Privacy policy

With this Policy, in its capacity of controller of personal data, the Financial Supervision Commission (FSC) informs individuals how the FSC processes their personal data, how their protection and security are ensured and what their rights are. The protection of personal data and the natural persons rights with regard to their personal data is stated by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 /EC (General Data Protection Regulation) (Regulation (EU) 2016/679), the present Policy, as well as other European Union regulations and the Member States legislations.

1.Details of the controller and contact with him:
Financial Supervision Commission
1000 Sofia, 16 Budapest Str.
direct: + 359 2 9404 999
fax: + 359 2 9404 606
e-mail: bg_fsc@fsc.bg
Website: https://www.fsc.bg/

2.Contact details of the Data Protection Officer:
Oleg Pavlov
e-mail: pavlov_o@fsc.bg
phone: + 359 2 9404 819

3.Personal data categories and purposes in connection with which the personal data are processed in the FSC:

Staff

For the purposes of human resources management, personal data of job applicants, current and former employees of the FSC are processed. In the course of human resources management activities, the FSC processеs data for identification of individuals, data on education and qualification, health data, contact details data, as well as other data required by virtue of special laws governing employment and service relationship, tax and social security relations, business accounting, safe and healthy working conditions, as well as social issues.

The collected data are used only for the above purposes and are provided to third parties only in cases where this is laid down by law.
In connection with the implementation of employment relationships, only the personal data required by law are processed and are kept within the time limits set by the labor and social security legislation.
The procedures for selection of candidates are carried out in compliance with the approved by the FSC Chairman Procedure for recruitment, selection and appointment of employees in the Financial Supervision Commission, which sets out the principles and methods for recruitment, selection, evaluation and ranking of candidates in the Commission.
The procedure for documents application and selection of candidates for vacant positions starts with the publication of an announcement on the FSC website. In the course of the announced selection procedure, the candidates are informed about the forthcoming steps through e-mails sent personally to the attention of each of them.
The Financial Supervision Commission processes and publishes personal data of the liable persons in accordance with the Anti-Corruption and Confiscation of Illegally Acquired Property Act (ACIA).
Personal data are not reused for incompatible purposes. Their processing is only for the purposes for which the data are collected, as well as for the purposes of archiving in the public interest, scientific and historical research and statistical use.

Video surveillance

The FSC carries out video surveillance for security purposes. Video surveillance records are stored for a period of 2 (two) months. Within the framework of their official duties, certain employees have access to the records.

Access control

The processing of personal data of FSC visitors is carried out through a personal data controller – a security company selected after a public procurement procedure. The purpose of personal data collection is to identify individuals visiting the FSC premises and access control.

Counterparties

In the performance of its activity and in connection with its powers, the FSC processes personal data of natural persons for the performance of contracts concluded under the Obligations and Contracts Act, the Public Procurement Act, the Commercial Act and others.
As far as in connection with the performance of these contracts personal data of natural persons are processed, information about them shall be processed in a minimum amount, sufficient only for the exact performance of the obligations under the respective contract. Access to this information is granted to third parties only when required by law.

Requests under the Access to Public Information Act (APIA)

In connection with the processing of requests under the APIA, information on certain natural persons data is processed, which may contain data on the physical, economic, social or other identity of individuals. The Financial Supervision Commission provides such information only to the extent that it meets the objectives of the APIA.

Supervised entities

Registers of FSC supervised entities are maintained in connection with the requirements of Regulation (EU) 2016/679 (Article 30) and the Financial Supervision Commission Act (Article 30).
Ordinance № 15 of 05/05/2004 on the keeping and storage of the registers by the Financial Supervision Commission and on the circumstances subject to entry shall apply to the keeping and storage of these registers.

Record keeping and archives

The data in Records keeping and Archive Register are collected, processed and stored in compliance with the provisions of the Financial Supervision Commission Act, the Public Offering of Securities Act, the Markets in Financial Instruments Act, the Collective Investment Schemes and Others Undertakings for Collective Investment Act, the Special Purpose Investment Companies Act, the Implementation of the Measures against Market Abuse of Financial Instruments Act, the Insurance Code, the Social Insurance Code, the Administrative Violations and Penalties Act, the Rules of Organisation and Operation of the Financial Supervision Commission and its Administration and other applicable regulations.

Complaints handling and alerts

Complaints and alerts with regards of the exercise of the FSC’s powers as controller are submitted in accordance with the terms and conditions of the current legislation.
When processing the information contained in the complaints and alerts submitted to the FSC, only personal data relevant to the specific case are processed. Data disclosed to the FSC in this regard may be provided to third parties only if provided by law.

Initiatives

The Financial Supervision Commission conducts annual educational program oriented to students. The aim of the training is to increase and enrich the knowledge in the field of finance, insurance and social insurance, acquired in the framework of the secondary education.
The Financial Supervision Commission also conducts an internship program. The duration of the internship is from one to six months.

4. Rights of natural persons:

Right of information and access

The data subject has the right to obtain confirmation from the controller whether personal data relating to him are being processed and, if so, to have access to the data.

Right of correction

Any person whose data are processed by the controller has the right to request the correction of inexact personal data related to him without undue delay. Taking into account the purposes of processing, the person has the right to supplement the incomplete personal data.

Right of deletion (right “to be forgotten”)

Any person whose data are processed by the controller has the right to request the deletion of personal data related to the him without undue delay, and the controller has the obligation to delete without undue delay the personal data, in case they are processed illegally or no longer legally grounds (expired retention period, withdrawn consent, achieved original purpose for which they were collected and other).

Right of processing limitation

Each person whose data are processed by the administrator disposes of the right to require from it to limit the processing, in case of legal dispute between the administrator and the natural person until its solution, and/or to the purpose of stating, exercising and justifying legal claims. When subject to data has required processing limitation, the administrator shall inform him/her before the revocation of the latter.

Right of data transfer

The subject to data disposes of the right to receive all data concerning him/her which he/she has provided to the administrator, in a structured, widely used and machine readable format. Furthermore, he/she has right to transfer the data in question to another administrator without being hindered by the initial administrator.
When exercising his/her right of transfer, the subject to data is entitled to transfer directly his/her personal data from one administrator to another, if technically realizable.

Right of objection

The subject to data is entitled at any time, basing on his/her concrete situation, to raise objections to the personal data processing relating to him/her. The administrator shall cease from processing his/her personal data, except where it attests that there are persuasive legal grounds for its processing which have priority over the interests, rights and liberties of the respective subject to data, or for the sake of establishing, exercising and protection of legal claims.

Right of the subject to data not to be treated as object of a fully automated solution including profiling

The subject to data is entitled to require not be treated as object of solution based solely on automated processing, including profiling which bears legal consequences in respect of the subject to data, or significantly concerns him/her in a similar manner.

Right of lodging complaints to the Commission for personal data protection or to the court

If the subject to data considers his rights upon Regulation (EC) 2016/679 being violated, he/she has right to lodge a complaint to both the Commission for personal data protection and to the court.

The rights deriving from Regulation 2016/679 may be exercised either through written or through electronic request submitted to the administrator of personal data. The request should contain name, address and other data identifying the subject to data, as well as essence of the request, preferred way of communication and actions needed in order to satisfy the request. It is necessary to sign the request and to point out submission date and correspondence address.

5. Personal data collection aimed at providing services requested by the user
In case of complaint launched or question raised using the form published to that purpose on the internet site of the FSC, personal data needed for performing the service in question shall be provided too. The FSC shall use the provided information solely for performing the requested service (submission of complaint to the FSC or receipt of reply to a question posed). The FSC shall not provide the information in question to any third parties.

6. Types of personal data receivers
In case of necessity to comply with any legal duty and/or contractual obligations and depending on the essence of the concrete legal relationship respectively, it is conceivable that the FSC provides personal data it disposes of to the following types of third parties:
representatives of the Ministry of Interior, State Agency for National Security, Prosecutor’s Office of Republic of Bulgaria, various courts, Counter-Corruption and Unlawfully Acquired Assets Forfeiture Commission, National Investigation Service, Inspectorate at the Supreme Judicial Council, other public/supervisory bodies, agencies and other structures/persons. The FSC shall not disclose any personal data for direct marketing purposes.

7. Children’s personal data processing

As part of its activity, the FSC periodically arranges and conducts classes and seminars intended for scholars.
The participation in those classes is on voluntary basis, and the respective data, such as name, age and educational institution shall be processed solely to the above purposes and in order to make the public acquainted with the secondary course of education.

8. Transfer of personal data to third states or international organizations
Transfer of personal data which is processed or destined for processing after their transferring to third state or international organization, shall be performed solely if the prescriptions of Regulation (EC) 2016/679, Personal Data Protection Act and Financial Supervision Commission Act are complied with.

9. Data to be used in the information center
In case of phone call to the FSC information center, information about the calling person shall be collected and utilized for the purpose of providing with the required information, and/or for performing certain service.

10. Significance of the transferred personal data.
In most of the cases where the FSC processes personal data, it is a mandatory requirement for performing official competences and legal obligations. In such cases, the lack of provision of personal data impedes the taking of actions related to anonymous claims.

11. Preservation
The FSC applies the principle of preservation restriction, so it preserves personal data during periods adapted for data processing purposes, whereat it takes into consideration their significance in case of revisions. Documents related to employment contracts shall be destined for preservation for fifty-year term. In regard to documents, which are temporary valid for the purpose of operational revisions, the preservation period shall be set in accordance with the List of dossiers subject to preservation term. After expiry of the term set, the FSC shall annihilate the personal data. Personal data towards which no preservation period has been expressly set, shall be annihilated after the goals for which it has been collected and processed are attained. Term may be prolonged, for instance in case of preliminary proceedings, judicial proceedings and arbitrage proceedings, suspension/cessation of term, as well as in case of implementation of legal prescriptions and requirements of supervisory authorities.
12. Using biscuits
“Biscuit” means a small quantity of data stored through the internet site either in the computer, or in the mobile equipment of the respective visitor.
The internet site of the FSC utilizes biscuits in order to facilitate its functioning, as well as to the purpose of collecting statistical data needed for performing analysis. For achieving that goal, we make use of Google Analytics.
The utilized biscuits serve to differentiate between users and sessions, for assigning new sessions, submission of applications, preservation of traffic source and the way in which the FSC internet site could be accessed.
The following biscuits are usable on the FSC internet site:
Biscuits used for collecting statistical data aimed at performing analysis through Google Analytics. As regards the biscuits generated by Google Analytics, you could obtain more information here.

Through respective browser’s adjustment, users can always turn off both the FSC biscuits and those of third parties as well. In such case, it is possible to lose partially the functionality of some of the services offered through the FSC internet site.
In case where a link forwarding to another internet site is used, it will for sure dispose of own biscuits and adhere its privacy policy which are not subject to control on the part of the FSC.

13. Log files
Like most internet sites, the one of the FSC collects data comprised in log files.The information in question contains IP, the browser used (for instance Mozzilla, IE, Chrome and others), operational system (Linux, Windows, iOS), the point at which access to the FSC internet site has been gained, as well as the visited sites. The FSC reserves its right to utilize IP addresses of its users for the purpose of revelation their identity, in case where it would be necessary for the implementation of a law.
The information in question shall be saved on the FSC server, which is located in a server room in its building.

14. Links to other internet sites
The current privacy policy does not encompass transmissions from the FSC internet site to other sites.
We recommend to read the declarations of privacy policies published on other internet sites you already visited.

15. Newsletter
The FSC publishes Newsletter containing news on its activity as supervisory body
(art. 12 of the Rules of Procedure and Activity of the Financial Supervision Commission and its administration). The information published in the newsletter section does not contain any personal data, except the cases upon art.6, par.1, “b” of Regulation (EC) 2016/679.

16. Changes in the privacy policy
The Financial Supervision Commission reserves its right to make additional changes in its privacy policy.
Questions regarding personal data processing by the FSC

In case of questions raised in relation to personal data processing on the part of the FSC, the latter has to be sent to the following e-mail: pavlov_o@fsc.bg*

*It shall be used only in connection with questions regarding data processing by the FSC in its capacity of administrator, as well as in case of exercising the rights upon art.15-22 of Regulation (ЕU) 2016/679. For all other general questions concerning the competence of the FSC in its capacity of supervisory authority, the following e-mail should be used: bg_fsc@fsc.bg

ADDITIONAL PROVISIONS
According to the current policy:
§ 1. „Personal data controller“ is the FSC, whereat actions on the part of the controller are performed by its Chair.
§ 2. „Processing“ is the notion upon art. 4, n. 2 of Regulation (ЕU) 2016/679.

The privacy policy has been approved through Order № З – 4/07.01.2020 г. of the FSC Chair. It entered into force from the date of its approval.1.