This privacy notice outlines how and why the American University in Bulgaria (AUBG) collects, uses and stores your personal data, and your rights in relation to the personal data we hold. We may modify or amend this Privacy Notice. The most current version will always be available on our Website and, where appropriate, notified to you by e-mail. If you have any questions about such matters you can contact us at [email protected].
What personal data do we collect?
The personal information we collect from you is the following:
- details you provided through your job application (CV, motivation letter and list of references), any requested supporting documents, additional details provided by any referees; interview details, contact details;
- contract of employment and any amendments to it – name, date of birth, personal ID number, passport/ID card number; nationality;
- correspondence with or about you, for example letters to you about a pay rise or, at your request, a letter to your mortgage company confirming your salary;
- information needed for payroll, benefits and expenses purposes; contact and emergency contact details;
- records of holiday, sickness and other absence;
- health data, as required;
- records relating to your career history, such as training records, appraisals, other performance measures;
- performance evaluation forms;
- disciplinary and grievance records;
- bank account details;
- social security status.
How do we collect your personal data?
We collect information about you when you:
- sign an employment contract;
- deposit or withdraw money at the cashiers;
- present a medical leave of absence;
- request information or service, i.e. additional medical and life insurance, additional pension insurance;
- participate in the annual evaluation process.
We may further have some information about you coming from your previous employers, as referees, and/or an HR company, it this has been part of your application for employment.
The basis for processing your information and how we use it
As your employer, AUBG needs to keep and process information about you for the usual employment purposes – main employment folder (staff record), payroll, medical and other leaves, work health and safety conditions, performance and evaluation, additional benefits to employees. Pension plans. The information we retain and process will be used for our management and administrative use only, to enable us to operate the University business and manage our relationship with you effectively, lawfully and appropriately, during the recruitment process, while employed with us, at the time when your employment ends and after you leave AUBG. This includes using information to enable us to comply with employment contract clauses, to comply with legal requirements, pursue the legitimate interests of the University and protect our legal position in the event of legal proceedings.
Considering the complete and exhaustive labor legislation, processing personal data directly related to an employment contract is based on Art. 6,p. 1, © of General Data Protection Regulation (GDPR) – legal obligation. This includes:
- registering and administering employment contracts;
- administering remuneration, payroll, pension and other standard employment functions;
- processing payments;
- administering HR-related processes, including those relating to performance/absence management, disciplinary issues and complaints/grievances;
- supporting your health, safety and welfare at work;
- processing medical leave of absences;
- delivering facilities and services, necessary for the job (e.g. library, bookstore, security; IT);
- reporting to the National Revenue Agency and National Social Security Institute, Internal Revenue Service (IRS);
- issuing financial declarations and/or reports, at your request;
- submitting tax relief documentation;
- complying with anti-money laundering laws and safeguarding requirements, preventing and detecting crime;
- monitoring and fulfilling our responsibilities under equalities, immigration and public safety legislation;
- fulfilling governance, audit, regulation and quality assurance arrangements and obligations.
Processing personal data about additional benefits is based on Art. 6,p. 1, © of GDPR – consent of the data subject. This may include additional medical insurance for you and close family members, additional pension insurance, additional life insurance, celebrations for children of AUBG, etc.
We will process some personal information for the university’s legitimate interest for the following:
- ensuring safety and security within the university;
- monitoring use of AUBG facilities in accordance with University policies; supporting your training and professional development;
- assessing your suitability for a particular role or task (including any relevant right to work reviews and inspections);
- communicating effectively with you by post, email and phone, including the distribution of relevant newsletters and circulars;
- compiling statistics, and conducting surveys and research for internal and statutory reporting purposes;
- monitoring and evaluating the performance and effectiveness of the university;
- maintaining and improving academic, corporate, financial, estate and human resource management of the university;
- promoting equality and diversity throughout the university; seeking legal advice on institutional rights and obligations.
We may also process your personal data where:
- it is necessary to protect your or another person’s vital interests;
- we have your specific or, where necessary, explicit consent to do so.
Control and care over your data
We, as an institution with one of the highest rankings in Bulgaria, are striving to improve and upgrade our control systems – to include pseudonymization of the collected and processed data, access controls, defined within the university, and most importantly – applied due care by our staff and faculty members. All measures are implemented against inadvertent or deliberate manipulation, loss, or destruction, and access by unauthorized persons. Access to your personal data is limited to HR and Business offices staff who use it to perform their job obligations.
We will not use your personal information to carry out any wholly automated decision-making that affects you.
With whom we share your data?
Your data will be shared with public authorities, such as Bulgarian Ministry of Education, National Agency for Evaluation and Accreditation, Ministry of Foreign affairs (for visa purposes), National Revenue Agency, National Social Security Institute, Internal Revenue Service (IRS), Ministry of Internal Affairs, external audit companies, etc. as part of our legal obligations. AUBG may transfer your personal data if and when it finds it appropriate to contract companies for external payroll administration, work health and safety provider, marketing companies for internal and external surveys, evaluation and performance measurement, internal and external auditors, insurance and pension companies, etc. In cases we need to transfer your personal data to third parties, you will be notified, and asked for consent, if the data transfer process requires us to do so. In any case, we will share your personal data with high attention to the third parties’ level of technical and organizational ability to manage personal data as required by the GDPR standards.
How long we keep it?
We store your personal information as part of your staff record for the duration of your employment (and it may be used as part of our assessment of any future application you make for further employment at AUBG). After you leave, certain records pertaining to your employment are retained indefinitely so that the details of your employment can be confirmed, and for statistical or historical research. Your payroll records will be retained according to the legal requirements for a period of fifty years.
The American University in Bulgaria (AUBG) can implement mandatory COVID-19 testing as part of its measures to prevent/limit the spreading of COVID-19 on the territory of the University and with the aim to protect the life and health of its students, employees and visitors. The mandatory COVID-19 testing is based on the legitimate interest of the controller AUBG – Art. 6, p. 1, (f) of the General Data Protection Regulation (GDPR). Please note that the actual testing is carried out in licensed laboratories by medical practitioners and AUBG does not process personal data at that stage. Once presented with information about the medical status of individuals, the processing of this data by the University is based on Art. 9, p. 2, (b) of the GDPR – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.
The AUBG has chosen tests that are most appropriate for the purposes of the testing and expenses for the tests are covered by the University. The AUBG will apply short retention periods by keeping the data related to the tests only for as long as it is necessary in order to make decisions connected with the purposes mentioned above: preventing/limiting the spreading of COVID-19 on the territory of the University and protecting the life and health of its students, employees and visitors. For your as a data subject in relation to the personal data we hold, pease refer to the last section of this privacy notice.
Collection and use by third party vendors
We do not sell data or databases to third parties for any reason.
You rights in relation to the personal data we hold
- to request access to your personal data we hold;
- to rectify or erasure your personal data; to restrict or object to processing concerning your data;
- to request data transfer to other parties;
- to withdraw consent at any time, without affecting the lawfulness of processing based on consent before this withdrawal;
- to lodge a complaint with the supervisory authority – Commission for Personal Data Protection, address – 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592.
You may address your concerns or inquiries to our Data Protection Officer (DPO) – Gugushev and Partners Law Office, Yoanna Ivanova, e-mail: [email protected]; Address: 11A Aksakov Street, floor 5, Sofia 1000, Bulgaria, Telephone: +359 2 815 75 10.
Please see AUBG Internal Rules for Data Protection for more information.