TRANSPARENCY POLICY TOWARDS DATA SUBJECTS 

Private Kindergarten "Tuti 2011" Ltd. is an institution in the preschool and school education system, which implements education as a national priority and as a process involving training, upbringing, and socialization. In accordance with its status under the Pre-school and School Education Act, Private Kindergarten "Tuti 2011" Ltd. is a personal data controller and, in compliance with Regulation (EU) 2016/679, we provide you with the following information about the processing of personal data:

1. Information about the administrator and how to contact them

Private Kindergarten "Tuti 2011" Ltd. 

Contact details for the administrator:

Address: Sofia, 1421, Lozenets, 28 Chervena Stena Street

Email address: tuti@tuti-bg.com

Phone: +359 876 999 030

2. Contact details for the data protection officer

Address: Sofia, 1421, Lozenets, 28 Chervena Stena St.

Email address: tuti@tuti-bg.com

Phone: +359 876 999 030

3. Categories of personal data, purposes, and legal grounds for processing

Private Kindergarten "Tuti 2011" Ltd. processes personal data for the following purposes:

3.1. Ensuring the right to preschool and school education

The personal data of children/students applying for and admitted to Private Kindergarten "Tuti 2011" Ltd., as well as their parents/guardians/caregivers and personal doctors, is processed. The categories of personal data processed are defined in Regulation No. 8 of 11.08.2016 on information and documents for the preschool and school education system, covering data about the child/student, information about the process and results of education, support for the personal development of children and students, scholarships, diplomas, awards, sanctions, work in representative student organizations and forms of student self-government, participation in international mobility programs. The legal basis for the processing of personal data is compliance with a legal obligation applicable to the controller (the basis under Article 6(1)(c) of Regulation (EU) 2016/679). For special categories of data, such as health data, the basis for processing arises from reasons of important public interest in the cases provided for by law, namely for the protection of the life and health of children and students (the basis under Article 9, paragraph 2, item "g" of Regulation (EU) 2016/679).

3.2. Human resources

For the purposes of human resources management, we process the personal data of job applicants, current and former employees. The data processed includes data for the identification of natural persons, data on education and qualifications, data on health status, contact details, as well as other data required in accordance with labor legislation, tax and social security relations, accounting reporting of activities, safe and healthy working conditions, and social issues. The legal basis for the processing of personal data is the fulfillment of legal obligations applicable to the controller (the basis under Article 6, paragraph 1, item "c," and for health data – the basis under Article 9, paragraph 2, item "b" of Regulation (EU) 2016/679).

3.3. Review of proposals, signals, complaints, petitions, requests

For this purpose, Private Kindergarten "Tuti 2011" Ltd. processes information contained in the relevant proposals, signals, complaints, petitions, requests. These may contain data on physical, economic, social, or other identity. The legal basis for the processing of personal data is the fulfillment of legal obligations applicable to the controller (the basis under Article 6, paragraph 1, item "c," and for health data – the basis under Article 9, paragraph 2, item "h" of Regulation (EU) 2016/679).

3.4. Counterparties

The personal data of candidates and parties to contracts with Private Kindergarten "Tuti 2011" Ltd. is processed for the purposes of concluding and performing the relevant contract. Insofar as the personal data of individuals is processed in connection with the performance of these contracts, only the minimum amount of information necessary for the proper performance of the obligations under the relevant contract is processed. The legal basis for the processing of personal data is that it is necessary for the performance of the contract (the basis under Article 6, paragraph 1, item "b" of Regulation (EU) 2016/679).

3.5. Video surveillance

Video surveillance is carried out at Private Kindergarten "Tuti 2011" Ltd. in order to improve the safety of children/students and human resources and to protect property from trespassing. The data collected includes data on the image of persons and their location within the scope of the video surveillance equipment. The legal basis for the processing of personal data is the public interest in protecting the safety, life, and health of children/students (the basis under Article 6, paragraph 1, item "e" of Regulation (EU) 2016/679).

3.6. Initiatives

In order to implement the initiatives organized or conducted at Private Kindergarten "Tuti 2011" Ltd., personal data of children/students and their relatives who have expressed their consent to participate in celebrations, competitions, trips, and other similar events are processed. The data processed includes data for the identification of those wishing to participate in the initiative. The legal basis for the processing of personal data is the consent of the data subject, and if he/she is under 14 years of age, the consent of the parent exercising parental rights or the guardian of the data subject (Art. 6, para. 1, item "a" of Regulation (EU) 2016/679 and Art. 25c of the Personal Data Protection Act).

4. Categories of recipients of personal data outside the controller

Private Kindergarten "Tuti 2011" Ltd. discloses personal data to third parties only if they have a legal basis to receive it. The categories of recipients of personal data are determined for each specific case according to their basis for receiving the data, and may be:

For the personal data of children/students – state authorities and local government bodies in accordance with their powers, such as the Ministry of Education and Science and the Regional Education Administration – Sofia City – in accordance with the Pre-school and School Education Act and related subordinate legislation, external service companies – technical support for information technologies, IT applications; other institutions in accordance with the Pre-school and School Education Act.

For the personal data of human resources – state authorities in accordance with their powers, such as the National Revenue Agency, the National Social Security Institute, banking institutions when paying remuneration, postal and courier service providers when addressing correspondence.

For personal data in proposals, signals, complaints, petitions, requests, counterparty data, and video surveillance data, disclosure is permissible to state authorities and local government bodies according to their powers, such as law enforcement agencies, municipalities, and others.

For personal data in initiatives, disclosure is permissible only if the data subjects have given their consent.

The provision of personal data is also possible to personal data processors with whom the controller has concluded a contract and has assigned the processing of personal data on its behalf, such as IT service providers for the maintenance of an electronic logbook, occupational health services for the personal data of employees.

Under no circumstances does the controller process or disclose personal data for direct marketing purposes.

5. Period of storage of personal data

The controller shall apply the principle of storage limitation and store personal data for periods that are appropriate for the purposes for which the data are processed, taking into account the resulting legal obligations, as well as the scientific-historical or reference significance of the personal data.

Personal data in the personal educational file of the child/student is created upon the child's or student's entry into the compulsory pre-school and school education system and is kept until the completion of secondary education or withdrawal from school. The personal educational file is stored for a period of 50 years in the National Electronic Information System for Preschool and School Education (NEISPSE) and access to it is provided to the institution where the child or student is enrolled during the relevant school year.

The personal data of human resources is stored for the statutory periods of 50 years for payroll records, 3 years for sick leave certificates, and 6 months from the final completion of the appointment/selection procedure for documents provided by job applicants with whom no contract has been concluded.

The personal data of applicants for proposals, reports, complaints, petitions, and requests is stored for a period of 5 years after their consideration or after the completion of the relevant legal proceedings in the event of an appeal.

Video surveillance recordings are deleted within 30 days. 

After the expiry of the specified periods, personal data is deleted or destroyed, depending on the nature of the material carriers.

6. Rights of natural persons

Regulation (EU) 2016/679 provides for the following rights of natural persons in relation to the processing of their personal data:

•    the right of access to the personal data relating to the person that is processed by the controller;

•    the right to rectify inaccurate or incomplete personal data;

•    the right to erasure ("right to be forgotten") of personal data that is processed unlawfully or without legal basis (expired storage period, withdrawn consent, fulfilled original purpose for which it was collected, etc.);

•    the right to restrict processing in the event of a legal dispute between the controller and the individual until its resolution and/or for the establishment, exercise, or defense of legal claims;

•    the right to data portability when personal data is processed by automated means on the basis of consent or contract. For this purpose, the data shall be transmitted in a structured, commonly used and machine-readable format;

•    the right to object at any time on grounds relating to the specific situation of the individual, provided that there are no compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for legal proceedings;

•    the right not to be subject to a fully automated decision, including profiling, which produces legal effects concerning him or her or significantly affects him or her.

You may exercise your rights under Regulation (EU) 2016/679 by submitting a written or electronic request to the personal data controller. In the request, you should indicate your name, address, and other information identifying you as the data subject, describe your request, your preferred form of communication, and the actions you would like to be taken in response to your request. You must sign your request, indicate the date of submission, and provide your mailing address.

In fulfillment of its obligation to assist data subjects, Private Kindergarten "Tuti 2011" Ltd. has and, upon request, can provide sample forms for exercising the rights of data subjects.

7. Right to lodge a complaint with the Personal Data Protection Commission or the court

If you believe that your rights under Regulation (EU) 2016/679 have been violated, you have the right to lodge a complaint with the Personal Data Protection Commission or the court.

The supervisory authority in the Republic of Bulgaria for the processing of personal data by Private Kindergarten "Tuti 2011" Ltd. is the Commission for Personal Data Protection, address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2, website https://www.cpdp.bg/

8. No automated individual decision-making, including profiling

The controller does not use automated individual decision-making, including profiling.

9. Transfer of personal data to third countries or international organizations

As a rule, the administrator does not transfer personal data to third countries or international organizations. In the case of participation in international mobility programs, data on students and teachers may be provided on the basis of the explicit consent of their parents/guardians/trustees to third countries that do not provide an adequate level of protection, when participating in international Olympiads, competitions, exchange of experience, participation in projects, competitions, and other events. 

10. Significance of the personal data provided

In most cases where Private Kindergarten "Tuti 2011" Ltd. processes your personal data, this is a mandatory requirement for the performance of official powers and legal obligations. Failure to provide your personal data in these cases prevents us from taking action on your requests, which are anonymous.

With your consent, we process personal data when you voluntarily decide to participate in initiatives announced by the administrator. In these cases, you have the right to withdraw your consent at any time. Withdrawal of consent will result in the termination of your participation in the relevant initiative, but will not affect the lawfulness of the processing based on the consent given prior to its withdrawal. 

11. From what sources do we obtain personal data

The personal data processed by the administrator is provided by the individuals to whom it relates, as well as by other bodies in the cases provided for by law.

Changes to the transparency policy towards data subjects

We reserve the right to change our transparency policy.

If you have any questions about the processing of your personal data by Private Kindergarten "Tuti 2011" Ltd., please contact us at the above contact details of the administrator or the data protection officer.