General information

As of May 25, 2018, the new General Data Protection Regulation (GDPR), adopted by the European Union, is in force. The regulation aims to guarantee the protection of the personal data of individuals in all EU Member States and to harmonise the rules for processing it.
As the controller of personal data for the provision of aesthetic services, MALINOV AESTHETICS LTD meets all the requirements of the new regulation, collecting personal data only to the extent necessary for the provision of the service and storing it responsibly and lawfully.

Information about the Data Controller

Name: MALINES AESTHETICS LTD
UIC / BULSTAT: 204499015
Registered office and address: Plovdiv, Arch. Kamen Petkov 62
Email: [email protected]
Phone: 0877535355

Website: https://lasercenter.bg

Information on the Data Protection Officer

Name: Valentina Malinova – Director
Unified Identification Code (UIC / BULSTAT): 204499015
Registered office and address: Plovdiv, Arch. Kamen Petkov 62

Phone: 0877535355
Email: [email protected]

Information concerning the competent supervisory authority

Name: Commission for Personal Data Protection
Registered office and address: 1592 Sofia, Prof. Tsvetan Lazarov No. 2
Correspondence address: 1592 Sofia, Prof. Tsvetan Lazarov No. 2
Phone: 02 915 3 518
Email: [email protected], [email protected]
Website: www.cpdp.bg

Definitions:

For the purposes of this privacy policy, we define the following terms:
Website – the online platform available at https://lasercenter.bg

Scope and consent:

By accepting our Privacy Policy, you agree to the collection and processing of your personal data for the purposes and in the ways described below. By visiting and using the Company’s site and platform, you declare that you have read and understood this Policy and agree to it. Please be aware that we may periodically change and update this policy; the date of the last update, which identifies the current version, is stated at the top of this page.
The provision of personal data is voluntary. If you do not wish to provide your personal data, certain services cannot be performed, and as a result you will not be able to use the services we provide.

Grounds for collecting, processing and storing your personal data

We collect, store and use data on the basis of:

Training contract that you sign for each school year
Law – when the data is necessary to fulfil our legal obligations
Legitimate interest – to meet your expectations and to provide you with an informed choice of services
Consent – when you provide us with personal data in connection with organising and conducting webinars, events, trainings, project implementation and more.

MALINES AESTHETICS LTD is the controller of your personal data, determining the purposes and means of processing.

Aims and principles in the collection, processing and storage of your personal information

Data from persons in the education system are used for the following purposes:

identification of a party to the contract;
creating an account on our electronic platform;
application form for client registration;
accounting purposes;
statistical purposes;
protection of information security;
ensuring the performance of the contract for the provision of the relevant service;
sending information messages;
improving and personalising the service by offering events, other products and services;
regulatory requirements.

Basic principles for processing personal data

MALIN AESTHETICS LTD adheres to the following principles when processing personal data:

lawfulness, fairness and transparency;
limitation of the purposes of processing;
relevance to the purposes of processing and minimisation of the data collected;
accuracy and timeliness of the data;
limitation of storage to what is needed to achieve the purposes;
integrity and confidentiality of processing and an adequate level of security of personal data.

Legal basis for the processing of personal data

1. The processing of personal data is lawful only insofar as at least one of the following legal bases applies:

You have given free, specific, informed and unambiguous consent to the processing of your personal data for one or more specific purposes.
In an electronic environment, consent can be given, e.g. by ticking a box, selecting technical settings, or by another statement or conduct of the data subject that clearly indicates that he or she agrees to the proposed processing of his or her personal data. Outside the electronic environment, consent is given in another appropriate manner.

Consent to the processing of the data may be withdrawn at any time without any adverse effect on the data subject. In the processing of personal data of a child, consent is given by the holder of parental responsibility;
2. Processing is necessary for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject before concluding a contract;
3. Processing is necessary to comply with a legal obligation that applies to the company;
4. Processing is necessary to protect the vital interests of the data subject or of another individual;
5. Processing is necessary for the purposes of the legitimate interests of the company or of a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Data Protection Officer

The Data Protection Officer has the following basic powers:

Monitors compliance with the legal requirements and the General and Special Rules for personal data protection;
Informs and advises those involved in data processing of their data processing responsibilities; raises awareness and trains staff involved in processing operations;
Assigns responsibilities and performs audits;
Acts as a contact point for data subjects, who may contact the Data Protection Officer on any issue related to the processing of their data and the exercise of their rights; acts as a contact point for and liaises with the Commission for Personal Data Protection;
Participates in data protection impact assessments, taking into account the risks associated with processing operations and the nature, scope, context and purposes of processing;
The Data Protection Officer shall respect confidentiality in the performance of his or her duties.

Personal data

MALIN AESTHETICS LTD processes the following categories of personal data:

Personal data of parent / guardian: name, identification number, date and place of birth, citizenship; demographic characteristics – gender, age, place of residence; contact information, address, landline / mobile number, work number, email.
Student personal data: name, identification number, date and place of birth, citizenship; demographic characteristics – gender, age, place of residence; physical identity data – facial images, voice, handwriting; health.
Personal data of employees – name, identification number, date and place of birth, citizenship; demographic characteristics – gender, age, place of residence; contact information, address, landline / mobile number, medical and eligibility certificate, education level.
The Company does not collect or process personal data revealing racial or ethnic origin, political, religious or philosophical beliefs or trade union membership, or data concerning sex life or sexual orientation.

Purposes and reasons for collecting and processing personal data

MALIN AESTHETICS LTD performs the following operations with personal data for the following purposes:

registration of a student and parent / guardian for the purposes of a training contract;
concluding and executing a commercial transaction with a client or partner – the purpose of this operation is to conclude and execute a contract with a commercial partner or client and to administer it;
registration on an electronic platform on the company website;
sending information messages concerning improvements or changes in services; issuing an invoice to an individual.
2. Grounds for data collection: signing of a Training and Payment Contract (Art. 6, para. 1, letter (b) GDPR); MES; contract law.

Period of storage of personal data

1. Personal data shall be stored within the following time limits:

for the period required under applicable law;
for as long as the data is necessary for the exercise of rights or the performance of the obligations of the company;
personal data of participants in recruitment procedures is stored for no more than three years;
in the event of a legal dispute to which the data may be relevant, until the dispute is concluded by a final judgment;
up to three months when the data have been submitted for the purpose of requesting a contract, but no later than 15.08 of the current year;
for the term of the contract when the data are processed on the basis of a contract;
until the withdrawal of consent when the data are processed on the basis of consent;
until the right has been realised and / or the interest has lapsed when the data are processed to protect the rights and interests of the company which take precedence over the interests of individuals.

2. After the expiry of the specified time limits, the data will be deleted unless there is another ground for processing them or the retention period needs to be extended for fulfilling the purposes, the performance of the contract, the legitimate interests of the company or otherwise.

Transmission of your personal data for processing

Some data is provided, under a regulatory obligation, to administrative bodies according to their competence (e.g. MES). When we provide information to other organisations and individuals – our partners, external consultants, etc. – those parties make appropriate legal commitments to protect the data through contractual terms, privacy statements and the like.

Persons to whom your personal data are provided

MALINES AESTHETICS LTD, which processes your data as a controller, transmits the necessary information to MES, Admin Soft, NRA (Declaration Form 3) and RZI.

Rights in the collection, processing and storage of your personal data

1. Under European law you have the right to:

withdraw your consent to the processing of your personal data where there is no other legal basis for the processing;
request confirmation as to whether your personal data are being processed;
request information regarding the collection, processing and storage of your personal data, or
receive a copy of the personal data processed in an appropriate form;
request the correction or completion of inaccurate, incomplete or changed personal data by written request to the company;
request the deletion of personal data relating to you; the company is obliged to delete them without undue delay when the personal data are no longer needed for the purposes for which they were collected or otherwise processed;
object to the processing of personal data, including for the purposes of direct marketing, where there are no overriding legitimate grounds for the processing;
request deletion where this is required to comply with a legal obligation under EU law or the law of a Member State that applies to the company, or where the personal data have been collected in connection with the provision of information society services.

2. The company is not obliged to delete personal data if it stores and processes them:

to exercise the right to freedom of expression and the right to information;
to comply with a legal obligation requiring processing as provided for in EU or Member State law applicable to the controller, or for the performance of a task carried out in the public interest or in the exercise of official authority conferred on it;
where it has a legal obligation to keep the data, including for the defence against legal claims or for proving its rights;
for reasons of public interest in the field of public health;
for archiving purposes in the public interest, for scientific or historical research or for statistical purposes;
for the establishment, exercise or defence of legal claims.
To exercise the right to be forgotten, a request is submitted and the identity of the requester is verified.

3. You may request that data processing be restricted when:

you dispute the accuracy of the personal data, for a period that allows the accuracy of the personal data to be verified;
the processing is unlawful and you request that the use of the data be restricted;
the company no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise or defence of legal claims;
you have objected to the processing, pending verification of whether the Company’s legitimate grounds take precedence.

4. You may at any time download the data stored about you, where technically feasible.
5. Your personal data may be transferred directly to another controller designated by you.
6. You may request MALININ AESTHETICS OOD to inform you of any recipients to whom the personal data for which correction, deletion or restriction of processing has been requested have been disclosed. The company may refuse to provide this information if this would be impossible or would require a disproportionate effort.
7. You may object at any time to the processing of personal data relating to you, including if it is processed for profiling or direct marketing purposes.

Your rights in the event of a personal data security breach

If MALINOV AESTHETICS LTD detects a breach of the security of your personal data which may pose a high risk to your rights and freedoms, we will notify you without undue delay of the breach and of the measures taken or to be taken. This obligation does not apply if:
appropriate technical and organisational measures have been taken to protect the data affected by the security breach;
subsequent measures have been taken to ensure that the breach no longer puts your rights and freedoms at high risk;
notification would require a disproportionate effort.

Persons to whom your personal data are provided

MALINES AESTHETICS LTD, which processes your data as a controller, transmits the necessary information for the purposes of RWS to MES, Admin Soft, NRA (Declaration Form 3) and RZI.

Security and confidentiality when processing personal data

We use all appropriate technical and organisational measures to protect your personal data, providing a level of protection appropriate to the risk by applying best practices. We provide several types of protection: personal, documentary, physical, information systems protection and cryptographic protection. Each of these consists of different specific measures. Separate premises where data is stored, special equipment, locking, regulated and controlled access, identification for entry into information systems, and rules for reproduction and dissemination are only some of the measures we apply to protect data in the best way. You should know that your data is well protected, including through a rigorous procedure for action in case of a potential risk to it.

Impact level and level of protection

The type of personal data processed and the nature of the processing operations shall be periodically checked with the assistance of the Data Protection Officer. Depending on the results of the verification, the data processing operations are divided into two categories, depending on the risks to the rights and freedoms of the entities arising from them, as follows:

low impact processing operations and
medium impact processing operations;
Depending on the established level of impact, an appropriate level of protection applies to the relevant data:

personal data subject to a low level of protection;
personal data subject to an average level of protection;
If the check reveals that a processing operation carries a high risk to the rights of the data subjects, e.g. because it involves new technological solutions, and MALINES AESTHETICS LTD cannot limit this risk with appropriate measures in terms of available technologies and implementation costs, the Commission for Personal Data Protection will be consulted prior to the relevant processing operation.

Low-level technical and organizational measures:

1. Specific measures, including by designating those responsible for their implementation, shall be specified by internal orders.

physical protection – the data is processed in offices or restricted areas; the elements of the communication and information systems are located in offices or restricted premises; the premises where the data are stored are locked when unsupervised; personal data files are stored in separate cabinets; access to the data is granted only to the persons who need it to ensure its lawful processing; and the premises are equipped with appropriate fire-extinguishing equipment.
personal protection – data protection rules are explained to persons involved in data processing operations; these persons are acquainted with and adopt the General Rules for Data Processing of MALIN AESTHETICS Ltd. and the Special Rules for Data Processing of Individual Members; the dangers involved in processing personal data are explained; persons involved in data processing operations undertake not to disseminate personal data.
documentary protection – each employee keeps separate registers for the personal data he or she processes; each employee determines which registers he or she maintains on paper; access to the registers is granted only to persons who need it to ensure the lawful processing of the data; employees are obliged to prevent unauthorised access to documents they work with which contain personal data; personal data is stored within the time limits set by the controller; after expiry of the retention periods, the data is destroyed in accordance with the procedures of the controller.
protection of automated information systems and / or networks – the operation of the systems and the risks of processing personal data with them are explained to the persons involved in processing operations by automated means; access to the data is granted only to persons who need it for the lawful processing of the data; individuals gain access to the systems after identification and authentication; access to the data is granted at different levels (the need-to-know principle is respected); unauthorised access to and processing of data, including during transmission, is prevented; records (logs) are kept of the collection, modification, consultation, disclosure (including transmission), combination and deletion of data;

records of consultation or disclosure make it possible to establish the grounds, date and time of such operations and, as far as possible, the identity of the person who consulted or disclosed the personal data, as well as data identifying the recipients of such personal data; equipment and storage media are protected and access to them is restricted; secure connections between information systems are used; appropriate protection against computer viruses is applied;
backup copies of electronic data are created and maintained; provision is made for systems to be restored in the event of technical failure; functional defects are reported; damage to stored personal data due to malfunctioning of the systems is not allowed; the time limits for storing data processed by automated means are consistent with the deadlines applicable to paper data.

Technical and organizational measures at medium level of protection:

1. Physical protection:

all physical protection measures at low level of protection are applied;
the controlled access zones in which the data are processed are identified;
specific methods of physical protection are identified;
2. Personal protection:

all low-level personal protection measures are implemented;
persons participating in data processing operations are involved in appropriate training, including those in response to personal data breaches;
persons involved in personal data-processing operations share the critical information needed to protect the data;
3. Documentary protection:

all documentary protection measures at low level of protection are applied;
access to registers is granted only to certain persons;
no copies of the data may be made or distributed without the permission of the data subject;
4. Protection of automated information systems and / or networks

all measures are in place to protect the low-level automated information systems and / or networks;
the elements of the information systems are placed in premises with restricted access;
accountability is maintained for the maintenance and operation of the information system elements;
5. Cryptographic protection:

standard cryptographic capabilities of operating systems apply;
the standards for cryptographic capabilities of database management systems are applied;
the standard cryptographic capabilities of the communication equipment apply.

Procedures for the destruction of personal data

After the storage periods have expired, or where the reason for processing the data has otherwise ceased to exist, the data shall be destroyed in a secure manner. Paper carriers are destroyed by shredder. Data on electronic media shall be destroyed in such a way as to prevent its recovery. The data to be destroyed shall be kept confidential, including during the process of destruction, unless other measures have been taken to protect the rights and freedoms of the data subject. In all cases, good practice appropriate to the case shall be applied to ensure that the data is permanently deleted.

Personal data breach strategy

A personal data breach is a security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The following types of breach are distinguished:

breach of confidentiality – unauthorised or accidental access to the data;
breach of availability – the data cannot be accessed although it needs to be processed;
breach of integrity – the data has been altered in an improper or unauthorised way.
1. Internal reporting. Anyone who becomes aware of a breach of the security of personal data processed by the company is required to report it immediately to the Data Protection Officer. The report must include accurate information, as far as known to the person reporting it, about the type of breach, how many persons were affected and when the breach was detected, as well as the name of the reporter and his or her contact details. Information about the breach shall not be divulged to other persons, unless withholding it would deepen the breach or make it more difficult to overcome its consequences.
The Data Protection Officer shall immediately carry out a preliminary check of the report and establish, in so far as circumstances permit, whether there has been a breach of personal data security, what type of breach it is, and how many and which persons are affected. Immediately thereafter, the Data Protection Officer shall report to management on the report received and the results of the preliminary check.
The Officer shall take the necessary measures at the earliest opportunity.

Investigation and risk assessment. Action Plan

The Data Protection Officer shall carry out a careful assessment and analysis of the circumstances surrounding the breach and its risk to the rights and freedoms of individuals. Other (including external) specialists are involved as necessary. A plan for the rapid restriction and cessation of the infringement and its consequences shall be drawn up. The goals of the plan are of paramount importance: protecting the rights and freedoms of individuals affected by the violation, including preventing the violation from deepening; preventing the rights and freedoms of other individuals from being affected; restoring the state of personal data as it was before the breach occurred; prevention or limitation of material damage. If the breach occurred with the data processor, the data controller shall be notified immediately and the necessary coordination shall be established.

Need to notify CPDP of the violation

In the event that a personal data breach is likely to result in a risk to the rights and freedoms of the data subjects, the Data Protection Officer shall arrange to notify the Commission for Personal Data Protection (CPDP) of the breach. The Officer shall notify the CPDP of the breach if he or she considers it necessary to protect the rights and freedoms of the data subjects, regardless of the opinion of management on this matter. The CPDP shall be notified without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. The notification to the CPDP contains:

a general description of the personal data breach;
a description of the categories and approximate number of persons concerned and of the categories and approximate number of records of personal data concerned;
the name and contact details of the Data Protection Officer;
a description of the possible consequences of the personal data breach;
a description of the measures taken or proposed to address the breach, including measures to mitigate any adverse effects.

Where it is not possible to provide all information on the breach to the CPDP at the same time, it shall be provided in phases without undue delay.
The CPDP is notified by the data controller.

Notification to the individuals concerned of the violation

Where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the Data Protection Officer shall, without undue delay and subject to applicable law, notify the individuals concerned. The Officer shall arrange for the individuals concerned to be informed of the breach if he or she considers it necessary to protect their rights and freedoms, irrespective of the opinion of management on this matter.
The notification shall be made without undue delay and shall contain the following information:

a general description of the personal data breach;
the possible consequences of the infringement;
the measures taken to tackle the infringement;
the name and contact details of the Data Protection Officer;
what actions the data subjects themselves can take to protect their rights.
Individuals need not be informed if appropriate technical and organisational measures have been taken to adequately protect their rights, or if subsequent measures have been taken to ensure that the high risk to their rights and freedoms is no longer likely to materialise.

Documentation of violations

The company keeps a register of personal data breaches that have occurred, which contains the following information:
date of the finding of the breach; description of the breach – source, type and scale of the data affected, cause; a description of the notifications, if any, to the CPDP and to the persons concerned; measures taken to prevent and limit the consequences for the data subjects; measures taken to limit the possibility of subsequent security breaches.

Other provisions

In the event of a violation of your rights under the aforementioned or other applicable personal data protection legislation, you have the right to file a complaint with the Commission for Personal Data Protection:
Name: Commission for Personal Data Protection
Registered office and address: 1592 Sofia, Prof. Tsvetan Lazarov No. 2
Correspondence address: 1592 Sofia, Prof. Tsvetan Lazarov No. 2
Phone: 02 915 3 518
Email: [email protected], [email protected]
Website: www.cpdp.bg

You can exercise all your rights regarding the protection of your personal data. You can submit your requests in any form that contains a statement to that effect and identifies you as the data owner.

A public announcement of the violation, which is coordinated with the CPDP, may be initiated.