Privacy policy

As a personal data controller, the FSC informs individuals with this policy how the FSC processes their personal data, how it ensures their protection and security and what their rights are.

The protection of personal data and the rights of data subjects in relation to their personal data are governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Regulation (EU) 2016/679), this Policy, as well as other European Union and Member State legislation.

1.Controller details and contact information

Financial Supervision Commission

Sofia 1000, 16 Budapest Street

tel.: 02 9404 999

fax: 02 9404 606

e-mail: bg_fsc@fsc.bg

Webpage: https://www.fsc.bg

2.Contact information of the Data Protection Officer

Oleg Pavlov

phone: 02 9404 819

e-mail: pavlov_o@fsc.bg

The contact details of the Data Protection Officer are used for questions regarding the processing of personal data by the Financial Supervision Commission in its capacity as controller, as well as for exercising the rights of data subject under Art. 15 – 22 of Regulation (EU) 2016/679. For all other general matters concerning the competence of The Financial Supervision Commission as a supervisory authority, the following email address is available: bg_fsc@fsc.bg.

3. Information that may contain personal data is processed for the following purposes:

Personnel;
Video surveillance;
Access control;
Contractors;
Requests under the Access to Public Information Act (APIA);
Supervised Entities;
Registry and Records;
Complaints and Alerts;
Initiatives;
Reports of breaches of the Act on the enforcement of measures against market abuse of financial instruments and of Regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (Market Abuse Regulation) and repealing Directive 2003/6/EC of the European Parliament and of the Council and Commission Directives 2003/124/EC, 2003/125/EC and 2004/72/EC (Regulation (EU) No 596/2014) and its implementing acts;
Alerts in relation to the internal whistleblowing channel under the Whistleblower Protection Act (WPA);
Reports of violations of the Measures against Money Laundering Act, the Measures against Terrorist Financing and Proliferation of Weapons of Mass Destruction Act and their implementing acts.

3.1. Personnel

For the purposes of human resources management, the Commission processes personal data of job applicants, current and former employees of the Financial Supervision Commission. In the course of human resources management activities, data on the identification of natural persons, data on education and qualifications, health data, contact data, as well as other data required by the special laws regulating employment and service relationships, tax and insurance relationships, accounting, occupational health and safety, as well as social issues are processed.

The data collected shall be used only for the purposes mentioned above and shall be made available to third parties only in cases where this is provided for by law.

In connection with employment, only the personal data required by law is processed and stored for the periods prescribed by employment and social security legislation.

The recruitment procedures shall be carried out in compliance with the requirements of the laws governing this activity and the Procedure for recruitment, selection and appointment of employees of the Financial Supervision Commission, approved by the Chairperson of the Financial Supervision Commission.

The Financial Supervision Commission processes and publishes personal data of obliged persons in accordance with the Anti-Corruption Act.

Activities to ensure occupational health and safety are regulated by a contract with the occupational health service in accordance with Regulation No 3 of 25 January 2008 on the conditions and procedure for the activity of the occupational health services.

Personal data shall not be re-used for incompatible purposes. Processing shall be limited to the purposes for which the data are collected and for archiving purposes in the public interest, scientific and historical research and statistical purposes.

3.2. Video surveillance

The Financial Supervision Commission is subject to video surveillance for security purposes, compliance with the Internal Regulations of the Financial Supervision Commission and the access regime. Video surveillance recordings shall be kept for a period of 2 (two) months. Only designated employees shall have access to the recordings within the scope of their duties.

3.3. Access control

The processing of personal data of employees and visitors to the Financial Supervision Commission is carried out by a data processor – a security company selected through a public procurement procedure. The purpose of collecting personal data is to identify individuals visiting the premises of the Financial Supervision Commission and to control access.

3.4. Contractors

In the course of its operations and in relation to its statutory powers, the Financial Supervision Commission processes personal data of natural persons for the performance of contracts concluded under the Obligations and Contracts Act, the Public Procurement Act, the Commercial Act, and other applicable legislation.

Where the performance of such contracts involves the processing of personal data of individual natural persons, only the minimum amount of information necessary for the proper fulfillment of the contractual obligations is processed. Access to this information is granted to third parties only where provided for by law.

3.5. Requests under the Access to Public Information Act (APIA)

In relation to processing requests under the APIA, information concerning individual data subjects is processed, which may include data relating to the physical, economic, social, or other identity of natural persons. The Financial Supervision Commission provides such information only to the extent that it complies with the purposes of the APIA.

3.6. Supervised Entities

Registers of the entities supervised by the Financial Supervision Commission are maintained on the basis of Article 30 of the Financial Supervision Commission Act.

The maintenance and storage of these registers are governed by Ordinance No. 15 of 5 May 2004 on the maintenance and storage of registers by the Financial Supervision Commission and on the circumstances subject to registration.

3.7. Registry and Records

The data in the Registry and Records register are collected, processed, and stored in compliance with the provisions of the Financial Supervision Commission Act, the Public Offering of Securities Act, the Markets in Financial Instruments Act, the Collective Investment Schemes and Other Undertakings for Collective Investment Act, the Special Purpose Investment Companies Act, the Measures Against Market Abuse with Financial Instruments Act, the Insurance Code, the Social Insurance Code, the Administrative Offenses and Penalties Act, the Rules of Procedure of the Financial Supervision Commission and its Administration, and other applicable legal acts.

3.8. Complaints and Alerts

Complaints and alerts relating to the exercise of the supervisory powers of the Financial Supervision Commission are submitted in accordance with the applicable legislation.

When processing the information contained in complaints and alerts submitted to the Financial Supervision Commission, only personal data relevant to the specific case is processed. Any data obtained by the Financial Supervision Commission in this context may be disclosed to third parties only where provided for by law.

3.9. Initiatives

The Financial Supervision Commission conducts annual training for secondary school students. The aim of the training is to enhance and deepen knowledge in the fields of finance, insurance, and social security, as acquired through secondary education.

The Financial Supervision Commission also runs an internship program. The duration of the internship is up to six months.

3.10. Whistleblowing under the Measures Against Market Abuse with Financial Instruments Act and Regulation (EU) No. 596/2014

The Financial Supervision Commission receives reports of breaches of the Measures Against Market Abuse with Financial Instruments Act and Regulation (EU) No. 596/2014, as well as the acts adopted for its implementation, in accordance with its statutory obligation under the Measures Against Market Abuse with Financial Instruments Act. The data is received via email and on paper.

3.11. Alerts in relation to the internal whistleblowing channel under the Whistleblower Protection Act

Personal data is processed for individuals who submit reports of violations that have come to their attention in a work-related context, as well as for individuals who assist them in the reporting process and those associated with the whistleblowers. The processing of personal data for the purposes of the WPA is described in a dedicated privacy notice.

3.12. Reports of violations of the Measures against Money Laundering Act, the Measures against Terrorist Financing and Proliferation of Weapons of Mass Destruction Act and their implementing acts.

Personal data is processed for individuals submitting reports under Article 115, paragraph 9 of the Measures Against Money Laundering Act. Reports are submitted to a dedicated email address established for this purpose.

4. Rights of natural persons:

Regulation (EU) 2016/679 provides the following rights for individuals in connection with the processing of their personal data:

4.1. the right to access personal data concerning the individual that is being processed by the controller;

4.2. the right to have inaccurate or incomplete personal data corrected;

4.3. the right to have personal data erased (“right to be forgotten”) when it is processed unlawfully or when the legal basis for processing no longer exists (e.g. expired retention period, withdrawn consent, the original purpose for collection has been fulfilled, etc.);

4.4. he right to restrict processing where there is a legal dispute between the controller and the data subject until the matter is resolved and/or for the establishment, exercise, or defense of legal claims;

4.5. right to data portability, where personal data is processed by automated means based on consent or a contract. For this purpose data is transmitted in a structured, commonly used, and machine-readable format;

4.6. the right to object at any time, on grounds relating to the data subject’s particular situation, unless there are compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or court proceedings;

4.7. right not to be subject to solely automated decision-making, including profiling, which produces legal effects concerning the data subject or significantly affects them in a similar way.

5. Right to lodge a complaint with the Commission for Personal Data Protection or the court

If individuals believe that their rights related to the processing of personal data under Regulation (EU) 2016/679 have been violated, they may file a complaint with the Commission for Personal Data Protection or the competent court.

The rights arising under Regulation (EU) 2016/679 may be exercised by submitting a request to the personal data controller. The request must include the individual’s name, address, and other information identifying them as the data subject, the nature of the request, the preferred form of communication and action on the request, and must be signed by the individual.

6. Collection of personal data for the purpose of providing requested services, inquiries, complaints, or alerts

When requesting a service, submitting an inquiry, or lodging a complaint or alert to the Financial Supervision Commission, personal data must be provided The Financial Supervision Commission uses the information provided solely for performing the necessary actions. The Commission discloses this information to third parties only where there is a valid legal basis.

7. Categories of recipients of personal data

Where necessary for the performance of a legal obligation and/or contractual obligation, and depending on the nature of the specific legal relationship, the Financial Supervision Commission may disclose personal data it has received to third-party recipients.

Such recipients may include: the Ministry of Interior, the State Agency for National Security, the Prosecutor’s Office, the courts, the Commission for Anti-Corruption and Illegal Assets Forfeiture, the National Investigation Service, the Inspectorate to the Supreme Judicial Council, and other administrative and supervisory authorities

The Financial Supervision Commission does not disclose personal data for the purposes of direct marketing.

8. Processing of children’s personal data

As part of its activities, the Financial Supervision Commission periodically organizes and conducts training sessions and seminars for students.

Participation in such training is voluntary, and the data collected (name, age, and school) is processed solely for the purposes stated above and for the promotion of secondary education.

9. Transfer of personal data to third countries or international organizations

The transfer of personal data that is being processed or is intended to be processed following its transfer to a third country or an international organization is carried out only in compliance with the provisions of Regulation (EU) 2016/679, the Personal Data Protection Act, and the Financial Supervision Commission Act.

10. Data used by the information hub

When a call is made to the Financial Supervision Commission’s information hub, information about the caller is collected and used to provide the necessary information and/or to perform a specific service.

11. Relevance of the provided personal data

When the Financial Supervision Commission processes personal data, such processing is in connection with the exercise of its powers and statutory obligations.

12. Data retention period

The Financial Supervision Commission applies the principle of storage limitation and retains personal data for periods appropriate to the purposes for which the data is processed, also considering its reference value.

Documents related to employment relationships are subject to a retention period of 50 years.

Documents of temporary operational or reference significance are subject to retention periods of 3, 5, 10, or 20 years, in accordance with the Records Retention Schedule of the Financial Supervision Commission.

Upon expiry of the legally established retention periods, the Financial Supervision Commission will destroy the personal data. Personal data for which no explicit retention period is provided will be destroyed after the purposes for which it was collected and processed have been fulfilled.

Retention periods may be further extended, for example in cases of pre-trial, judicial, or arbitration proceedings, suspension/interruption of limitation periods, or in order to comply with statutory provisions or the requirements of other supervisory authorities.

13. Use of cookies

A cookie is a small piece of data that a website stores on the visitor’s computer or mobile device.

The website of the Financial Supervision Commission uses cookies to collect statistical data for analytical purposes, using Google Analytics. Information about cookies generated by Google Analytics can be found here.

Users can disable both the Commission’s and third-party cookies at any time by adjusting their browser settings. In such cases, some of the functionality of the services available on the Commission’s website may be lost.

If a link redirects the user to another website, that site will have its own cookies and privacy policy over which the Financial Supervision Commission has no control.

14. Log files

Like most websites, the website of the Financial Supervision Commission collects data in log files. This information includes IP address, browser type (such as Mozilla, IE, Chrome, etc.), operating system (Linux, Windows, iOS), date and time of access, and the sections visited. The Financial Supervision Commission reserves the right to use IP addresses to identify users where this is necessary for the fulfillment of legal obligations. This information is stored on the server of the Financial Supervision Commission, located in a secure server room on the premises of the Commission.

15. Links to other websites

The privacy policy does not apply to links on the website of the Financial Supervision Commission that redirect to other websites. It is recommended that users review the privacy policies of any external websites they visit.

16. Changes in the privacy policy

The Financial Supervision Commission reserves the right to change the privacy policy.

ADDITIONAL PROVISION

§1. For the purposes of this policy:

“Personal Data Controller” is the Financial Supervision Commission, with actions on behalf of the controller carried out by the Chairperson of the Financial Supervision Commission.
“Processing” means the concept under Article 4, item 2 of Regulation (EU) 2016/679.

FINAL PROVISION

§2. The Privacy Policy is approved by Order No. З-151/20.06.2025 of the Chairperson of the Financial Supervision Commission and becomes effective from the date of its approval.