INTERNAL RULES FOR DATA PROTECTION

Approved May 21, 2018.

Last revised on August 31, 2020.

1. Introduction

The present Internal Rules for Data Protection (‘AUBG Data Protection Policy’ or the ‘Policy’) of the American University in Bulgaria Association, UIC: 000019449, seated in the city of Blagoevgrad 2700, No.1 Georgi Izmirliev Square, (‘AUBG’) regulate the technical and organizational measures applied by AUBG to ensure and to be able to demonstrate that the processing of personal data of AUBG staff, lecturers, prospective students, student applicants, job applicants, current and former students, as well as other stakeholders such as suppliers and contractors, is performed in accordance with the General Data Protection Regulation (Regulation 2016/679/EU) (GDPR).

2. Scope

The technical and organizational measures described herein shall apply to all processing activities performed by AUBG in the capacity of controller, i.e. where AUBG alone or jointly with others determines the purposes and means of the processing of personal data.

This Policy shall also apply to all processing activities performed under the authority of AUBG. Any processor or another person acting under the authority of AUBG or of the processor who has been provided with access to the personal data processed by AUBG, shall not process those data further except on instructions from AUBG, unless required to do so by Union or Bulgarian law.

An exhaustive list of the processing activities performed by or on behalf of AUBG, whether independently or jointly, may be found in the AUBG record of processing activities.

3. Definitions

All terms used herein shall have the meaning defined under Article 4 of the GDPR. In addition, the following terms used in the AUBG Data Protection Policy, whether capitalized or non-capitalized, shall be interpreted as follows:

  • ‘AUBG Staff’ or ‘Staff’ shall refer to the individuals who have executed employment contracts or other similar contractual relations with AUBG under the applicable Bulgarian labor laws.
  • ‘AUBG Faculty’ or ‘Lecturers’ shall refer to the individuals who are teaching classes at AUBG under an employment contract or another contractual relation executed with AUBG.
  • ‘Students’ shall refer to the individuals who are attending classes at AUBG, including Erasmus+ and other exchange students.
  • ‘Guests’ shall refer to any visitors of the AUBG campus who are not staff, lecturers or students.
  • ‘Prospective students’ shall refer to individuals whom AUBG considers eligible for, or interested in, applying for tuition, regardless of whether their personal data has been obtained by AUBG directly or indirectly via a partnering organization such as the College Board.
  • ‘AUBG Donors’ or ‘Donors’ shall refer to individuals who have executed or have demonstrated interest in executing donations agreements with AUBG.
  • ‘Former students’ or ‘AUBG Alumni’ shall refer to graduates from AUBG regardless of whether they are members of the AUBG Alumni Association or not.
  • ‘Applicants’ shall refer to individuals who have applied or are in the process of applying for tuition at AUBG.
  • ‘Loan Applicants’ shall refer to individuals who have applied or are in the process of applying for a loan offered by AUBG or a third party.
  • ‘Job Applicants’ shall refer to individuals who have applied or are in the process of applying for job positions at AUBG and whose personal data is processed in the context of hiring/recruitment procedures.
  • ‘Suppliers’ shall refer to any individual or company, including the representatives of such company, who are providing supply services such as IT support and services related to the delivery of goods, accounting, catering, reservation of conference rooms, organization of events, etc. which typically involve processing of personal data on behalf of AUBG.
  • ‘Contractors’ shall refer to any individual or organization, including the representatives of such organization, who process personal data jointly with AUBG or for purposes and by means specified by law (such as banks, insurance companies, law offices, etc.).

4. Responsibilities of AUBG and AUBG management as a controller

4.1. Implementation of appropriate technical and organizational measures for ensuring and documenting that processing is performed in compliance with the regulation (Article 24, GDPR)

As a controller, taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, AUBG is required to implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. These measures are documented by the present AUBG Data Protection Policy as well as the documents specified herein and are to be reviewed and updated, where necessary, on a yearly basis no later than May 25 of each year following a report by the designated AUBG Data Protection Officer.

4.2. Data protection by design and by default (Article 25, GDPR)

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, AUBG is required, both at the time of the determination of the means for processing and at the time of the processing itself, to implement appropriate technical and organizational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects. The determination of the appropriate measures designed to implement the data protection principles is performed by way of a risk assessment prior to the beginning of the processing related to each newly designed activity (see the AUBG Policy on risk assessment and data protection impact assessment for more information).

AUBG is further required to implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

4.3. Maintaining a record of processing activities (Article 30, GDPR)

AUBG is required to maintain and provide to the supervisory authority upon request a record of processing activities under its responsibility. Whether in writing or in electronic form, this record shall contain all of the following information:

  • the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  • the purposes of the processing;
  • a description of the categories of data subjects and of the categories of personal data;
  • the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
  • where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  • where possible, the envisaged time limits for erasure of the different categories of data;
  • where possible, a general description of the technical and organizational security measures referred to in Article 32(1).

The AUBG Record of Processing Activities is maintained in electronic form by the AUBG Data Protection Officer and is updated on a yearly basis no later than May 25 of each year, or sooner, where necessary.

4.4. Implementation of appropriate measures for the security of the processing (Article 32, GDPR)

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, AUBG is required to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; as well as a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. To ensure the security of the processing, the AUBG Office of Communications and Computing, in cooperation with the Data Protection Officer, has adopted a separate Information Technology Disaster Recovery Plan.

AUBG is further required to take steps to ensure that any natural person acting under its authority who has access to personal data does not process them except on instructions from AUBG, unless he or she is required to do so by Union or Member State law. To ensure compliance, AUBG has included the relevant clauses in the AUBG Staff employment contracts and job descriptions. The AUBG Data Protection Officer has also been assigned the organization of yearly GDPR awareness trainings as well as initial training for newly hired employees.

4.5. Notification of a personal data breach to the supervisory authority (Article 33, GDPR)

In case of a personal data breach, AUBG is required, without undue delay and, where feasible, not later than 72 hours after having become aware of it, to notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it is to be accompanied by reasons for the delay. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

The notification to the competent supervisory authority is to include at least the following information:

  • description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • name and contact details of the data protection officer or other contact point where more information can be obtained;
  • the likely consequences of the personal data breach;
  • measures taken or proposed to be taken by AUBG to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

AUBG is further required to document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation is to enable the supervisory authority to verify compliance with the GDPR.

To ensure compliance AUBG has adopted the AUBG Policy on notification and communication of data breaches (including template notification and communication forms as appendices to the policy) as well as the AUBG Record of Data Breaches.

4.6. Communication of a personal data breach to the data subject (Article 34, GDPR)

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, AUBG is required to communicate in clear and plain language the nature of the personal data breach to the data subject without undue delay, unless:

  • AUBG has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
  • AUBG has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to above is no longer likely to materialize;
  • it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

If AUBG has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to above are met.

Please find additional information in the AUBG Policy on notification and communication of data breaches.

4.7. Data protection impact assessment and prior consultation (Article 35-36, GDPR)

Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, AUBG is required, prior to the processing, to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, seeking the advice of the designated data protection officer. A single assessment may address a set of similar processing operations that present similar high risks.

AUBG is further required to consult the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by AUBG to mitigate the risk.

The procedures and standards for data protection impact assessment and prior consultation are specified in the Policy on risk assessment and data protection impact assessment.

4.8. Determination of responsibilities for compliance with the obligations under the GDPR when processing personal data with another controller (Article 26, GDPR)

Where jointly determining the purposes and means of processing with another controller, AUBG shall jointly with the controller in a transparent manner determine their respective responsibilities for compliance with the obligations under the GDPR, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information regarding the processing, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Bulgarian law to which the controllers are subject. The arrangement may designate a contact point for data subjects, such as the controllers’ data protection officers. Irrespective of the terms of the arrangement referred to above, the data subject may exercise his or her rights under the GDPR in respect of and against each of the controllers. All contractual relations are subject to review by the AUBG Data Protection Officer and, acting on the DPO’s recommendations, AUBG has executed the relevant joint controller arrangements under Art. 26 of the GDPR. These have been duly documented in the AUBG Record of Processing Activities.

4.9. Executing contracts or other binding legal acts to govern processing on behalf of AUBG (Article 28, GDPR)

AUBG shall execute with the processors, including suppliers and contractors, where applicable, a contract or other legal act under Union or Bulgarian law, that is binding on the processor with regard to AUBG and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of AUBG. All contractual relations are subject to review by the AUBG Data Protection Officer and, acting on the DPO’s recommendations, AUBG has executed the relevant data processing agreements under Art. 28, para 3 of the GDPR. These have been duly documented in the AUBG Record of Processing Activities.

4.10. Obligations with regards to the transfers of personal data to third countries or international organizations (Article 44-49, GDPR)

AUBG is required with regards to any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization, to ensure that such transfer shall take place only if (1) the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection; or (2) in the absence of such decision, AUBG has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available; or (3) in the absence of an adequacy decision or of appropriate safeguards, one of the following conditions is present:

  • the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
  • the transfer is necessary for the performance of a contract between the data subject and AUBG or the implementation of pre-contractual measures taken at the data subject’s request;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between AUBG and another natural or legal person;
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for the establishment, exercise or defense of legal claims;
  • the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
  • the transfer is made from a register which according to Union or Bulgarian law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

All current transfers have been reviewed by the AUBG Data Protection Officer. Information regarding the transfers has been duly documented in the AUBG Record of Processing Activities.

4.11. Transparent information, communication and modalities for the exercise of the rights of the data subject (Art. 12-23, GDPR)

AUBG takes appropriate measures to provide any information referred to in Articles 13 and 14 of the GDPR as well as any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information has been drawn up in a number of privacy notices provided by electronic means on the AUBG website (https://www.aubg.edu/) free of charge and in a section at the website footer, which has been made visible from each page of the website.

AUBG has a further obligation to facilitate the exercise of data subject rights under Articles 15-22 of the GDPR as well as to provide information on action taken on any such request without undue delay and in any event within one month of receipt of the request, a period which may be extended by a further two months where necessary. To facilitate this process AUBG has adopted the AUBG Policy on data subject requests. This policy includes a procedure for requesting additional information from the data subject for the purposes of confirming his or her identity.

Union or Bulgarian law may restrict by way of a legislative measure the scope of AUBG obligations and data subject rights provided for in Articles 12 to 22 and Article 34 of the GDPR, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22 of the GDPR, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

  1. national security;
  2. defence;
  3. public security;
  4. the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
  5. other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
  6. the protection of judicial independence and judicial proceedings;
  7. the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
  8. a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points 1 to 5 and 7;
  9. the protection of the data subject or the rights and freedoms of others;
  10. the enforcement of civil law claims.

4.12. Designation of a Data Protection Officer (Article 37, GDPR)

AUBG has designated as data protection officer Gugushev & Partners Law Office with address at 1000 Sofia, No.11A Aksakov Street, floor 5, office 3, e-mail address: [email protected]. The AUBG Data Protection Officer may be contacted via the designated authorized representative, who has been notified to the Commission for Personal Data Protection. The AUBG Data Protection Officer is independent in the completion of its tasks and responsibilities under the GDPR and this policy and reports directly to the highest level of management of the university, i.e. the AUBG President.

5. Responsibilities of AUBG Data Protection Officer

The AUBG Data Protection Officer is assigned with and responsible for the following tasks:

  1. to inform and advise AUBG, the AUBG Staff and AUBG Faculty who carry out processing of personal data with regards to their obligations pursuant to the GDPR and to other Union or Member State data protection provisions;
  2. to monitor compliance with the GDPR, with other Union or Member State data protection provisions;
  3. to monitor compliance with the policies of the AUBG in relation to the protection of personal data;
  4. to be responsible for awareness-raising and training of staff involved in processing operations, and the related audits;
  5. to provide advice where requested as regards the data protection impact assessment and monitor its performance;
  6. to cooperate with the Commission for Personal Data Protection in its capacity as the competent supervisory authority under the GDPR with regards to the processing of personal data;
  7. to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, GDPR, and to consult, where appropriate, with regard to any other matter;
  8. to maintain on behalf of the controller the AUBG Record of Processing Activities;
  9. to maintain on behalf of the controller the AUBG Record of Data Breaches as well as to notify any such breaches on behalf of AUBG to the Commission for Personal Data Protection and to communicate any such breaches on behalf of AUBG to the data subjects, where applicable.

6. Responsibilities of AUBG Staff and Faculty

All leaders and managers of departments bear responsibility for the observance of these rules by the staff under their supervision and shall introduce the relevant practices, processes and training.

Please contact the data protection officer in case of any enquiries relating to the application of these rules or if you have any concerns that they are not being correctly applied. It is obligatory for you to contact the data protection officer in the following situations:

  • If you are not sure about the legal basis on which you can rely in respect of the processing of personal data;
  • If you need to obtain consent, including explicit consent, from a data subject;
  • If you have to prepare privacy notices or other data protection notifications (see section 4.11 above);
  • If you have any concern in connection with the retention period for the personal data which you process;
  • If you are not sure about the data security measures which you have to introduce in order to protect personal data;
  • If you have discovered, or suspect, a personal data breach;
  • If you are not sure on what basis you can transfer personal data outside the European Economic Area (see section 4.10 above);
  • If you need assistance because you have been informed that a data subject wishes to exercise any of his or her rights under the GDPR (see section 4.11 above);
  • Whenever you plan to begin, or to significantly change the way you perform, a processing operation which may require a data protection impact assessment (see section 4.7 above), or when you intend to use personal data for purposes other than those for which they were collected;
  • If you plan to carry out processing of personal data based on automated processing, including profiling and automated decision-making;
  • If you need assistance in respect of compliance with the applicable law in connection with direct marketing activities;
  • If you need assistance in connection with commercial or other contracts, or in other contexts, involving the sharing of personal data (see section 4.9 above).

Each employee is also responsible for the protection of the personal data which AUBG keeps and must take particular care to protect sensitive personal data against loss and unauthorized access, use or disclosure.

Each employee shall follow all procedures and technical measures which AUBG has introduced for the purpose of protecting the security of personal data from the moment of its collection to the moment of its destruction. You may transfer personal data to subcontractors only if they agree to observe the same policies and procedures and provide the protection measures which AUBG requires.

Each employee must safeguard the security of personal data by protecting its confidentiality, integrity and availability, defined as follows:

  • Confidentiality means that only persons who need to know and are authorized to use the personal data have access to them;
  • Integrity means that the personal data are accurate, complete and fit for the purposes for which they are processed, and have not been altered without authorization;
  • Availability means that authorized users are provided with access to the personal data for authorized purposes when they need it.

Each employee must observe, and must not circumvent or impede, the administrative, physical and technical safeguards which AUBG has introduced.

REPORTING A BREACH

Each employee who has information about a personal data breach, or who suspects that such a breach has occurred, must contact the person or team designated for that purpose: the data protection officer, the information security department or the legal department. All evidence relating to a potential breach must be preserved.

DATA SUBJECT REQUESTS

Each employee shall verify the identity of any person who wishes to exercise one of the rights referred to above; the employee must not allow third parties to receive personal data without prior authorization.

Each employee must immediately forward any request for access to personal data which he/she receives to his/her line manager or to the data protection officer of AUBG.

SHARING OF PERSONAL DATA

In general, AUBG is not allowed to share personal data with third parties unless appropriate safeguards and contractual arrangements are in place. An employee may share personal data which he/she processes with another employee of AUBG only if the performance of the recipient’s official duties requires access to the data, i.e. on a ‘NEED TO KNOW’ basis.

An employee may share personal data which he/she controls with third parties, such as subcontractors, only if all of the following conditions are met:

  • the third party requires the data in order to perform a service under a contract;
  • the sharing of the personal data is consistent with the privacy notice provided to the data subject and, where necessary, the data subject’s consent has been obtained;
  • the third party has agreed to observe the required data security standards, policies and procedures;
  • the transfer complies with the applicable restrictions on transfers to countries outside the European Economic Area; and
  • a data processing contract meeting the requirements of the GDPR has been duly concluded with the subcontractor.

TRAINING AND AUDITS

The GDPR obliges AUBG to provide adequate training to its staff and faculty in support of compliance with the requirements of the GDPR, as well as regular testing of the systems and processes connected with the processing. Each employee shall familiarize themselves with the AUBG Data Protection Policy and, more specifically, with their obligations with regards to the processing of personal data, including, when required, by completing or participating in the relevant GDPR awareness trainings organized by the AUBG Data Protection Officer.

Any intentional or negligent violation of these internal rules shall constitute a disciplinary offense and a breach of the employment contract executed with AUBG, for which AUBG shall take the necessary disciplinary measures as provided by the Bulgarian Labor Code.