Regulation (EU) 2016/679 (General Regulation FOR Data Protection) replaces the Data Protection Directive 95/46 EU. It has direct force and implies changes in the legislation of the Member States in the area of personal data protection. Its purpose is to protect the "rights and freedoms" of the individuals and to ensure that personal data are not processed without their knowledge and, where possible, that they are processed with their consent.
Material scope 2 (Article 2) – this Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data (e.g. manually and on paper) which form part of a filing system or are intended to form part of a filing system.
Territorial scope (Article 3) – The rules of GDPR will apply to all data controllers established in the EU who process personal data of individuals in the context of their activities. It will also apply to non-EU data controllers who process personal data for the purpose of offering goods and services or observing the behaviour of data subjects residing in the EU.
“Personal data" – any information relating to an identified or identifiable natural person (“data subject") who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
"Special categories of personal data" – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
“Processing" – any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, alteration, use, disclosure by transmission, dissemination or otherwise making available or other means by which data become available, arranged or combined, restricted, deleted or destroyed;
“Data controller" – a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
"Data subject" – any alive natural person who is subject of the personal data stored by the Controller.
"Data subject’s consent" – a freely given, specific, informed and unambiguous indication of the data subject's wishes by which the latter, by a statement or by a clear affirmative action, signifies agreement to the processing of his/her personal data;
"Child" – GRDP defines as child any person below the age of 16, although this age may be reduced to 13 years by the law of the Member State. The processing of personal data of a child is legal only if the parent or the guardian has given his/her consent. In such cases, the Controller makes reasonable efforts to verify that the parent/guardian of the child has given or has been authorized to give his/her consent.
“Profiling" – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
"Personal data breach" – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." "Main place of establishment" – the headquarters of the data controller in EU will be the place where he takes the basic decisions about the purpose and the means of his data processing activities. Regarding the data processor, its main place of establishment in the EU will be his administrative centre. If the controller’s headquarters are outside the EU, he must appoint a representative in the jurisdiction where the controller operates to act on behalf of the controller and to interact with the supervising bodies. (Article 4 section16) of GRDP)
“Recipient" – a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
“Third party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
1. The management of SAVOS PRODUCTION Ltd. undertakes to ensure compliance with the EU and Member States legislation regarding the processing of personal data and the protection of "rights and freedoms" of the persons whose personal data are collected and processed by SAVOS PRODUCTION Ltd. pursuant to the General Data Protection Regulation (Regulation (EU) 2016/679).
2. In accordance with GRDP, other relevant documents, as well as related processes and procedures are described in this policy.
3. Regulation (EU) 2016/679 and this policy apply to all personal data processing operations, including the processing of personal data of customers, employees, suppliers and partners, as well as any other personal data from different sources processed by the organization.
4. The Data Protection Officer is responsible for the annual revision of the “Registry of Processing Activities" related to any changes in the activities of SAVOS PRODUCTION Ltd, as well as any further requirements and impact assessments on the data protection. This registry must be available on demand of the supervisory authority.
This policy applies to all employees/workers and partners of SAVOS PRODUCTION Ltd, such as external suppliers. Any breach of GRDP will be treated as a breach of the labour discipline, and if there is a presumption of a crime, the matter will be referred to the relevant government authorities as soon as possible.
6. Partners and third parties working with or for SAVOS PRODUCTION Ltd. and having actual or implied access to personal data are expected to acquaint themselves with this policy to understand it and comply with it. No third party may access personal data stored by SAVOS PRODUCTION Ltd. without having previously entered into a data privacy contract imposing on the third party obligations that are at least as strict than the obligations of SAVOS PRODUCTION Ltd. and which contract entitles SAVOS PRODUCTION Ltd. to carry out checks of the compliance with the contractual obligations
1. SAVOS PRODUCTION Ltd. is (data controller and/or data processor) under Regulation (EC) 2016/679.
2. The management and all members of the consultancy bodies of SAVOS PRODUCTION Ltd. are responsible for the developing and the promoting of good practices in the field of information processing in SAVOS PRODUCTION Ltd
3. The Data Protection Officer, having the role defined by Regulation (EC) 2016/679 must be a part of the management and must be accountable to the management of SAVOS PRODUCTION Ltd. for the management of personal data within the organization and the ensuring of compliance with the data protection legislation and the good practices.
this accountability of the DPO includes:4. The Data Protection Officer who is considered appropriate, qualified and experienced by the management is appointed to take the responsibility for the compliance of SAVOS PRODUCTION Ltd. with this policy on a daily basis. The DPO is directly responsible for ensuring that both the SAVOS PRODUCTION Ltd. organization as a whole and the activities of each member of the management, within their area of responsibility, comply with the requirements of Regulation (EC) 2016/679.
5. The DPO has specific responsibilities related to procedures such as "Data subjects’ claims management" and is the contact point for the employees of the Controller who want clarifications on every aspect of the data protection compliance.
6. The compliance with the data protection legislation is responsibility of all employees of SAVOS PRODUCTION Ltd. who process personal data.
7. The training policy of SAVOS PRODUCTION Ltd. (the Training Policy) specifies the specific training and awareness requirements in relation to the specific roles of the employees/workers of SAVOS PRODUCTION Ltd.
All processing of personal data must be carried out in accordance with the data protection principles set out in Article 5 Of Regulation (ЕU) 2016/679. The policies and procedures of SAVOS PRODUCTION LTD aim to ensure compliance with these principles.
1. The personal data must be processed lawfully, fairly and transparentlyLawfully – identification of a legal basis before the processing of personal data. These are often referred to as "grounds for processing", e.g. "consent".
Fairly – in order for the processing to be fair, the data controller must provide certain information to the data subjects, as far as practicable. This applies regardless of whether the personal data is obtained directly from the data subjects or from other sources.
Regulation (EU) 2016/679 increases the requirements for what information should be available to data subjects, which information is covered by the "transparency" requirement.
Transparent – GRDP includes rules on the provision of confidential information to data subjects in Articles 12, 13 and14 of GRDP. They are detailed and specific, emphasizing that the privacy notices are understandable and accessible. The information for the data subject must be comprehensible and of easily accessible form, in plain and simple language
2. Personal data may be collected only for specified, explicit and legitimate purposesData obtained for specific purposes must not be used for purposes other than those officially announced to the supervisory authority as part of the Personal data processing registry (Article 30 of GRDP) of SAVOS PRODUCTION Ltd. – Transparency of the personal data processing.
3. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. (principle of minimum necessity)The Data Protection Officer ensures that SAVOS PRODUCTION Ltd. does not collect information that is not strictly necessary for the purpose for which it has been received.
All data collection forms (electronic or paper), including the data collection requirements in the new information systems, must include a Statement for fair processing or a link to a Statement of Privacy and must be approved by the DPO.
The Data Protection Officer ensures that all data collection methods are audited annually by internal auditors/external experts) in order to ensure that the collected data are still adequate, relevant and not excessive
4. The personal data must be accurate and up to date at all times and necessary efforts must be made allowing immediate erasure or rectification (as far as technically feasible).The data stored by the data controller must be reviewed and updated as necessary. Data, which is likely to be inaccurate should not be stored.
The Data Protection Officer is responsible for ensuring that the whole personnel is trained about the importance of the accurate data collection and maintenance.
Also, it is the duty of the data subject to declare that the data provided for storage by SAVOS PRODUCTION Ltd. are accurate and up to date. The filling in of a form by the data subject for the controller will include a statement that the data contained therein are accurate by the date they are provided.
The employees/workers (clients/others) are required to notify SAVOS PRODUCTION Ltd. about any changes of circumstances, so that the records of personal data are updated. SAVOS PRODUCTION Ltd. are obliged to ensure that any notification about change of circumstances is recorded and action is taken.
The Data Protection Officer ensures that adequate procedures and policies are implemented to maintain the accuracy and up-to-date state of the personal data, taking into account the volume of the collected data, the rate with which this volume may change and other relevant factors. At least annually, the Data Protection Officer will review the periods of storage of all personal data processed by SEMIRA Ltd by referring to the inventory of the data and will identify all data that are no longer necessary in the context of the registered purpose. These data will be duly destroyed according to the procedures and rules of the controller. The Data Protection Officer is responsible for complying with requests for data rectification within one month. That period may be extended by further two months for complex requests. If SAVOS PRODUCTION Ltd. decides not to comply with the request, the Data Protection Officer must respond to the data subject in order to explain the reasons and must inform the data subject about his/her right to lodge a complaint at the supervisory authority and to seek legal protection.
The Data Protection Officer is responsible for taking adequate measures in cases where third party organizations have inaccurate or outdated personal data and to inform them that the information is inaccurate or outdated and must not be used for making decisions about these individuals and to inform the respective parties; and to forward any rectification of personal data to the third parties where necessary.
5. The personal data must be stored in a form allowing identification of the data subject only as long as necessary for the processing.When the personal data is stored after the date of processing, they will be stored adequately (minimized) to protect the identity of the data subject in case of data breaches.
The personal data will be stored in accordance with the Data Storage and Destruction Procedure and after the expiration of the storage period they must be reliably destroyed according to this procedure.
The Data Protection Officer must specifically approve any storage of data beyond the storage period defined in the Data Storage and Destruction Procedure and must ensure that the justification is clearly defined and complies with the requirements of the applicable data protection law. this approval must be in writing.
6. The personal data must be processed in a manner that ensures appropriate security (Article 24, art. 32 of GRDP)The Data Protection Officer carries out a risk assessment taking into account all circumstances related to the data management or processing operations by SAVOS PRODUCTION Ltd.
In determining the adequacy of the processing, the Data Protection Officer must also assess the extent of any damage or loss that may be caused to individuals (e.g. personnel or customers) in case of security breach, as well as any eventual damage to the reputation of the controller, including a possible loss of customer confidence.
7. Observing the principle of accountabilityRegulation (EU) 2016/679 includes provisions that promote the accountability and the manageability and complement the transparency requirement. The accountability principle in Article 5, Para. 2 requires the controller to prove the observance of the other principles in the GRDP and explicitly states that this is his responsibility.
SAVOS PRODUCTION Ltd. will demonstrate compliance with the data protection principles through the implementation of data protection policies by adhering to codes of conduct, implementing appropriate technical and organizational measures, by adopting data protection techniques by design and by default, assessment of the impact on the personal data protection, personal data breach notification procedure, etc.
1. the data subjects have the following rights related to the data processing as well as to the data recorded for them:
To obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, access to such personal data and who the recipients of these data are.
To request a copy of his/her personal data from the controller;
To request from the controller rectification of inaccurate or not up to date personal data;
To request from the controller erasure of the personal (right “to be forgotten");
To request from the controller restriction of the processing, while in this case the personal data will only be stored, but not further processed;
To object to the processing of personal data;
To object to processing of his/her personal data for direct marketing;
To lodge a complaint to the supervisory authority if he/she believes that any of the provisions of GRDP is violated;
To request that his/her personal data is provided to him/her in a structured, commonly used and machine-readable form;
To withdraw his/her consent to the processing of his/her personal data, at any time by means of a separate application deposited before the controller.
To not be a subject of automated decisions affecting him/her to a significant extent, when there is no human intervention in the decision-making process. To object to the automated profiling carried out without his/her consent;
2. SAVOS PRODUCTION Ltd. provides conditions guaranteeing the exercise of the rights of the data subject:
The data subjects may request access to their personal data, as described in the Procedure for management of requests from data subjects;
The data subjects have the right to submit complaints to SAVOS PRODUCTION Ltd. concerning the processing of their personal data, the processing of the request from the data subject and the data subject's appeal about the way the complaints are processed in accordance with the Procedure for communication in case of complaints and requests from data subjects
1. SAVOS PRODUCTION Ltd. understands as “consent" any freely given, specific, informed and unambiguous indication of the data subject's will by which he or she, by a statement or clear affirmative action, confirms an agreement to the processing of personal data relating to him or her. The data subject may withdraw his or her consent at any time.
2. SAVOS PRODUCTION Ltd. understands as "consent" only the cases where the data subject has been fully informed about the planned processing and has expressed his/her consent without pressure being exerted on him/her. Consent obtained under pressure or based on misleading information will not constitute a valid legal ground for personal data processing.
3. Consent cannot be derived from the absence of a response to a message to the data subject. There must be active communication about the consent between the controller and the data subject. The controllers must be able to demonstrate that the consent for processing has been given.
4. In most cases, the consent for processing personal and special categories of data is obtained routinely by SAVOS PRODUCTION Ltd. using standard documents for consent – e.g. Registration form on the site including - Name, Surname, email and phone.
1. All employees/workers are responsible for ensuring the security of the storage of the data they are responsible for and stored by SAVOS PRODUCTION LTD and also that the data are stored securely and are not disclosed to third parties under any circumstances, unless SAVOS PRODUCTION Ltd. has granted such rights to such third parties by concluding a contract/clause for confidentiality. This includes the company hosting the website of SAVOS PRODUCTION Ltd.
2. All personal data must be accessible only on a need to know basis and access can only be granted in accordance with established rules for access control.
1. SAVOS PRODUCTION Ltd. provides conditions under which personal data are not disclosed to unauthorized third parties, including family members, friends, state authorities, even investigating ones, if there is reasonable doubt that they are not requested under the established procedure. All employees/workers must be cautious when a third party requests disclosure of stored personal data about another individual. It is important to consider whether or not the disclosure of information is related to the needs of the organization's activities.
2. All requests from third parties for provision of data must be supported by appropriate documentation and any such disclosure must be specifically authorized by the Data Protection Officer.
1. SAVOS PRODUCTION Ltd. does not store personal data in a form allowing identification of the individuals for a period that is not longer than is necessary for the purposes for which the data are collected.
2. SAVOS PRODUCTION Ltd. may store data for longer periods only if the personal data will be processed for purposes of archiving, for purposes of public interest and for statistical purposes and only when the appropriate technical and organizational measures are implemented to guarantee the rights and freedoms of the data subjects.
3. The procedure for storing and destruction of the data received by SAVOS PRODUCTION Ltd. applies in all cases.
4. The personal data must be destroyed securely in accordance with the principle of ensuring an adequate level of security (Article 5, Para. of GRDP) – including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality").
1. Any export of data from EU to non-EU countries (referred to in GRDP as "third countries") is illegal unless there is an appropriate "level of protection of the fundamental rights of the data subjects".
2. Exceptions
In the absence of an adequacy decision, membership in US Privacy Shield or binding corporate rules and/or contract clauses, a transfer of personal data to a third country or an international organisation takes place only on one of the following conditions:
1. SAVOS PRODUCTION Ltd. has established a data inventory process as part of its approach to addressing the risks and opportunities within the process of complying with the policy of Regulation (EC) 2016/679. During the inventory of the data in SAVOS PRODUCTION Ltd. and within the data work flow, the following is established:
2. SAVOS PRODUCTION Ltd. is aware of the risks associated with the processing of certain types of personal data.
3. SAVOS PRODUCTION Ltd. assesses the level of the risk to the data subjects, related to the processing of their personal data. Assessments of the impact on the data protection in relation to the processing of personal data is carried out by SAVOS PRODUCTION Ltd. and also in connection with the processing carried out by other organizations on behalf of SAVOS PRODUCTION Ltd.
4. SAVOS PRODUCTION Ltd. manages all risks identified by the impact assessment in order to reduce the probability of non-compliance with these rules.
5. When, as a result of the Impact assessment, it is clear that SAVOS PRODUCTION Ltd. will begin processing of personal data which, due to a high risk, could cause damage to data subjects, the decision whether or not to continue the processing must be submitted for review by the Data Protection Officer.
6. If the DPO has serious concerns about either the potential harm or danger or about the amount of the respective data, the matter is escalated to the supervisory authority.
7. The Data Protection Officer carries out a periodic (annual) review of the initially inventoried data, reviews the information entered in the "Registry of processing activities" related to any changes in the activities of SAVOS PRODUCTION Ltd.
Last updated – Мarch 01, 2019