKM or the IT company of SKM is used on business computers. The mere installation of any other type of software is prohibited.

(3) When a new software product for processing personal data is installed, the capabilities of the product shall be tested and checked with a view to complying with the requirements of Regulation 2016/679 and the Personal Data Protection Act, and ensuring the maximum protection of data from unauthorised access, loss, damage or destruction.

Art. 29. The staff assigned to sign official correspondence with a qualified electronic signature (QES) shall not be entitled to provide their QES to third parties, and respectively, to share their PIN with third parties.

IV. FILING SYSTEMS MAINTAINED AND THEIR MANAGEMENT

Art. 30. SKM maintains the following filing systems:

  1. Employees and Staff Register in which the following types of personal data are entered:
    • Physical identity – names, Personal ID Number, identity card number, date and place of issue, date of validity, address, contact telephone number;
    • Social identity – data on education and additional qualification relating to and required by the particular job, and professional resume;
    • Family identity – family status data of the person in pursuance of applicable statutory requirements;
    • Economic identity – bank account numbers;
    • Personal data regarding the person’s criminal record – a certificate of conviction depending on the job position;
    • Health data – medical certificates, data contained in sick notes presented by employees themselves as data subjects, decisions of Territorial Expert Commission on Disability / National Medical Expert Commission, etc.
  2. Contractors and Partners Register in which the following types of personal data are entered:
    • Physical identity – names, Personal ID Number, identity card number, date and place of issue, date of validity, contact telephone number of the General Manager or representative of the Contractor/Partner;
    • Economic identity – bank account numbers, if required (for example, in case of sole proprietors).
  3. Register ‘Clients with which/whom SKM is in pre-contractual relationships’ in which the following types of personal data are entered:
    • Physical identity – names, address, contact telephone number of the General Manager or representative of the Customer;
    • Economic identity – no such information is required.

Art. 31. For processing data from the registers enumerated in art. 30 above, SKM shall keep a Register of processing activities of a standard form pursuant to Appendix 6.

V. RIGHTS AND DUTIES OF DATA PROCESSORS

Art. 32. (1) SKM has no obligation to designate Data Protection Officer. The General Manager of SKM carries out this activity.

(2) The General Manager of SKM, in her capacity of a Data Protection Officer, shall have the following rights and duties:

  1. ensure the proper keeping of registers in accordance with the measures envisaged to ensure adequate protection;
  2. ensure compliance with the specific protection and access control measures;
  3. liaise with the Commission on Protection of Personal Data when required;
  4. ensure the required technical resources for processing of personal data;
  5. approve and, if necessary, update these Rules.

Art. 33. The employees of SKM shall be obligated:

  1. to process personal data lawfully and fairly, and in accordance with these Rules;
  2. to use the personal data to which they have access only for the purposes for which they are collected and not further processed in a manner incompatible with those purposes;
  3. to delete or correct personal data where it is found that they are inaccurate or disproportionate in respect of the purposes for which they are processed;
  4. to maintain personal data in a form, which allows identification of the natural persons concerned, for a period not exceeding the time required for the purposes for which such data are processed.

Art. 34. (1) For non-compliance with the provisions of these Internal Rules, employees shall be subject to disciplinary liability.

(2) If, as a result of the actions of a personal data officer, damages have been caused to SKM or to a third party, the latter may seek damages under the procedures laid down in general civil law.

VI. ADDITIONAL PROVISIONS

Art. 35. All employees of SKM must familiarize themselves with these Internal Rules and comply with them on a daily basis when carrying out their duties and tasks assigned.

Art. 36. (1) Any matter not governed in these Internal Rules shall be subject to the provisions of the General Data Protection Regulation (EU) 2016/679, the effective EU law and the personal data protection legislation of the Republic of Bulgaria.

(2) Appendices to these Internal Rules are standard forms of the following documents, which shall be drawn up on the occasion and when processing personal data:

– Appendix 1 – Declaration of consent regarding data processing (to be signed when the processing takes place on grounds other than those specified in art. 6 of Regulation 2016/679);

– Appendix 2 – Confidentiality Declaration;

– Appendix 3 – a standard form of Protocol on mandatory instructions for familiarisation with the fire safety rules;

– Appendix 4 – a standard form of Protocol on the destruction of personal data and personal data carriers;

– Appendix 5 – Data Processing Agreement / Contract;

– Appendix 6 – Register of processing activities.

Art. 37. These Internal Rules were approved on 22 May 2018.