The protection of all personal data, in particular the strict respect of confidentiality of customers’ and employees’ data and compliance with the applicable data protection laws, is not only a legal requirement for us. Providing data protection is the basis for strong relationships with customers, business partners and employees. It is, therefore, a matter of great importance for us to protect confidential personal data from any unauthorized access. We draw attention to this topic in the following Privacy Policy.

I. INTRODUCTION

(1) COSMOS THRACE Ltd. (“Cosmos”) is a commercial company registered in the Commercial Register at the Registry Agency with UIC 205813928, with registered office and address of management: Sofia, Chernorizetz Hrabar str. №3, 3rd flr.
(2) COSMOS THRACE is a controller of personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(3) While carrying out its commercial activity COSMOS THRACE shall process personal data in strict compliance with the provisions of the General Regulation on Data Protection and the Personal Data Protection Act (PDPA).
(4) In fulfillment of its commitment to ensure full compliance with the legislation of the European Union (EU) and the Republic of Bulgaria regarding the processing of personal data, COSMOS THRACE adopts this Privacy Policy, which is applicable to all processing activities performed by COSMOS THRACE of personal data.

(5) This policy applies to all personal data processed by COSMOS THRACE, including personal data of customers, employees, suppliers, subcontractors, partners.

(6) This privacy policy is mandatory and should be observed by all suppliers, subcontractors, partners, employees working with or for COSMOS THRACE, as well as by third parties who have or may have access to COSMOS THRACE personal data.

II. DEFINITIONS

For the purposes of the General Data Protection Regulation and for the purposes of this Privacy Policy, the following terms have the following meaning:

1. Personal data – any information related to an identified natural person or an identifiable natural person (data subject); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by an identifier such as name, identification number, location data, online identifier or one or more features specific to the physical, physiological, genetic, mental, intellectual, economic, cultural or social identity of that individual;

2. Special categories of personal data – personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the sole purpose of identifying an individual, data on health condition or data on the sexual life or sexual orientation of the individual;

3. Processing – an operation or set of operations performed with personal data or a set of personal data by automatic or other means such as collection, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing, transmitting, distributing or any other way in which data is made available, arranged or combined, restricted, deleted or destroyed;

4. Administrator – a natural or legal person, public body, agency or other structure, which alone or jointly with others determines the purposes and means for the processing of personal data; where the purposes and means of such processing are determined by EU law or the law of a Member State, the controller or the specific criteria for determining it may be laid down in the Union’s law or in the law of a Member State;

5. Personal data processor – a natural or legal person, public authority, agency or other structure that processes personal data on behalf of the controller;

6. Data subject – a natural person who has been identified or who can be identified on the basis of certain information;

7. Recipient – a natural or legal person, public authority, agency or other entity to which personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the context of a specific investigation in accordance with EU or Member State law shall not be considered as recipients; the processing of such data by those public authorities complies with the applicable data protection rules in accordance with the purposes of the processing;

8. Third party – natural or legal person, public authority, agency or other authority other than the data subject, the controller, the processor and the persons who, under the direct supervision of the controller or the processor, have the right to process personal data;

9. Violation of the security of personal data – means a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data that is transmitted, stored or otherwise processed.

10. Supervisory body means the Commission for Personal Data Protection in the Republic of Bulgaria.

III. PRINCIPLES RELATED TO THE PROCESSING OF PERSONAL DATA

COSMOS THRACE processes personal data in accordance with the principles related to the processing of personal data, regulated in Art. 5 of the General Data Protection Regulation, namely:

1. Compliance, Fairness and Transparency
COSMOS THRACE processes personal data in compliance with the mandatory provisions of the General Data Protection Regulation and the LPPD, sincerely and openly.

2. Limited Data Collection
COSMOS THRACE processes personal data only for specific, explicitly stated and lawful purposes and does not further process them in a manner incompatible with these purposes.

3. Minimizing the Personal Data Used
COSMOS THRACE processes personal data, limited as necessary in connection with the purposes for which they are processed. COSMOS THRACE collects and processes only the minimum necessary personal data of individuals which:
• are provided by law;
• are needed to perform a contract;
• are needed to fulfill the purposes for which they are collected.

4. Collected personal data shall be processed for other purposes only with the consent of the persons
In all cases where it is necessary for the collected and processed personal data of individuals to be used for purposes other than the primary ones, COSMOS THRACE notifies the relevant individuals, seeks their consent and proceeds to process their personal data for other purposes only after their explicit consent.

5. Accuracy and Timeliness
The personal data stored by COSMOS THRACE shall be kept accurate and up-to-date, and all reasonable measures shall be taken to ensure the timely correction of inaccurate personal data.

6. Storage restriction
COSMOS THRACE stores personal data in a form that allows the identification of the data subject for a period not longer than necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as they will be processed exclusively for archiving purposes in the public interest, for scientific or historical research or for statistical purposes in accordance with Article 89 (1), provided that the appropriate technical and organizational measures provided for in this Regulation are implemented in order to guarantee the rights and freedoms of the data subject (“storage restriction”).

7. Integrity and confidentiality
COSMOS THRACE processes personal data in a way that ensures an appropriate level of security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures.

8. Accountability
COSMOS THRACE is responsible and able to prove that it complies with its obligations in relation to the processing of personal data.

IV. CATEGORIES OF DATA SUBJECTS AND CATEGORIES OF PERSONAL DATA

1. Customers, business partners and suppliers
COSMOS THRACE processes personal data of individuals who represent (by law or by proxy) or work for business partners, suppliers and investors of COSMOS THRACE. Therefore, and to the extent permissible in the ordinary course of business, COSMOS THRACE may process the following categories of personal data:

• Ordinary personal data: Names, address, telephone, e-mail and other data, which are relevant in the present case.

In the event that COSMOS THRACE decides to process data of data subjects for marketing purposes, it shall take the measures necessary to obtain prior informed consent from the data subject.

2. Job candidates
• Ordinary personal data: Information contained in the CV of the candidate, such as names of the person, contact details (telephone number and e-mail), copies of documents for professional and educational qualification, etc.

3. Staff
COSMOS THRACE collects the following categories of personal data from employees:
• Ordinary personal data: names, PIN, passport data, education and qualifications, profession, length of service, remuneration, bank account data and others;

• Special category of personal data: health status information contained in sick leaves, documents certifying permanent incapacity for work and / or other documents required by the applicable legislation for the respective position or in order to exercise specific rights of the employee.

In the general case, COSMOS THRACE does not process personal data of employees on the basis of consent. However, in certain situations, consent may be required where it is required by the applicable law, including for the processing of a specific category of personal data.

V. OBLIGATION FOR LAWFUL AND CONSCIENTIOUS PROCESSING OF PERSONAL DATA

(1) COSMOS THRACE establishes the grounds for processing the personal data under Art. 6 (1) of the General Data Protection Regulation:

1. The data subject has given consent to the processing of his/her personal data for one or more specific purposes.
2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

3. Processing is necessary for compliance with a legal obligation to which the controller is subject.

4. Processing is necessary in order to protect the vital interests of the data subject or of another natural person.

5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

(2) COSMOS THRACE performs only activities for processing personal data for which there is any of the grounds under Art. 6 (1) of the General Data Protection Regulation.

VI. OBLIGATION TO PROCESS PERSONAL DATA FOR SPECIFIC PURPOSES

(1) The processing of personal data shall be carried out in fulfillment of the legal obligations of COSMOS THRACE, as well as in fulfillment of contractual obligations undertaken by COSMOS THRACE or on the basis of informed consent given by the client.

(2) In carrying out its commercial activity COSMOS THRACE shall collect and use categories of personal data, indicated in the register of the activities for processing of personal data under art. 30 (1) of the General Data Protection Regulation (Appendix No.1). COSMOS THRACE receives personal data directly from the data subject (for example, when completing validated sample documents or correspondence via email, telephone or other means of communication) or from other sources (e.g. from partners, subcontractors, payment service providers, etc.).

(3) COSMOS THRACE shall process personal data only for specific and explicitly indicated purposes, indicated in the register of the activities for processing of personal data under Art. 30 (1) of the General Data Protection Regulation, namely:

1. for implementation of the services offered by COSMOS THRACE;
2. for client registration and respectively for reporting;
3. in order to fulfill a contract, which has been concluded or which is in the process of conclusion with a client of COSMOS THRACE, as well as for the conclusion or execution of a labour agreement with employees of COSMOS THRACE;

4. when this is necessary for the protection of the legitimate interests of COSMOS THRACE or third parties, provided that the legitimate interests and fundamental rights and freedoms of the data subject do not take precedence over these legitimate interests;
5. for up-to-date contact information with the data subject;
6. for providing information, including marketing communication through the channels chosen by the client (e.g. e-mail or telephone).

(4) In case the data of the subject have to be used for a purpose incompatible with the original one, COSMOS THRACE shall notify him/her in due time and explain to him/her what is the legal basis, which allows the data to be used for this new purpose as well.
(5) COSMOS THRACE provides the data subjects with the opportunity to choose whether to share their personal data with the company. In case the data subject objects to the processing of the personal data by COSMOS THRACE, the company respects this choice in accordance with its legal obligations. The objection may mean that COSMOS THRACE will not be able to carry out the activities necessary to achieve the objectives described above. It may also mean that the subject may not be able to use the services and products offered by COSMOS THRACE if he/she does not provide it with personal information about himself/herself or if, after the data subject has provided this information, he/she objects to the processing by COSMOS THRACE.

(6) The following applies to COSMOS THRACE’s employee data:

1. Personal data of employees can be processed within the context of the employment relationship when necessary for making hiring decisions or, after hiring, for performing or terminating the employment contract, and for exercising or satisfying the rights and obligations of representatives of contractors and employees. Personal data of these data subjects can be processed for crime investigations only when there are grounds to believe that the investigated crime took place during the ongoing employment relationship, provided that the lawful right of the data subject not to have his/her own data processed does not prevail and, more specifically, that the type and scope of the data processing are not disproportionate to the underlying reasons for the investigation.

2. The Company sets in place the needed mechanisms for ensuring compliance with the principles of personal data processing, in line with the General Regulation, covered in section III.

3. These rules also apply when personal data, including special categories of personal data, of employees are processed without participating or intended to be part of a document registration system.

4. In this context, the persons who will be considered as employees are also persons employed for the purposes of vocational training (trainees).
5. Data processing is necessary to comply with the legal obligations of NUWOLO. The processing of personal data for employees is also admissible where national law requires, prescribes or authorizes data processing. The nature and scope of the data processing must be necessary for legally required data processing activities and comply with the relevant legal provisions. Personal data may be shared with different categories of recipients. For example, COSMOS THRACE provides personal data to the National Revenue Agency, the National Social Security Institute, the Executive Agency “General Labor Inspectorate”, competent law enforcement, law enforcement agencies, as well as other government agencies and institutions.

VII. OBLIGATION TO NOTIFY THE DATA SUBJECT

(1) In fulfillment of its obligations under art. 12, 13 and 14 of the General Data Protection Regulation COSMOS THRACE provides the data subject with comprehensible and easily accessible information about the personal data that it processes.

1. In the event that COSMOS THRACE receives personal data directly from the data subject, the data subject shall be informed of the confidentiality in an appropriate form containing clear, simple and comprehensible language and including the following information:
a) the data identifying COSMOS THRACE and the contact details of COSMOS THRACE and, where applicable, those of the COSMOS THRACE representative;

b) the contact details of the Data Protection Officer, where applicable;
c) the purposes of the processing which the personal data are intended for and the legal basis for the processing;
d) where the processing is carried out on the basis of Article 6, para. 1, item f) of the General Data Protection Regulation (legitimate interests of COSMOS THRACE or a third party), the legitimate interests pursued by COSMOS THRACE or a third party;

e) the recipients or categories of recipients of the personal data, if any;
f) where applicable, the intention of COSMOS THRACE to transfer personal data to a third country or to an international organization, as well as the presence or absence of a decision of the European Commission (EC) on the adequate level of protection or, in case of data transfer under Article 46 or 47, or Article 49 (1), para. 2 of the General Data Protection Regulation, a reference to the appropriate or applicable safeguards and the means of obtaining a copy thereof or information where available;

g) the period which the personal data will be stored for and, if not possible, the criteria used to determine that period;
h) the existence of a right to request from COSMOS THRACE access to personal data, to correct or delete personal data or to restrict the processing of personal data relating to the data subject, or a right to object to the processing, as well as the right to the portability of the data;

i) where the processing is based on the consent of the data subject, the existence of a right of withdrawal of consent at any time, without prejudice to the lawfulness of the processing based on consent before it is withdrawn;

j) the right to appeal to the Commission for Personal Data Protection (CPDP);
k) whether the provision of personal data is a mandatory or contractual requirement or a requirement necessary for the conclusion of a contract, and whether the data subject is obliged to provide personal data and the possible consequences if such data is not provided;

l) the existence of automated decision-making, including profiling, and at least in these cases essential information on the logic used, as well as the significance and intended consequences of such processing for the data subject.

2. In the event that COSMOS THRACE receives personal data from sources other than the data subject, the data subject shall be informed of the confidentiality in an appropriate form containing clear, simple and comprehensible language and including the information referred to in the previous point, as well as information on the relevant categories of personal data, the source of the personal data and, if applicable, whether the data are from a publicly available source. The privacy notice shall be brought to the attention of the data subject within a reasonable time after receipt of the personal data, but no later than 1 month or upon contacting the data subject at the latest or disclosing the personal data to another recipient for the first time.

VIII. OBLIGATION FOR ADEQUATE, RELEVANT AND RESTRICTED PROCESSING OF PERSONAL DATA

COSMOS THRACE collects personal data within the limits of what is necessary for the purpose of processing, brought to the knowledge of the data subject.

IX. OBLIGATION TO PROCESS ACCURATE AND UPDATED PERSONAL DATA

(1) COSMOS THRACE collects accurate personal data and ensures its timely updating.
(2) Upon receipt of personal data, the employees of COSMOS THRACE, engaged in the process of collection of personal data, shall check the accuracy of the personal data provided to COSMOS THRACE.
(3) The personal data stored by COSMOS THRACE shall be reviewed periodically.
(4) COSMOS THRACE has adopted rules for processing the applications for correction of personal data by the data subject (Appendix No. 2).

(5) All suppliers, subcontractors, partners, workers and employees who work with or for COSMOS THRACE, as well as third parties who provide personal data to COSMOS THRACE, shall be obliged to notify of any change in the personal data provided by them.

X. PROVISION OF PERSONAL DATA OF THE ENTITY TO THIRD PARTIES
(1) Personal data may be shared with different categories of recipients. For example, in fulfilling legal obligations of the administrator, personal data may be provided to the National Revenue Agency, the National Social Security Institute, the Executive Agency “General Labor Inspectorate”, competent law enforcement, law enforcement agencies, as well as other government agencies and institutions.

(2) COSMOS THRACE transfers data to other natural / legal persons who provide a certain type of goods or services to COSMOS THRACE, including services for information maintenance and security of IT systems, accounting services, archive and legal services and others. In such cases, COSMOS THRACE shall enter into a written agreement with the specific service provider that has provided sufficient guarantees for the application of appropriate technical and organizational measures in such a way that the processing complies with the requirements of Regulation (EU) 2016/679 and ensures protection of the rights of data subjects.

(3) COSMOS THRACE maintains partnerships with other independent controllers of personal data. In connection with this partnership, it is possible for the parties to share certain data with each other. In such cases, COSMOS THRACE shall inform the data subjects in an appropriate manner about these categories of recipients, as well as conclude an additional agreement with the respective independent controller, thus, ensuring the confidentiality of the personal data shared.

(4) Where COSMOS THRACE and a third-party administrator act as joint administrators, they shall define in a transparent manner their respective responsibilities for the implementation of the obligations under Regulation (EU) 2016/679 by mutual agreement.

XI. INTERNATIONAL TRANSFER OF PERSONAL DATA – TRANSMISSION OF PERSONAL DATA TO THIRD COUNTRIES OUTSIDE THE EU AND THE EEA

(1) COSMOS THRACE may transfer personal data to third countries outside the European Union and the European Economic Area only in compliance with the requirements of Regulation (EU) 2016/679 and in particular those set out in Chapter V thereof.
(2) The transfer shall be made on the basis of a decision of the European Commission regarding the adequate level of protection provided by the third party in question. In the absence of such a decision by the European Commission, the transfer to a third party can only take place if there are adequate safeguards and provided that the data subjects’ rights and effective remedies are in place. Appropriate safeguards are standard data protection clauses included in personal data processing agreements concluded between COSMOS THRACE and the third party concerned.

(3) Alternatively, the transfer of personal data to a third party may take place after the explicit consent of the data subject or where there are other grounds referred to in Article 49 (1) of Regulation (EU) 2016/679.

XII. OBLIGATION TO LIMIT THE STORAGE OF PERSONAL DATA

(1) COSMOS THRACE shall store personal data only for a period not longer than necessary for the purposes for which the personal data are processed.

(2) After the expiration of the term of storage COSMOS THRACE shall ensure their proper destruction or deletion in accordance with an established procedure.
(3) Terms for storage of personal data in COSMOS THRACE

1. The personal data of employees contained in the employment insurance documentation are stored for a period of 50 (fifty) years in accordance with the National Archives Fund Act, the Accounting Act, the Social Security Code and the Tax Insurance Procedure Code;

2. Personal data of job applicants who have not been approved for appointment in COSMOS THRACE are stored for a period not longer than 6 (six) months from the end of the procedure, after which they are returned to the person or destroyed in an appropriate manner. Personal data may be stored for a long period for the purpose of submitting job offers only with the consent of the job applicant;

3. The records from the technical means for video surveillance are stored for 2 (two) months from their preparation;

4. Personal data contained in accounting documents are stored within the time limits under Article 12 of the Accounting Act.

5. Along with these basic deadlines, COSMOS THRACE has established its rules for determining the term for storage and procedure for destruction of personal data (Appendix No. 3).

XIII. OBLIGATION TO PROCESS PERSONAL DATA IN ACCORDANCE WITH THE RIGHTS OF THE DATA SUBJECT

COSMOS THRACE processes personal data, ensuring the exercise of the rights of the data subject, namely:

1. right to information about his/her personal data stored by COSMOS THRACE and receipt of a copy of his/her personal data stored (right of access);

2. right to correction of his/her personal data, if the same are inaccurate or out of date;

3. the right to have his/her personal data deleted, if applicable (right to be forgotten);

4. right to limit the processing of his/her personal data;
5. the right to withdraw the consent for processing of his/her personal data, if applicable;

6. right of portability of his/her personal data (to receive them or to be transferred to another personal data controller in a structured, widely used and machine-readable format), if applicable;

7. the right of his/her personal data not to be the subject of automatically taken decisions, which would affect him/her to a significant degree, without the possibility for human intervention;
8. right to object to the processing of his/her personal data, if applicable;
9. right to appeal against the processing of his/her personal data before the Commission for Personal Data Protection (CPDP) – Sofia, 1592, Blvd. “Prof. Tsvetan Lazarov” No 2 or at www.cpdp.bg.

XIV. OBLIGATION FOR REPORTING ON THE PROCESSING OF PERSONAL DATA

(1) COSMOS THRACE shall be liable and shall be able to prove that it complies with its obligations in connection with the processing of personal data.
(2) In its capacity of administrator of personal data COSMOS THRACE has created and maintains a register of the activities for processing personal data under Art. 30 (1) of the General Data Protection Regulation, according to an approved model, which contains the following information:
1. activity for processing of the personal data;
2. purpose of the processing of the personal data;
3. grounds for processing the personal data;

4. category of personal data subjects;

5. categories of personal data;

6. source of the personal data;
7. term of storage of the personal data;
8. recipients of personal data;
9. automated decision-making / profiling;

10. organizational and technical measures for protection;
11. name of the state or the international organization upon transfer of personal data;
12. guarantees for transfer of personal data to third countries or international organizations;

13. joint administrators;
14. processing personal data.
(3) When necessary COSMOS THRACE shall carry out an assessment of the impact on the protection of the personal data, taking into account all the circumstances, related to the activities for processing of personal data.
(4) Where, as a result of the personal data protection impact assessment, it is clear that COSMOS THRACE will start processing personal data which, due to a high risk, could cause harm to data subjects, the decision whether or not to continue processing should be submitted for review by the Data Protection Officer.

(5) In case the data protection officer has serious concerns about the potential damage or danger, or about the quantity of the respective data, the issue should be referred to the CPDP.

(6) COSMOS THRACE shall prove the fulfillment of its obligations in connection with the processing of personal data by documenting the main processes of personal data processing, adoption and application of rules and procedures for personal data processing, as well as by joining codes of conduct, implementation of appropriate technical and organizational measures, adoption of personal data protection techniques at the design stage and default personal data protection, assessment of the impact on personal data protection, etc.

XV. OBLIGATION TO GUARANTEE SECURITY IN THE PROCESSING OF PERSONAL DATA

(1) COSMOS THRACE is aware of the risks associated with the processing of certain categories of personal data.
(2) In determining the appropriateness of the processing, COSMOS THRACE shall consider the extent of any damage or loss that may be caused to the data subject if a security breach occurs, as well as any probable damage to COSMOS THRACE’s reputation, including any loss of customer trust.

1. In assessing appropriate technical measures to ensure security in the processing of personal data, COSMOS THRACE shall analyze the following circumstances:
a) password protection provided;

b) the existence of automatic locking of idle workstations in the network;
c) removal of access rights for USB and other removable storage media;
d) antivirus software and firewalls;
e) access rights;
f) the protection of devices leaving the premises of the organization, such as laptops and mobile phones;

g) the security of local and wide area networks;

h) confidentiality enhancement technologies, such as pseudonymization and anonymization;

i) identification of appropriate international security standards.
2. In assessing the appropriate organizational measures to ensure security in the processing of personal data, COSMOS THRACE shall take into account:

a) appropriate training for COSMOS THRACE staff;

b) guarantees of the reliability of COSMOS THRACE staff (e.g. recommendations);
c) the inclusion of obligations regarding the protection of personal data in the employment contracts of the employees of COSMOS THRACE;
d) the provision of disciplinary sanctions for the employees of COSMOS THRACE for violations in the processing of personal data;

e) regular inspections of COSMOS THRACE staff for compliance with the relevant security standards;

f) exercising control over the physical access to personal data recorded on electronic media or contained on paper;

g) the adoption and adherence to a “clean workplace” policy;
h) storage of personal data contained on paper in lockable wall cabinets;
i) restricting the use by COSMOS THRACE employees of mobile electronic devices inside and outside the workplace;

j) adoption and observance of rules for creation and use of security passwords;
k) regular backup of personal data and physical storage of media with copies outside the office;

l) the inclusion of obligations regarding the protection of personal data in contracts with suppliers, subcontractors, partners and third parties, as well as an obligation for them to take appropriate security measures when transferring data outside the EU.

(3) All suppliers, subcontractors, partners, employees who work with or for COSMOS THRACE and who have or may have access to the personal data processed by COSMOS THRACE, shall be responsible for ensuring the security of the storage of personal data.
(4) All suppliers, subcontractors, partners, employees who work with or for COSMOS THRACE and who have or may have access to the personal data processed by COSMOS THRACE, shall be obliged to store securely and not to disclose personal data to third parties, unless COSMOS THRACE has granted the right of access to this data by concluding a confidentiality agreement for this purpose.

XVI. CONFIDENTIALITY

(1) Personal data is subject to confidentiality. It is forbidden for employees to perform unauthorized collection, processing or use of personal data. Any processing by an employee that is not entrusted to him/her in the performance of his/her duties is unauthorized. The “need to know” principle applies: employees can only access personal data if and to the extent necessary for their respective tasks. This requires careful division and separation of roles and responsibilities, as well as their implementation and maintenance within the scope of authorization concepts.

(2) Employees are not authorized to disclose personal information to unauthorized persons, to make it available in any other way, or to use it for personal or economic purposes. Company managers must inform their employees of the obligation to protect the privacy of the data when they start work. This obligation shall remain in effect also after the employment of the employee concerned has ended.

(3) Personal data must be protected at any time against unauthorized access, unauthorized processing or disclosure, as well as accidental loss or destruction. This applies irrespective of whether the data is processed electronically or in paper form.

(4) Before implementing new processes or data processing, especially new information systems, all technical and organizational measures to protect personal data must be defined and implemented. These measures must be appropriate to the current technology standards, the risks arising from the processing and the need for data protection (defined by the classification process). The responsible department can consult with the corporate data protection officer. The technical and organizational measures for the protection of personal data are part of the Company's information security management and must be kept consistent with technical and organizational changes.

XVII. VIOLATION OF THE SECURITY OF PERSONAL DATA

(1) The proper handling of personal data breaches is essential, as the General Regulation provides for a very strict reporting requirement for data breaches. In the case of data security breaches, there are legal obligations to notify the supervisory authority and the data subjects.

1. “Personal data breach” means a security breach that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data that is transmitted, stored or otherwise processed. A data security breach is a violation of data security and data protection where it is probable or proven that personal data has become known to unauthorized persons. Data security breaches often involve significant risks to the person concerned, such as damage to reputation, even credit card abuse or identity theft, as well as serious adverse consequences for the company.

2. The General Regulation provides for a mandatory reporting requirement for data breaches. Art. 33 of the General Regulation (notification of the supervisory authority) and Art. 34 of that Regulation (for the notification of data subjects) determine when such an obligation is applicable.
(2) In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Art. 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

(3) The processor shall notify the controller without undue delay after becoming aware of a personal data breach. The notification referred to in paragraph 1 shall at least:

1. Describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.

2. Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained.
3. Describe the likely consequences of the personal data breach.
4. Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

(4) The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with Art. 33 of the General Regulation.

(5) When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

(6) The communication to the data subject referred to above shall describe in a simple manner the nature of the personal data breach, covering at least:
1. The name and contact details of the data protection officer or other contact point where more information can be obtained.
2. The likely consequences of the personal data breach.
3. The measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

(7) The above communication to the data subject is not required if any of the following conditions are met:

1. The controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.
2. The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in Art. 34(1) of the General Regulation is no longer likely to materialize.

3. It would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

(8) If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that at least one of the conditions listed above is met (ref. Art. 34(3) of the General Regulation).

XVIII. FINAL PROVISIONS

(1) Data protection officer in COSMOS THRACE

1. According to Art. 37, para. 2 of the Regulation, COSMOS THRACE has appointed a data protection officer, and all interested parties have easy access to this employee.

2. The Data Protection Officer monitors compliance with this Policy and serves as the single point of contact for all data subjects in exercising their rights under this Policy and the applicable data protection legislation.


3. The Data Protection Officer shall be:
Nikolai Gaidarski

Tel.: +359 2 8668657

Email: [email protected]

4. The Data Protection Officer shall render assistance to the data subjects and shall be obliged to fulfill his/her obligations under Art. 37-39 of Regulation (EU) 2016/679. The data subject may address all requests and questions related to the exercise of his/her rights under the Regulation to the said Data Protection Officer.

(2) Amendments and supplements to the Personal Data Protection Policy
COSMOS THRACE reserves the right to change this Privacy Policy and, if necessary, will notify all interested parties in an appropriate manner.


This Privacy Policy was last amended on 10.02.2023.


This Privacy Policy is available for reference by the employees of COSMOS THRACE on the server of the Company. It is also available on paper or electronic media in the office of the Company, and is made available to any interested data subject who wishes to become acquainted with it.
