INTERNAL RULES FOR THE PROTECTION OF PERSONAL DATA
at Private Kindergarten "Tuti 2011" Ltd.
Chapter One
GENERAL PROVISIONS
1. The internal rules for personal data protection at Private Kindergarten "Tuti 2011" Ltd. define the applicable requirements for personal data protection, the procedure for organizing personal data protection obligations, and guaranteeing the rights of data subjects, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), the Personal Data Protection Act (PDPA) and other legal requirements for data protection arising from European Union law or the legislation of the Republic of Bulgaria.
2. (1) The personal data controller is Private Kindergarten "Tuti 2011" Ltd., with correspondence address in Sofia, Lozenets district, 1421, 28 Chervena Stena Street, e-mail address tuti@tuti-bg.com.
(2) Pursuant to Article 37, paragraph 1, letter "a" of Regulation (EU) 2016/679 in connection with § 1, item 17 of the Additional Provisions of the Personal Data Protection Act, the controller shall appoint a data protection officer and notify the Commission for Personal Data Protection (CPDP) of the appointed data protection officer in accordance with the form and content of the notification approved by the CPDP. The controller shall publish the contact details of the data protection officer.
3. Private Kindergarten "Tuti 2011" Ltd. applies all principles related to the processing of personal data under Article 5 of Regulation (EU) 2016/679, regardless of which personal data register and on what legal basis the processing is carried out:
• lawfulness, fairness, and transparency;
• purpose limitation;
• data minimization;
• accuracy;
• storage limitation;
• integrity and confidentiality;
• accountability.
4. (1) Access to personal data shall be granted only to persons whose official duties or specific tasks require such access, in accordance with the "need to know" principle and after familiarization with the regulatory framework in the field of personal data protection and the internal rules, policies and procedures for the protection of personal data and the risks to personal data processed by the controller.
(2) The job descriptions of employees working with personal data shall include obligations not to disclose the data to which they have gained access in the course of or in connection with the performance of their duties.
5. At Private Kindergarten "Tuti 2011" Ltd., the personal data processed is distributed according to a functional principle in the following personal data registers within the meaning of Article 4(6) of Regulation (EU) 2016/679:
1. "Children/Students" register.
2. "Human Resources" register.
3. "Suggestions, Reports, Complaints, and Requests" register.
4. "Counterparties" register.
5. "Video surveillance" register.
6. "Initiatives" register.
Chapter Two
DESCRIPTION OF PERSONAL DATA REGISTERS
6. (1) The "Children/Students" register processes the personal data of children/students who apply for and are admitted to the "Tuti 2011" Private Kindergarten Ltd., as well as their parents/guardians/caregivers and personal doctors for the purpose of:
1. guaranteeing the right to education;
2. complying with regulatory requirements arising from the Pre-school and School Education Act, the Child Protection Act, Regulation No. 8 of 11.08.2016, and other regulatory acts;
(2) The categories of personal data processed are recorded in the register of processing activities in accordance with Article 30, paragraph 1 of Regulation (EU) 2016/679.
(3) The data is processed on paper and technical media.
(4) The data shall be provided by the parents/guardians upon application.
(5) The data shall be processed by the administrator, director, deputy director, teachers, medical personnel, and accountant.
(6) The administrator shall be responsible for controlling access to the register.
7. (1) The Human Resources register processes the personal data of job applicants and staff for the following purposes:
1. to identify the parties to employment and non-employment legal relationships;
2. complying with regulatory requirements (Labor Code, Social Security Code, Accounting Act, Income Tax Act, Public Education Act with regard to public councils, etc.);
3. activities related to the establishment, amendment, and termination of legal relationships; preparation of documents; contact; accounting and payments.
(2) The categories of personal data processed shall be entered in the register of processing activities.
(3) The data shall be processed on paper and on technical media.
(4) The data shall be provided by the persons when applying for/concluding contracts and shall be entered in the relevant documents.
(5) The data shall be processed by: a human resources officer, chief accountant/accountant, legal advisor.
(6) The human resources officer shall control access to the register.
8. (1) The register "Proposals, signals, complaints, and requests" processes personal data of persons who submit requests, complaints, proposals, and other similar documents to Private Kindergarten "Tuti 2011" Ltd. for the following purposes:
1. identifying the complainant/petitioner/applicant;
2. establishing contact regarding the relevant proceedings;
3. fulfilling regulatory obligations.
(2) The categories of data are reflected in the register of processing activities.
(3) The data shall be processed on paper and technical media.
(4) The data shall be received from natural persons and/or competent authorities.
(5) The data shall be processed by the administrator and/or legal advisor.
(6) The administrator of the educational activity shall control access.
9. (1) The "Counterparties" register processes the personal data of natural persons who are contractors under civil contracts or representatives of parties to a contract for the purposes of:
1. identifying the parties to the contract;
2. performing the contract;
3. fulfilling regulatory obligations regarding accounting and taxes.
(2) The categories of data are reflected in the register of processing activities.
(3) The data is processed on paper and technical media.
(4) The data is provided by the persons to whom it relates.
(5) The data shall be processed by: the administrator, the chief accountant/accountant, and the legal advisor.
(6) The chief accountant shall control access to the register.
10. (1) The "Video Surveillance" register processes the personal data of visitors and employees within the scope of video surveillance at Private Kindergarten "Tuti 2011" Ltd. in accordance with the Opinion of the CPDP reg. No. P-5375/2017 of 30.04.2018, for the purpose of:
1. increasing the safety of children/staff and protecting property;
2. protecting the public interest – safety, life, and health.
(2) The categories of data are reflected in the register of processing activities.
(3) The data shall be processed on a technical medium.
(4) The data shall be provided by passing through the video surveillance areas.
(5) The data shall be processed by: the director/administrator, IT support (if available).
(6) The administrator shall control access.
11. (1) The "Initiatives" register processes the personal data of children/students and their relatives participating in initiatives organized or conducted at Private Kindergarten "Tuti 2011" Ltd. for the purpose of:
1. individualizing participants;
2. public disclosure with informed and specific consent in compliance with Regulation (EU) 2016/679 and Article 25c of the Personal Data Protection Act;
3. reporting on the activities of the initiative.
(2) The data shall be processed on paper and technical media.
(3) The data shall be provided by the persons and/or parents/guardians.
(4) Draft regulations and materials for initiatives shall be agreed with the data protection officer.
(5) The data shall be processed by the employees involved in the initiative, in accordance with the "need to know" principle.
(6) The administrator shall control access.
Chapter Three
GUARANTEEING THE RIGHTS OF THE DATA SUBJECT
12. (1) The data subject shall have the following rights under Articles 13-22 of Regulation (EU) 2016/679:
1. right to information;
2. right of access;
3. right to rectification;
4. right to erasure (right to be forgotten);
5. right to restriction of processing;
6. right to data portability;
7. right to object;
8. right not to be subject to automated individual decisions, including profiling.
(2) Private Kindergarten "Tuti 2011" Ltd. guarantees the rights under the Regulation by ensuring the receipt and timely consideration of requests, identifying the data subject, and applying the restrictions provided for.
(3) Private Kindergarten "Tuti 2011" Ltd. provides information on the rights and the procedure for exercising them as part of its policy of transparency towards data subjects.
13. (1) The data subject exercises the rights under Articles 15-22 of Regulation (EU) 2016/679 by submitting a written request to Private Kindergarten "Tuti 2011" Ltd.
(2) A request may also be submitted electronically under the conditions of the applicable laws.
(3) The request shall contain the details specified in Article 37c of the Personal Data Protection Act.
14. (1) Requests shall be reviewed by a designated unit/employee, seeking assistance from the data protection officer if necessary.
(2) Registration and review shall be carried out in accordance with an internal procedure to guarantee the rights of data subjects.
(3) Information and correspondence shall be signed by the manager of Private Kindergarten "Tuti 2011" Ltd. or by a person authorized by him.
(4) At the request of the data subject, information may be provided orally upon proof of identity.
15. (1) Under the conditions of Article 34 of Regulation (EU) 2016/679, where a security breach is likely to result in a high risk to data subjects, or where the CPDP so requires, the official shall prepare a draft communication to the data subjects.
(2) The communication shall be recorded in the register of personal data security breaches.
Chapter Four
ORDER FOR THE PERFORMANCE OF THE ADMINISTRATOR'S OBLIGATIONS
Section I
Data Protection Officer
16. (1) The officer designated under Article 37 of Regulation (EU) 2016/679 shall meet the requirements of the Regulation, the Personal Data Protection Act, and the opinions of the Commission for Personal Data Protection.
(2) The controller shall notify the CPDP of the identifier and contact details of the officer and of any subsequent changes.
17. (1) In addition to the functions under Article 39 of the Regulation, the officer shall:
1. keep a record of processing activities (Article 30);
2. keep a register of security breaches;
3. prepare notifications to the CPDP in case of breaches (Article 33);
4. prepare communications to data subjects (Article 34);
5. propose updates to the information under Articles 13 and 14.
(2) The officer shall act independently and report annually on his or her activities to the director of Private Kindergarten "Tuti 2011" Ltd.
Section II
Provision of transparent information
18. (1) The director approves the content of the information under Articles 13 and 14, which is prepared and maintained by the official.
(2) The information is published on the website and on the notice board of Private Kindergarten "Tuti 2011" Ltd.
19. All employees of Private Kindergarten "Tuti 2011" Ltd. are required to be familiar with the transparency policy; the official shall provide explanations when necessary.
Section III
Appropriate technical and organizational measures
20. (1) Private Kindergarten "Tuti 2011" Ltd. conducts a risk analysis of the rights and freedoms of individuals from the processing of personal data.
(2) The analysis is reviewed at least every two years or when changes occur.
(3) Based on the analysis, the effectiveness of security measures is assessed.
21. (1) The controller shall carry out a data protection impact assessment (DPIA) in the cases referred to in Article 35 of the Regulation.
(2) The official shall assist in carrying out the assessment and shall justify cases where it is not necessary.
(3) In the absence of a requirement for a DPIA, a written justification shall be prepared.
Section IV
Register and reporting
22. (1) The register of processing activities shall be maintained in accordance with Article 30 of the Regulation using the template (Appendix 2).
(2) The official shall keep the register up to date and ensure access to it by the CPDP.
23. The official shall assist the controller in implementing the principle of accountability (Article 5, paragraph 2).
Section V
Cooperation with the CPDP
24. (1) Upon request, Private Kindergarten "Tuti 2011" Ltd. cooperates with the CPDP (Article 31).
(2) The official is the point of contact with the CPDP and consults on issues related to implementation.
25. (1) Under the conditions of Art. 36, para. 1 of the Regulation and Art. 12, para. 2 of the Personal Data Protection Act, Private Kindergarten "Tuti 2011" Ltd. shall conduct preliminary consultations with the CPDP.
(2) The director shall be assisted by the official, who shall justify the need and prepare the documents.
26. (1) In the event of a security breach that may give rise to a risk, the director of Private Kindergarten "Tuti 2011" Ltd. shall notify the CPDP within 72 hours (Article 33).
(2) The official assists in clarifying the circumstances and preparing the notification.
(3) Each breach shall be documented in the register (Appendix 3).
Section VI
Assignment of activities to processors
27. (1) When planning to assign processing activities to external persons, the official shall assess whether the external person has the status of a "personal data processor" under Art. 4, item 8 and propose contractual clauses under Art. 28.
28. (1) Contracts with processors shall be concluded in writing; their content shall comply with Article 28 of the Regulation.
Section VII
Transfer of data to third countries/international organizations
29. (1) The transfer shall be carried out only under the conditions of Articles 44-49 of the Regulation and where there is a legal basis for processing.
(2) The official shall provide a reasoned opinion to the director on the applicable conditions.
(3) The information referred to in Articles 13 and 14 shall include the intention to transfer and the applicable safeguards.
FINAL PROVISION
Sole paragraph. The internal rules are issued on the basis of Articles 24 and 29 of Regulation (EU) 2016/679.
APPENDICES
Appendix 1
to Article 4, paragraph 3 of the Internal Rules for Personal Data Protection
CONFIDENTIALITY DECLARATION
The undersigned .................................. .......................................................................
(full name of the person)
in my capacity as (please indicate the applicable option)
employee of Private Kindergarten "Tuti 2011" Ltd., holding the position of ...................................
contractor under Contract No. ....../...... ...... 20...... for ...................................
member of the Public Council of Private Kindergarten "Tuti 2011" Ltd.
member of the Board of Trustees of Private Kindergarten "Tuti 2011" Ltd.
I UNDERTAKE:
1. to comply with the requirements for personal data protection under Regulation (EU) 2016/679, the Personal Data Protection Act, and the internal rules of the kindergarten;
2. not to disclose personal data to which I have access;
3. to process personal data only in accordance with my official duties and not to allow security breaches.
With this declaration, I confirm that I am familiar with the Internal Rules for Personal Data Protection at Private Kindergarten "Tuti 2011" Ltd.
Date: ...... ...... 20...... Signature: ...................................
City/town: ..................................
Appendix 2
To Article 22, paragraph 1 of the Internal Rules for Personal Data Protection
REGISTER OF PERSONAL DATA PROCESSING ACTIVITIES
pursuant to Article 30, paragraph 1 of Regulation (EU) 2016/679
Personal data controller: Private Kindergarten "Tuti 2011" Ltd.
Contact details of the controller: Sofia, Lozenets district, 1421, 28 Chervena Stena St. tuti@tuti-bg.com
Data protection officer: ........................................ (name, position, contact details)
Columns: 1. Date | 2. Personal data register | 3. Purposes of processing | 4. Legal basis | 5. Categories of subjects | 6. Categories of personal data | 7. Categories of recipients | 8. Transfer to third countries | 9. Processing activities | 10. Deletion periods | 11. General description of measures
Important: Recommendations for completing the register:
1. Article 30(1) of Regulation (EU) 2016/679 provides for the information in columns 3, 5, 6, 7, 8, 10, and 11.
2. Column 1 – date of entry.
3. Column 2 – personal data register.
4. Column 3 – purpose(s) of the processing (e.g., human resources, accounting, video surveillance).
5. Column 4 – legal basis under Article 6 and/or Article 9 of the Regulation.
6. Column 5 – categories of subjects (employees, children, parents, contractors, etc.).
7. Column 6 – categories of personal data (identification, health, etc.).
8. Column 7 – categories of recipients (NAA, NSSI, municipalities, processors, etc.).
9. Column 8 – data to be transferred to third countries/international organizations (if any).
10. Column 9 – processing activities (collection, storage, provision, etc.).
11. Column 10 – deletion periods/criteria.
12. Column 11 – general description of measures (personal, physical, documentary, IT, cryptographic).
Appendix 3
To Article 26(3) of the Internal Rules on Personal Data Protection
REGISTER OF PERSONAL DATA SECURITY BREACHES
Columns: 1. No. | 2. Register | 3. Nature of the breach | 4. Location | 5. Time of occurrence | 6. Time of discovery | 7. Data categories/number of records | 8. Categories of subjects | 9. Subjects in other countries | 10. Media | 11. Notification to the supervisory authority | 12. Notifications to data subjects | 13. Reasons for delay | 14. Adverse consequences | 15. Measures taken
1. Column 1 – serial number of the breach.
2. Column 2 – register affected.
3. Column 3 – nature: deletion, loss, alteration, unauthorized access, etc.
4. Column 4 – place of occurrence.
5. Column 5 – estimated time of occurrence.
6. Column 6 – time of discovery.
7. Column 7 – data categories and number of records.
8. Column 8 – categories of subjects and number.
9. Column 9 – subjects in other countries (if any).
10. Column 10 – media: paper, electronic systems, etc.
11. Column 11 – notification to the supervisory authority and date.
12. Column 12 – communications to subjects.
13. Column 13 – reasons for delay.
14. Column 14 – adverse consequences.
15. Column 15 – measures taken.