Privacy Policy

As a data controller, Chakra 88 Ltd has a duty to inform you what to expect when it processes your personal information.

Transparency in information processing

I. Privacy Policy Statement

  1. The management of Chakra 88 EOOD hereby ensures compliance with EU and Member State legislation regarding the processing of personal data and the protection of the “rights and freedoms” of individuals whose personal data Chakra 88 EOOD collects and processes under the General Data Protection Regulation (Regulation (EU) 2016/679).
  2. In accordance with the General Regulation, other relevant documents and related processes and procedures are described in this policy.
  3. This policy applies to all personal data processing activities, including those carried out in relation to personal data of customers, employees, suppliers and partners and any other personal data that the Chakra 88 Ltd organisation processes from a variety of sources.
  4. The controller shall keep a register (or registers) of processing activities. Where a Data Protection Officer has been assigned to maintain the register(s), he/she shall be responsible for entering in it any changes to the activities of Chakra 88 Ltd. and any other additional requirements, including data protection impact assessments. This register must be available upon request of the supervisory authority.
  5. This policy applies to all employees/workers (and stakeholders) of Chakra 88 Ltd, as well as to processors and their staff members. Any breach of the General Regulation will be treated as a breach of employment discipline and in the event that there is an allegation that a criminal offence has been committed, the matter will be referred to the relevant government authorities for consideration as soon as possible.
  6. Third parties who work with or for Chakra 88 Ltd, including partners, external suppliers, customers, etc., and who have or may have access to the personal data of the controller, are required to read and comply with this policy. The controller is required to enter into a data confidentiality agreement with any third party to whom it grants access to the personal data processed by it, which entitles Chakra 88 Ltd to carry out checks on compliance with the obligations imposed by the agreement, unless the processing is required by EU or Member State law.

II. Obligations and responsibilities under Regulation (EU) 2016/679

  1. Chakra 88 EOOD is a data controller under Regulation (EU) 2016/679 and bears all responsibility and risks of possible non-compliance with the requirements of the GDPR, including being responsible for developing and promoting good practices in the processing of personal data at Chakra 88 EOOD.
  2. A personal data processor is any person outside the controller’s organization who directly processes personal data on behalf of the controller (storing, digitising, cataloguing, etc.).
  3. The data protection officer or the person who, by virtue of a job description or assignment, carries out tasks related to the protection of personal data (data protection officer/responsible person) shall attend meetings of the controller’s management at which data protection issues are discussed and shall advise the controller to demonstrate compliance with data protection legislation and good practice.

The responsibilities of the data protection officer include:

  • developing and implementing the requirements of Regulation (EU) 2016/679 as required by this policy;
  • security and risk management in relation to policy compliance.

  4. The data protection officer, who shall be suitably qualified and experienced, shall be selected by the management body of the controller (depending on its structure and legal form). The data protection officer shall advise and inform the controller on the application of the GDPR and other domestic and European data protection legislation, in accordance with his/her contractual obligations and as required by the GDPR, including monitoring the implementation of this policy.
  5. The Data Protection Officer also has specific duties under the GDPR – he or she is the point of contact for the controller’s employees who request clarification on any aspect of data protection compliance. The Data Protection Officer is also the contact person for the supervisory authority.
  6. Compliance with data protection legislation is the responsibility of all employees of the controller who process personal data.
  7. The Chakra 88 Ltd Training Policy (Training Policy) sets out the specific training and awareness requirements in relation to the specific roles of the company’s employees/workers.

III. Data Protection Principles

The processing of personal data is carried out in accordance with the data protection principles set out in Article 5 of Regulation (EU) 2016/679. Chakra 88 Ltd’s policies and procedures are designed to ensure compliance with these principles.

  1. Personal data must be processed lawfully, fairly and transparently

Lawful – a lawful basis must be identified before personal data is processed. These are the so-called “processing grounds”, for example “consent”. The consent of the subject is one of the grounds for processing personal data. It may also be the performance of a contract or the legitimate interest of the controller, in which cases consent does not need to be given.

Fair – in order for processing to be fair, the data controller must provide certain information to data subjects that is necessary in each particular case and for each particular purpose, in a way that is intelligible, concise and accessible to the data subject. This applies whether the personal data are obtained directly from the data subjects or from other sources.

Transparent – Regulation (EU) 2016/679 sets requirements on what information must be made available to data subjects, which is covered by the principle of “transparency” regulated in Articles 12, 13 and 14 of the GDPR. According to the cited provisions of the GDPR, the information must be communicated to the data subject in an intelligible form, using clear and understandable language, i.e. the privacy statements to be signed by the data subjects must be detailed and specific, understandable and accessible. The rules for the notification of the data subject by Chakra 88 Ltd. are set out in the relevant transparency procedure and the notification is made by means of a privacy notice.

The specific information that the company shall provide to the data subject shall include, as a minimum: data identifying the controller and the contact details of the controller and the DPO’s contacts, if any; the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; the period for which the personal data will be stored; the existence of the following rights – to request access to the data, rectification, erasure (right to be forgotten), restriction of processing, as well as the right to object to

  2. Personal data may only be collected for specified, explicit and legitimate purposes

Data obtained for specific purposes shall not be used for purposes other than those officially declared as part of the Register of Data Processing Activities (Article 30 GDPR) of Chakra 88 Ltd. A transparency procedure for the processing of personal data sets out the relevant rules.

  3. The personal data that the controller collects must be limited to what is necessary for the purpose of the processing concerned (principle of minimisation of the data that may be processed for the particular subject)

  • The data protection officer shall ensure that only information strictly necessary for the purpose of processing is collected.
  • All data collection forms (electronic or paper), including requirements for data collection in new information systems, should include a declaration of good faith processing or a link to a Privacy Statement (notice of confidential treatment of personal data) and be approved by the responsible person, unless they are publicly available on the company’s websites.
  • The Data Protection Officer is obliged to carry out periodic checks, at least annually, to ensure that the data collected remains adequate, relevant and not excessive.

  4. Personal data must be accurate and up-to-date at all times, and reasonable efforts must be made to allow for its erasure or correction without delay (within the limits of possible technical solutions)

  • The data held by the data controller must be reviewed and updated as necessary. Data should not be stored where it is likely to be inaccurate.
  • The Data Protection Officer must ensure that all staff are trained in the importance of accurate data collection and maintenance.
  • It is also the duty of the data subject to declare that the data he or she transmits for storage by Chakra 88 Ltd. is accurate and up-to-date. Completion of a form by the data subject intended for the controller will include a statement that the data contained therein is accurate as of the date of submission.
  • Employees, customers and all others are required to notify Chakra 88 Ltd of any changes in circumstances so that personal data records can be updated. It is the responsibility of Chakra 88 Ltd to ensure that any notification regarding a change of circumstances is recorded and appropriate action is taken.
  • The Data Protection Officer shall ensure that appropriate procedures and policies are in place to maintain the accuracy and currency of personal data, taking into account the volume of data collected, the speed at which it may change and other relevant factors.
  • At least annually, the Data Protection Officer will review the retention periods of all personal data processed by Chakra 88 Ltd, referring to the data inventory and identifying any data that is no longer required in the context of the registered purpose. Such data shall be duly destroyed in accordance with the procedures and rules of the controller.
  • The Data Protection Officer shall ensure that requests for correction of data are responded to within one month. This deadline may be extended by a further two months for complex requests. If Chakra 88 Ltd decides not to comply with the request, the Data Protection Officer must respond to the data subject to explain the reasons for the refusal and inform them of their right to lodge a complaint with the supervisory authority and to seek legal redress.
  • The Data Protection Officer should inform all third parties to whom inaccurate or outdated personal data has been provided that the information is inaccurate or outdated and is not to be used to make decisions about data subjects, and should refer any correction of personal data to third parties where necessary.

  5. Personal data must be kept in a form that permits identification of the data subject for no longer than is necessary for the processing

  • Where personal data is retained beyond the date of processing, it shall be stored in an appropriate manner (minimised, encrypted, pseudonymised) to protect the identity of the data subject in the event of a data breach.
  • Personal data shall be stored in accordance with the Data Retention and Destruction Procedure and, once it has passed its retention period, shall be securely destroyed in accordance with the rules set out in that procedure.
  • The Data Protection Officer must specifically approve any retention of data that exceeds the retention period defined in the relevant procedure and must ensure that the justification is clearly defined and complies with the requirements of data protection legislation. This approval must be in writing.

  6. Personal data must be processed in a way that ensures appropriate security (Article 24, Article 32 GDPR)

The Data Protection Officer will carry out an initial impact assessment where one is required, taking into account all the circumstances relating to the data processing operations of Chakra 88 Ltd. In each case where there is a personal data breach, the Data Protection Officer, as the responsible person in the controller’s business, should carry out a risk assessment and, where a high risk is identified, notify the supervisory authority and/or the data subject. In considering the risk in a particular case, the data protection officer should consider the extent of any harm or loss that may be caused to individuals (e.g. staff or customers) if a breach occurs, any likely reputational damage to the controller, including any loss of customer confidence, etc. Ensuring the security of personal data also involves taking appropriate technical measures, which the data protection officer shall ensure and which may include, as a minimum:

  • Password protection;
  • Automatic locking of idle workstations on the network;
  • Removal of access rights for USB and other portable storage media (an exception may be made where mandatory virus checking and data transfer logging are in place);
  • Antivirus software and firewalls;
  • Role-based access rights, including those of temporarily assigned staff;
  • Protection of devices that leave the organization’s premises, such as laptops;
  • Security of local and wide area networks;
  • Privacy-enhancing technologies such as pseudonymisation and anonymisation;
  • Identification of appropriate international security standards suitable for Chakra 88 Ltd.

In assessing the appropriate organisational measures, the Data Protection Officer will take into account the following:

  • The levels of appropriate training at Chakra 88 Ltd;
  • Measures that take into account the reliability of employees (e.g. appraisals, references, etc.);
  • The inclusion of data protection in employment contracts;
  • Identification of disciplinary measures for data processing violations;
  • Regular checking of staff for compliance with relevant security standards;
  • Control of physical access to electronic and paper-based records;
  • Adoption of a “clean workplace” policy: on leaving the workplace, all work documentation is to be removed or stowed away in suitable, restricted areas (special cabinets, locked rooms), and documents no longer needed are to be destroyed;
  • Storage of paper records in lockable wall cabinets;
  • Limits on the use of portable electronic devices outside the workplace;
  • Restrictions on employee use of personal devices in the workplace;
  • Clear rules for the creation and use of passwords;
  • Regular backing up of personal data and physical storage of media with copies offsite;
  • Contractual obligations on counterparty organisations to take appropriate security measures when transferring data outside the EU.

The assessment of appropriate measures shall take into account the identified risks to personal data as well as the possibility of harm to the data subjects.

  7. Compliance with the principle of accountability

Regulation (EU) 2016/679 includes provisions that promote accountability and manageability and complement transparency requirements. The principle of accountability in Article 5(2) requires the controller to demonstrate compliance with the other principles in the GDPR and explicitly states that this is its responsibility.

Chakra 88 Ltd. demonstrates compliance with data protection principles by implementing data protection policies, subscribing to codes of conduct, implementing appropriate technical and organizational measures, and adopting data protection techniques at the design stage and data protection by default, data protection impact assessment, data breach notification procedure, etc.

IV. Rights of data subjects

  1. Under the GDPR, the data subject has the following rights with respect to the processing of his or her personal data:

  • To obtain information about the personal data relating to him or her that are processed by the controller and the purpose for which they are processed, including access to the data, as well as information about who the recipients of those data are and the third parties to whom the data are transferred;
  • To request a copy of his or her personal data from the controller;
  • To ask the controller to correct personal data when it is inaccurate or no longer up-to-date;
  • To request the controller to erase personal data (right to be forgotten);
  • To request the controller to restrict the processing of personal data, in which case the data will only be stored but not processed;
  • To object to the processing of his or her personal data;
  • To object to the processing of personal data concerning him or her for direct marketing purposes;
  • To lodge a complaint with a supervisory authority if he or she considers that any of the provisions of the GDPR have been breached;
  • To request and be provided with personal data in a structured, commonly used and machine-readable format;
  • To withdraw consent to the processing of personal data at any time by a separate request to the controller;
  • Not to be subject to automated decisions that affect him or her to a significant degree without the possibility of human intervention;
  • To oppose automated profiling that occurs without his or her consent.

  2. Chakra 88 EOOD shall provide conditions to ensure that the data subject can exercise these rights:

  • Data subjects may make requests for access to data as described in the relevant procedure, which also describes how Chakra 88 EOOD will ensure that the response to the data subject’s request meets the requirements of the GDPR.
  • Where a data subject’s requests are manifestly unfounded or excessive, in particular because of their repetitive nature, Chakra 88 EOOD may either charge a reasonable fee, taking into account the administrative costs of providing the information, communicating or taking the requested action, or refuse to act on the request.
  • Data subjects shall have the right to lodge objections with Chakra 88 EOOD concerning the processing of their personal data. The processing of a data subject’s request and the submission of objections by the data subject shall be carried out in accordance with the company’s adopted rules. The supervisory authority in Bulgaria is the Commission for Personal Data Protection, 2 Prof. … Blvd., 1592 Sofia, Bulgaria (cpdp.bg).

V. Consent

  1. By “consent”, Chakra 88 EOOD means any freely given, specific, informed and unambiguous indication of the data subject’s wishes, by means of a statement or a clear affirmative action, which signifies the data subject’s agreement to the processing of personal data concerning him or her. The data subject may withdraw his or her consent at any time. The consent of the data subject shall be required whenever no alternative legal basis for the processing exists.
  2. Chakra 88 EOOD understands “consent” to mean only those cases where the data subject has been fully informed of the intended processing and has given his or her consent without being subjected to pressure. Consent obtained under pressure or on the basis of misleading information will not be a valid basis for processing personal data.
  3. Consent cannot be inferred from the absence of a response to a communication to the data subject. For consent to exist, there must be active communication between the controller and the data subject. The controller shall request and obtain consent for processing activities where consent is required for those activities.
  4. For special categories of data, explicit written consent must be obtained in accordance with the Procedure for Obtaining Consent to Process Personal Data of Data Subjects, unless there is an alternative lawful basis for processing.
  5. The data subject’s consent to the processing of personal or special categories of data shall be given on the basis of the relevant consent document provided by the data subject to the controller for each specific purpose of processing. Where the subject signs a contract, consent is not necessary because his or her data is collected on another lawful basis.
  6. When Chakra 88 EOOD processes personal data of children, it obtains permission from those exercising parental responsibility (parents, guardians, etc.). This requirement applies to children under the age of 16.

VI. Data Security

  1. Employees of the controller who, in accordance with their job descriptions, have a duty to process certain personal data on behalf of the controller are obliged to ensure the security of the processing and storage of the data on their part, including ensuring that they do not disclose the data to third parties, unless Chakra 88 EOOD has granted such third party access rights to the data.
  2. Personal data or part of it must only be accessible to those who have a duty to process/store it, and access can only be granted in accordance with established access control rules. All personal data must be stored, for example:

  • in a controlled access room; and/or
  • in a locked cabinet or filing cabinet; and/or
  • if computerised, password protected in accordance with internal requirements set out in organisational and technical measures to control access to information (e.g. access control rules); and/or
  • on portable computer media that are protected in accordance with organisational and technical measures to control access to information.

  3. Arrangements are to be made to ensure that computer screens and terminals cannot be viewed by anyone other than authorised employees/workers of Chakra 88 Ltd. All employees/workers are required to be trained and to accept the relevant contractual clauses/declaration to comply with organisational and technical access measures as well as workstation lockdown rules before being granted access to information of any kind.
  4. Paper records must not be left where they can be accessed by unauthorised persons and must not be removed from designated office premises without express permission. As soon as paper records are no longer required for ongoing customer support work, they must be destroyed in accordance with an established procedure/rule and appropriate protocol.
  5. Personal data may only be erased or destroyed in accordance with the adopted procedure. Paper records for which the retention (archiving) period has expired should be shredded and destroyed as ‘confidential waste’. Data on the hard drives of redundant PCs should be deleted or the drives destroyed according to established policies/procedures.
  6. Processing personal data “off-site” poses a potentially greater risk of loss, theft or breach of personal data. Staff must be specifically authorised to process data off-site.

VII. Data disclosure

  1. Chakra 88 Ltd must ensure that personal data is not disclosed to unauthorised third parties, including family members, friends and government authorities, even investigating ones, where there is reasonable doubt that the disclosure is required under the established procedure. All employees/workers should be cautious when asked to disclose personal data held about another person to a third party. It is important to consider whether or not the disclosure of the information is relevant to the needs of the business carried out by the organisation. Employees need to be given specific training and periodic briefings in order to avoid the risk of such a breach.
  2. All requests from third parties for the provision of data must be supported by appropriate documentation, and all such disclosures must be coordinated with the Data Protection Officer for an opinion.
  3. Personal data will be provided to the competent public authorities in the exercise of their powers.

VIII. Data storage and destruction

  1. Chakra 88 EOOD does not store personal data in a form which permits identification of data subjects for longer than is necessary in relation to the purposes for which the data were collected.
  2. Chakra 88 EOOD may retain data for longer periods only if the personal data are processed for archiving purposes, for public interest purposes, scientific or historical research and statistical purposes, and only if appropriate technical and organisational measures are implemented to safeguard the data subject’s rights and freedoms.
  3. The retention period for each category of personal data is set out in a Data Retention and Destruction Procedure as are the criteria used to determine that period, including any legal obligations requiring Chakra 88 Ltd to retain the data.
  4. The procedure for the storage and destruction of data and the rules for the destruction of information on unused recording media shall apply in all cases.
  5. The personal data must be destroyed in accordance with the principle of ensuring an adequate level of security (Article 5(1)(f) of the General Regulation), including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, applying appropriate technical or organisational measures (‘integrity and confidentiality’).

IX. Data transfer

Any exports of data from within the EU to non-EU countries (referred to in the General Regulation as ‘third countries’) are illegal unless there is an appropriate ‘level of protection of the fundamental rights of data subjects’.

The transfer of personal data outside the EU is prohibited unless one or more of the specified safeguards or exceptions apply:

  1. Adequacy Decision

The European Commission may assess third countries, territories and/or specific sectors in third countries to assess whether there is an adequate level of protection of the rights and freedoms of natural persons. Countries that are members of the European Economic Area (EEA), but not of the EU, are presumed to be eligible for an adequacy decision.

  2. Binding corporate rules

Chakra 88 Ltd may adopt approved mandatory corporate policies for the transfer of data outside the EU where applicable. This requires their submission to the relevant supervisory authority for approval.

  3. Standard contractual clauses

The controller may adopt established standard contractual data protection clauses for data transfers outside the European Economic Area. If Chakra 88 Ltd adopts standard contractual clauses approved by the relevant supervisory authority, there is automatic recognition of adequacy.

  4. Exceptions

In the absence of an adequacy decision, binding corporate rules and/or contractual clauses, a transfer of personal data to a third country or an international organisation shall only take place under one of the following conditions: the data subject has explicitly consented to the proposed transfer, having been informed of the possible risks of such transfers; the transfer is necessary for the performance of a contract between the data subject and the controller or for the performance of pre-contractual measures taken at the request of the data subject; the transfer is necessary for the

X. Data processing register (data inventory)

  1. Chakra 88 Ltd has established a data inventory process as part of its approach to addressing risks and opportunities in complying with Regulation (EU) 2016/679. The data inventory and data workflow at Chakra 88 Ltd identified:

  • business processes that use personal data;
  • the sources of personal data;
  • the number of data subjects;
  • a description of the categories of personal data and the elements within each category;
  • processing activities;
  • the purposes of the processing for which the personal data are intended;
  • the legal basis for the processing;
  • the recipients or categories of recipients of the personal data;
  • main storage systems and locations;
  • all personal data subject to transfers outside the EU;
  • retention and deletion periods.

  2. Chakra 88 Ltd is aware of the risks associated with processing certain types of personal data.
  3. Chakra 88 Ltd assesses the level of risk to individuals associated with the processing of their personal data. Where mandatory, data protection impact assessments are carried out in relation to the processing of personal data by Chakra 88 Ltd and in relation to processing undertaken by other organisations on behalf of Chakra 88 Ltd.
  4. Chakra 88 Ltd manages any risks identified by the impact assessment to reduce the likelihood of non-compliance with these rules. Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, in particular with the use of new technologies, and taking into account the nature, scope, context and purposes of the processing, Chakra 88 Ltd shall also carry out an impact assessment of the intended processing operations on the protection of personal data before proceeding with the processing. A generic impact assessment may consider a range of similar processing operations that present similar high risks.
  5. Where, as a result of the impact assessment, it is clear that Chakra 88 Ltd will begin processing personal data which, because of the high risk, could cause harm to data subjects, the decision whether or not to continue processing will be passed to the Data Protection Officer for review.
  6. If the Data Protection Officer has serious concerns about either the potential harm or danger or the amount of data involved, he/she should refer the matter to the supervisory authority.
  7. The Data Protection Officer shall periodically review the data initially inventoried and review the information recorded in the “Register of Processing Activities” in light of any changes in the activities of Chakra 88 Ltd.

ADDITIONAL INFORMATION TO THE PRIVACY POLICY

  1. General Data Protection Regulation

Regulation (EU) 2016/679 (General Data Protection Regulation) replaces the Data Protection Directive 95/46/EC. It has direct effect and implies an amendment to Member States’ data protection legislation. Its purpose is to protect the ‘rights and freedoms’ of individuals and to ensure that personal data is not processed without their knowledge and, where possible, that it is processed with their consent.

  2. Scope outlined by the General Data Protection Regulation

Material scope – This Regulation shall apply to the processing of personal data wholly or partly by automatic means and to the processing by other means of personal data which form part of a personal data file or which are intended to form part of a personal data file.

Territorial scope – The rules of the General Regulation will apply to all data controllers established in the EU that process personal data of individuals in the context of their activities. It will also apply to controllers outside the EU who process personal data in order to offer goods and services or if they monitor the behaviour of data subjects who reside in the EU.

  3. Concepts

“Personal data” means any information relating to an identified natural person or an identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Special categories of personal data” – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation.

“Processing” means any operation or set of operations which is performed upon personal data or a set of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“Controller” – any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or Member State law, the controller or the specific criteria for its determination may be laid down in Union or Member State law;

“Data Subject” – any living individual who is the subject of personal data held by the Controller.

“Consent of the data subject” – any freely given, specific, informed and unambiguous indication of the data subject’s wishes, by means of a statement or a clear affirmative action, which indicates his or her consent to the processing of personal data relating to him or her;

“Child” – The General Regulation defines a child as anyone under the age of 16, and under national law anyone under the age of 18. The processing of a child’s personal data is only lawful if a parent, guardian or custodian has given consent. The controller shall make reasonable efforts to verify in such cases that the holder of parental responsibility for the child has given or is authorised to give consent.

Contact with the Data Controller:

Website: health-design.eu