General Data Protection Regulation

Sponsorship/ donation applicants

I.

Controller

 

For the processing of your personal data, the controller is Aurubis Bulgaria AD, a joint stock company, registered in the Company Register with the Registry Agency under uniform ID code 832046871, having its registered seat and management address in:

 

            Aurubis Bulgaria

            Industrial Zone

            2070 Pirdop

            Bulgaria

 

Aurubis Bulgaria is represented by Tim Kurth – Executive Director.

                        

II.

Contact information for the Data Protection Officer

 

Data Protection Officer, Security and Risk Management department, Aurubis Bulgaria AD, Industrial zone, 2070 Pirdop

Tel.:        +359 7286 2280

Fax:          + 359 7286 2646

 

III.

Collection and processing of personal data for evaluation of sponsorship/ donation applications

1.

 

 

 

 

 

 

 

 

 

 

 

 

 

2.

 

 

 

3.

 

 

 

 

Personal data, collected directly from the applicant in written or verbal when applying for sponsorship/ donation:

  • Names;
  • Address;
  • telephone number (landline and/or mobile)
  • Email address;
  • Date of birth;
  • Civil number;
  • ID number.

 

Personal data, collected directly from the applicant in written:

  • Current bank account (after approval of the application).

Additional personal data, which Aurubis Bulgaria AD may requests:

  • Medical conclusions;
  • Invoices for bought products or services.

 

Video Surveillance – on the territory of the company are located cameras for 24-hour video surveillance designed for security and operational purposes; on the entrances of the company are located cameras for 24-hour body temperature measurement that aim is to prevent epidemic/ pandemic disease spreading.

 

The processing of personal data in p. III (1- 4) is necessary for the following purposes:

  •   Social responsibility – including, but not limited to consideration and evaluation of applications for sponsorship or donation, as well as conclusion of contracts with the approved, protection against serious cross – border threats to health;
  • Operational management – including but not limited to establishment, implementation and management of the social activities of the company, audits and checks. The processing of personal data for these purposes is based on the legitimate interests of the company to manage its material resources and workforce, including to maintain written or verbal communication with the applicant, as well as managing its budget effectively;
  • Compliance with regulatory requirements and settling of legal disputes - including, but not limited to, the processing of personal data in accordance with regulatory requirements (e.g tax, social, health, trade and other applicable legislation). The processing of personal data for these purposes is done on the basis of compliance by the company with applicable legal obligations.

 

  • When approving and signing a donation/ sponsorship contract, personal data will be stored for up to 6 years from the date of the contract.

If the donation/ sponsorship request is rejected, personal data will be stored for up to 1 year from the rejection decision.

 

Video records and indicators of body temperature measurements are processed for up to 2 weeks.

 

Sponsorship/ donation applicants provide their personal data to the Company on a voluntary basis. If they do not provide their personal data, the company will not be able to consider, evaluate and prepare a donation contract with them, because it will not be able to fulfill its legitimate interests and/ or legal obligations.

 

The grounds for processing the personal data under p. III (1-4) are based on Regulation (EU) 2016/679 as follows: Article 6 (1) (b) of Regulation (EU) 2016/67 and Article 6 (1) (c) of Regulation (EU) 2016/679 and/ or Article 6 (1) (f) of Regulation (EU) 2016/679 and Article 6 (1) (d) of Regulation (EU) 2016/679, in relation with Article 9 (2) (i) of Regulation (EU) 2016/679.

 

IV.

Collection and processing of Personal Data in other cases

 

In other cases, different than the mention in p. III, personal data is collected and processed only if provided voluntarily, as follows:

 

If Aurubis Group companies provide personal data of the type described above to us as allowed for the purposes mentioned above, especially for cases in which You have contacted an affiliated company of ours with an issue that relates to us and not that affiliated company.

 

V.

Provision of personal data to third parties         

 

Aurubis Bulgaria AD uses service providers, who process and store personal data ("Personal Data Processors" pursuant to Article 28 of Regulation (EC) 2016/679). In particular, this is applicable to legal advisers, medical advisers and other services. These processors work only on contractual basis with Aurubis Bulgaria AD and store and process personal data according to the company's instructions.

 

If you contact Aurubis Bulgaria regarding issues that concern a company affiliated with Aurubis Bulgaria, in individual cases we will provide this affiliated company with your personal data.

 

If you have entered the premises of the company and subsequently informed us that you have been infected in order to prevent the spread of a pandemic / epidemic disease, this information shall be disclosed to employees of Aurubis Bulgaria AD and employees of contractors who have been in contact with you and respectively may have been infected.

Out of these three circumstances, data will only be provided in individual cases and in a volume that is in accordance with a specific legal obligation of Aurubis Bulgaria AD, as well as in cases where You submitted consent to provide your data.

 

VI.

Sponsorship/ donation applicants rights as Data Subject

 

·         Right to withdraw consent at any time (Article 7 (3) of Regulation (EC) 2016/679). As a consequence, the company will not be able to continue processing this data if it was based on consent.

·         Right to request confirmation whether the company processes personal data, and if so, information on the storage and processing (Article 15 of Regulation (EC) 2016/679). In particular, information may be requested about the purposes of processing; categories of personal data; the categories of recipients to whom personal data will be or have been provided; storage period; the right to request correction, erasure and / or limitation of processing, to object to such processing and to lodge a complaint with a supervisory authority; information about the source from which the company have received personal data when it was not collected by the subject; information on the availability of automated decision making (including profiling) and, if applicable, relevant detailed information.

·         Right to request immediate rectification of the personal data (Art. 16 of Regulation (EU) 2016/ 679).

·         Right to request erasure of the personal data, unless its processing is necessary:

1) For exercising the right of freedom of expression and information;

2) For compliance with a legal obligation;

3) For reasons of public interest;

4) For the establishment, exercise or defense of legal claims (Art. 17 of Regulation (EU) 2016/ 679).

·         Right to request restriction of the processing of the personal data if: contest their accuracy; the processing is unlawful; the company does not need the personal data any more, but the data subject require them for establishment, exercise or defense of а legal claim; if the data subject has objected to processing pursuant to Article 21 (1) of Regulation (EU) 2016/ 679 (Art. 18 of Regulation (EU) 2016/ 679).

·         Right to receive the personal data in a structured, widely used and machine readable format or request the transfer of this data to another Administrator (Article 20 of Regulation (EC) 2016/679).

 

When exercising the right to receive personal data or to transfer it to another Controller, more than once within 24 months, Aurubis Bulgaria AD reserves the right, according to Ch. III, Art. 12 par. 5 (a) of Regulation (EU) 2016/679, to require payment of administrative costs of BGN 20 per set of paper copy and BGN 20 per electronic carrier.

 

In order to exercise his rights under the above points, the applicant/ data subject must contact the Data Protection Officer designated by Aurubis Bulgaria AD:

 

              Address:                   2070. Pirdop, Industrial zone,

              Tel :                         + 359 886 131 999

              E-mail:                      d.temelkova(at)aurubis.com

 

The applicant/ data subject has the right, under Article 77 of Regulation (EC) 2016/679, to lodge a complaint to the Commission for Personal Data Protection (CPDP) by the ways described in the Commission's website. The contact details of CPDP are:

 

Address:                      1592 Sofia, Prof. Tsvetan Lazarov Blvd. 2

        Fax:                           02 9153525

        E-mail:                        kzld(at)cpdp.bg

 

Aurubis Bulgaria AD will cooperate to CPDP in the handling of such complaints and will comply with all recommendations and/ or instructions issued by the supervisory authority.

The applicant/ data subject has the right to lodge a complaint at Aurubis Group Headquarters by sending an email to dataprotection(at)aurubis.com .

 

VII.

Right to object

 

If the personal data is processed on the basis of a legitimate interest of the company pursuant to Article 6 (1) (f) of Regulation (EC) 2016/67, the applicant/ data subject has the right to object the processing of these data under Article 21 (1) of Regulation (EC) 2016/679. In this case, the company will not continue the processing of the personal data, unless there are convincing legal grounds for the processing that take precedence over the interests of the data subject, his rights and freedoms or are necessary for the establishment and/ or the defense of legal claims.

 

If the applicant/ data subject wants to use the right to object, it is enough to send an email to d.temelkova(at)aurubis.com 

Job applicants

I.

Controller

 

For the Processing of Your personal data, Controller is Aurubis Bulgaria AD, a joint stock company, registered in the Company Register with the Registry Agency under uniform ID code 832046871, having its registered seat and management address in:

 

Aurubis Bulgaria AD

            Industrial zone

            2070 Pirdop

            Bulgaria

 

Aurubis Bulgaria AD is represented by Tim Kurt, Executive Director.

 

II.

Contact details of the Data Protection Officer

 

Data Protection Officer, Security and Risk Management department, Aurubis Bulgaria AD, Industrial zone, 2070 Pirdop

Tel.:        +359 7286 2280

Fax:        + 359 7286 2646

E-mail:   d.temelkova(at)aurubis.com

 

III.

Collection and processing of personal data of job applicants/ apprenticeship in Aurubis Bulgaria AD

1.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

2.

 

 

 

 

 

 

 

 

3.

Personal data, collected directly from the data subject in written or verbal prior to entering into employment or in civil contract:

  • Identification data: names, personal address, personal phone number, personal email add., date of birth, Civil Number, ID number, photo, marital status;
  • Other Data: In compliance with the Conflict of Interests policy in the Company, are collected names and position of family members, as family members we consider spouses or persons who are in a real spouses cohabitation, relatives in a straight line and a collateral line - up to the second grade inclusive, and kinship by marriage - to a second grade inclusive;
  • CVs, summaries, applications, referrals, offers.

 

 Personal data, generated by the Company in written or verbal:

 

  •   Information for the interview performance, tests results, expected salary level, reference checking and others.

 

When issuing an access card, as part of the security and safety measures, review and transfer of the personal data from the identity document is performed, via reader, into the access control system, or the personal data is entered manually into the system. We collect and process the following data:

 

  • Name;
  • Personal identification No;
  • Photo;

 

Video Surveillance – on the territory of the company are located cameras for 24-hour video surveillance designed for security and operational purposes; on the entrances of the company are located cameras for 24-hour body temperature measurement that aim is to prevent epidemic/ pandemic disease spreading.

 

 

The processing of personal data in p. III (1-3)  is necessary for the following purposes:

  • Viewing of job application / internship at the company and assessing whether the job applicant meets the relevant requirements. The processing of the personal data for these purposes is based on job applicant consent, which he express unambiguously through his voluntary submission of application documents to the company. The processing of the personal data is also carried out for the purpose of taking, per his request, selection and recruitment steps prior to the conclusion of a labor or civil contract.
  • Personnel management – including but not limited to customary business practices related to planning and recruitment inclusive apprenticeship and trainees. The processing of personal data for these purposes is based on the legitimate interests of the company related to the necessity to develop its business in a sustainable manner and to increase its efficiency as well as the necessity to ensure compliance with the applicable legal requirements;
  •   Security management – including but not limited to activities related to access control, video surveillance, ensuring security of the premises, assets and information held by the company, and for the purposes of preventing and investigating theft, fraud, abuse, conflict of interest, audits and controls, protection against serious cross – border  threats to health. The processing of personal data for these purposes is based on the legitimate interests of the company to ensure the safety and security of its assets as well as its employees against any possible risks;

 

Personal data provided as mentioned in p. III (1 and 2) is processed for up to 6 months.

Personal data entered into the access control system is processed and kept for up to 3 years.

Video records are processed and stored for up to 2 months of creation in compliance with the Private Security Services Legislation. The video records of sites under the Waste Management Act are processed for up to 1 year.

 

Video records and indicators of body temperature measurements are processed for up to 2 weeks.

 

Job applicants provide their personal data to the Company on a voluntary basis. If they do not provide their personal data, the company will not be able to execute the procedure for recruitment and to take steps for conclusion of a labor contract or to enter in civil contract with them.

 

The grounds for processing the personal data under p. III (1-3) are based on Regulation (EU) 2016/679 as follows: Article 6 (1) (a) of Regulation (EU) 2016/67 and Article 6 (1) (b) of Regulation (EU) 2016/679 and Article 6 (1) (e) of Regulation (EU) 2016/679 and Article 6 (1) (d) of Regulation (EU) 2016/679, in relation with Article 9 (2) (i) of Regulation (EU) 2016/679.

 

IV.

Collection and processing of personal data in other cases

 

In other cases, different than the mention in p. III, personal data is collected and processed only if provided voluntarily, as follows:

 

1.

Written consent of the job applicant for the storage and processing of his personal data for up to 1 year.

 

The processing in this case is based on staying in touch with the job applicant for the above mentioned period of 1 year if in the company are opened new vacancies that matches his profile.

Personal data processing for these purposes is based on the job applicant consent, which is expressed unambiguously, by voluntary provision of documents and information necessary for the purposes of the certain case. Job applicant may withdraw the consent at any time that will not affect the lawfulness of the processing prior to the withdrawal of the consent.

 

The grounds for processing this personal data is based on Article 6 (1) (a) of Regulation (EU) 2016/679, Article 6 (1) (b) of Regulation (EC) 2016/679, Article 6 (1) (c) of Regulation (EU) 2016/679 and Article 6 (1) (f) of Regulation (EC) 2016/679.

 

V.

Provision of personal data to third parties

 

Aurubis Bulgaria AD uses supplier services to process and store personal data ("Personal Data Processors" pursuant to Article 28 of Regulation (EC) 2016/679). In particular, this is applicable to the security company, recruitment companies and other services. These processors work only on contractual basis with Aurubis Bulgaria AD and store and process personal data according to the company's instructions.

 

The above mentioned data for the above purposes will be provided to other Aurubis Group companies only in the volume required for processing.

 

If you have entered the premises of the company and subsequently informed us that you have been infected in order to prevent the spread of a pandemic / epidemic disease, this information shall be disclosed to employees of Aurubis Bulgaria AD and employees of contractors who have been in contact with you and respectively may have been infected.

 

Out of these three circumstances, data will only be provided in individual cases and in a volume that is in accordance with a specific legal obligation of Aurubis Bulgaria AD, as well as in cases where You submitted consent to provide your data.

 

VI.

Job applicants rights as Data Subject

 

  • Right to withdraw consent at any time (Article 7 (3) of Regulation (EC) 2016/679). As a consequence, the company will not be able to continue processing this data if it was based on consent, and in particular the job applicant will prevent the possibility of the company  to review and assess his job/ internship application, respectively, to consider his application if there are new vacancies that match his profile within 6 (six) months of his application.
  • Right to request confirmation whether the company processes personal data, and if so, information on the storage and processing (Article 15 of Regulation (EC) 2016/679). In particular, information may be requested about the purposes of processing; categories of personal data; the categories of recipients to whom personal data will be or have been provided; storage period; the right to request correction, erasure and / or limitation of processing, to object to such processing and to lodge a complaint with a supervisory authority; information about the source from which the company have received personal data when it was not collected by the subject; information on the availability of automated decision making (including profiling) and, if applicable, relevant detailed information.

Right to request immediate rectification of the personal data (Art. 16 of Regulation (EU) 2016/ 679).

  • Right to request erasure of the personal data, unless its processing is necessary:

1) For exercising the right of freedom of expression and information;

2) For compliance with a legal obligation;

3) For reasons of public interest;

4) For the establishment, exercise or defense of legal claims (Art. 17 of Regulation (EU) 2016/ 679).

  • Right to request restriction of the processing of the personal data if: contest their accuracy; the processing is unlawful; the company does not need the personal data any more, but the data subject require them for establishment, exercise or defense of а legal claim; if the data subject has objected to processing pursuant to Article 21 (1) of Regulation (EU) 2016/ 679 (Art. 18 of Regulation (EU) 2016/ 679).
  • Right to receive the personal data in a structured, widely used and machine readable format or request the transfer of this data to another Administrator (Article 20 of Regulation (EC) 2016/679)

When exercising the right to receive personal data or to transfer it to another Controller, more than once within 24 months, Aurubis Bulgaria AD reserves the right, according to Ch. III, Art. 12 par. 5 (a) of Regulation (EU) 2016/679, to require payment of administrative costs of BGN 20 per set of paper copy and BGN 20 per electronic carrier.

 

In order to exercise his rights under the above points, the job applicant/ data subject must contact the Data Protection Officer designated by Aurubis Bulgaria AD:

 

Address:         2070. Pirdop, Industrial zone,

Tel :                + 359 886 131 999

E-mail:            d.temelkova(at)aurubis.com

 

The job applicant/ data subject has the right, under Article 77 of Regulation (EC) 2016/679, to lodge a complaint to the Commission for Personal Data Protection (CPDP) by the ways described in the Commission's website. The contact details of CPDP are:

 

Address:          1592 Sofia, Prof. Tsvetan Lazarov Blvd. 2

Fax:                  02 9153525

E-mail:              kzld(at)cpdp.bg

 

Aurubis Bulgaria AD will cooperate to CPDP in the handling of such complaints and will comply with all recommendations and/ or instructions issued by the supervisory authority.

 

The job applicant/ Data subject has the right to lodge a complaint at Aurubis Group Headquarters by sending an email to dataprotection(at)aurubis.com .

VII.

Right of objection

 

If the personal data is processed on the basis of a legitimate interest of the company pursuant to Article 6 (1) (f) of Regulation (EC) 2016/67, the job applicant/ data subject has the right to object the processing of these data under Article 21 (1) of Regulation (EC) 2016/679. In this case, the company will not continue the processing of the personal data, unless there are convincing legal grounds for the processing that take precedence over the interests of the data subject, his rights and freedoms or are necessary for the establishment and/ or the defense of legal claims.

If the job/ applicant/ data subject wants to use the right to object, it is enough to send an email to d.temelkova(at)aurubis.com

Employees

I.

Controller

 

For the Processing of Your personal data, Controller is Aurubis Bulgaria AD, a joint stock company, registered in the Company Register with the Registry Agency under uniform ID code 832046871, having its registered seat and management address in:

 

Aurubis Bulgaria AD

            Industrial zone

            2070 Pirdop

            Bulgaria

 

Aurubis Bulgaria AD is represented by Tim Kurt, Executive Director.

 

II.

Contact details of the Data Protection Officer

 

Data Protection Officer, Security and Risk Management department, Aurubis Bulgaria AD, Industrial zone, 2070 Pirdop

Tel.:        +359 7286 2280

Fax:        + 359 7286 2646

E-mail:   d.temelkova@aurubis.com

 

III.

Collection and processing of personal data of Aurubis Bulgaria employees

1.

Personal data, collected directly from the data subject in written or verbal prior to entering into employment or in civil contract:

  • Identification data: names, personal address, personal phone number, personal email add., date of birth, Civil Number, ID number, photo, marital status;
  • Other Data: In compliance with the Conflict of Interests policy in the Company, are collected names and position of family members, as family members we consider spouses or persons who are in a real spouses cohabitation, relatives in a straight line and a collateral line - up to the second grade inclusive, and kinship by marriage - to a second grade inclusive;
  • CVs, summaries, applications, referrals, offers.

 

2.

Personal data, collected directly from the employee in written at the beginning or at time of contractual relationship:

  • Identification data: names, personal address, date of birth, Civil number, ID number, photo, marital status;
  • Finance details: IBAN, tax information, payments information;
  • Copies of diplomas, driving license, documents for qualifications and trainings, according to the regulatory requirements and procedures of Aurubis Bulgaria AD.
  • Other Data: In compliance with the Conflict of Interests policy in the Company, are collected names and position of family members, as family members we consider spouses or persons who are in a real spouses cohabitation, relatives in a straight line and a collateral line – up to the second grade inclusive, and kinship by marriage - to a second grade inclusive;
  • Sensitive Personal data - health data and non-conviction certificate for certain positions.

 

3.

Personal data, generated by the Company in written or verbal:

  • Details about the employment, e.g. salary, history of employment and compensations, professional growth, paid leaves, sick leaves, level of payment, information about the performance (including job evaluation, internal communication on performance and attendance), company email address, etc.

4.

Personal data, collected directly from the employee in written or verbal, or received by third parties (medical tests, diagnostic procedures, consultations, documents on temporary disability to work) or are generated by the Health service department throughout the employment period:

  • Identification data: names, personal address, date of birth, Civil number, phone number;
  • Family burden - in terms of socially significant diseases;
  • Working activities professional history; reduced working capacity;
  • Health status - past diseases; chronic diseases; bad habits; results of medical tests, diagnostic procedures, consultations; disability; accidents at work and data on temporary incapacity for work.

 

5.

Video Surveillance:

  • on the territory of the company are located cameras for 24-hour video surveillance designed for security and operational purposes.
  • on the entrances of the company are located cameras for 24-hour body temperature measurement that aim is to prevent epidemic/ pandemic disease spreading.

 

Photos:

  • on the territory of the company, employees are shot for proving violations.

 

6.

Personal data collected directly from the employees in written or verbal, or received by third parties (medical tests, diagnostic procedures, consultations, documents on temporary disability to work) or are generated by the Health service department throughout pandemics period, in case the person has symptoms or direct contacts with infected people:

  • Identification data: names, personal address, position, phone number;
  • Travel data – travelling location (business and personal) during the last 14 days;
  • Contacts within the family: names;
  • Contacts within Aurubis Bulgaria: names, positions, companies;
  • Records for pandemic’s specific symptoms;
  • Results of pandemic’s specific tests;
  • Body temperature.

 

7.

Personal data collected directly from the employees in written or verbal with his consent, or received by third parties (medical tests, diagnostic procedures, consultations, documents on temporary disability to work) or are generated by the Health service department throughout pandemics period, in case the employer carries out an impact assessment and assessment on the need for anti-epidemic measures:

  • Copy of vaccination passport;

 

The processing of personal data in p. III (1-6) is necessary for the following purposes:

  • Managing employee relationships with the Company - including, but not limited to, activities related to the existence, modification and termination of labor relations and the preparation of documents of the persons in this respect (contracts, additional agreements, documents certifying length of service, references, statements, certificates, etc.); administration of salaries, bonuses, paid leaves, social benefits, mission orders, etc. The processing of personal data for these purposes is based on the fulfillment of the contractual obligations of Aurubis Bulgaria AD towards the employee.
  • Personnel management – including but not limited to customary business practices related to planning and recruitment; managing and improving the efficiency of the workforce, payments and compensation programs; performance management, training and development; progress and planning of successors; control over the compliance with statutory and contractual obligations and obligations arising from internal policies and procedures; internal reporting; conducting disciplinary proceedings; investigation of work accidents; protection of the rights and interests of the company in various administrative and judicial proceedings. The processing of personal data for these purposes is based on the legitimate interests of the company related to the necessity to develop its business in a sustainable manner and to increase its efficiency as well as the need to ensure that its employees comply with the applicable legal, contractual or intercompany requirements;
  • Operational management – including but not limited to establishment, implementation and management of the business activities of the company, for example: correspondence and work with business partners, maintenance, monitoring of the use and personal identification at internal networks and information systems, accounting of business travels and costs, health and safety management, protection against serious cross – border  threats to health, preparation of powers of attorney, administration of insurance claims, use of company cars, preparation of business missions, trips and reservations, and others. The processing of personal data for these purposes is based on the legitimate interests of the company to manage its material resources and workforce, including providing network and information security in its organization, as well as managing its budget effectively;
  • Security management – including but not limited to activities related to access control, video surveillance; ensuring the health and safety of employees, ensuring security of the premises, assets and information held by the company, and for the purposes of preventing and investigating theft, fraud, abuse, conflict of interest, audits and controls. The processing of personal data for these purposes is based on the legitimate interests of the company to ensure the safety and security of its assets as well as the health of its employees against any possible risks;
  • Compliance with regulatory requirements and settling of legal disputes - including, but not limited to, the processing of personal data in accordance with regulatory requirements (e.g. tax, social, health, labor and other applicable legislation). The processing of personal data for these purposes is done on the basis of compliance by the company with applicable legal obligations.

 

Personal data will be stored for a period of 11 (eleven) years after termination of employee legal relationship with the Company, same as the absolute limitation period for tax obligations, unless they have become necessary within that period to establish, exercise or protect of any legal claims or administrative proceedings against Aurubis Bulgaria AD. In this case, the personal data will be stored until the end of the relevant legal procedure.

 

Personal data entered into the access control system is processed and kept for up to 3 years from the termination of the employment or civil relationship.

 

Payment records and health dossiers are kept for up to 50 years.

 

Video records are processed and stored for up to 2 months of creation in compliance with the Private Security Services Legislation. The video records of sites under the Waste Management Act are processed for up to 1 year.

Photos of employees are processed for a period of 5 years from committing a violation, unless they have become necessary within that period to establish, exercise or protect of any legal claims or administrative proceedings against Aurubis Bulgaria AD. In this case they will be stored until the end of the relevant legal procedure.

Personal data which is processed in case of work accidents, is stored for up to 5 years after the event.

 

Health records for the purpose to prevent pandemics are processed for up to 2 months after the announcement of the end of pandemics.

 

Video records and indicators of body temperature measurements are processed for up to 2 weeks.

 

Employees provide their personal data to the Company on a voluntary basis. If they do not provide their personal data, the company will not be able to conclude a contract with them or will not be able to fulfill its obligations under such contract, or will not be able to perform its obligations towards the public interest in the area of public health, such as protecting against serious cross-border threats to health, or the employee will not be able to take advantage of certain social benefits / participate in certain processes and projects in the Company.

 

The grounds for processing the personal data under p. III are based on Regulation (EU) 2016/679 as follows: Article 6 (1) (b) of Regulation (EU) 2016/67 and Article 6 (1) (c) of Regulation (EU) 2016/679 and/ or Article 6 (1) (f) of Regulation (EU) 2016/679 and Article 6 (1) (d) of Regulation (EU) 2016/679, in relation with Article 9 (2) (h) of Regulation (EU) 2016/679.

 

IV.

Collection and processing of Personal Data in other cases

 

In other cases, different than the mention in p. III, personal data is collected and processed only if provided voluntarily, as follows:

 

1.

Additional personal data, collected and processed after a written request from the employee:

  • Family status - marriage, divorce, number of family members, including children under 18 years of age;
  • Identity data for family members: names, personal address, date of birth, Civil number, phone number;
  • Labor union’s membership of the employee.

 

The processing of the above mentioned personal data serves for the following purposes:

  • Social responsibility - including but not limited to donation, sponsorship, additional benefits for employees and their family members, addressing labor relations issues and health insurance claims;
  • Labor unions membership data is process only upon a written request by him/ her, to use the more favorable conditions for labor benefits agreed in the Collective Labor Agreement (CTA), withholding unions membership fees and/or loan installments from the salary, etc.;

 

If employee provides to Aurubis Bulgaria AD, personal data of his family members (e.g. in order to use certain social benefits) or any other third parties, it is his responsibility to:

  • Provide these data subjects with all the relevant information for the lawful disclosure of their personal data to Aurubis Bulgaria AD, details about the data processing and the purposes for which the data is provided; and
  • Receive the consent of these data subjects for the mentioned disclosure of their personal data and its processing by Aurubis Bulgaria AD, if such consent is necessary.

 

Personal data processing for these purposes is based on employee consent, which is expressed unambiguously, by voluntary provision of documents and information, necessary for the purposes of the certain case. Employee may withdraw the consent at any time that will not affect the lawfulness of the processing prior to the withdrawal of the consent.

 

The grounds for processing this personal data is based on Article 6 (1) (a) of Regulation (EU) 2016/679, Article 6 (1) (b) of Regulation (EC) 2016/679, Article 6 (1) (c) of Regulation (EU) 2016/679 and Article 6 (1) (f) of Regulation (EC) 2016/679.

 

V.

Provision of personal data to third parties

 

Aurubis Bulgaria AD uses service providers, who process and store personal data ("Personal Data Processors" pursuant to Article 28 of Regulation (EC) 2016/679). In particular, this is applicable to the security company, insurance companies, mobile operators, travel agencies, transport companies, pension and insurance companies, legal advisers and other third parties with which Aurubis Bulgaria has concluded contracts for provision of training, medical, accounting and other services. These processors work only on contractual basis with Aurubis Bulgaria AD and store and process personal data according to the company's instructions.

 

The above mentioned data for the above purposes will be provided to other Aurubis Group companies only in the volume required by the particular purpose for processing. The reason for the processing of personal data by other Aurubis Group companies is based on a legitimate interest - unification and standardization of processes at the corporate group level.

 

The information for confirmed infected employees, in relation with p. III (6), shall be disclosed only in case it is necessary to assess whether other employees of Aurubis Bulgaria AD or employees of contractors had been in contact with the infected person, and respectively infected too.

 

Out of these three circumstances, data will only be provided in individual cases and in a volume that is in accordance with a specific legal obligation of Aurubis Bulgaria AD, as well as in cases where employee has submitted consent to provide the data.

 

VI.

Employees rights as Data Subject

 

  • Right to withdraw consent at any time (Article 7 (3) of Regulation (EC) 2016/679). As a consequence, the company will not be able to continue processing this data if it was based on consent.
  • Right to request confirmation whether the company processes personal data, and if so, information on the storage and processing (Article 15 of Regulation (EC) 2016/679). In particular, information may be requested about the purposes of processing; categories of personal data; the categories of recipients to whom personal data will be or have been provided; storage period; the right to request correction, erasure and / or limitation of processing, to object to such processing and to lodge a complaint with a supervisory authority; information about the source from which the company have received personal data when it was not collected by the subject; information on the availability of automated decision making (including profiling) and, if applicable, relevant detailed information.
  • Right to request immediate rectification of the personal data (Art. 16 of Regulation (EU) 2016/ 679).
  • Right to request erasure of the personal data, unless its processing is necessary:

1) For exercising the right of freedom of expression and information;

2) For compliance with a legal obligation;

3) For reasons of public interest;

4) For the establishment, exercise or defense of legal claims (Art. 17 of Regulation (EU) 2016/ 679).

  • Right to request restriction of the processing of the personal data if: contest their accuracy; the processing is unlawful; the company does not need the personal data any more, but the data subject require them for establishment, exercise or defense of а legal claim; if the data subject has objected to processing pursuant to Article 21 (1) of Regulation (EU) 2016/ 679 (Art. 18 of Regulation (EU) 2016/ 679).
  • Right to receive the personal data in a structured, widely used and machine readable format or request the transfer of this data to another Administrator (Article 20 of Regulation (EC) 2016/679).

 

When exercising the right to receive personal data or to transfer it to another Controller, more than once within 24 months, Aurubis Bulgaria AD reserves the right, according to Ch. III, Art. 12 par. 5 (a) of Regulation (EU) 2016/679, to require payment of administrative costs of BGN 20 per set of paper copy and BGN 20 per electronic carrier.

 

In order to exercise his rights under the above points, the employee must contact the Data Protection Officer designated by Aurubis Bulgaria AD:

 

Address:         2070. Pirdop, Industrial zone,

Tel :                 + 359 886 131 999

E-mail:            d.temelkova@aurubis.com

 

Data subject has the right, under Article 77 of Regulation (EC) 2016/679, to lodge a complaint to the Commission for Personal Data Protection (CPDP) by the ways described in the Commission's website. The contact details of CPDP are:

 

Address:          1592 Sofia, Prof. Tsvetan Lazarov Blvd. 2

Fax:                  02 9153525

E-mail:              kzld@cpdp.bg

 

Aurubis Bulgaria AD will cooperate to CPDP in the handling of such complaints and will comply with all recommendations and/ or instructions issued by the supervisory authority.

Data subject has the right to lodge a complaint at Aurubis Group Headquarters by sending an email to dataprotection@aurubis.com .

 

VII.

Right to object

 

If the personal data is processed on the basis of a legitimate interest of the company pursuant to Article 6 (1) (f) of Regulation (EC) 2016/67, the employee has the right to object the processing of these data under Article 21 (1) of Regulation (EC) 2016/679. In this case, the company will not continue the processing of the personal data, unless there are convincing legal grounds for the processing that take precedence over the interests of the data subject, his rights and freedoms or are necessary for the establishment and/ or the defense of legal claims.If the data subject wants to use the right to object, it is enough to send an email to d.temelkova@aurubis.com

Contractors

I.

Controller

 

For the Processing of Your personal data, Controller is Aurubis Bulgaria AD, a joint stock company, registered in the Company Register with the Registry Agency under uniform ID code 832046871, having its registered seat and management address in:

 

Aurubis Bulgaria AD

            Industrial zone

            2070 Pirdop

            Bulgaria

 

Aurubis Bulgaria AD is represented by Tim Kurt, Executive Director.

 

II.

Contact details of the Data Protection Officer

 

Data Protection Officer, Security and Risk Management department, Aurubis Bulgaria AD, Industrial zone, 2070 Pirdop

Tel.:        +359 7286 2280

Fax:        + 359 7286 2646

E-mail:   d.temelkova(at)aurubis.com

 

III.

Collection and processing of personal data of Contractors employees, who work on the territory of Aurubis Bulgaria

1.

 

 

 

 

 

 

 

 

 

2.

 

 

 

 

3.

 

 

3.

 

 

5.

 

 

 

 

 

 

6.

When issuing an access card, as part of the security and safety measures, review and transfer of the personal data from the identity document is performed, via reader, into the access control system, or the personal data is entered manually into the system. We collect and process the following data:

  • Name;
  • Personal identification No or date of birth;
  • Photo;
  • Registration plate No of the vehicle (only in case access with vehicle in needed)

 

Video Surveillance – on the territory of the company are located cameras for 24-hour video surveillance designed for security and operational purposes; on the entrances of the company are located cameras for 24-hour body temperature measurement that aim is to prevent epidemic/ pandemic disease spreading.

 

Photos - on the territory of the company, contractors employees are shot for proving violations.

 

Copies of qualification, driving license  and training certificates, as required by the OHS procedures and work instructions in Aurubis Bulgaria AD and form FM-HNSD-006-B/E.

 

Communication details, namely:

  • Names;
  • one or more valid e-mail addresses
  • address     
  • phone number (landline and/or mobile)
  •  fax number
  • Personal data collected directly from the employees in written or verbal, generated by the Health service department throughout pandemics periods, in case the person has symptoms or direct contacts with infected people:
  •  Identification data: names, personal address, position, phone number;
  • Contacts within Aurubis Bulgaria: names, positions, companies;
  • Results of pandemic’s specific tests;
  • Body temperature.

The processing of personal data in p. III (1- 6) is necessary for the following purposes:

  •   Security management – including but not limited to activities related to access control, video surveillance, ensuring security of the premises, assets and information held by the company, and for the purposes of preventing and investigating theft, fraud, abuse, conflict of interest, audits and controls. The processing of personal data for these purposes is based on the legitimate interests of the company to ensure the safety and security of its assets as well as its employees against any possible risks;
  • Operational management – including but not limited to establishment, implementation and management of the business activities of the company, for example: maintenance and monitoring of the use of internal networks and information systems, exchange of written correspondence or other communication, health and safety management, protection against serious cross – border threats to health. The processing of personal data for these purposes is based on the legitimate interests of the company to manage its material resources and workforce, including providing network and information security in its organization, issuing  invoices as well as managing its budget effectively;
  •   Compliance with regulatory requirements and settling of legal disputes - including, but not limited to, the processing of personal data in accordance with regulatory requirements (e.g tax, social, health, trade, labor and other applicable legislation). The processing of personal data for these purposes is done on the basis of compliance by the company with applicable legal obligations.
  • Personal data entered into the access control system is processed and stored for up to 3 years from the termination of the contract with Aurubis Bulgaria AD or a notice from the Employer that the person is no longer its employee.
  • Video records are processed and stored for up to 2 months of creation in compliance with the Private Security Services Legislation. The video records of sites under the Waste Management Act are processed for up to 1 year.
  • Photos of contractor’s employees are processed for a period of 5 years from committing a violation, unless they have become necessary within that period to establish, exercise or protect of any legal claims or administrative proceedings against Aurubis Bulgaria AD. In this case they will be stored until the end of the relevant legal procedure.
  • Personal data which is processed in case of work accidents, is stored for up to 5 years after the event.
  • Video records and indicators of body temperature measurements are processed for up to 2 weeks.
  • Contractor’s employees provide their personal data to the Company on a voluntary basis. If they do not provide their personal data, the company will not be able to allow them to work on the territory because it will not be able to fulfill its legitimate interests and/ or legal obligations or will not be able to perform its obligations towards the public interest in the area of public health, such as protecting against serious cross-border threats to health.
  • The grounds for processing the personal data under p. III are based on Regulation (EU) 2016/679 as follows: Article 6 (1) (b) of Regulation (EU) 2016/67 and Article 6 (1) (c) of Regulation (EU) 2016/679 and/ or Article 6 (1) (f) of Regulation (EU) 2016/679 and Article 6 (1) (d) of Regulation (EU) 2016/679, in relation with Article 9 (2) (h) of Regulation (EU) 2016/679 and Article 9 (2) (i) of Regulation (EU) 2016/679.

 

IV.

Collection and processing of Personal Data in other cases

 

In other cases, different than the mention in p. III, personal data is collected and processed only if provided voluntarily, as follows:

 

1.

If the employee is communicating with us while acting in a professional capacity for one of our business partners, we store and process professionally used contact data, as follows:

  • business partner for whom you are working
  • title, first name, last name
  • position in the organization of our business partner
  • one or more valid e-mail addresses
  • address     
  • phone number (landline and/or mobile)
  • fax number

 

The processing of the above mentioned personal data serves for the following purposes:

  • in order to be able to identify you as our contact with our business partner;
  • for business correspondence with You;
  • in order to inform you about the products, services, and Aurubis Group companies;
  • in order to offer you Aurubis Bulgaria’s products and services;
  • to initiate, execute, and terminate contracts in connection with the business relationship;
  • to maintain the business relationship with Aurubis Bulgaria;
  • for invoicing;
  • to fulfill legal obligations, especially for the prevention of fraud and money laundering.

 

The grounds for processing this personal data are based on Regulation (EU) 2016/679 as follows: 1) Article 6 Paragraph 1(b) GDPR (General Data Protection Regulation) and Article 6 Paragraph 1(f) GDPR (General Data Protection Regulation) in order to maintain and conduct the business relationship for the length of the business relationship or until the Aurubis Bulgaria business partner communicates that You are no longer employed by them; 2) In cases when we are obligated to store the data for a longer period of time pursuant to Article 6 Paragraph 1 Sentence 1(c) GDPR (General Data Protection Regulation) due to storage and documentation obligations according to legal tax, commercial regulations and other applicable regulations; 3) In cases when You have consent to a longer storage period pursuant to Article 6 Paragraph 1 Sentence 1(a) GDPR (General Data Protection Regulation).

2.

If Aurubis Group companies provide personal data of the type described above to us as allowed for the purposes mentioned above, especially for cases in which You have contacted an affiliated company of ours with an issue that relates to us and not that affiliated company.

 

V.

Provision of personal data to third parties         

 

Aurubis Bulgaria AD uses service providers, who process and store personal data ("Personal Data Processors" pursuant to Article 28 of Regulation (EC) 2016/679). In particular, this is applicable to the security company and its employees, legal advisers and other third parties. These processors work only on contractual basis with Aurubis Bulgaria AD and store and process personal data according to the company's instructions.

If You contact Aurubis Bulgaria regarding issues that concern a company affiliated with Aurubis Bulgaria, in individual cases we will provide this affiliated company with your personal data.

 

The information for confirmed infected employees, in relation with p. III (6), shall be disclosed only in case it is necessary to assess whether employees of Aurubis Bulgaria AD or employees of other contractors had been in contact with the infected person, and respectively are infected too.

 

Out of these three circumstances, data will only be provided in individual cases and in a volume that is in accordance with a specific legal obligation of Aurubis Bulgaria AD, as well as in cases where You submitted consent to provide your data.

 

VI.

Your rights as Data Subject

 

  • Right to withdraw consent at any time (Article 7 (3) of Regulation (EC) 2016/679). As a consequence, the company will not be able to continue processing this data if it was based on consent.
  • Right to request confirmation whether the company processes personal data, and if so, information on the storage and processing (Article 15 of Regulation (EC) 2016/679). In particular, information may be requested about the purposes of processing; categories of personal data; the categories of recipients to whom personal data will be or have been provided; storage period; the right to request correction, erasure and / or limitation of processing, to object to such processing and to lodge a complaint with a supervisory authority; information about the source from which the company have received personal data when it was not collected by the subject; information on the availability of automated decision making (including profiling) and, if applicable, relevant detailed information.
  • Right to request immediate rectification of the personal data (Art. 16 of Regulation (EU) 2016/ 679).
  •  Right to request erasure of the personal data, unless its processing is necessary:

1) For exercising the right of freedom of expression and information;

2) For compliance with a legal obligation;

3) For reasons of public interest;

4) For the establishment, exercise or defense of legal claims (Art. 17 of Regulation (EU) 2016/ 679).

  •  Right to request restriction of the processing of the personal data if: contest their accuracy; the processing is unlawful; the company does not need the personal data any more, but the data subject require them for establishment, exercise or defense of а legal claim; if the data subject has objected to processing pursuant to Article 21 (1) of Regulation (EU) 2016/ 679 (Art. 18 of Regulation (EU) 2016/ 679).
  • Right to receive the personal data in a structured, widely used and machine readable format or request the transfer of this data to another Administrator (Article 20 of Regulation (EC) 2016/679).

 

When exercising the right to receive personal data or to transfer it to another Controller, more than once within 24 months, Aurubis Bulgaria AD reserves the right, according to Ch. III, Art. 12 par. 5 (a) of Regulation (EU) 2016/679, to require payment of administrative costs of BGN 20 per set of paper copy and BGN 20 per electronic carrier.

 

In order to exercise his rights under the above points, the data subject must contact the Data Protection Officer designated by Aurubis Bulgaria AD:

 

              Address:                2070. Pirdop, Industrial zone,

              Tel :                         + 359 886 131 999

              Email:                      d.temelkova(at)aurubis.com

 

Contractors employee/ Data subject has the right, under Article 77 of Regulation (EC) 2016/679, to lodge a complaint to the Commission for Personal Data Protection (CPDP) by the ways described in the Commission's website. The contact details of CPDP are:

 

Address:                      1592 Sofia, Prof. Tsvetan Lazarov Blvd. 2

Fax:                             02 9153525

E-mail:                          kzld(at)cpdp.bg

 

Aurubis Bulgaria AD will cooperate to CPDP in the handling of such complaints and will comply with all recommendations and/ or instructions issued by the supervisory authority.

Contractors employee/ Data subject also has the right to lodge a complaint at Aurubis Group Headquarters by sending an email to dataprotection(at)aurubis.com .

VII.

Right to object

 

If the personal data is processed on the basis of a legitimate interest of the company pursuant to Article 6 (1) (f) of Regulation (EC) 2016/67, the employee/ data subject has the right to object the processing of these data under Article 21 (1) of Regulation (EC) 2016/679. In this case, the company will not continue the processing of the personal data, unless there are convincing legal grounds for the processing that take precedence over the interests of the data subject, his rights and freedoms or are necessary for the establishment and/ or the defense of legal claims.

 

If the data subject wants to use the right to object, it is enough to send an email to d.temelkova(at)aurubis.com

Truck drivers

I.

Controller

 

For the Processing of Your personal data, Controller is Aurubis Bulgaria AD, a joint stock company, registered in the Company Register with the Registry Agency under uniform ID code 832046871, having its registered seat and management address in:

 

Aurubis Bulgaria AD

            Industrial zone

            2070 Pirdop

            Bulgaria

 

Aurubis Bulgaria AD is represented by Tim Kurt, Executive Director.

 

II.

Contact details of the Data Protection Officer

 

Data Protection Officer, Security and Risk Management department, Aurubis Bulgaria AD, Industrial zone, 2070 Pirdop

Tel.:        +359 7286 2280

Fax:        + 359 7286 2646

E-mail:   d.temelkova(at)aurubis.com

 

III.

Collection and processing of personal data of truck drivers who enter in Aurubis Bulgaria

1.

 

 

 

 

 

 

 

 

 

 

 

 

2.

 

 

 

3.

 

 

For truck drivers, the company collects and process the following data:

  •  Names;
  • Civil numbers;
  • ID number;
  • Date of birth;
  • Photo;
  • Cell phone number
  • Registration No of truck and trailer;
  • Copies of qualification, driving license  and training certificates, as required by the international ADR Convention on the Transport of Dangerous Goods and others.

 

Video Surveillance – on the territory of the company are located cameras for 24-hour video surveillance designed for security and operational purposes; on the entrances of the company are located cameras for 24-hour body temperature measurement that aim is to prevent epidemic/ pandemic disease spreading.

 

Photos - on the territory of the company, truck drivers are shot for proving violations.

 

The processing of personal data in p. III (1-3) is necessary for the following purposes:

  • Security management – including but not limited to activities related to access control, video surveillance, ensuring security of the premises, assets and information held by the company, and for the purposes of preventing and investigating theft, fraud, abuse, conflict of interest, audits and controls. The processing of personal data for these purposes is based on the legitimate interests of the company to ensure the safety and security of its assets as well as its employees against any possible risks;
  • Operational management – including but not limited to establishment, implementation and management of the business activities of the company, such as loading and unloading activities, communication, administration of insurance claims, health and safety management and others, protection against serious cross – border threats to health. The processing of personal data for these purposes is based on the legitimate interests of the company to manage its material and financial resources and workforce, to mantain business communication with its partners as well as to manage its budget effectively and its expedition schedules ;
  • Compliance with regulatory requirements and settling of legal disputes - including, but not limited to, the International ADR Convention on the Transport of Dangerous Goods, tax, customs, health, commercial and other applicable legislation. The processing of personal data for these purposes is done on the basis of compliance by the company with applicable legal obligations.
  • Personal data entered into the access control system is processed and kept for up to 3 years.
  • Video records are processed and stored for up to 2 months of creation in compliance with the Private Security Services Legislation. The video records of sites under the Waste Management Act are processed for up to 1 year.
  • Photos of truck drivers are processed for a period of 5 years from committing a violation, unless they have become necessary within that period to establish, exercise or protect of any legal claims or administrative proceedings against Aurubis Bulgaria AD. In this case they will be stored until the end of the relevant legal procedure.
  • Personal data which is processed in case of work accidents, is stored for up to 5 years after the event.

 

  • Video records and indicators of body temperature measurements are processed for up to 2 weeks.

 

  • Truck drivers provide their personal data to the Company on a voluntary basis. If they do not provide their personal data, the company will not be able to allow them to carry out loading and unloading activities because it will not be able to fulfill its legitimate interests and/ or legal obligations.

 

 

The grounds for processing the personal data under p. III (1-3) are based on Regulation (EU) 2016/679 as follows: Article 6 (1) (b) of Regulation (EU) 2016/67 and Article 6 (1) (c) of Regulation (EU) 2016/679 and/ or Article 6 (1) (f) of Regulation (EU) 2016/679 and Article 6 (1) (d) of Regulation (EU) 2016/679, in relation with Article 9 (2) (h) of Regulation (EU) 2016/679 and Article 9 (2) (i) of Regulation (EU) 2016/679.

 

IV.

Collection and processing of Personal Data in other cases

1.

In cases when other companies in the Aurubis Group provide us with the above mentioned data for the above mentioned purposes.

 

V.

Provision of personal data to third parties

 

Aurubis Bulgaria AD uses service providers, who process and store personal data ("Personal Data Processors" pursuant to Article 28 of Regulation (EC) 2016/679). In particular, this is applicable to the security company  and other services. These processors work only on contractual basis with Aurubis Bulgaria AD and store and process personal data according to the company's instructions.

In case You contact Aurubis Bulgaria AD on a matter that concerns and/ or is of the competence of another Aurubis Group company, we will provide your information to this company.

 

If you have entered the premises of the company and subsequently informed us that you have been infected in order to prevent the spread of a pandemic / epidemic disease, this information shall be disclosed to employees of Aurubis Bulgaria AD and employees of contractors who have been in contact with you and respectively may have been infected.

 

Out of these three circumstances, data will only be provided in individual cases and in a volume that is in accordance with a specific legal obligation of Aurubis Bulgaria AD, as well as in cases where You submitted consent to provide your data.

 

VI.

Truck drivers rights as Data Subject

 

  • Right to withdraw consent at any time Article 7 (3) of Regulation (EC) 2016/679). As a consequence, the company will not be able to continue processing this data if it was based on consent.
  • Right to request confirmation whether the company processes personal data, and if so, information on the storage and processing (Article 15 of Regulation (EC) 2016/679). In particular, information may be requested about the purposes of processing; categories of personal data; the categories of recipients to whom personal data will be or have been provided; storage period; the right to request correction, erasure and / or limitation of processing, to object to such processing and to lodge a complaint with a supervisory authority; information about the source from which the company have received personal data when it was not collected by the subject; information on the availability of automated decision making (including profiling) and, if applicable, relevant detailed information.
  •  Right to request immediate rectification of the personal data (Art. 16 of Regulation (EU) 2016/ 679).
  •  Right to request erasure of the personal data, unless its processing is necessary:
  • 1)For exercising the right of freedom of expression and information;

2) For compliance with a legal obligation;

3) For reasons of public interest;

4) For the establishment, exercise or defense of legal claims (Art. 17 of Regulation (EU) 2016/ 679).

  •   Right to request restriction of the processing of the personal data if: contest their accuracy; the processing is unlawful; the company does not need the personal data any more, but the data subject require them for establishment, exercise or defense of а legal claim; if the data subject has objected to processing pursuant to Article 21 (1) of Regulation (EU) 2016/ 679 (Art. 18 of Regulation (EU) 2016/ 679).
  •  Right to receive the personal data in a structured, widely used and machine readable format or request the transfer of this data to another Administrator (Article 20 of Regulation (EC) 2016/679).

 

When exercising the right to receive personal data or to transfer it to another Controller, more than once within 24 months, Aurubis Bulgaria AD reserves the right, according to Ch. III, Art. 12 par. 5 (a) of Regulation (EU) 2016/679, to require payment of administrative costs of BGN 20 per set of paper copy and BGN 20 per electronic carrier.

 

In order to exercise his rights under the above points, the truck driver/ data subject must contact the Data Protection Officer designated by Aurubis Bulgaria AD:

 

              Address:                 2070. Pirdop, Industrial zone,

              Tel :                         + 359 886 131 999

              Email:                      d.temelkova(at)aurubis.com

 

The truck driver/ Data subject has the right, under Article 77 of Regulation (EC) 2016/679, to lodge a complaint to the Commission for Personal Data Protection (CPDP) by the ways described in the Commission's website. The contact details of CPDP are:

 

Address:                      1592 Sofia, Prof. Tsvetan Lazarov Blvd. 2

        Fax:                           02 9153525

        E-mail:                        kzld(at)cpdp.bg

 

Aurubis Bulgaria AD will cooperate to CPDP in the handling of such complaints and will comply with all recommendations and/ or instructions issued by the supervisory authority.

The truck driver/ Data subject has the right to lodge a complaint at Aurubis Group Headquarters by sending an email to dataprotection(at)aurubis.com .

 

VII.

Right to object

 

If the personal data is processed on the basis of a legitimate interest of the company pursuant to Article 6 (1) (f) of Regulation (EC) 2016/67, the truck driver/ data subject has the right to object the processing of these data under Article 21 (1) of Regulation (EC) 2016/679. In this case, the company will not continue the processing of the personal data, unless there are convincing legal grounds for the processing that take precedence over the interests of the data subject, his rights and freedoms or are necessary for the establishment and/ or the defense of legal claims.

 

If the truck driver/ data subject wants to use the right to object, it is enough to send an email to d.temelkova(at)aurubis.com

Shareholders

I.

Controller

 

For the processing of your personal data, the controller is Aurubis Bulgaria AD, a joint stock company, registered in the Company Register with the Registry Agency under uniform ID code 832046871, having its registered seat and management address in:

 

            Aurubis Bulgaria

            Industrial Zone

            2070 Pirdop

            Bulgaria

 

Aurubis Bulgaria is represented by Tim Kurth – Executive Director.

                        

II.

Contact details of the Data Protection Officer

 

Data Protection Officer, Security and Risk Management Department, Aurubis Bulgaria AD, Industrial Zone, 2070 Pirdop

Phone:            +359 7286 2280

Fax:                +359 7286 2646

E-mail:            d.temelkova(at)aurubis.com

 

III.

Collection and processing of personal data of shareholders in Aurubis Bulgaria AD

1.

 

 

 

 

 

 

 

 

2.

 

 

 

 

3.

 

When issuing an access card, as part of the security and safety measures, review and transfer of the personal data from the identity document is performed, via reader, into the access control system, or the personal data is entered manually into the system. We collect and process the following data:

  •  Name;
  • Personal identification No;
  • Photo;
  • Registration plate No of the vehicle (only in case access with vehicle in needed)

 

Video Surveillance – on the territory of the company are located cameras for 24-hour video surveillance designed for security and operational purposes; on the entrances of the company are located cameras for 24-hour body temperature measurement that aim is to prevent epidemic/ pandemic disease spreading.

 

Other personal data:

  • ID number;
  • Address;      
  • telephone number (landline and/or mobile)

·         Information for current bank account.

 

The processing of personal data in p. III (1-3) is necessary for the following purposes:

  • Security management – including but not limited to activities related to access control, video surveillance, ensuring security of the premises, assets and information held by the company, and for the purposes of preventing and investigating theft, fraud, abuse, conflict of interest, audits and controls; protection against serious cross – border threats to health. The processing of personal data for these purposes is based on the legitimate interests of the company to ensure the safety and security of its assets as well as its employees against any possible risks;
  • Operational management – including but not limited to convening a Shareholders Meeting, payment of dividends, checking the powers of attorneys of the representatives, reporting, establishing, implementing and managing the business activities of the company. The processing of personal data for these purposes is based on the legitimate interests of the company to manage its material and financial resources;
  • Compliance with regulatory requirements and settling of legal disputes - including, but not limited to, the processing of personal data in accordance with regulatory requirements (e.g tax, trade and other applicable legislation). The processing of personal data for these purposes is done on the basis of compliance by the company with applicable legal obligations.

 

Personal data entered into the KIOSK system for initial Health & Safety instruction, for visitors (e.g. Names, ID date of expiry, photo, № and date of instruction) – is stored for up to 5 years according to Art. 9, para. (2) of Ordinance No. RD-07-2 of December 16, 2009 on the conditions for conducting periodic briefing of employees and the rules for ensuring healthy and safe working conditions.

Personal data entered into the access control system is processed and kept for up to 3 years.

Video records are processed and stored for up to 2 months of creation in compliance with the Private Security Services Legislation. The video records of sites under the Waste Management Act are processed for up to 1 year.

All other personal data will be stored for a period of 10 years after payment of dividends. 

 

Video records and indicators of body temperature measurements are processed for up to 2 weeks.

 

Shareholders provide their personal data to the Company on a voluntary basis. If they do not provide their personal data, the company will not be able to fulfill its legitimate purposes and/ or legal obligations.

 

The grounds for processing the personal data under p. III are based on Regulation (EU) 2016/679 as follows: Article 6 (1) (b) of Regulation (EU) 2016/67 and Article 6 (1) (c) of Regulation (EU) 2016/679 and/ or Article 6 (1) (f) of Regulation (EU) 2016/679 and Article 6 (1) (d) of Regulation (EU) 2016/679, in relation with Article 9 (2) (i) of Regulation (EU) 2016/679.

 

V.

Provision of personal data to third parties

 

Aurubis Bulgaria AD uses service providers, who process and store personal data ("Personal Data Processors" pursuant to Article 28 of Regulation (EC) 2016/679). In particular, this is applicable to the security company, legal advisers and other services. These processors work only on contractual basis with Aurubis Bulgaria AD and store and process personal data according to the company's instructions.

 

If you contact Aurubis Bulgaria regarding issues that concern a company affiliated with Aurubis Bulgaria, in individual cases we will provide this affiliated company with your personal data.

 

If you have entered the premises of the company and subsequently informed us that you have been infected in order to prevent the spread of a pandemic/ epidemic disease, this information shall be disclosed to employees of Aurubis Bulgaria AD and employees of contractors who have been in contact with you and respectively may have been infected.

Out of these three circumstances, data will only be provided in individual cases and in a volume that is in accordance with a specific legal obligation of Aurubis Bulgaria AD, as well as in cases where You submitted consent to provide your data.

 

VI.

Shareholders rights as Data Subject

 

  • Right to withdraw consent at any time (Article 7 (3) of Regulation (EC) 2016/679). As a consequence, the company will not be able to continue processing this data if it was based on consent.
  • Right to request confirmation whether the company processes personal data, and if so, information on the storage and processing (Article 15 of Regulation (EC) 2016/679). In particular, information may be requested about the purposes of processing; categories of personal data; the categories of recipients to whom personal data will be or have been provided; storage period; the right to request correction, erasure and / or limitation of processing, to object to such processing and to lodge a complaint with a supervisory authority; information about the source from which the company have received personal data when it was not collected by the subject; information on the availability of automated decision making (including profiling) and, if applicable, relevant detailed information.
  • Right to request immediate rectification of the personal data (Art. 16 of Regulation (EU) 2016/ 679).
  • Right to request erasure of the personal data, unless its processing is necessary:

1) For exercising the right of freedom of expression and information;

2) For compliance with a legal obligation;

3) For reasons of public interest;

4) For the establishment, exercise or defense of legal claims (Art. 17 of Regulation (EU) 2016/ 679).

  • Right to request restriction of the processing of the personal data if: contest their accuracy; the processing is unlawful; the company does not need the personal data any more, but the data subject require them for establishment, exercise or defense of а legal claim; if the data subject has objected to processing pursuant to Article 21 (1) of Regulation (EU) 2016/ 679 (Art. 18 of Regulation (EU) 2016/ 679).
  • Right to receive the personal data in a structured, widely used and machine readable format or request the transfer of this data to another Administrator (Article 20 of Regulation (EC) 2016/679).

 

When exercising the right to receive personal data or to transfer it to another Controller, more than once within 24 months, Aurubis Bulgaria AD reserves the right, according to Ch. III, Art. 12 par. 5 (a) of Regulation (EU) 2016/679, to require payment of administrative costs of BGN 20 per set of paper copy and BGN 20 per electronic carrier.

 

In order to exercise his rights under the above points, the shareholder/ data subject must contact the Data Protection Officer designated by Aurubis Bulgaria AD:

 

Address:         2070. Pirdop, Industrial zone,

Tel :                 + 359 886 131 999

E-mail:            d.temelkova(at)aurubis.com

 

The shareholder/ data subject has the right, under Article 77 of Regulation (EC) 2016/679, to lodge a complaint to the Commission for Personal Data Protection (CPDP) by the ways described in the Commission's website. The contact details of CPDP are:

 

Address:           1592 Sofia, Prof. Tsvetan Lazarov Blvd. 2

Fax:                  02 9153525

E-mail:              kzld(at)cpdp.bg

 

Aurubis Bulgaria AD will cooperate to CPDP in the handling of such complaints and will comply with all recommendations and/ or instructions issued by the supervisory authority.

The shareholder/ data subject has the right to lodge a complaint at Aurubis Group Headquarters by sending an email to dataprotection(at)aurubis.com .

 

 

VII.

Right to object

 

If the personal data is processed on the basis of a legitimate interest of the company pursuant to Article 6 (1) (f) of Regulation (EC) 2016/67, the shareholder/ data subject has the right to object the processing of these data under Article 21 (1) of Regulation (EC) 2016/679. In this case, the company will not continue the processing of the personal data, unless there are convincing legal grounds for the processing that take precedence over the interests of the data subject, his rights and freedoms or are necessary for the establishment and/ or the defense of legal claims.

 

If the shareholder/ data subject wants to use the right to object, it is enough to send an email to d.temelkova(at)aurubis.com

Visitors

I.

Controller

 

For the processing of your personal data, the controller is Aurubis Bulgaria AD, a joint stock company, registered in the Company Register with the Registry Agency under uniform ID code 832046871, having its registered seat and management address in:

 

            Aurubis Bulgaria

            Industrial Zone

            2070 Pirdop

            Bulgaria

 

Aurubis Bulgaria is represented by Tim Kurth – Executive Director.

                        

II.

Contact information for the Data Protection Officer

 

Data Protection Officer, Security and Risk Management department, Aurubis Bulgaria AD, Industrial zone, 2070 Pirdop

Tel.:        +359 7286 2280

Fax:        + 359 7286 2646

E-mail:   d.temelkova(at)aurubis.com

 

III.

Collection and processing of personal data for visitors in Aurubis Bulgaria

1.

 

 

 

 

 

 

 

 

 

 

 

2.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

3.

When issuing an access card, as part of the security and safety measures, review and transfer of the personal data from the identity document is performed, via reader, into the access control system and into the KIOSK system for initial Health & Safety instruction.  The personal data might be  entered manually into the system. We collect and process the following data:

  • Name;
  • Personal identification No or date of birth;
  • Photo;
  • Registration plate No of the vehicle (only in case access with vehicle in needed);
  • Expiration date of the identity document.

 

When visiting Aurubis Bulgaria as a public official and identifying with an official card, as part of the security and safety measures, personal data is entered manually into the access control system. We collect and process the following data:

  •  Name
  •  No of the pass;
  • Public institution, issuing the pass;
  • Registration plate No of the vehicle (only in case access with vehicle in needed).In the KIOSK system for initial Health & Safety induction is performed transfer of the following additional personal data from the identity document, via reader:
  •       Photo;
  •  Expiration date of the identity document.

 

Video Surveillance – on the territory of the company are located cameras for 24-hour video surveillance designed for security and operational purposes; on the entrances of the company are located cameras for 24-hour body temperature measurement that aim is to prevent epidemic/ pandemic disease spreading.

 

The processing of personal data in p. III (1-3) is necessary for the following purposes:

·         Security management – including but not limited to activities related to access control, video surveillance, ensuring security of the premises, assets and information held by the company, and for the purposes of preventing and investigating theft, fraud, abuse, conflict of interest, audits and controls. The processing of personal data for these purposes is based on the legitimate interests of the company to ensure the safety and security of its assets as well as its employees against any possible risks;

  • Operational management – including but not limited to establishment, implementation and management of the business activities of the company, for example: maintenance and monitoring of the use of internal networks and information systems, exchange of written correspondence or other communication, health and safety management, protection against serious cross – border threats to health. The processing of personal data for these purposes is based on the legitimate interests of the company to manage its material resources and workforce, including providing network and information security in its organization, as well as managing its budget effectively;
  • Compliance with regulatory requirements and settling of legal disputes - including, but not limited to, the processing of personal data in accordance with regulatory requirements (e.g tax, social, health, trade and other applicable legislation). The processing of personal data for these purposes is done on the basis of compliance by the company with applicable legal obligations.

 

Personal data entered into the KIOSK system for initial Health & Safety instruction, (e.g. Names, ID date of expiry, photo, № and date of instruction) – is stored for up to 5 years according to Ordinance No. RD-07-2 of December 16, 2009 on the conditions for conducting periodic briefing of employees and the rules for ensuring healthy and safe working conditions.

Personal data entered into the access control system is processed and stored for up to 3 years.

Video records are processed and stored for up to 2 months of creation in compliance with the Private Security services Legislation. The video records of sites under the Waste Management Act are processed for up to 1 year.

 

Video records and indicators of body temperature measurements are processed for up to 2 weeks.

 

The grounds for processing the personal data under p. III are based on Regulation (EU) 2016/679 as follows: Article 6 (1) (b) of Regulation (EU) 2016/67 and Article 6 (1) (c) of Regulation (EU) 2016/679 and/ or Article 6 (1) (f) of Regulation (EU) 2016/679 and Article 6 (1) (d) of Regulation (EU) 2016/679, in relation with Article 9 (2) (h) of Regulation (EU) 2016/679 and Article 9 (2) (i) of Regulation (EU) 2016/679.

 

IV.

Collection and processing of personal data in other cases

 

In other cases, different than the mention in p. III, personal data is collected and processed only if provided voluntarily, as follows:

 

1.

If data subject contacts us directly, especially electronically, e.g., via e-mail, via our website or by telephone, to order a publication or place a request. In this case, we store and process the following data to the extent that has been provided:

  • title, first name, last name,
  • one or more valid e-mail addresses,
  • address,      
  • telephone number (landline and/or mobile)
  • fax number

 

The processing of the above mentioned personal data serves for the following purposes:

  • in order to be able to identify You as our contact;
  • for correspondence with You;
  • in order to inform You about the products, services, and Aurubis Bulgaria/Aurubis Group companies;
  • for initiating and establishing a contractual relationship with You, if applicable;
  • for invoicing, if applicable.

 

The basis for the storage and processing is Article 6 Paragraph 1(b) GDPR (General Data Protection Regulation) if You contact us in order to enter into a contractual and pre-contractual legal relationship; otherwise, Article 6 Paragraph 1(a) GDPR (General Data Protection Regulation).

 

2.

If data subject is communicating with us while acting in a professional capacity for one of our business partners, we store and process professionally used contact data, as follows:

  • business partner for whom you are working
  • title, first name, last name
  • position in the organization of our business partner
  • one or more valid e-mail addresses
  • address     
  • phone number (landline and/or mobile)
  • fax number

 

The processing of the above mentioned personal data serves for the following purposes:

  • in order to be able to identify You as our contact with our business partner;
  • for business correspondence with You;
  • in order to inform You about the products, services, and Aurubis Group companies;
  • in order to offer You Aurubis Bulgaria’s products and services;
  • to initiate, execute, and terminate contracts in connection with the business relationship;
  • to maintain the business relationship with Aurubis Bulgaria;
  • for invoicing;
  • to fulfill legal obligations, especially for the prevention of fraud and money laundering.

 

The grounds for processing this personal data are based on Regulation (EU) 2016/679 as follows: 1) Article 6 Paragraph 1(b) GDPR (General Data Protection Regulation) and Article 6 Paragraph 1(f) GDPR (General Data Protection Regulation) in order to maintain and conduct the business relationship for the length of the business relationship or until the Aurubis Bulgaria business partner communicates that You are no longer employed by them; 2) In cases when we are obligated to store the data for a longer period of time pursuant to Article 6 Paragraph 1 Sentence 1(c) GDPR (General Data Protection Regulation) due to storage and documentation obligations according to legal tax, commercial regulations and other applicable regulations; 3) In cases when You have submitted consent to a longer storage period pursuant to Article 6 Paragraph 1 Sentence 1(a) GDPR (General Data Protection Regulation).

 

3.

If Aurubis Group companies provide personal data of the type described above to us as allowed for the purposes mentioned above, especially for cases in which You have contacted an affiliated company of ours with an issue that relates to us and not that affiliated company.

 

V.

Provision of personal data to third parties

 

Aurubis Bulgaria AD uses service providers, who process and store personal data ("Personal Data Processors" pursuant to Article 28 of Regulation (EC) 2016/679). In particular, this is applicable to the security company and companies that provide and maintain hosting services and servers. These processors work only on contractual basis with Aurubis Bulgaria AD and store and process personal data according to the company's instructions.

 

If you contact Aurubis Bulgaria regarding issues that concern a company affiliated with Aurubis Bulgaria, in individual cases we will provide this affiliated company with your personal data.

 

If you have entered the premises of the company and subsequently informed us that you have been infected in order to prevent the spread of a pandemic / epidemic disease, this information shall be disclosed to employees of Aurubis Bulgaria AD and employees of contractors who have been in contact with you and respectively may have been infected.

 

Out of these three circumstances, data will only be provided in individual cases and in a volume that is in accordance with a specific legal obligation of Aurubis Bulgaria AD, as well as in cases where You submitted consent to provide your data.

 

VI.

Your rights as Data Subject

 

·         Right to withdraw consent at any time (Article 7 (3) of Regulation (EC) 2016/679). As a consequence, the company will not be able to continue processing this data if it was based on consent.

·         Right to request confirmation whether the company processes personal data, and if so, information on the storage and processing (Article 15 of Regulation (EC) 2016/679). In particular, information may be requested about the purposes of processing; categories of personal data; the categories of recipients to whom personal data will be or have been provided; storage period; the right to request correction, erasure and / or limitation of processing, to object to such processing and to lodge a complaint with a supervisory authority; information about the source from which the company have received personal data when it was not collected by the subject; information on the availability of automated decision making (including profiling) and, if applicable, relevant detailed information.

·         Right to request immediate rectification of the personal data (Art. 16 of Regulation (EU) 2016/ 679).

·         Right to request erasure of the personal data, unless its processing is necessary:

1) For exercising the right of freedom of expression and information;

2) For compliance with a legal obligation;

3) For reasons of public interest;

4) For the establishment, exercise or defense of legal claims (Art. 17 of Regulation (EU) 2016/ 679).

·         Right to request restriction of the processing of the personal data if: contest their accuracy; the processing is unlawful; the company does not need the personal data any more, but the data subject require them for establishment, exercise or defense of а legal claim; if the data subject has objected to processing pursuant to Article 21 (1) of Regulation (EU) 2016/ 679 (Art. 18 of Regulation (EU) 2016/ 679).

·         Right to receive the personal data in a structured, widely used and machine readable format or request the transfer of this data to another Administrator (Article 20 of Regulation (EC) 2016/679).

 

When exercising the right to receive personal data or to transfer it to another Controller, more than once within 24 months, Aurubis Bulgaria AD reserves the right, according to Ch. III, Art. 12 par. 5 (a) of Regulation (EU) 2016/679, to require payment of administrative costs of BGN 20 per set of paper copy and BGN 20 per electronic carrier.

 

In order to exercise his rights under the above points, the visitor/ data subject must contact the Data Protection Officer designated by Aurubis Bulgaria AD:

 

              Address:                   2070. Pirdop, Industrial zone,

              Tel :                         + 359 886 131 999

              E-mail:                      d.temelkova(at)aurubis.com

 

The visitor/ data subject has the right, under Article 77 of Regulation (EC) 2016/679, to lodge a complaint to the Commission for Personal Data Protection (CPDP) by the ways described in the Commission's website. The contact details of CPDP are:

 

Address:                      1592 Sofia, Prof. Tsvetan Lazarov Blvd. 2

        Fax:                           02 9153525

        E-mail:                        kzld(at)cpdp.bg

 

Aurubis Bulgaria AD will cooperate to CPDP in the handling of such complaints and will comply with all recommendations and/ or instructions issued by the supervisory authority.

The visitor/ data subject has the right to lodge a complaint at Aurubis Group Headquarters by sending an email to dataprotection(at)aurubis.com .

 

VII.

Right to object

 

If the personal data is processed on the basis of a legitimate interest of the company pursuant to Article 6 (1) (f) of Regulation (EC) 2016/67, the visitor/ data subject has the right to object the processing of these data under Article 21 (1) of Regulation (EC) 2016/679. In this case, the company will not continue the processing of the personal data, unless there are convincing legal grounds for the processing that take precedence over the interests of the data subject, his rights and freedoms or are necessary for the establishment and/ or the defense of legal claims.

 

If the visitor/ data subject wants to use the right to object, it is enough to send an email to d.temelkova(at)aurubis.com