Information about the Personal Data Controller/Processor
HITL LTD., VAT 204782718, with registered office and address of management in Bulgaria, Sofia, zh.k. Lozenets, 7 Sveta Gora Street, 2nd floor, apt. 7, website: https://humansintheloop.org/, e-mail: email@example.com.
Head office: Sofia, 97 Knyaz Boris I Str., 3rd floor
HITL Ltd. respects your right to maintain the confidentiality of your information and data. This policy is intended to inform you of the purposes, grounds and manner in which we collect, process, store and disclose your personal data in order to preserve your privacy. That is why we ask you to read its contents carefully.
Information on the competent supervisory authority
1. Our main goal when working with personal data
HITL Ltd. processes your personal data with maximum security, in connection with the regulatory obligations and contractual relations that exist between the company and you as a result of its activities. Depending on the various goals set by our customers and the grounds for processing personal data, HITL Ltd. may take on the role of administrator (controller), processor or joint administrator.
The security of the data you entrust to us is very important. It is of great importance for our success and for our public image, which is why we protect your data by applying all appropriate technical and organizational means at our disposal and keeping them up to date with the requirements of Regulation (EU) 2016/679. Through them, we will not allow unauthorized access, unauthorized or malicious use, loss or premature deletion of information.
We collect and process personal data only in compliance with the requirements of local and European legislation. We are aware that the processing of your data is for a specific reason and cannot be performed without restriction.
2. Objectives and scope of the data protection policy:
This policy follows the territorial and material scope of Regulation (EU) 2016/679 and adopts its main objectives. It is applied by all our employees.
HITL LTD collects and processes personal data in order to carry out its activities lawfully, expediently and fully. This applies to the personal data of employees, customers and other entities with whom we have a relationship or wish to contact.
3. Categories of personal data and purposes of processing
HITL LTD processes the personal data of various entities on specific grounds, according to the objectives pursued. In compliance with the principles of legality, good faith, transparency and information, and to facilitate data subjects, the company has prepared separate notices for each specific category of subject and purpose of processing. They contain the detailed and specific information required under Art. 13 and Art. 14 of Regulation (EU) 2016/679. They are:
Notice for processing personal data of employees – you can read this document in the office of the company.
Notice for processing personal data of clients – you can read this document in the office of the company.
Notice for processing personal data when visiting the site https://humansintheloop.org/ – you can read this document in electronic form on the company’s website.
HITL LTD does not collect or process, for the sole purpose of identifying the subject, personal data of the following kinds:
- data that reveal racial or ethnic origin;
- data that disclose political, religious or philosophical beliefs, or trade union membership;
- genetic data, data on sexual life or sexual orientation.
The administrator does not collect personal data of persons under 14 years of age without the explicit consent of a parent.
The administrator does not apply “automated individual decision making, including profiling”.
The policy does not apply to the processing of personal data by a data subject, an individual, in the course of purely personal or household activities.
4. Grounds for personal data processing
HITL LTD. collects and processes personal data only for specific purposes, described in detail and explicitly in the documents under item III. The grounds are specific and different, according to the objective pursued and may be:
- For fulfillment of normative obligations under art. 6, para. 1, letter (C) of Regulation (EU) 2016/679 we process your personal data in order to comply with obligations provided for in laws and regulations governing the activities we carry out, such as: LC (Labour Code), SSC (Social security code), LPIT (Personal income taxes law), VATL (Value added tax law), etc.;
- For performance of a contract: labor, civil, rental or other type of contractual relations; to take steps at the request of the data subject before concluding a contract; protection of legitimate interest, under Art. 6, para. 1, points (B) and (E) of Regulation (EU) 2016/679;
- If necessary, when the purpose or a regulatory obligation requires it, HITL LTD will require your explicit and freely given consent to the processing of personal data.
5. How we protect your personal information
To ensure adequate protection of the data of our employees, customers and partners, we apply all necessary organizational and technical measures provided for in the Personal Data Protection Act and Regulation (EU) 2016/679 of 27 April 2016, as well as data protection by design and data protection by default.
Data protection by design means the appropriate technical and organizational measures we introduce before personal data processing starts (at the stage of determining the purposes and means of processing), and which we maintain throughout the data life cycle. Such measures include encryption of data, functionality for automatically tracking retention periods and deleting data once they expire, etc.
We protect personal data by applying mechanisms that by default ensure compliance with the following requirements:
- Only the minimum amount of personal data absolutely necessary to achieve our specific purpose is processed, and only the necessary processing operations are carried out;
- Licensed software and certificates are used for the electronic protection of the systems and the website;
- Encrypted e-mail on paid, private domains is used. Documents containing personal data and classified information are not sent to e-mail addresses on public domains;
- Only employees who need the relevant information to perform their official duties have access to personal data;
- Personal data is not shared with other employees, unless necessary to perform their duties;
- Annotators are required to handle data and platform access carefully at all times, and not to leave their devices unattended or visible to unauthorized people;
- All annotators sign a Confirmation Form before starting work on each individual project, outlining their responsibilities for security and data protection;
- For certain high-risk projects, annotators may sign additional NDAs containing the requirements set by the clients before gaining access to the project;
- For some projects involving sensitive data, in order to avoid any risk of unauthorized processing, employees work directly on a platform or application owned by the contractor, which allows only remote viewing of the data, solely for processing purposes;
- We do not store documents related to the processing of personal data of entities in our office. The information is entirely digital and is stored in cloud systems, subject to the policies of the cloud service providers. Where we have a legal obligation to store certain documents containing personal data on paper, we keep them in a special locked cabinet;
- Connections to the cloud services are made over HTTPS, and each employee of the company is familiar with the policies for computer and information security. When these policies are updated, each employee to whom the change is relevant is notified;
- For our internal operations and customer data processing, we use cloud platforms that provide remote access with user-level access permissions and strict data security policies;
- Access to data in Google Drive is provided to a specific employee, through a personal business account for the implementation of a specific project;
- A person who is removed from a particular project loses access to all related data immediately;
- A password creation policy for access and user rights has been introduced;
- Employees receive training on the proper implementation of Regulation (EU) 2016/679 and application of the implemented technical and organizational measures and procedures;
- Data is stored for the minimum period absolutely necessary to achieve the purposes of processing, and then deleted in compliance with the relevant rules and procedures;
- Data for which the grounds for collection no longer apply is irreversibly destroyed under a deletion protocol;
- Any access, transmission or sharing of data is permissible only if there is a valid legal basis for it (for example – a contract, the consent of the data subject or our legal obligations);
- Sharing or downloading any data or confidential information that annotators receive through their work on a specific project is strictly prohibited, as is storing such data on their personal devices (including, but not limited to, laptops, tablets, mobile devices, cameras or smartphones) or recording such data in any way (e.g. by taking a photo, video, screenshot or other image);
- The controller shall take the necessary measures to ensure that the processor of personal data and any natural person acting under the direction of the controller process such data only on his instructions for the relevant purpose;
- In case of a personal data breach, the administrator will notify the competent supervisory authority, the CPDP, as soon as possible after becoming aware of it.
HITL LTD may, if necessary for security reasons, introduce an additional key into the work of individual employees.
For maximum security in the processing, transmission and storage of your data, we may use additional security mechanisms.
6. When we delete your personal data
We delete your personal data after the need for processing ceases to exist or after the expiration of the period for their storage.
More detailed information on the different deadlines can be found in the Notices under Section III.
7. When and why we share personal information with third parties
We may provide your personal data to third parties; our main goal in doing so is to protect your interests and security in connection with the performance of specific tasks and contractual obligations. We do not provide your personal data to third parties until we have made sure that all technical and organizational measures have been taken to protect this data, and we strive to exercise strict control to achieve this goal. Where applicable, we take care that your data is processed only according to the instructions given on behalf of the administrator, HITL LTD. In this case, we remain responsible for the confidentiality and security of your data.
We provide personal data to the following categories of recipients:
Data processors acting on our behalf:
- persons engaged in the accounting of the company's documentation;
- persons who, on assignment, maintain the equipment, software and hardware used for the processing of personal data and needed for the company’s activities, including reporting, payments, etc.;
- persons who perform audits on assignment;
- banking institutions, in order to pay amounts due, when your identity needs to be verified;
- institutions and people to whom we are obliged to provide personal data under applicable law or in connection with the implementation of our contractual relations (notaries, experts, lawyers – representatives of the other party);
Data processors acting on their own behalf:
- Contractor of a project (administrator), for which HITL Ltd. is a “processor”;
- Foundations, non-governmental organizations and other legal entities, in their capacity of joint administrator.
- Competent authorities that have the power to require the provision of information, including personal data, such as courts, prosecutors, embassies, various regulatory bodies such as the National Revenue Agency (NRA), the Regional Health Inspectorate (RHI), Labor Inspectorate, Consumer Protection Commission (CPC), Competition Protection Commission (CPC), Personal Data Protection Commission (CPDP), Ministry of Foreign Affairs, Migration Directorate and other bodies with powers to protect national security and public order;
8. Data transfers to third countries
The transfer of personal data to third countries is possible and is carried out in accordance with internal rules and procedures, applying all the data protection measures listed above. The transfer takes place after HITL LTD is satisfied that an adequate level of protection has been provided, in accordance with the requirements of Chapter V of Regulation (EU) 2016/679. If necessary, HITL LTD will apply special measures, including requiring additional guarantees of protection from the data recipient.
9. Your rights in connection with the processing of your personal data
1. Right to receive information and access:
You have the right to ask:
- information on whether data related to you is processed, information on the purposes of such processing, on the categories of data and on the recipients or categories of recipients to whom the data is disclosed;
- a message in an understandable form containing your personal data that is being processed, as well as any available information about their source;
- information on the logic of any automated processing of personal data concerning you, at least in the case of automated decisions.
2. Right to correct:
In the event that we process incomplete or incorrect data, you have the right, at any time, to request:
- to delete, correct or block your personal data, the processing of which does not meet the requirements of the law;
- that third parties to whom your personal data have been disclosed be informed of any deletion, correction or blocking, except where this is impossible or involves disproportionate effort.
3. The right to be forgotten:
The right to erasure (or the “right to be forgotten”) allows you, when you do not wish your data to be processed and there are no legal grounds for its storage, to request that it be deleted on one of the following grounds:
- the personal data is no longer needed for the purposes for which it was collected or otherwise processed;
- You withdraw your consent on which the data processing is based;
- You object to the processing and there is no overriding legal basis for continuing the processing;
- personal data have been processed illegally;
- personal data must be deleted in order to comply with a legal obligation.
The right to be forgotten is not an absolute right. There are situations in which the controller has the option to refuse to delete the data, namely when the processing of specific data is necessary for any of the following purposes:
- to exercise the right to freedom of expression and information;
- archiving for public interest purposes, historical research or statistical purposes;
- to establish, exercise or defend legal claims.
4. Right of objection:
You have the right to object at any time to the processing of your personal data where there is a legal basis for doing so; where the objection is justified, the personal data of the individual concerned may no longer be processed.
5. Right to restrict processing:
You can request a restriction of the processing of your personal data if:
- you dispute the accuracy of the data for the period in which we have to check their accuracy; or
- the processing of data is without legal basis, but instead of deleting it, you want its limited processing; or
- we no longer need this data (for the specified purpose), but you need it to establish, exercise or defend legal claims; or
- you have objected to the processing of the data, pending verification that the controller’s grounds are lawful.
6. Data portability right:
You can ask us to provide the personal data you have entrusted to our care to another administrator in a structured, commonly used electronic format if:
- we process the data on the basis of your consent, which may be withdrawn, or on the basis of a contractual obligation, and
- processing is performed automatically.
7. Right of appeal:
In case you believe that we are violating the applicable regulations, please contact us to clarify the issue. Of course, you have the right to file a complaint to the Commission for Personal Data Protection or to a relevant court under the Administrative Procedure Code. From 25 May 2018, you can also lodge a complaint with a regulatory body within the EU.
8. Compensation Right:
According to Art. 39, para. 2 of PDPL (Personal Data Protection Law) and Art. 82, para. 1 of Regulation (EU) 2016/679, any person who has suffered damage as a result of a violation of the provisions of Regulation (EU) 2016/679, is entitled to receive compensation by lawsuit before the competent judicial authority.
9. Exercise of your rights
Requests for access to information or for correction are submitted in person. We will rule on your request within one month of its submission. If a longer period is objectively necessary, in order to collect all the requested data, and when this seriously hinders our activities, this period can be extended to 30 days. By our decision, we grant or deny access and/or the information requested by the applicant, but we always give reasons for our response.
The minimum information contained in the application (according to Article 37c of PDPL) should be the following: name, address, PIN (personal ID number) / passport, description of the request, signature and date of submission, address for correspondence / e-mail (depending on the preferred form for obtaining information), power of attorney.
In connection with the rights described above (information, correction, the “right to be forgotten”, objection, restriction of processing, complaint), as well as the actions of the administrator in relation to these rights, a special register is kept in which all actions performed are entered.
The initial response to a request is free of charge. In case of excessive requests (repetitiveness: more than 2 (two) essentially identical requests within a period of 12 (twelve) months) or manifestly unfounded requests received from the same subject, the Administrator may charge a reasonable fee for the execution of the request, or refuse to act on it.
10. Principles of personal data processing according to Regulation (EU) 2016/679
- “Legality, good faith and transparency” – Your data is processed in accordance with applicable law, in good faith and in a transparent manner with respect to the data subject;
- “purpose limitation” – your data is collected for specific, explicit and legitimate purposes and is not further processed in a way incompatible with those purposes;
- “minimizing data” – the types of data we collect are appropriate, related to and limited to the minimum necessary in relation to the purposes for which they are processed;
- “Accuracy” – your data is accurate and, where necessary, kept up to date; we take all reasonable steps to ensure the timely erasure or correction of inaccurate personal data, taking into account the purposes for which it is processed;
- “storage restriction” – your data is stored in a form that allows the identification of the data subject for a period not longer than necessary for the purposes for which personal data are processed;
- “Integrity and confidentiality” – processed in a way that ensures an appropriate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures.
- “personal data” – any information relating to an identified or identifiable natural person;
- “data subject” means a person who can be identified, directly or indirectly, in particular by an identifier such as a name, identification number, location data, online identifier, or one or more characteristics specific to the physical, physiological, genetic, mental, intellectual, economic, cultural or social identity of that individual;
- “processing” – any operation or set of operations carried out on personal data or a set of personal data by automatic or other means, such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing or transmitting, disseminating or otherwise making the data available, arranging or combining, restricting, deleting or destroying;
- “restriction of processing” – marking of stored personal data in order to limit their processing in the future;
- “pseudonymisation” – the processing of personal data in such a way that personal data can no longer be linked to a specific data subject without the use of additional information, provided that it is stored separately and subject to technical and organizational measures in order to ensure that personal data do not relate to an identified or identifiable individual;
- “controller” – a natural or legal person, public authority, agency or other entity which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for determining it may be laid down in Union law or in the law of the Member State;
- “processor of personal data” – a natural or legal person, public authority, agency or other entity that processes personal data on behalf of the controller;
- “data subject’s consent” – any freely expressed, specific, informed and unambiguous indication of the data subject’s will, by means of a statement or clear confirmatory action expressing his or her consent to the processing of personal data relating to him or her;
- “breach of personal data security” – a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data that is transmitted, stored or otherwise processed;
- “Recipient” means a natural or legal person, public authority, agency or any other body to which personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the context of a specific investigation in accordance with Union or Member State law shall not be considered as “recipients”; the processing of this data by those public authorities complies with the applicable data protection rules in accordance with the purposes of the processing.
- “third country” – any country that is not a member of the European Union and is not a party to the Agreement on the European Economic Area;
12. Relevance and policy changes
www.data-corp.bg, based on current national and European legislation.
Last updated on March 10, 2023.