I. GENERAL PROVISIONS

1.1. With this Privacy Policy, Talent Bridge Ltd. (“Talent Bridge” and/or “the Company”) takes into account the privacy of individuals and makes efforts to protect against unlawful processing of personal data of individuals. In accordance with the legislation and good practices, the Company applies the required technical and organizational measures to protect personal data.

1.2. This Privacy and Personal Data Protection Policy has been drawn up in accordance with the requirements of Regulation 2016/679 (GDPR) and regulates:

1.2.1. The mechanisms for keeping, maintaining and protecting personal data in Talent Bridge in order to guarantee the privacy of individuals and privacy, by ensuring data protection for individuals in the event of unlawful processing of personal data related to them.

1.2.2. The types of personal data processed at Talent Bridge and their general and technological description.

1.2.3. The rights and obligations of persons processing personal data and/or persons who have access to personal data and work under the direction of the personal data processors, their liability in the event of failure to fulfill these obligations.

1.2.4. The necessary technical and organizational measures to protect personal data from unlawful processing (accidental or unlawful destruction, accidental loss or alteration, unlawful disclosure or access, unauthorized modification or dissemination, as well as from all other unlawful forms of personal data processing).

1.2.5. Incident reporting, management and response procedures. The organization and procedure for exercising control over the processing of personal data by Talent Bridge employees.

1.2.6. Provision of data to third parties – basis, purpose, categories of personal data.

1.2.7. The period for which the personal data will be stored.

1.2.8. Right to request from Talent Bridge access to, correction or deletion of personal data or restriction of processing of personal data relating to the data subject, or right to object to processing, as well as the right to data portability.

1.3. The Policy is approved, supplemented, amended or repealed by order of the Manager of the Company.

1.4. “Talent Bridge” EOOD is a limited liability company, established under the laws of the Republic of Bulgaria, registered in the Commercial Register of the Registry Agency with UIC 208330450, with seat and management address: Sofia, 21 Hristo Botev Blvd., fl. 2, ap. 8 and processes only legally collected personal data necessary for specific, precisely defined and lawful purposes. The personal data that Talent Bridge collects and processes should be accurate and, if necessary, updated. Personal data is deleted after the expiration of the statutory storage periods.

1.5. Talent Bridge maintains personal data in a form and format that allows for identification of the identity of individuals for no longer than is necessary to fulfill the purposes for which the personal data is processed and the statutory deadlines.

1.6. Talent Bridge takes the protection of personal data seriously and responsibly and collects and processes data in accordance with applicable data protection laws, including the European Union (EU) General Data Protection Regulation (Regulation 2016/679) and the Personal Data Protection Act.

II. DEFINITIONS

Within the meaning of the current legislation and this Policy, the definitions used in this document have the following meaning:

2.1. “Personal data” (in short – “Data”) means any information by which a natural person can be identified such as: name, identification number (PIN or personal number of a foreigner), location data, email address, etc.;

2.2. “Non-personal data” means information by which a natural person cannot be identified such as: name of the legal entity. registration number of the legal entity, email address of the legal entity.

2.3. “Processing” refers to any procedure performed with or without the aid of automated processes or any set of such procedures relating to personal data, such as acquisition, recording, organization, submission, storage, adaptation or modification, reading, querying, use, disclosure
by communication, dissemination or any other form of provision, comparison or connection, application of restrictions, deletion or destruction;

2.4. “Consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes, by which he or she, by a statement or by a clear affirmative action, signifies agreement to personal data relating to him or her being processed;

2.5. “Recipient” means the natural or legal person, public authority, agency or other body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the context of a specific investigation in accordance with
Union or Member State law shall not be considered as “recipients”; the processing of such data by those public authorities shall comply with the applicable data protection rules in accordance with the purposes of the processing;

2.6. “Third party” means a natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the personal data;

2.7. “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

2.8. “Supervisory authority” means an independent public authority established by a Member State pursuant to Article 51 of the Regulation, which is responsible for monitoring the application of the Regulation in order to protect the fundamental rights and freedoms of natural persons with regard to processing and to facilitate the free movement of personal data within the Union. In the Republic of Bulgaria, this supervisory authority is the Personal Data Protection Commission with contacts: Sofia, p.o. 1592, 2 Prof. Tsvetan Lazarov Blvd., tel. 02/91-53-518, e-mail:
kzld@cpdp.bg

III. PROCESSING OF PERSONAL DATA.
PURPOSE OF PROCESSING OF PERSONAL DATA

3.1. Talent Bridge processes personal data through a set of operations that can be performed on personal data by automated or other non-automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure and destruction, in compliance with the following principles:
3.1.1. lawfulness, fairness and transparency of the processing of personal data;
3.1.2. appropriateness of the processing of personal data;
3.1.3. proportionality of personal data processing;
3.1.4. accuracy and up-to-dateness of the processed personal data;
3.1.5. storage limitation;
3.1.6. integrity and confidentiality;
3.1.7. accountability

3.2. Talent Bridge ensures that it complies with all these principles both in the processing of personal data that it currently carries out and as part of the introduction of new means of processing, such as new information systems.

3.3. The company processes personal data independently or by assigning data processors, determining the purposes and scope of the obligations assigned by the controller to the data processor, if there is a relevant legal basis, in accordance with the requirements of the Regulation
and in compliance with national law.

3.4. Talent Bridge collects and processes personal data of clients, suppliers, subcontractors and job applicants under one of the following conditions:
3.4.1. A personal data protection agreement has been concluded with the client, supplier, subcontractor and applicant;
3.4.2. The client, supplier, subcontractor and applicant has consented to the processing of his personal data for one or more specific purposes;
3.4.3. The processing is necessary for the performance of a contract to which the client, supplier, subcontractor and candidate are parties;
3.4.4. The processing is necessary for compliance with a legal obligation to which Talent Bridge is subject;
3.4.5. The processing is necessary for the purposes of Talent Bridge’s legitimate interests.

3.5. The personal data of each person are collected in fulfillment of a regulatory obligation – the provisions of laws, by-laws, codes and others via: e-mail, on paper – written documents – contracts, applications, CVs, statements, personal documents on current issues in the work
process, submitted by the person, as well as from external sources (from social networks, judicial, financial, insurance, tax, etc. institutions in fulfillment of regulatory requirements).

3.6. Talent Bridge declares that personal data are processed only for the purposes for which they were initially collected. In the event that it becomes necessary to process the collected data for another purpose, the Company will make an individual assessment of the compatibility of the
purposes for each specific case, and if necessary, will seek the consent of the individuals in a clear and concise form.

3.7. Talent Bridge processes identification data and other personal data collected through job applications, in connection with hiring personnel, or in connection with our relationships with clients and suppliers in order to provide the services it provides to clients and job candidates, to
fulfill its contractual and pre-contractual obligations, as well as to exercise its rights under the concluded contracts. The processing of personal data is carried out for the purpose of:
3.8.1. performance of contracts for personnel selection services;
3.8.2. provision of opportunities and vacancies to job candidates;
3.8.2. preparation of a proposal for concluding a contract;
3.8.3. preparation and sending of orders/invoices for the services used by clients;
3.8.4. to ensure the necessary comprehensive service to clients and candidates, as well as to collect the amounts due for the services used;
3.8.5. notifications about everything related to the services used by clients and candidates.

3.9. In certain cases, Talent Bridge may process personal data only after prior written consent. Such explicit consent will only be necessary if Talent Bridge needs data that is more than the minimum data required to conclude and perform the contract or provide the service.

IV. TYPES AND STORAGE OF PERSONAL DATA

4.1. The categories of personal data that Talent Bridge collects and processes from individuals may be:

4.1.1. company data (company name, UIC number, VAT number, address of the registered office and management address, names of representatives, etc.), customer payment information, information about the type and content of the contractual relationship, as well as any other
information related to the contractual relationship, including: information about orders, complaints, requests, grievances; other feedback received from customers; personal contact data – contact address, telephone number and contact information (email, telephone number); bank
account number or other banking and payment information in connection with payments made to Talent Bridge.

4.1.2. identity data, names, gender, personal identification number, information on age, work experience and experience of job applicants, as well as information on education, completed courses/internships, contact address, contact information (email, phone number) of the applicants,
social media data, citizenship and work permit, other information included in a CV provided by the job applicant; when by law the applicant has given explicit consent – ​​information on health status and disabilities, information on criminal record, etc.

4.2. The organization and storage of personal data in Talent Bridge is carried out using technical means and in rare cases, when obtained in this way – on paper. Paper media of personal data are stored in folders to which only the personal data processors have access.

4.3. Data stored on a technical medium are processed on computers, and only the personal data processor has access to them through the relevant username and password.

4.4. Only the personal data processors have access to the relevant personal data. The possibility of granting another person access to personal data during their processing is limited and explicitly regulated by the company’s policies and procedures.

4.5. Talent Bridge stores the personal data of individuals for as long as necessary for the purposes of the processing for which the data were collected and for any other permissible and related purpose or until the expiry of the legally prescribed period.

4.6. Talent Bridge does not delete personal data if they are necessary for pending legal, administrative proceedings or proceedings to consider a customer complaint before the company.

V. MEASURES TO ENSURE THE LEVEL OF SECURITY

5.1. Talent Bridge takes the necessary technical and organizational measures provided for inapplicable legislation, as well as best practices, to protect the data of the company, its clients, suppliers and subcontractors.

5.1. The measures for the protection of personal data of individuals are described in detail in the “Procedure for the Protection of Personal Data of “Talent Bridge” EOOD”.

5.2. The types of personal data protection are physical, personal, documentary and protection of automated information systems.

5.3. Physical protection of personal data is a system of technical and organizational measures to prevent unauthorized access to the premises and technical means of Talent Bridge, through which personal data are processed.

5.4. Organizational measures of physical protection include the adoption of policies and procedures in the field of personal data protection, as well as other organizational measures in accordance with the company’s internal rules and procedures.

5.5. The main technical measures of physical protection are: physical access control;

5.6. Personal protection is a system of organizational measures for individuals who process personal data. The main measures of personal protection are: knowledge of the main regulatory acts in the field of personal data protection; knowledge of the Company’s policies and procedures for personal data protection; prohibition of sharing critical information between employees; agreement to undertake an obligation not to disseminate personal data; training;

5.7. Personal protection measures ensure access to personal data only to individuals whose official duties or a specifically assigned task require such access, in compliance with the “Need to know” principle.

5.8. Individuals may begin processing personal data after familiarizing themselves with the legal framework in the field of personal data protection and the policies and procedures of the Company for the protection of personal data.

5.9. Employees sign a declaration of non-disclosure of personal data to which they have gained access in the course of and in connection with the performance of their duties.

5.10. For failure to fulfill the obligations imposed on the relevant employees under these regulations, under the Personal Data Protection Act, under Regulation 2016/679 of the EU and other regulations and policies of the Company in the field of personal data protection, disciplinary sanctions are imposed under the Labor Code, and when the failure to fulfill the relevant obligation is ascertained and established by a competent authority – the administrative penalty provided for in the Personal Data Protection Act – a fine. If, as a result of the actions of the relevant person, damages have occurred to a third party, the same may seek liability under general civil law or under criminal law, if the act constitutes a more serious act for which criminal liability is provided.

5.11. Documentary protection is a system of organizational measures for the processing of personal data on paper.

5.12. The main measures of documentary protection are: determining the documents that will be maintained on paper; determining the conditions for processing personal data; regulating access to documents; controlling access to documents; determining storage periods; procedures for destruction; procedures for checking and controlling processing.

5.13. Protection of automated information systems and/or networks is a system of technical and organizational measures for protection against illegal forms of processing of personal data.

5.14. The main measures for protecting automated information systems and/or networks are: adopting policies and procedures in the field of personal data protection; defining roles and responsibilities; operating system in accordance with the requirements of the applied software used with the latest security packages installed; antivirus software with automatic updates and constant scanning included.

VI. PROVIDING ACCESS TO PERSONAL DATA TO THIRD PARTIES

6.1. Talent Bridge does not provide personal data to third parties before all technical and organizational measures have been taken to protect such data, and strives to implement strict controls to achieve this goal. In this case, Talent Bridge remains responsible for the confidentiality and security of personal data.

6.2. Categories of recipients to whom we provide personal data:
6.2.1. persons processing data on behalf of Talent Bridge;
6.2.2. persons who, by assignment, maintain equipment, software and hardware used for processing personal data and necessary for building the service, for performing various services for reporting, payment of services and products, technical support, etc.;
6.2.3. persons employed under a civil contract by Talent Bridge, supporting various processes.;
6.2.4. bodies, institutions and persons to whom we are obliged to provide personal data under the current legislation;
6.2.5. banks – for servicing payments made by clients;
6.2.6. persons providing accounting services to the company;
6.2.7. persons providing consulting services in various fields.

VII. RIGHTS OF NATURAL PERSONS IN RELATION TO THE PROCESSING OF THEIR PERSONAL DATA

7.1. Data subjects have the following rights regarding their personal data:
7.1.1. Right of access;
7.1.2. Right to rectification;
7.1.3. Right to erasure;
7.1.4. Right to restriction of processing;
7.1.5. Right to data portability;
7.1.6. Right to object to the processing of personal data;
7.1.7. Right to lodge a complaint.
7.2. Data subjects must make their requests under para. 1 in writing, which must contain the specific request and the signature of the data subject. If the request is not signed, the Talent Bridge Manager may request additional information from the data subject in order to be able to identify him/her.

7.3. A request to exercise the rights of data subjects can be submitted to the following email address office@talentbridge-bg.com

7.4. The “Talent Bridge Request Management Procedure” applies to the processing of requests under paragraph 1.

7.5. Requests shall be processed free of charge and as soon as possible by the Talent Bridge Manager.

7.6. Where requests are manifestly unfounded or excessive, in particular due to their repetition, the Talent Bridge Manager may refuse to take action to process the request or set a reasonable fee (based on the costs it will incur) to be paid by the data subject.

7.7. The Talent Bridge Manager shall assess on a case-by-case basis whether a request is manifestly unfounded or excessive.

7.8. Under certain conditions, the Talent Bridge Manager may refuse to process a request. In such cases, the Talent Bridge Manager shall send a reasoned response to the Data Subject, stating the reasons for the refusal.

7.9. The Manager shall provide information on the actions taken in connection with a received request for the exercise of the subjects’ rights within one month of receiving the request.

7.10. The Manager shall not be obliged to respond to a request if it is unable to identify the data subject.

7.11. The Talent Bridge Manager may request the provision of additional information necessary to confirm the identity of the data subject where there are reasonable concerns regarding the identity of the natural person submitting the request.

7.12. Upon request under point 7.1.1., the Manager of Talent Bridge shall provide the personal data subject with the following information:
7.12.1. confirmation of whether or not Talent Bridge processes the personal data of the person;
7.12.2. a copy of the personal data of the person processed by Talent Bridge, if explicitly stated in the request;
7.12.3. an explanation of the data processed, which shall include the following information: the purposes of the processing – if explicitly stated in the request; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data are or will be disclosed, in particular recipients in third countries or international organisations, if any; where possible, the envisaged period for which the personal data will be stored, and if that is not possible, the criteria used to determine that period; where the personal data are not collected from
the data subject, any available information about their source;

7.13. Upon request from the data subject, Talent Bridge may provide a copy of the personal data that is being processed.

7.14. When providing a copy of personal data, Talent Bridge may not disclose the following categories of data:
7.14.1. personal data of third parties, unless they have expressed their explicit consent to do so;
7.14.2. data that constitutes a trade secret, intellectual property or confidential information;
7.14.3. other information that is protected under applicable law and company policies.

7.15. Providing access to personal data subjects may not adversely affect the rights and freedoms of third parties or result in a breach of a legal obligation of Talent Bridge.

7.16. Data subjects may request that their personal data processed by Talent Bridge be corrected if the latter are inaccurate or incomplete. Upon satisfying a request for correction of personal data, the Manager of Talent Bridge shall notify other recipients to whom the data have been disclosed (e.g. government authorities, service providers) so that they can reflect the changes.

7.17. Upon request under 7.1.3., Talent Bridge is obliged to delete personal data if any of the following grounds apply:
7.17.1. the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
7.17.2. the data subject withdraws his or her consent on which the processing of the data was based and there is no other legal basis for the processing;
7.17.3. the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
7.17.4. the data subject objects to the processing of personal data for direct marketing purposes;
7.17.5. the personal data have been processed unlawfully;

7.18. Talent Bridge is not obliged to delete personal data to the extent that the processing is necessary:
7.18.1. to comply with a legal obligation of Talent Bridge;
7.18.2. for the establishment, exercise or defense of legal claims.

7.19. The data subject has the right to request restriction of processing where one of the following conditions applies:
7.19.1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
7.19.2. the processing is unlawful, but the data subject does not wish the personal data to be erased, but requests instead the restriction of their use;
7.19.3. the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims;
7.19.4. the data subject has objected to the processing based on the legitimate interests of Talent Bridge and it is being verified whether the legitimate grounds of the controller override the interests of the data subject;

7.20. Talent Bridge may process personal data, the processing of which is restricted, only for the following purposes:
7.20.1. for storing the data;
7.20.2. with the consent of the data subject;
7.20.3. for the establishment, exercise or defence of legal claims;
7.20.4. for the protection of the rights of another natural person; or
7.20.5. for important reasons of public interest.

7.21. Where a data subject has requested restriction of processing and one of the grounds under paragraph 1 applies, the Manager of Talent Bridge shall inform him/her before the restriction of processing is lifted.

7.22. Upon request of a subject under item 7.1.5, the data subject shall have the right to receive the personal data concerning him/her, which he/she has provided to Talent Bridge, in a structured, commonly used and machine-readable format. Upon request, these data may be transferred to another controller indicated by the data subject, where technically feasible.

7.23. The data subject may exercise the right to data portability in the following cases: the processing is based on the consent of the data subject and the processing is based on a contractual obligation.

7.24. The right to data portability may not adversely affect the rights and freedoms of other persons.

7.25. The data subject has the right to object to the processing of his or her personal data by Talent Bridge, if the data are processed on one of the following grounds:
7.25.1. the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
7.25.2. the processing is necessary for the purposes of the legitimate interests pursued by Talent Bridge or a third party;
7.25.3. the processing involves profiling.

7.26. The controller shall cease the processing of personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

7.27. Where personal data are processed for direct marketing purposes, the data subject shall have the right, at any time, to object to processing of personal data for such purposes, including profiling related to direct marketing.

7.28. Where the data subject objects to processing for direct marketing purposes, the processing of personal data for these purposes shall cease.

7.29. The data subject shall have the right to lodge a complaint with the Manager of Talent Bridge and/or the CPDP regarding the processing of personal data.

VIII. ACTIONS IN RESPONSE TO PERSONAL DATA BREACH INCIDENTS

8.1. Persons who have identified signs of a data security breach are obliged to report immediately to the Manager, providing him with all available information.

8.2. The Manager shall immediately check the submitted signal, as well as in cases where the signs of a data security breach are identified by him, trying to establish whether a security breach has occurred and which data are affected, in compliance with the “Procedure for responding to a personal data breach”.

8.3. The Manager shall take measures to prevent or mitigate the consequences of the breach and the possibilities for data recovery.

8.4. In case the security breach creates a likelihood of risk to the rights and freedoms of individuals whose data are affected, the Manager shall notify the Personal data protection commission. Notification to the Personal data protection commission should be carried out without undue delay and, where feasible, no later than 72 hours after the initial knowledge of the breach.

8.5. The notification to the Personal data protection commission shall contain the following information:
8.5.1. description of the security breach; the categories and approximate number of data subjects affected and the categories and approximate quantity of personal data records affected;
8.5.2. contact details of “Talent Bridge” Ltd;
8.5.3. description of the possible consequences of the security breach;
8.5.4. description of the measures taken or proposed to address the security breach, including measures to mitigate the possible adverse consequences.

8.6. Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall, without undue delay and in compliance with applicable law, notify the natural persons concerned.

8.7. Where Talent Bridge is acting as a Processor of personal data and there is a risk to the rights and freedoms of data subjects, the Company must notify the Administrator without undue delay.

8.8. The Company keeps a “Register of filed complaints and signals”, which contains the following information:
8.8.1. date of receipt of the signal and/or date of establishment of the violation;
8.8.2. nature of the violation;
8.8.3. categories of personal data affected;
8.8.4. description of the violation – source, type and scale of the affected data, reason for the violation (if applicable);
8.8.5. description of the notifications made: notification of the CPDP and the affected persons, if any;
8.8.6. measures taken to eliminate and/or limit negative consequences for the data subjects and the Company;
8.8.7. consequences of the violation.

IX. DESTRUCTION OF DATA

9.1. Destruction of personal data is carried out by the Company, without infringing the rights of the persons to whom the data refer, object of the destruction, and in compliance with the provisions of the relevant legal acts.

9.2. Information in the registers is destroyed after the purposes of processing have been achieved, when the need for storage has ceased and the statutory storage period has expired.

9.3. Destruction of data on paper is carried out by cutting with a shredder machine. Electronic data is deleted from the electronic database in a manner that does not allow the recovery of the information.

X. “TALENT BRIDGE” LTD. IN ITS CAPACITY AS A PERSONAL DATA PROCESSOR

10.1. Talent Bridge processes personal data only upon documented instructions from the Administrator, unless otherwise provided for in the concluded contracts. All instructions are issued in writing or by e-mail. Talent Bridge immediately informs the Administrator if it considers that the instruction violates applicable legal provisions.

10.2. Talent Bridge ensures that employees involved in the processing of the Administrator’s personal data and other persons acting on behalf of Talent Bridge process such personal data only on the basis of the Administrator’s instructions, unless they are obliged to process the data in accordance with applicable laws.

10.3. Talent Bridge will notify the Administrator within 48 hours of any serious operational disruptions, suspected data protection breaches and/or other irregularities in connection with the processing of personal data.

XI. SUBCONTRACTORS

11.1. Talent Bridge, as a processor of personal data, may use subcontractors to fulfill its rights and obligations under the concluded contracts.

11.2. Talent Bridge selects subcontractors who provide sufficient guarantees that appropriate technical and organizational measures will be implemented in such a way that the processing is carried out in accordance with the requirements of the relevant applicable legal provisions.

11.3. Talent Bridge determines the technical and organizational measures together with the subcontractor and monitors compliance with the agreed technical and organizational measures.

XII. ADDITIONAL PROVISIONS

§ 1. This Procedure shall enter into force on the date of approval and may be amended in the event of a change in the applicable regulations.

§ 2. When making significant amendments and/or supplements to this Procedure, “Talent Bridge” EOOD shall publish the changes on https://talentbridge-bg.com/privacy-policy/

§ 3. The nullity of a provision of this Policy shall not affect the validity of the remaining provisions.

§ 4. For issues not settled by this Procedure, the provisions of the Personal Data Protection Act and Regulation 2016/679 of the EU shall apply.

§ 5. Direct control over the implementation of the Procedure shall be assigned to the Manager.