Private data policy

PERSONAL DATA PROTECTION POLICY

OF “PLASTIK SOFIA” LTD


I. INTRODUCTION

PLASTIK SOFIA LTD (“Plastik Sofia”, the “Company”), UIC 130349076, is a commercial company with its registered office and management address at: Sofia 1510, Poduyane District, 12 Stefan Konsulov St.

PLASTIK SOFIA is a data controller within the meaning of REGULATION (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation – GDPR), regarding the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC.

In carrying out its commercial activities, PLASTIK SOFIA undertakes to process personal data in strict compliance with the provisions of the GDPR and the Bulgarian Personal Data Protection Act (PDPA).

To ensure full compliance with EU and Bulgarian legislation concerning the processing of personal data, PLASTIK SOFIA adopts this PERSONAL DATA PROTECTION POLICY, which applies to all personal data processing activities carried out within the Company.

This POLICY applies to all personal data processed by PLASTIK SOFIA, including data of clients, employees, job applicants, suppliers, subcontractors, and partners.

This PERSONAL DATA PROTECTION POLICY is mandatory and must be observed by all employees who work with or for PLASTIK SOFIA and have or may have access to personal data processed by the Company.


II. DEFINITIONS

Article 1. For the purposes of the GDPR and this policy, the following terms shall have the meaning assigned to them by the Regulation, including:

  1. Personal Data – Any information related to an identified or identifiable natural person (data subject).

  2. Special Categories of Personal Data – Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification purposes, data concerning health or a person's sex life or sexual orientation.

  3. Health Information – Personal data related to physical or mental health, including healthcare services provided.

  4. Processing – Any operation or set of operations performed on personal data, whether by automated means or otherwise (e.g., collection, storage, modification, deletion, etc.).

  5. Controller – A legal or natural person that determines the purposes and means of processing.

  6. Processor – A person or entity processing data on behalf of the controller.

  7. Data Subject – The natural person to whom the personal data relates.

  8. Recipient – A natural or legal person to whom data is disclosed.

  9. Third Party – A person other than the data subject, controller, processor, or persons under their direct authority.

  10. Personal Data Breach – A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data.

  11. Supervisory Authority – The Bulgarian Commission for Personal Data Protection.


III. PRINCIPLES RELATING TO THE PROCESSING OF PERSONAL DATA

Article 2. PLASTIK SOFIA processes personal data in accordance with the principles set out in Article 5 of the GDPR, namely:

  1. Lawfulness, Fairness, and Transparency

  2. Purpose Limitation

  3. Data Minimization

  4. Further Processing Only with Consent

  5. Accuracy and Updating

  6. Storage Limitation

  7. Integrity and Confidentiality

  8. Accountability


IV. CATEGORIES OF DATA SUBJECTS AND DATA TYPES

Article 3. (1) PLASTIK SOFIA collects, stores, and processes personal data of the following:

  1. Clients – Identity and contact data; banking data where applicable.

  2. Job Applicants – CV information, contact details, qualification documents, and, if necessary, sensitive data (e.g., criminal records).

  3. Employees – Identification data, employment records, qualifications, salaries, sensitive data related to health or disability if required.

  4. Website Users – Data via cookies, contact forms, IP addresses, browser type, and access time.

  5. Business Partners and Suppliers – Names, contact details, and relevant business data.


V. LAWFULNESS OF DATA PROCESSING

Articles 4 & 5. PLASTIK SOFIA processes data only under a valid legal basis from Article 6(1) of the GDPR (e.g., consent, contract, legal obligation, vital interests, public task, legitimate interests).


VI. PROCESSING FOR SPECIFIC PURPOSES

Articles 6 & 7. Personal data is processed only for explicitly defined purposes (e.g., contractual obligations, communication, marketing – upon consent).


VII. INFORMATION OBLIGATION TOWARDS DATA SUBJECTS

Articles 8 & 9. Data subjects are informed in clear and understandable terms about the processing of their personal data, including their rights, contact details of the controller, data categories, legal grounds, recipients, and more.


VIII–XIV. DATA PROCESSING OBLIGATIONS

These sections include:

  • Data Minimization (Art. 10)

  • Data Accuracy and Updates (Art. 11)

  • Disclosure to Third Parties (Arts. 12–15)

  • International Transfers (Art. 16)

  • Storage Limitation and Retention Periods (Arts. 17–18)

  • Data Subject Rights (Art. 19)

  • Accountability Measures (Arts. 20–21)


XV. DATA SECURITY

Articles 22–24. Measures are adopted to ensure technical and organizational security, including password protection, employee training, encryption, physical access restrictions, and more.


XVI. CONFIDENTIALITY

Articles 25–28. Employees must only access personal data as required for their duties, maintain confidentiality, and follow company policies for data protection.


XVII. PERSONAL DATA BREACHES

Articles 29–31. Any data breach must be reported to the supervisory authority within 72 hours, unless it is unlikely to pose a risk. Data subjects must be informed if the breach may result in a high risk to their rights.


XVIII. FINAL PROVISIONS

Article 32. PLASTIK SOFIA reserves the right to amend this policy and will notify stakeholders accordingly.

Adopted on: July 21, 2025.