This data protection policy sets out the principles and legal conditions that ELBAT AD must comply with when receiving, processing, transferring or storing personal data for the purposes of its business, including personal data of customers, suppliers and employees. The rules are in accordance with the requirements of the General Data Protection Regulation (Regulation 2016/679) (GDPR) and the Personal Data Protection Act (26 February 2019).

Name of the Company-Controller: ELBAT AD, with headquarters and registered address: Republic of Bulgaria, town of Dolna banya, Sofia District, Municipality of Dolna banya, Sarameshe locality, quarter 121, registered in the Commercial Register at the Registry Agency with UIC 175407160;



‘Personal data’ means any information relating to an identified natural person or an identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘Special categories of personal data’ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation;

‘Processing’ means any operation or set of operations which is performed upon personal data or a set of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘Controller’ means any natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU law or the law of a Member State, the controller or the specific criteria for its determination may be laid down in Union law or the law of a Member State; ELBAT AD is the Controller of all personal data relating to its staff, as well as of personal data used for its own purposes;

‘Processor of personal data’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

‘Processing under the direction of the Controller’ means the processor of personal data and any person acting under the direction of the Controller who has access to the personal data shall process such data only on the direction of the Controller, unless the processing is required by Union law or Bulgarian law.

‘Data Subject’ means any living individual who is the subject of personal data held by the Controller;

‘Consent of the data subject’ means any freely given, specific, informed and unambiguous indication of the data subject’s wishes, by means of a statement or a clear affirmative action, which signifies the data subject’s agreement to personal data relating to him or her being processed;

‘Staff’ means all employees and managers appointed under a management and control contract;

‘Recipient’ means the natural or legal person, public authority, agency or other body to whom the personal data is disclosed, whether or not a third party. At the same time, public authorities which may receive personal data in the framework of a specific investigation in accordance with Union or Member State law are not considered to be ‘recipients’; the processing of those data by those public authorities complies with the applicable data protection rules according to the purposes of the processing;

‘Third party’ means any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are entitled to process the personal data;

‘European Economic Area (EEA)’: the 28 EU member countries, plus Iceland, Liechtenstein and Norway.





This POLICY is intended to inform all personal data subjects who have a relationship with ELBAT AD about how their personal data is processed, what personal data is processed, when it is necessary to disclose it to third parties, and the rights of the subjects in accordance with the Regulation. The Policy is general and does not preclude the possibility of detailed and specific Policies being established.

We adhere to the data protection principles in the GDPR which require all Personal Data:

1. To be processed lawfully, fairly and transparently;

2. To be collected only for specific, explicit and legitimate purposes;

3. Be relevant, connected with and limited to what is strictly necessary for the purposes for which they are processed;

4. Be accurate and, where possible, kept up to date;

5. Be kept in a format which permits identification of the data subject for no longer than is necessary for the purposes of the processing;

6. Be processed in a way that ensures their security, using technical and organisational measures to protect them against unauthorised or unlawful processing and against accidental loss, destruction or damage;

7. Not be transferred to another country outside the EEA without the necessary safeguards;

8. Provide data subjects with the opportunity to exercise their rights in relation to their personal data.



The policy applies to all personal data that we process, regardless of the medium in which it is stored or whether it relates to former and current employees, owners of capital or any other data subject.

The data subjects whose personal data is processed are mainly job applicants, employees, persons entrusted with the management or control, owners, contractors and suppliers.

  1. The following personal data is collected from job applicants for the purpose of selection and coordination with the applicant:

• Identification: name, permanent and/or current address, telephone, email;

• Education and professional qualifications; details relating to education, work experience, professional and personal qualifications and skills (CV).

• Others, if expressly provided for in the internal rules and procedures of the individual company.

  2. The following personal data are collected from persons employed under employment relationships and management and control contracts in the company and for the purpose of concluding an employment contract or a management or control contract, which are the minimum legally required for the purposes of recruitment:

• Identification: phone, email, ID card or passport details — name; PIN, PNF (date of birth), permanent and/or current address, ID card number and date of issue.

• Education and professional qualifications: data relating to education, work experience, professional and personal qualifications and skills (employment records, copies of diplomas, qualifications relevant to the position).

• Health data: The Company processes sensitive data only to the extent necessary for the performance of its specific rights and obligations in the area of employment and social security legislation and social benefits and payments.

• Other data:

— Data on social status — marital status, number of children under 18 years of age.

— Criminal record certificate — only where a criminal record is required by law or regulation.

— Video image — photographic images and other data the processing of which is necessary for the performance of their rights and obligations as an employer and/or for the protection of their legitimate interest.

3. Personal data is collected from individuals — customers of the company, which is necessary for the conclusion and performance of the contract:

• Identification: name; PIN (date of birth), permanent and/or current address, contact telephone number, email and job title.

4. Personal data necessary for the conclusion and performance of contracts for the provision of services to the company by external providers is collected from individuals providing services to the company as follows:

• Identification: name, PIN (date of birth), permanent and/or current address, telephone number, e-mail address.

5. Personal data collected in the course of security of company property and access to company buildings and facilities — video image, identification — name, position, organization/company,



The controller and the processor have taken the necessary technical and organisational measures provided for in Regulation (EU) 2016/679 and the Data Protection Act and apply best practices from international standards. In order to maximize the security of the processing, transmission and storage of personal data, all reliable mechanisms are used to protect personal data from loss, theft and misuse, as well as from unauthorized access, disclosure, alteration or destruction.



The Controller may, where necessary, provide personal data to third parties such as competent government authorities and institutions where required by law, as well as to Processors, on the basis of an explicit contract, and all subjects whose personal data is provided to another Processor shall be informed thereof.

In the case of the provision of personal data of employees, including under management and control contracts, customers or service providers, the processor of the specific Controller shall:

• Require sufficient guarantees from the processor to comply with legal requirements and good practices for the processing and protection of personal data.

• Enter into a written agreement or other legal act with identical effect that governs the obligations of the processor and meets the requirements of Article 28 of Regulation (EU) 2016/679.

• Inform the individuals whose data will be provided to a processor.

Access to personal data may also be granted to the relevant state authorities — court, investigation, prosecution, auditing authorities, etc. The aforementioned may request the data in due order in connection with the exercise of their powers.



Transfer of personal data to non-EU/EEA countries is only permissible where:

• The European Commission has adopted a decision confirming that the country to which the transfer takes place ensures an adequate level of protection of the rights and freedoms of data subjects.

• Appropriate safeguards are in place — such as Binding Corporate Rules (BCRs), standard contractual clauses, an approved code of conduct or certification mechanism approved by the Data Protection Commission and/or the European Commission.

• The data subject has given his or her explicit consent to the transfer after being informed of the possible risks, or

• The transfer is necessary for business purposes, including the performance of a contract with the data subject, the protection of the public interest, the establishment and defence of legal disputes, the protection of the vital interests of the data subject in cases where the data subject is physically or legally incapable of giving consent.



Personal data shall be stored in accordance with the time limits specified in the regulations. The specific periods are regulated in the relevant personal data registers, according to the type of data and the purposes for which they are processed. Where the personal data are no longer necessary for the purposes mentioned and/or the time limits have expired, the controller and the processor (on the controller’s instructions) shall delete them or destroy them in another reliable manner.



The collection, processing, storage and protection of personal data shall be carried out only by persons who are expressly instructed to do so and whose official duties or specifically assigned task so require.

A data protection officer is designated with the aim of better regulation, coordination and implementation of common technical and organisational protection measures, ensuring that personal data is always processed in an open, fair and lawful manner. The main role of the Data Protection Officer is methodological guidance and control of the implementation of the data protection policy.

The persons responsible for the protection of personal data and the persons processing personal data on behalf of the controller and/or processor shall be natural persons who have previously undertaken an obligation of confidentiality, possess the necessary competence and have been appointed and/or authorised by an appropriate written act.



Data subjects have the following specific rights in relation to the processing of their personal data:

Right of access to personal data relating to the individual

Individuals shall have the right to access personal data concerning them at any time during processing, without delay, within the statutory period, free of charge and in accordance with the procedure established by the individual company.

Right to objection

Data subjects may object at any time to the processing of their personal data by the company or a processor.

Right of rectification

Data subjects have the right to request the rectification of their personal data if it is incorrect, including the completion of incomplete personal data.

Right to erasure (right to be forgotten)

Data subjects have the right to request the company to erase their personal data without undue delay in cases where:

• The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.

• The data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing.

• The data subject objects to the processing and there are no overriding legitimate grounds for the processing.

• Personal data have been unlawfully processed.

• The personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject.

• The personal data was collected in connection with the provision of information society services to children and consent was given by the person with parental responsibility for the child.

• The controller may refuse to delete data where it has a legal obligation to retain that data.

Right to data portability

The data subject shall have the right to obtain the personal data concerning him or her which he or she has provided to a controller in a structured, commonly used and machine-readable format and shall have the right to transfer those data to another controller without hindrance from the controller to whom those data have been provided, where the processing is based on consent or a contractual obligation and the processing is carried out by automated means.

Right to restriction of processing

The data subject shall have the right to request the restriction of the processing of his or her personal data where:

• The accuracy of the personal data is contested by the data subject, in which case the processing is restricted for a reasonable period of time to allow the controller to verify the accuracy of the personal data.

• The processing is unlawful, and the data subject does not wish the personal data to be erased but requests the restriction of their use instead.

• The controller no longer needs the personal data for processing purposes, but the data subject requires them for the establishment, exercise or defence of legal claims.

• The data subject has objected to processing:

— Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or

— Necessary for the purposes of the legitimate interests of the controller or of a third party.

— Pending verification and response as to whether the lawful grounds for processing override the interests of the data subject.

Data subjects also have the right to:

• Be informed and give their consent to the processing of personal data where such consent is necessary, as the consent of individuals is a freely given, specific, informed, unambiguous and conscious act of their wish concerning the processing of their personal data by the company, and it is also their right to withdraw it at any time.

• Request information about the basis on which their personal data has been provided to a third party for processing.

• Object to a decision taken entirely on the basis of automated processing, including profiling, if applicable.

• Be notified of a personal data breach that is likely to pose a high risk to their rights and freedoms.

• Submit complaints to the regulatory authority.

• In some cases, to obtain or request that their personal data be transferred to countries outside the European Union in a structured, commonly used, machine-readable format (right of portability).

• Be informed of the consequences of not providing personal data.



Any interested person may contact the Data Protection Officer or the following e-mail address: e-mail:; tel. + 359 884 814 533.

The data subject shall have the right to lodge a complaint with the supervisory authority in the Republic of Bulgaria — the Commission for Personal Data Protection.



The policy is periodically updated as a result of changes in the external or internal environment. In case of amendments to the Privacy Policy, the current version will always be available on our website.

Please check regularly for the most up-to-date version of this policy.

This Policy does not override any applicable law.

This Privacy Policy is Version 03 dated 31 October 2022 and has been approved by the CEO of ELBAT AD.

Town of Dolna banya.