Data Protection and Cybersecurity Policy

This policy aims to establish guidelines and procedures for the protection of personal data and ensure cybersecurity in NGOs in Bulgaria. The policy is developed in accordance with the requirements of the General Data Protection Regulation (GDPR) and Bulgarian national legislation.

Scope

This policy applies to all employees, volunteers, partners, and third parties who have access to personal data and information systems of the Bulgarian Foundation for Business and Human Rights (BFBHR). BFBHR is a non-profit legal entity, designated to carry out activities for private benefit, registered in the Commercial Register and Register of Non-Profit Legal Entities at the Registry Agency with UIC 207184423, and headquartered in Sofia, Ovcha Kupel district, Boryana St., 48, entrance B, floor 3, phone: +359 882 821 989, email:, website:

Definitions

  • Personal Data: Any information related to an identified or identifiable individual.
  • Data Processing: Any operation or set of operations performed on personal data, including collection, recording, organization, storage, modification, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, arrangement or combination, blocking, erasure, or destruction.
  • Cybersecurity: Practices and technologies used to protect networks, systems, and data from cyber attacks.

Data Protection Principles

  1. Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and transparently.
  2. Purpose Limitation: Personal data must be collected for specified, explicit, and legitimate purposes.
  3. Data Minimization: Processed personal data must be adequate, relevant, and limited to what is necessary.
  4. Accuracy: Personal data must be accurate and, where necessary, kept up to date.
  5. Storage Limitation: Personal data must be kept in a form that allows identification of data subjects for no longer than is necessary.
  6. Integrity and Confidentiality: Personal data must be processed in a way that ensures appropriate security, including protection against unauthorized or unlawful processing, and accidental loss, destruction, or damage.

Cybersecurity Measures

  1. Access Control: Limit access to information systems and data to authorized individuals only.
  2. Training and Awareness: Regular training of employees and volunteers on good cybersecurity practices.
  3. Monitoring and Auditing: Regular monitoring and auditing of security systems and compliance with data protection policies.
  4. Incident Response: Have procedures in place for detecting, responding to, and reporting incidents related to cybersecurity.
  5. Encryption: Use encryption to protect data during transmission and storage.
  6. Software Updates: Regular updating of software and security systems.

Data Subject Rights

  • Right of Access: Data subjects have the right to receive confirmation of whether their personal data is being processed and, if so, access to the data.
  • Right to Rectification: Data subjects have the right to request the correction of inaccurate personal data.
  • Right to Erasure: Data subjects have the right to request the deletion of their personal data under certain circumstances.
  • Right to Restrict Processing: Data subjects have the right to request the restriction of their data processing under specific conditions.
  • Right to Object: Data subjects have the right to object to the processing of their personal data at any time based on reasons related to their particular situation.
  • Right to Data Portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format.

This data protection and cybersecurity policy is regularly reviewed to ensure it remains up-to-date and compliant with legal requirements and best practices in the field of data protection and cybersecurity.

Contact

For additional information or questions related to this policy, please contact: Olga Peneva,, +359 882 821 989.

This policy is effective from 9 September 2024, and is approved by the organization’s board of directors.

Annexes

  1. Form for Data Access Request
  2. Form for Reporting Cybersecurity Incidents