This privacy notice outlines how and why the American University in Bulgaria (AUBG) collects, uses and stores your personal data, and your rights in relation to the personal data we hold. We may modify or amend this Privacy Notice. The most current version will always be available on our Website and, where appropriate, notified to you by e-mail. If you have any questions about such matters you can contact us at [email protected].
What personal data do we collect?
The personal information we collect from you is the following:
- personal data including your name, date of birth and gender;
- personal data as on passport (№ of passport, date of issue, expiry date, date and place of birth);
- contact data including your home/school address, citizenship, email address and phone number;
- medical information about you, where appropriate;
- information about your family as part of the application process;
- education, and work/volunteer experience (CV and resume for summer camp counselors);
- recommendations from third parties (for summer camp counselors);
- profile data including your specific requests, preferences, feedback, survey responses;
- other information you share during an application interview.
How do we collect your personal data?
We collect information about you when you:
- request information to be sent to you;
- request assistance with initiating visa application process;
- register for an event – conference, seminar, workshop or summer camp; visit our campus;
- participate in AUBG-initiated events and programs and events at AUBG;
request additional conference services such as transportation, accommodation and dining interact with any AUBG page or account on a social media platform, or when you use your social media account or credentials to log in to the Website;
- provide your personal information to other parties such as official organizational representatives, consultants and others*.
Note: * When we obtain personal data from third party sources, we will look to ensure that the third party has lawful authority to provide us with your personal data.
The basis for processing your information and how we use it
The lawful base for data processing is a contractual obligation or steps on your part to enter into a contract with AUBG – based on your request to participate in an event organized by AUBG. In this respect, we use your personal data for the following:
- to provide our conference services to you, to administer financial documents, statements and receipts; to provide IT, information and other conference related services;
- to ensure participants’ safety and security;
- to manage participants` accommodation;
- to deal with any concerns or feedback you may have.
We may also process your personal data because it is necessary for our legitimate interests. In this respect, we may use your personal data for the following:
- to monitor and evaluate the performance and effectiveness of the university, including training and/or monitoring our staff performance;
- to maintain and improve the academic, corporate, financial, estate and human resource; management of the university;
- to promote equality and diversity throughout the university;
- to promote our services (e.g. provide information about summer schools, student exchange programs, or other events happening on and off campus);
- to seek advice on our rights and obligations; to recover money you may owe to AUBG; to support our fundraising and recruitment efforts.
We may also process your personal data in relation to compliance with our legal obligations. In this respect, we may use your personal data for the following:
- financial audits;
- compliance with anti-money laundering laws and safeguarding requirements;
- prevention and detection of crime;
- criminal investigations – assist with investigations (including criminal investigations) carried out by the police and other competent authorities.
We may also process your personal data where:
- it is necessary for medical purposes (e.g. medical diagnosis, provision of health or social care or treatment, or a contact with a health professional);
- it is necessary to protect your or another person’s vital interests;
- or we have your specific or, where necessary, explicit consent to do so.
Control and care over your data
We, as an institution with one of the highest rankings in Bulgaria, are striving to improve and upgrade our control systems – to include pseudonymization of the collected and processed data, access controls, defined within the university, and most importantly – applied due care by our staff and faculty members. All measures are implemented against inadvertent or deliberate manipulation, loss, or destruction, and access by unauthorized persons
With whom we share your data?
Your data may be shared with public authorities, such as the Bulgarian Ministry of Education, National Agency for Evaluation and Accreditation, Ministry of Foreign affairs (for visa purposes), external auditors, etc. as part of our legal obligations. In cases we need to transfer your personal data to other third parties – internal auditors, insurance companies, transport providers, software providers, etc. you will be notified, and asked for consent, if the data transfer process requires us to do so. In any case, we will share your personal data with high attention to the third parties’ level of technical and organizational ability to manage personal data as required by the GDPR standards.
How long we keep it?
Personal data collected through the application/registration process will be stored for a period of one year following the event. If you participate in an event, organized or hosted by AUBG, certain personal data will be retained according to the legal requirements of the local authorities, as part of your record.
The American University in Bulgaria (AUBG) can implement mandatory COVID-19 testing as part of its measures to prevent/limit the spreading of COVID-19 on the territory of the University and with the aim to protect the life and health of its students, employees and visitors. The mandatory COVID-19 testing is based on the legitimate interest of the controller AUBG – Art. 6, p. 1, (f) of the General Data Protection Regulation (GDPR). Please note that the actual testing is carried out in licensed laboratories by medical practitioners and AUBG does not process personal data at that stage. Once presented with information about the medical status of individuals, the processing of this data by the University is based on Art. 9, p. 2, (b) of the GDPR – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.
The AUBG has chosen tests that are most appropriate for the purposes of the testing and expenses for the tests are covered by the University. The AUBG will apply short retention periods by keeping the data related to the tests only for as long as it is necessary in order to make decisions connected with the purposes mentioned above: preventing/limiting the spreading of COVID-19 on the territory of the University and protecting the life and health of its students, employees and visitors. For your as a data subject in relation to the personal data we hold, pease refer to the last section of this privacy notice.
Collection and use by third party vendors
We do not sell data or databases to third parties for any reason.
You rights in relation to the personal data we hold
- to request access to your personal data we hold;
- to rectify or erasure your personal data; to restrict or object to processing concerning your data;
- to request data transfer to other parties;
- to withdraw consent at any time, without affecting the lawfulness of processing based on consent before this withdrawal;
- to lodge a complaint with the supervisory authority – Commission for Personal Data Protection, address – 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592.
You may address your concerns or inquiries to our Data Protection Officer (DPO) – Gugushev and Partners Law Office, Yoanna Ivanova, e-mail: [email protected]; Address: 11A Aksakov Street, floor 5, Sofia 1000, Bulgaria, Telephone: +359 2 815 75 10.
Please see AUBG Internal Rules for Data Protection for more information.