PERSONAL DATA SECURITY POLICY of “PRIVATE KINDERGARTEN KIDSVILLE” OOD

“PRIVATE KINDERGARTEN KIDSVILLE” OOD, UIC: (“The Company”) has implemented and will maintain the necessary technical and organizational security measures to protect the Personal data of its clients, users of the web page of the Company (hereinafter the web page), its employees and partners, as well as other subjects of personal data from whom the Company could collect personal data, against accidental loss, destruction, change, unauthorized disclosure or illegal access.

Taking into account the nature of the processing, the Company agrees that every subject of data can, and has the legal right to, require the Company to adopt additional technical and organizational measures.

The processing covers personal data relating to clients, users of the web page, employees, partners and all other subjects of personal data, which is processed by the Company depending on the specifics of the current activity.

In the course of carrying out the activity of private kindergarten “KIDSVILLE”, including, but not limited to, pedagogical services, teaching foreign languages, games, entertainment, celebrations, sport activities, pedagogical services (cinema, theater, concerts), the processing relates to the following Personal data categories, depending on the current project:

• General personal data (such as name), contact data (for example e-mail, telephone number and other).

• Data contained in and about the identity documents of individuals, necessary in connection with the services provided by the Company.

Information about the Administrator of Personal data and contact data:

• Name: “GLABAL FUND CONSULTING” EOOD, owner of Kindergarten “KIDSVILLE”

• UIC: 203071360

• Address: Sofia, Vitosha, postal code № 53 1415, “Dragalevci”, street “Panayot Pipkov”

• E-mail: welcome@kidsville.space

• Mobile phone: +359 88 2908136

MINIMUM TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

1. DATA PROTECTION

The Company will treat all personal data of subjects of data (including its clients, users of the web page, employees and partners) as confidential and will not share it, except with its employees and its subcontractors and only to the extent necessary to provide the current services, unless otherwise described in an agreement between the Company and the subjects of data.

2. PRIVACY POLICY

2.1. The Company maintains and follows privacy practices, which are an integral part of the business of the Company and are mandatory for each employee of the Company.

2.2. The Company reviews its privacy policy at least once a year and will change this policy as the Company considers reasonable to maintain the protection of Personal data.

2.3. The Company will notify the Commission for the Protection of personal data without any delay if it becomes aware of an infringement related to the processing of Personal data. The notification to the Commission for the Protection of personal data will include as a minimum:

(i) the nature of the infringement of personal data security, including, if possible, the categories and the approximate number of subjects of data and the categories and the approximate number of records of Personal data;

(ii) the probable consequences of the Personal data security infringement;

(iii) the measures taken or proposed to be taken by the Company for the purpose of dealing with the infringement of Personal data security, including, if appropriate, measures for mitigation of the possible unfavourable consequences of the infringement.

2.4. If the Company is obligated to notify the subjects of data about the infringement, the Company shall provide necessary contact details, if available with the affected data subjects. The Company bears all costs of sending such messages to the subjects of the personal data.

2.5. The Company can hire a third party to process personal data, which can help the Company provide its services and process Personal data for different activities in its commercial activity; the third party will guarantee that:

(i) the obligations related to personal data security, provided here and in the legislation in the field of personal data protection, are imposed on every subcontractor by written agreement;

(ii) every subcontractor provides sufficient guarantees for the adoption of appropriate technical and organizational measures for compliance with the legislation in the field of personal data protection and with this personal data processing policy, and provides to the administrator and to the relevant administrative authorities the access and information necessary for verification of compliance with the legislation.

The Company remains fully responsible to the subjects of data for the performance of every subcontractor.

3. COMPLIANCE WITH SECURITY POLICY BY THE EMPLOYEES

3.1. The Company applies a system of organizational measures to individuals who process Personal data. The employees of the Company must:

(i) know the applicable legislation;

(ii) know the privacy policy in the organization of the Company;

(iii) be able to demonstrate knowledge of the dangers of Personal data processing;

(iv) be trained to react to events that threaten personal data security.

3.2. The Company applies measures for Personal data protection which guarantee access to such data only to individuals whose duties, or a particular assigned task in executing contracts, require such access, in accordance with the need-to-know principle.

3.3. The Company will maintain and follow standards and mandatory verification requirements for every newly hired employee. When selecting employees, the Company can collect data required by the applicable legislation for the respective positions (criminal record and others), perform identification and verification of identity, and carry out additional verifications which the Company considers necessary. The Company is responsible for the implementation of those requirements in the process of hiring its employees, as applicable and permitted under the applicable legislation.

3.4. Every year the employees of the Company will undergo training in the protection and confidentiality of Personal data. Additional training in policy and processing of personal data will be provided to employees of the Company who have administrative access and who carry out activities in which they have access to personal data, depending on the specifics of their role in the operations of the Company.

4. PHYSICAL PROTECTION AND CONTROL OF THE ACCESS

4.1. The Company maintains appropriate control of physical access via a system of technical and organizational measures for preventing unauthorised access to buildings, premises and facilities in which personal data of clients, users of the web page, employees and partners is processed. This physical security is applied to the headquarters of the Company, where personal data of clients, users of the web page, employees and partners is stored, and to the premises where the personal data of clients, users of the web page, employees and partners is processed.

4.2. The Company observes the following minimum organizational measures of physical protection:

(i) separate control access zones;

(ii) separate premises in which the Personal data is processed;

(iii) separate premises where the communication-information systems for personal data processing are stored;

(iv) separate systems for organisation of the physical access;

(v) procedures for managing and admitting visitors are established and maintained;

(vi) technical resources for physical protection are provided;

(vii) providing a person to respond to incidents/security infringements.

4.3. The Company applies appropriate technical measures for physical protection, such as: lockers, cabinets, metal cases, equipped zones with controlled access, equipped premises, a system for physical control of access (including barriers, visualisation cameras), security guards and a system for security management, an automatic fire alarm and fire extinguishing system, and a system for protection of the perimeter.

4.4. Access to the premises of data is limited according to the role and duties of the respective employee of the Company, under an authorization regime.

4.5. Every person who is temporarily authorised to enter the premises of data will be registered when entering the premises, must present proof of identity at registration and will be accompanied by an authorised employee of the Company. Every temporary authorisation, including for deliveries, will be pre-scheduled and will require approval by an authorised employee of the Company.

4.6. The Company takes precautions to protect the physical infrastructure of the premises of data against environmental threats, both natural and man-made, such as excessive ambient temperature, fire, flood, humidity, theft and vandalism.

5. PROTECTION OF THE DOCUMENTS

5.1. The Company applies appropriate document security as a system of organizational measures for the processing of personal data which is carried out on paper.

5.2. The Company complies, as a minimum, with the following document protection measures:

(i) maintains registers, which will be kept on paper;

(ii) creates and maintains terms for processing of Personal data;

(iii) regulates the access to the registers;

(iv) controls access to the registers;

(v) determines clearly the period of storage;

(vi) creates and maintains rules for copying and sharing of Personal data;

(vii) creates and maintains procedures for determination of Personal data;

(viii) creates and maintains procedures for verification and control of the processing.

5.3. Measures for processing of Personal data carried on paper:

(i) every employee who works with documents must keep them in a drawer or case, so that only he and his direct manager can access them;

(ii) documents containing personal data should not be taken outside of the offices, except where necessary for the performance of a contractual or legal obligation or where explicitly requested by the subject of personal data;

(iii) employees are forbidden to copy and take photos of the documents, unless it is necessary for performing their employment obligations;

(iv) when leaving the workplace in an office where the employee works with his/her team and outsiders for more than 5 minutes, the employee cannot leave the documents on the desk; the documents must be stowed in a locker, where unauthorised persons cannot see them;

(v) the documents are copied, printed, scanned and shredded by the employee who works with them or by a specially designated employee with an obligation to keep confidentiality; the employees should take the documents from the machine as soon as possible and take care not to leave them uncovered for a long time;

(vi) documents with personal data are shredded/destroyed by cutting them into small strips with a special machine; the disposal of documents is prohibited unless they are shredded, or torn by hand, or otherwise destroyed in such a way that the reproduction of documents of personal data is impossible.

6. IT SYSTEMS AND NETWORK SECURITY

6.1. The Company applies protection to the automated information systems and networks via a system of technical and organizational measures for protection against illegal forms of processing of Personal data.

6.2. The Company observes, as a minimum, the following measures for protection of the automated information systems and networks:

(i) determines roles and obligations;

(ii) applies authentication;

(iii) applies identification;

(iv) applies management of the registers;

(v) applies controls on the sessions;

(vi) keeps a clear description of the external links;

(vii) keeps a description of the processing via telecommunications and remote access;

(viii) implements monitoring;

(ix) provides protection against computer viruses;

(x) plans for accidents/contingencies;

(xi) provides support and exploitation;

(xii) provides copies and reserve copies for backup;

(xiii) keeps a clear description of the information storage;

(xiv) takes into account the physical environment;

(xv) provides training to its employees for response to events that threaten data security;

(xvi) determines the period of storage of the Personal data;

(xvii) prepares and maintains procedures for destruction, deletion and erasure of the storage.

6.3. The Company applies cryptographic protection of the system via technical and organizational measures, for the purpose of protecting Personal data from unauthorised access when transmitted, distributed or made available.

6.4. The measures for cryptographic protection which the administrator applies are:

(i) the standard cryptographic resources of the operating systems;

(ii) the standard cryptographic resources of the database management system;

(iii) the standard cryptographic resources of the communication equipment;

(iv) systems of distribution and management of the cryptographic keys.

6.5. The Company maintains the security of the networks managed by it in the process of exercising its activity. The Company may use wireless network technology in the performance and maintenance of its activities. Such wireless networks, if any, will be encrypted, will require secure authentication and will not provide direct access to the network through which the Company's activities are performed.

6.6. The Company maintains measures that are intended for separation of, prevention of exposure of and prevention of unauthorised access to Personal data of clients, users of the web page, employees and partners.

6.7. The Company encrypts the Personal data of clients, users of the web page, employees and partners which is not intended for public or unlawful access when transferring it over a public network, and uses cryptographic protocols such as HTTPS, SFTP and FTPS for the secure transfer of such personal data over public networks.

6.8. The Company encrypts the Personal data of clients, users of the web page, employees and partners when specified in the contract.

6.9. If some of the activities performed by the Company require access to Personal data of clients, users of the web page, employees and partners, the Company will limit this access to the minimum level necessary for providing and supporting the relevant activities. This access, including administrative access, is individual, based on the role, subject to approval and regularly validated by the authorised personnel of the Company, following the principle of separation of duties. The Company will maintain measures to identify and remove redundant and inactive accounts with privileged access and will immediately terminate that access when the respective employee changes his/her position or terminates his/her employment, as well as at the request of duly authorized employees of the Company, such as the respective direct manager.

6.10. In accordance with the industry's standard practices, the Company maintains technical measures that require the closure of inactive sessions, blocking of accounts after several unsuccessful logins, strong passwords or authentication via password, and measures requiring secure transfer of such passwords.

6.11. The Company should correct the usage of privileged access and should maintain security information and event management measures intended to: a) identify unauthorised access and activity; b) facilitate a timely and appropriate reaction; and c) allow internal and independent audit of compliance with documented Company rules.

6.12. The software logs in which the privileged access and activities are recorded will be archived when special software with such functionality is used. The Company will maintain measures designed to prevent unauthorized access to, modification of and accidental or deliberate destruction of such logs.

6.13. Insofar as this is supported by the functionality of the respective device or operating system, the Company will maintain computer protections for systems containing personal data of clients, users of the web page, employees and partners, which include but are not limited to: endpoint firewalls, encryption of the whole disk space, and malware detection and removal which: a) are updated regularly from a central location and b) are logged in a central place; and locking the screen after a certain period.

6.14. Measures of processing of Personal data on electronic storage:

(i) Identification/authentication (a unique authenticator (login) for every user of the IT system): for example password, smartcard, token; passwords are “strong”, i.e. at least 8 symbols of different kinds, and are changed regularly;

(ii) Organisation (defining the level of access to the information in the IT systems and advance control of the access to the IT systems by every user);

(iii) Control of the operations: tracking of IT operations (saving and storage of the log files), including logins to and exits from the IT system by specific persons, and periodic review of the log files;

(iv) Protection of the IT system: – antivirus software, firewall software; – automatic termination of IT sessions after a short period of inactivity; – limitation of the number of unsuccessful attempts to log into the IT system;

(v) Data security on mobile devices and physical carriers (laptops, USB devices, CD, DVD) by: – encryption of the hardware and software; – encryption of separate files;

(vi) Protection of remote transportation of data: – encryption of files in e-mail communication, encryption of the storage carrier (USB devices, CD, DVD); notification of the cryptographic key/password in a separate message and, if possible, via a different communication channel;

(vii) Protection of data against accidental loss and modification: – anti-blackout protection: UPS; – ensured system recovery in case of an interruption; error reporting.

7. INTEGRATION OF ACTIVITIES AND CONTROL OF ACCESS

7.1. The Company: a) conducts penetration and vulnerability tests, including automatic scanning of systems security and applications; b) will require a qualified independent third party to conduct penetration tests once a year; c) will remediate identified vulnerabilities or discrepancies with the system configuration requirements based on the associated risk, exploitability and impact. The Company will take reasonable steps to prevent interruption of its activity when it conducts its tests, assessments and scans and performs remediation activities.

7.2. The Company should maintain a description of all information technologies which it uses for performing its activities. The Company constantly monitors the functionality and availability of the services which are part of its activity.

7.3. The Company will: a) back up systems which contain personal data of clients, users of the web page, employees and partners; b) guarantee that at least one backup site is separated from production systems; c) encrypt the backed-up data stored on spare mobile devices; d) confirm the integrity of the archived data by regularly performing data recovery tests.

8. PROVIDING ACCESS TO INDIVIDUALS TO THEIR PERSONAL DATA

8.1. (1) Employees hired on employment and civil contracts, as well as other subjects of personal data, have the right of access to their personal data, for which they may submit claims/applications to the processor of personal data electronically, in person or through an authorised person, using the contact data of the Company stated in this privacy policy.

(2) The application contains a claim written in free text.

(3) Access to the data of the individual is provided in the following forms: 1. oral information; 2. written information; 3. review of the data by the individual or by a person authorized by him; 4. providing a copy of the requested information.

(4) The deadline for reviewing and ruling on the application is 14 days from the day of receiving the request, or respectively 30 days when more time is needed to collect the personal data of the individual in view of possible difficulties in collection. The applicant shall be notified of the decision in the same manner as the applicant used for his request. If the data does not exist or cannot be provided on a specific legal basis, access shall be refused to the applicant with a motivated decision.

(5) Every subject of data has the following rights:

– right to correct and supplement inaccurate and incomplete personal data;

– right of deletion (“right to be forgotten”) of personal data which is processed illegally or whose legal basis has lapsed (expired, withdrawn consent, fulfilled original purpose for which it was collected and other);

– right to limit the processing – if there is a legal dispute between the Company and the individual, until its resolution, and/or for the establishment, exercise and protection of legal claims;

– right to portability of data – if the data is automatically processed on the basis of consent or agreement. If it is technically possible, the transfer of data can be done from one administrator to another;

– right of objection – at any time and on various grounds related to the current situation, on the condition that there are no compelling legal grounds for processing which take precedence over the interests, rights and freedoms of the subject of data, or in a court trial;

– the right not to be subject to a fully automated decision involving profiling which has a legal impact on the data subject or significantly affects him.

Data collected by the Company

8.2. In carrying out its activity the Company collects the following data for the following purposes: – names from the ID, date of birth, Personal number from the ID – necessary for mobile tickets in the field of transport, parking and other public services (cinema, theater, concerts). These data are required by the providers of such services. – e-mail and/or mobile phone – for contact with the respective users, clients and partners or other subjects of data when communication is necessary.

8.3. Data collected by employees can be provided for processing to an accountant/accounting firm which provides guarantees of processing the personal data according to the applicable legislation.

Deadlines

8.4. The Company destroys all personal data after the objectives for which it was collected have been fulfilled, as follows: – within 30 (thirty) days after the deletion of the client's profile, or respectively from the request for deletion of the personal data; – for personal data contained in accounting, commercial, tax or other documents which are relevant to taxation, compulsory social security contributions or other public obligations – within 5 years after the deadline for repayment of the respective public obligation.

9. SECURITY INCIDENTS

9.1. The Company maintains and follows computer security incident response policies and complies with the terms of the law regarding the notification of data subjects of breaches of data security.

9.2. The Company will investigate every unauthorized access to and unauthorized usage of Personal data of clients, users of the web page, employees and partners of which the Company is aware (security incidents) and will determine and perform an appropriate response plan. Every subject of data can notify the Company of vulnerabilities or incidents.

9.3. The Company will, without delay (and in no case later than 24 hours) and when necessary, notify affected individuals of incidents related to the security, or a security breach, of personal data which the Company reasonably suspects will affect subjects of data. The Company will provide every individual with the requested information about such a security breach and the status of all activities for restoring security.