Contacts
Български Български English English
logo About us Privacy policy

Privacy policy

MIKS-CONSTRUCTION Ltd. is a commercial company established and operating under the laws of the Republic of Bulgaria, registered in the Commercial Register of the Registry Agency with UIC 175159754, with its registered office and registered address in 1404 Sofia 2 Louis Eyer Str., represented by two managers jointly and severally, tel. +35929150101, fax +35929582949, e-mail: miks@miks-ps.bg website: https://miks.bg 

The subject of activity of the company is: Complex research, design, engineering, consulting and contracting activities in all fields of design and construction. The company specializes in the construction of prefabricated reinforced concrete structures. It primarily works on the construction and reconstruction of industrial, administrative, public and commercial buildings, logistics and service centers and infrastructure projects.

PREAMBLE
By this Policy, the management of MIKS-CONSTRUCTION Ltd. declares that it will endeavour to ensure the protection of the personal data of individuals in relation to the processing of their personal data, in accordance with their fundamental rights and freedoms and, in particular, the right to the protection of their personal data, in accordance with the requirements of "REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data" (GDPR), as well as acting.


TERMS AND DEFINITIONS USED

Art.1. For the purposes of this Policy:

  • "Personal Data" means any information relating to an identified natural person or an identifiable natural person (data subject). An individual may be identified directly or indirectly, by an identifier such as a name, identification number, location data, online identifier, by one or more attributes specific to that individual's physical, physiological, genetic, mental, psychological, economic, cultural or social identity.
  • "Processing of personal data" means any operation or set of operations which is performed upon personal data or a set of personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • "Personal data record" means any structured set of personal data which is accessed according to certain criteria, whether centralized, decentralized or distributed on a functional or geographical basis.
  • "Controller" means the specific legal entity MIKS-CONSTRUCTION Ltd., which alone or jointly with others determines the purposes and means of the processing of personal data.
  • "Processor" means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • "Recipient" means the natural or legal person, public authority, agency or other body to whom the personal data are disclosed. However, public authorities which may receive data in the framework of a specific investigation in accordance with Union or Member State law shall not be considered as 'recipients'.

POLICY OBJECTIVES AND SCOPE
Art.2. This Policy adopts the main objectives of the Regulation (GDPR):

  • To lay down the rules regarding the protection of natural persons in relation to the processing of personal data as well as the rules regarding the free movement of personal data.
  • To protect the fundamental rights and freedoms of natural persons, in particular their right to protection of personal data;
  • The free movement of personal data within the European Union is neither restricted nor prohibited for reasons relating to the protection of natural persons with regard to the processing of personal data.

Article 3. The data protection policy of MIKS-CONSTRUCTION Ltd. aims to:

  • To achieve compliance with applicable legislation regarding the protection of personal data and to follow established best practices;
  • To prescribe the mechanisms for keeping and maintaining records, to determine the corresponding level of protection of personal data, to provide for technical and organizational measures for the protection of personal data; 
  • To define the responsibilities and obligations of the processors and accessors of personal data working under the authority of the controller; 
  • Inform natural persons of the purposes of the processing of personal data, the recipients or categories of recipients to whom the data may be disclosed, the mandatory or voluntary nature of the provision of data, information on the rights of natural persons with regard to their personal data.

Article 4. The scope of the Policy follows the material and territorial scope of the Regulation (GDPR):

  • The Policy applies to the processing of personal data wholly or partly by automatic means as well as processing by other means (electronic, paper or other media).
  • The Policy applies to the processing of personal data in the context of the activities of MIKS-CONSTRUCTION Ltd. at the place of establishment of the Controller (Republic of Bulgaria), whether or not the processing takes place in the Union. 
  • The Policy does not apply to the processing of an individual's personal data in the context of a purely personal or household activity. 

OBLIGATIONS OF THE DATA CONTROLLER - MIKS-CONSTRUCTION Ltd.
Art.5. The obligations of the personal data controller include:

  • Adoption of internal rules and instructions for the processing of personal data;
  • Maintaining records of personal data processing activities;
  • Risk assessment based on: the nature, scope, context and purposes of the processing; the possible risks to the rights and freedoms of natural persons and their likelihood and severity; the consequences for the rights and freedoms of natural persons;
  • Impact assessment (where there is a likelihood of a high risk to the rights and freedoms of natural persons); periodic update of the impact assessment;
  • Determine the appropriate level of protection;
  • Prescribing and implementing specific measures to protect personal data, according to the specifics of the records kept and the level of protection determined.

As the controller, MIKS-CONSTRUCTION Ltd. implements the necessary technical and organizational measures for the protection of personal data in order to ensure an adequate level of protection appropriate to the nature of the personal data processed and the impact of a data breach.

  • Monitor compliance with the protection requirements and take remedial action in the event of a breach;
  • Notifying supervisory authorities of personal data breaches, and communicating such breaches to data subjects;
  • Assisting in the exercise of the supervisory functions of the Data Protection Commission.
  • Achieving compliance with the requirements of the Regulation (GDPR)- reporting.

PROCESSING OF PERSONAL DATA IN MIKS-CONSTRUCTION LTD
Art.6. In processing personal data, we apply the principles of the Regulation (GDPR):

 

  • Lawfulness, fairness and transparency
  • Personal data is collected and processed for specified, explicit and legitimate purposes ("Purpose Limitation")
  • Data is processed which is appropriate and limited to what is necessary in relation to the purposes ("Data minimization")
  • Accuracy and, where necessary, keeping data up to date. Ensuring timely erasure or rectification, taking into account the purposes for which the data are processed ('accuracy')
  • Retaining the data for no longer than is necessary for the purposes ('storage limitation')
  • Processing in a manner that ensures an adequate level of security of personal data, including against unauthorized or unlawful processing and against accidental loss, destruction or damage, implementing appropriate technical or organizational measures ('integrity' and 'confidentiality')

Art.7. MIKS-CONSTRUCTION LTD, as a Personal Data Controller, shall perform the following: 
Determines:

  • the type of personal data to be processed; 
  • the purposes for which such data will be processed; 
  • the means of processing and the corresponding levels of protection. 

Processes categories of personal data structured in separate registers, in accordance with Article 30 of the Regulation (GDPR), Bulgarian legal norms and this Policy. Processes personal data of employees, prospective employees, contractors, suppliers, customers, partners;

Art.8. The occasion for collecting personal data in MIKS-CONSTRUCTION Ltd. are:

  • With the consent of the data subject. In this case, the data subject gives clear and explicit consent to the processing of personal data for one or more specific purposes. Consent is valid when freely given, given for a specific purpose of processing, informed and unambiguous;
  • Where there is an agreed requirement;
  • Where there is a legal requirement or legal obligation on the controller;
  • Where processing is necessary for the protection of the vital interests of the data subject or of another natural person;
  • In the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • For the purposes of the legitimate interests of the controller or of a third party where these override the interests or fundamental rights of the data subject.

Article 9. (1) MIKS-CONSTRUCTION Ltd. processes personal data provided by the individuals to whom the data relate in connection with the appointment of employees on an employment contract, personnel selection procedures, assignment of work under a civil contract, preparation, conclusion, amendment and termination of contracts, compliance with legal requirements, in connection with the access regime and video surveillance on the territory of the company's sites.
Where personal data relating to a data subject is collected from the data subject (in the cases referred to in paragraph 1), the Controller shall provide the data subject with the following information at the time of receipt of the data:

  • Data identifying the Controller and contact details;
  • The purposes of the processing and the legal basis for the processing of the personal data;
  • The legitimate interests of the Controller or a third party where this is the basis for the processing;
  • The recipients of the personal data, if any;
  • Additional information necessary for fair and transparent processing, such as: retention period of personal data, information on the data subject's rights of access to rectification, erasure, restriction of processing, right to data portability, right to complain.

Art.10. (1) MIKS-CONSTRUCTION Ltd. may also process personal data that have not been obtained from the individual to whom they relate, but have been provided by a third party in connection with a legal or contractual requirement. In this case, the Data Controller shall provide the data subject with the information as in the previous Article, paragraph 2, as well as the source of the personal data. This information shall be provided by the Controller within a reasonable time, but at the latest:

  • Within one month of receipt of the data, taking into account the specific circumstances;
  • By the first contact with that data subject;
  • By the first disclosure of the personal data to another recipient.

(2) The conditions for the provision of information described in paragraph (1) shall not apply where and to the extent that the data subject already has the information or the provision of the information proves impossible or requires a disproportionate effort.
 

Art.11. (1) MIKS-CONSTRUCTION Ltd. processes personal data of natural persons in connection with:

  • Preparation, conclusion, modification and completion of contracts for performance, subcontracting, supplies and services;
  • Recruitment, conclusion of employment and civil contracts;
  • Accounting, financial and banking transactions;
  • Insurance of employees, movable and immovable property;
  • Activities and transactions with documents of title of movable and immovable property containing personal data;
  • Creation of video recording in case of video surveillance and/or pass regime on the territory of the company's sites.

Where there is a legal basis for the processing of personal data, the provisions of the Commercial Law, the Law on Obligations and Contracts, the Accounting Law, the Value Added Tax Law, the Spatial Planning Law, the Labour Code, the Social Insurance Code, the Health Insurance Law, the Insurance Code and Regulations, the Environmental Protection Law, the Waste Management Law, the Occupational Health and Safety Law, the Chamber of Builders Law and other applicable laws, regulations and subordinate regulations shall apply.
Art.12. The categories of personal data that are processed in MIKS-CONSTRUCTION Ltd. are differentiated by the specific activity or by a legal provision, for example the categories are:
"ordinary" personal data 

  • Names, address, field of birth, location, ID data, nationality, telephone, e-mail, IP address - as applicable by the Controller;
  • Data on education, qualification, legal capacity, position held and job function performed, work activity - experience and professional biography - applicable by the Controller;
  • Unique National Identity Number (UIN) - applicable by the Administrator;

"Special" (sensitive) personal data 

  • Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning sex life or sexual orientation - mostly not applicable by the Controller. Any processing of such data shall be carried out with the explicit consent of the data subject and under the conditions of Article 9 of the Regulation (GDPR);
  • Health data - applicable by the Administrator in connection with mandatory legal requirements under the Occupational Health and Safety Act, for the purposes of preventive and occupational medicine, for the assessment of the employee's working capacity (grounds under Article 9(2)(H) of the GDPR). The data in question is processed for the purposes mentioned by or under the authority of a professional bound by the obligation of professional secrecy under Union or Member State law or rules established by the national competent authorities (Article 9(3) GDPR).
     

Art.13. MIKS-CONSTRUCTION Ltd. processes personal data independently or by assigning a processor, determining the purposes and scope of the obligations assigned by the controller to the processor, subject to the existence of a relevant legal basis, in accordance with the requirements of the DPA and the Regulation (GDPR). 

  • The controller MIKS-CONSTRUCTION Ltd shall only use processors that provide sufficient guarantees for the implementation of appropriate technical and organizational measures in such a way that the processing is carried out in accordance with this Policy, the Regulation (GDPR) and more specifically the conditions in Article 28 and ensures the protection of the rights of data subjects.
  • The processing by the processor shall be governed by a contract which shall be binding on the processor vis-à-vis the Controller and which shall regulate the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the Controller. The processors of personal data on behalf of MIKS-CONSTRUCTION Ltd. are legal entities such as the Occupational Health Service, an insurance company, natural persons such as employees of the company, whose rights and obligations in relation to the processing of personal data are duly regulated in internal acts.

PURPOSE OF PROCESSING PERSONAL DATA
Art.14. The purpose of the processing of personal data is to uniquely identify individuals, current and future employees of the company, contractors, visitors and other related persons.
The purposes of processing personal data in MIKS-CONSTRUCTION Ltd. are most often determined by the fulfilment of statutory obligations of the Controller arising from the specific requirements of legislation in the field of construction, including occupational health and safety and environmental protection, financial and accounting activities, pension, health and social security activities, human resources management, insurance operations. 
The controller MIKS-CONSTRUCTION Ltd processes personal data of individuals for the purposes (mainly but not exhaustively) set out below:
Identification and exchange of information for the purposes of labour, social, health insurance and tax legislation in the country;

  • Preparation, conclusion, execution and termination of contractual relations related to the commercial activity of the company;
  • For the purposes of preventive and occupational medicine, for the assessment of the employee's working capacity;
  • For insurance purposes related to the protection of the health and life of employees, as well as for the protection of property owned or entrusted to the Administrator;
  • For bookkeeping, payment processing, financial purposes related to relations with banks and other institutions;
  • For the purpose of acquisition, use, sale, lease and other transactions with real estate and movable property;
  • For the purposes of access regimes and video surveillance of the Company's premises established in connection with the legitimate interests of the Administrator, such as the protection of property and the prevention of violations of internal rules;
  • For information and communication with employees, contractors, customers, contractors, suppliers, partners, etc.

The processing of personal data in MIKS-CONSTRUCTION Ltd., except in cases where it is necessary for the performance of a statutory obligation of the Controller, is permissible and where the individual to whom the data relate has given his or her explicit consent or the processing is necessary for the performance of obligations under a contract to which the individual is a party or a representative of a party, as well as for actions preceding the conclusion of a contract and undertaken at the request of the individual.
Where the processing is for purposes that require the data subject's consent, the controller should be able to demonstrate that the data subject has given his or her consent freely, informedly, for the purposes of the processing and to what extent. In the case of a declaration of consent drawn up in advance by the Controller, it must be in an intelligible and easily accessible form, in clear and plain language and should not contain unfair terms.

DISCLOSURE OF PERSONAL DATA
Art.15. MIKS-CONSTRUCTION LTD, as a Personal Data Controller, has the right to disclose the processed personal data to the following categories of persons:

  • The individuals to whom the data relate;
  • Individuals for whom the right of access is provided for in a legal act or an established regulatory requirement;
  • Individuals for whom the right arises under a contract.

Art.16. The processed personal data of customers and contractors of MIKS-CONSTRUCTION Ltd., as well as persons related to them, may be provided to other data controllers or processors in connection with the performance of specific tasks and contractual obligations, under the direction and on behalf of MIKS-CONSTRUCTION Ltd., by providing sufficient guarantees that the processing is carried out in accordance with the requirements of the Regulation (GDPR) and ensures the protection of the rights of data subjects.

SECURITY AND DATA PROTECTION
Art.17. The personal data controller MIKS-CONSTRUCTION Ltd. shall ensure security in the processing, access and exchange of personal data by:

  • Choosing appropriate technical and organizational measures to ensure the appropriate level of security of personal data protection, taking into account the state of the art, the scope, context and purposes of processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons; 
  • The ability to ensure the confidentiality, integrity and availability and the sustainability of the processing of personal data.
  • Ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
  • Application of pseudonymization and encryption of personal data when required;
  • Regularly checking, assessing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.

Art.18. In assessing the appropriate level of security, account shall be taken of the risks associated with the processing of personal data, in particular the risks associated with accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

Art.19. The level of protection shall be a combination of technical and organizational measures. 
The levels of protection are directly related to the level of impact as follows:

  • Low level of protection - low impact (where the unlawful processing of personal data would jeopardize the privacy of an individual or group of individuals);
  • Medium level of protection - at medium impact (where unlawful processing of personal data could create a risk of interference with the racial or ethnic origin, political, religious or philosophical beliefs, membership of political parties or organizations, trade unions, health, sex life or human genome of an individual or group of individuals);
  • High level of protection - where there is a high impact (where unlawful processing of personal data could result in significant harm or identity theft to a large group of individuals or individuals holding senior public office, or permanent harm or death to an individual);
  • Extremely high level of protection - where the impact is extremely high (where the unlawful processing of personal data could result in significant harm or identity theft to a particularly large group of individuals, or permanent damage or death to a large group of individuals).

The levels of protection at MIKS-CONSTRUCTION Ltd, relative to the reciprocal impact levels, are predominantly defined as "Low" or "Medium" (mainly due to the processing of health-related data). 


Art.20. The types of data protection are:

  • Physical protection - a system of technical and organizational measures to prevent unauthorized access to buildings, premises and facilities where personal data are processed;

Basic organizational measures for physical protection - identification of the premises where personal data are processed and the premises where the elements of the communication and information processing systems are located, organization of physical access (low level); identification of controlled access areas (medium level); 
Basic technical measures for physical protection - locks, cabinets, equipment of premises, fire extinguishing means (low level); metal crates, controlled access areas, guarding or security system, means of perimeter protection (high level);

  • Personal protection - is a system of organizational measures in relation to individuals who process personal data under the direction of the controller;

Basic personal protection measures - knowledge of data protection regulations, knowledge of the dangers of data processing, agreement to undertake not to disclose personal data (low level); sharing of critical information between staff - identifiers, access passwords, training, staff training to respond to data security events (medium level);
Personal protection measures ensure that only individuals whose job duties require such access have access to personal data. Individuals shall sign a non-disclosure of personal data to which they have access.

  • Documentary protection - is a system of organizational measures when processing personal data on paper;

Basic documentary protection measures - identification of the records to be kept on paper, regulation of access to the records, conditions for processing personal data, determination of retention periods and procedures for destruction (low level); control of access to the records, rules for reproduction and dissemination (medium level); procedures for checking and controlling processing (high level).

  • Protection of automated information systems and/or networks - a system of technical and organizational measures to protect against unlawful forms of processing of personal data;

Basic measures - identification and authentication, records management, external links/connectivity, virus protection, copies/recovery backups, storage media, personal protection, retention periods for personal data and procedures for destruction/deletion/erasure of media (low level); telecommunications and remote access, maintenance/operation, physical environment/environment (medium level); policy, manuals and standard operating procedures, definition of roles and responsibilities, session controls, monitoring, contingency planning/ contingencies, staff training for response to data security events (high level).

  • Cryptographic protection - is a system of technical and organizational measures that are implemented to protect personal data from unauthorized access during transmission, distribution or provision.

Basic measures - standard cryptographic capabilities of operating systems, database systems, communication equipment (medium level); cryptographic key distribution and management systems, electronic signature (high level).

Art.21. In order to ensure the security and protection of personal data, the Controller shall take measures to ensure that the processor and any natural person acting under the authority of the Controller processes such data only on the instructions of the Controller, by providing sufficient guarantees that the processing is carried out in accordance with the requirements of the Regulation (GDPR) and ensures the protection of the rights of data subjects.
Art.22. In the event of a personal data breach, the Controller shall, without undue delay and where feasible within 72 hours of becoming aware of it, notify the breach to the competent supervisory authority - the Commission for Personal Data Protection. The notification shall be pursuant to Article 33 of the GDPR.
 

STORAGE PERIODS OF PERSONAL DATA
Art.23. The documents and information containing personal data, commercial and accounting information, documents on taxation, compulsory social security contributions, service records and other company documents containing personal data shall be kept by the Administrator for the following periods:

  • Payroll and employee records - 50 years;
  • Personal data of job applicants who have not been appointed - one month after the end of the competition for the position;
  • Accounting records, tax documents and financial statements - 10 years;
  • Personal data contained in construction contracts - 15 years from the date of issue of a valid commissioning document;
  • CCTV footage - one month;
  • Personal data relating to access regime - one month after the cessation of the access of the individual to the relevant site;
  • Work accident insurance policies - 50 years;
  • In all other cases - 5 years, unless another period is provided for by law or contract.

Art.24. After the expiration of the period of storage of personal data, the media of information (paper or technical) that are not subject to transfer to an archive fund may be destroyed.

RIGHTS OF INDIVIDUALS
Art.25. The controller MIKS-CONSTRUCTION Ltd. undertakes that it will take the necessary measures for transparent information, communication and conditions for the exercise of the data subject's rights to ensure compliance with the fundamental rights of data subjects under the Regulation (GDPR): 

  • Right to Information;
  • Right of access to personal data;  
  • Right to rectification - the data subject has the right to request rectification without undue delay of inaccurate personal data concerning him or her;
  • Right to erasure (right to be forgotten) - where the grounds set out in the GDPR are present (for example, if the personal data are no longer necessary for the purposes of the processing, or where it is suspected that the personal data have been unlawfully processed), the data subject has the right to request and obtain the erasure of personal data relating to him or her;
  • Right to restriction of processing - where the grounds set out in the GDPR are present (for example, where there is doubt about the accuracy of the personal data or where there is an objection to the purposes for which the personal data are processed), the data subject has the right to request the restriction of the processing of the personal data until a solution is found;
  • Right to object to processing - The data subject shall have the right to object at any time and on grounds relating to his or her particular situation to processing of personal data concerning him or her, and the controller shall terminate such processing, unless compelling legitimate grounds are demonstrated which override the interests and rights of the data subject.
  • Right to data portability from one controller to another controller; 
  • The right to limit automated decision-making, including profiling;
  • The right to lodge a complaint with a supervisory authority.

Art.26. Individuals shall exercise their rights by submitting a written application to the Data Controller.
The application shall be made in person by the data subject or by a person expressly authorized by him, unless a special law provides otherwise;
The application may also be made electronically in accordance with the relevant legal procedure, with an electronic signature;
The application shall contain at least the following information:

  • Name, address and other identifying data of the natural person;
  • A description of the request;
  • Preferred form of communication and action regarding the subject's rights;
  • Signature, date of submission, and mailing address.

Art.27. In the event of the death of an individual, his rights shall be exercised by his heirs, and a notarized certificate of heirs shall be attached to the application.

Art.28. The administrator shall accept the application and decide on it.

  • The time limit for examining the application and ruling on it shall be 14 days from the day of submission of the request, respectively 30 days when more time is needed to collect the requested data, in view of possible difficulties in the activities of the Administrator's company.
  • The Administrator shall prepare a written reply and communicate it to the applicant, either in person against signature or by post with acknowledgement of receipt, taking into account the applicant's preferred form of communication.
  • Where the data does not exist or its provision is prohibited by law, the applicant shall be refused access.
  • In the event that the Controller does not respond to the request for access to personal data within the prescribed time limits or the applicant is not satisfied with the response received, he shall be entitled to exercise his right of defence.

JOINT ADMINISTRATORS
Art.29. By virtue of Article 26 of the Regulation (GDPR), where two or more controllers jointly determine the purposes and means of processing, they are joint controllers. In this case, the companies MIKS-CONSTRUCTION Ltd and MIKS-PS Ltd are joint controllers.
MIKS-PS Ltd. is a commercial company established and operating under the laws of the Republic of Bulgaria, registered in the Commercial Register of the Registry Agency with UIC 121159149, with its registered office and registered address in 1404 Sofia 2 Louis Eyer Str., represented by two managers jointly and severally, tel. +35929150101, fax +35929582949, e-mail: miks@miks-ps.bg website: https://miks.bg
MIKS-PS Ltd. is engaged in complex research, design, engineering, consulting and contracting activities in all areas of construction, including industrial, administrative, public and commercial buildings, logistics and service centers and infrastructure projects. The company specializes in the transportation and installation of precast concrete structures, as well as the maintenance and management of machinery and road transport. MIKS-PS Ltd. is the main partner of MIKS-CONSTRUCTION Ltd., providing construction sites with mechanization, transport and assembly means. The two companies work closely together and perform common tasks under framework contracts.    

Art.29. The joint controllers MIKS-CONSTRUCTION Ltd. and MIKS-PS Ltd. shall, by means of an agreement between themselves, define in a transparent manner their respective responsibilities for fulfilling the obligations under the Regulation (GDPR), in particular as regards the exercise of the data subject's rights and their respective obligations to provide information.
The arrangement between the two companies duly reflects the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essential features of the arrangement shall be accessible to the data subject.
Notwithstanding the arrangement, the data subject may exercise his or her rights under the GDPR against either controller.

Art.30. This Policy is valid for both MIKS-CONSTRUCTION Ltd. and MIKS-PS Ltd. as joint administrators.

CONCLUSION
Through this Policy, we declare that we will apply Regulation (EU) 2016/679 (GDPR) in good faith and responsibly, taking into account the specific characteristics of the data processed and the particular needs of the company, applying protection measures to ensure the security, integrity and confidentiality of personal data.

The policy was approved by the company's directors on 25.05.2018.