General Data Protection Policy

1. Who are we?

“EUROPEAN ASSOCIATION OF FOLKLORE FESTIVALS – EAFF” is an association in the territory of the Republic of Bulgaria, with its registered office and headquarters at 10, “Han Krum” Street, Veliko Tarnovo, UIC: 104684810, tel.: 062/62 15 41 and email: office@eaff.eu

In connection with its activities - supporting the organization and holding of festivals, promoting traditional folklore arts and granting membership to various festivals, collectives, etc. - the “EUROPEAN ASSOCIATION OF FOLKLORE FESTIVALS – EAFF” (the “Association”) processes data, some of which is personal data, according to the Law on Personal Data Protection and Regulation (EU) 2016/679, which is why it is an administrator of personal data.

This policy is intended to inform the users of www.eaff.eu about how their personal data are processed, their rights, the methods of personal data protection used by the administrator, to whom the Association is entitled to provide the personal data collected, as well as the methods for exercising data subjects' rights.

2. Introduction:

GDPR is the General Data Protection Regulation (Regulation 2016/679 of the European Parliament and of the Council). The regulation significantly enhances the rights of European citizens and, accordingly, places more responsibility on organizations collecting and processing personal data. It took effect on May 25th, 2018 and applies to all Member States of the European Union.

Personal data are collected for specific, explicitly stated and legitimate purposes and are not further processed in a way incompatible with those purposes. The processing shall be carried out lawfully, in good faith and in a transparent manner with respect to the data subject.

3. Aims and scope of the policy:

With this Privacy Policy, the “EUROPEAN ASSOCIATION OF FOLKLORE FESTIVALS – EAFF” recognizes the confidentiality and privacy of personal data.
In accordance with the legislation and good practices, the Association implements the required technical and organizational measures to protect the personal data of individuals. With this Privacy Policy, the Association aims to inform individuals of the purposes of processing personal data, the recipients or categories of recipients to whom the data may be disclosed, the mandatory or voluntary nature of providing the data and the consequences of refusing to provide it, and the right of access to and correction of the data collected.

4. Glossary of concepts:

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by an identifier such as a name, identification number, location data, online identifier, or by one or more attributes specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual;

“Genetic data” means personal data relating to the inherited or acquired genetic characteristics of an individual, which give unique information about the characteristics or health of that individual and which are obtained, in particular, from the analysis of a biological sample from the person concerned;

“Biometric data” means personal data obtained as a result of specific technical processing, which are related to the physical, physiological or behavioral characteristics of an individual and which allow or confirm the unique identification of that individual, such as facial images or fingerprints;

“Consent of the data subject” means any freely expressed, specific, informed and unambiguous indication of the data subject's will, by means of a statement or clearly affirmative action, expressing his / her consent to the processing of personal data relating to him / her;

“Processing” means any operation or set of operations carried out with personal data or a set of personal data by automatic or other means, such as the collection, recording, organizing, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, dissemination or otherwise making the data accessible, arranging or combining, limiting, deleting or destroying them;

“Administrator” means a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; when the purposes and means of such processing are determined by Union law or the law of a Member State, the administrator or the specific criteria for determining it may be laid down in Union law or in the law of a Member State;

“Processor” means a natural or legal person, public authority, agency or other entity that processes personal data on behalf of the administrator;

“Representative” means a natural or legal person established within the Union who, appointed by the administrator or the processor in writing in accordance with Art. 27, represents the administrator or the processor with regard to their respective obligations under Regulation (EU) 2016/679;

“Recipient” means a natural or legal person, public authority, agency or other entity to whom personal data are disclosed, whether it is a third party or not. At the same time, public authorities which may receive personal data in the context of a specific investigation under Union or Member State law are not considered “recipients”; the processing of such data by the designated public authorities complies with the applicable data protection rules for the purposes of processing;

“Supervisory authority” means an independent public body set up by a Member State that is responsible for monitoring the implementation of Regulation (EU) 2016/679.

“Personal data breach” means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data that is transmitted, stored or processed in any other way.

“Profiling” means any form of automated processing of personal data which involves the use of personal data to evaluate certain personal attributes relating to an individual, and in particular to analyze or forecast aspects relating to the fulfillment of professional obligations of that individual, his or her economic status, health, personal preferences, interests, reliability, behavior, location or movement.

5. Basic principles regarding the processing of personal data that we comply with:

- lawful, conscientious and transparent processing of personal data
- processing of personal data for specific purposes
- minimizing data
- accuracy and keeping data up to date
- storage limitation
- integrity and confidentiality
- accountability

6. Purpose of processing:

The “EUROPEAN ASSOCIATION OF FOLKLORE FESTIVALS – EAFF” processes personal data for its activities - supporting the organization and holding of festivals, promoting traditional folklore arts and granting membership to various festivals, collectives, etc.

Personal data is collected for specific purposes defined by law and must be processed lawfully and in good faith. Data is not further processed in a manner incompatible with these purposes. The further processing of personal data for purposes of archiving in the public interest, for scientific or historical research or for statistical purposes is not considered incompatible with the original purposes.

The Association collects personal data for marketing and advertising purposes. Data are collected by the “EUROPEAN ASSOCIATION OF FOLKLORE FESTIVALS – EAFF” only with the explicit, free, clear and informed consent of the consumer, which he or she indicated when reading this privacy policy.
Beyond the above objectives and in connection with the principles set out in Art. 5 of Regulation (EU) 2016/679, the “EUROPEAN ASSOCIATION OF FOLKLORE FESTIVALS – EAFF” does not collect or process other personal data of its employees, partners and customers. The Association processes personal data for the purpose of automated decision-making, including “Profiling”. The organization collects data from the data subject.

7. The Association processes personal data only when:

- it has obtained clear, free, informed and unambiguous consent from data subjects, who are informed in advance through this policy of what their personal data will be used for;
- there is a contractual obligation for the purpose of executing a contract to which the natural person is a party (when the Association processes data of its employees), and for the exercise, establishment and protection of rights and legitimate interests;
- processing is necessary to fulfill a task of public interest (in accordance with EU or national law).

8. What kind of data is collected and processed:

Important: the “EUROPEAN ASSOCIATION OF FOLKLORE FESTIVALS – EAFF” does not collect or process sensitive personal information of its customers and users on the website www.eaff.eu.

The data that is collected and processed is:

- Name and surname - for identification purposes when registering for membership;
- Address - for communication;
- Telephone - for contact if necessary;
- Email address - for logging in as well as quick and easy communication;
- Other data, eligible under the Regulation, if necessary to fulfill an obligation of the Association or related to a particular service.

The sender of the personal data has the right not to share all the personal data required of him.
In cases where such personal data are required to provide a specific service, a specific specialized function or an effective response to a query (excluding direct marketing), the “EUROPEAN ASSOCIATION OF FOLKLORE FESTIVALS – EAFF” would not be able to complete the request due to the lack of data, of which the user has been explicitly notified through the privacy policy.

9. Recipients of personal data to which the Association has the right to disclose the data:

The Association provides personal data to the competent public authorities and institutions, when required by the laws of the country and in accordance with the rules set out therein (for example: National Revenue Agency, National Social Security Institute, Employment Agency, judicial and investigative bodies, health establishments, etc.). It also provides personal data of individuals to accounting firms, banking institutions, HR agencies and mobile operators for statutory purposes or for those specified in a contract concluded with the persons.

The personal data of users of www.eaff.eu are not available to third parties, beyond the legal requirements.

The organization provides personal data to countries outside the European Union.

10. Rights of individuals as data subjects:

The measures taken to protect personal data in accordance with the requirements of Regulation (EU) 2016/679 are aimed at ensuring the protection of the rights of data subjects, namely:

- Right of access;
- Right to correct inaccurate or incomplete data;
- Right to deletion (the right “to be forgotten”), where the conditions of Art. 17 of Regulation (EU) 2016/679 apply;
- Right to a restriction on processing;
- Right to data portability, if the conditions for portability under Art. 20 of Regulation (EU) 2016/679 are met;
- Right to object, if the conditions of Art. 21 of Regulation (EU) 2016/679 are met;
- Right to file a complaint with the Commission for Personal Data Protection or the District Court;
- The right of the data subject not to be the subject of a decision based solely on automated processing, including profiling.

11. Data retention period:

As a personal data administrator, the “EUROPEAN ASSOCIATION OF FOLKLORE FESTIVALS – EAFF” processes data for a period as provided in the applicable legislation and in accordance with the principle of storage limitation. The remaining data are stored for different periods, according to the type of data and the legal obligation that governs their processing, including their storage. The criteria for storage are:

- upon registration on the site, the data of the collectives wishing to become members are kept for 10 years;
- the personal data of workers / employees of the “EUROPEAN ASSOCIATION OF FOLKLORE FESTIVALS – EAFF” are stored and processed for a longer period in accordance with the requirements of the Accountancy Act.

12. Responsibility of the Association for Protection of Personal Data:

In relation to the responsibility of the data controller introduced by Regulation (EU) 2016/679 and the Law on Protection of Personal Data, and in order to provide adequate data protection, the Association applies all necessary organizational and technical measures to protect the personal data of individuals.

For maximum security in the processing, transmission and storage of personal data, the organization uses mechanisms to protect data stored both electronically and on paper.

Computer access via a local network to files containing personal data is provided only to employees of the “EUROPEAN ASSOCIATION OF FOLKLORE FESTIVALS – EAFF” or to the Data Protection Officer, authorized with regulated rights, only from their physical workplace, from a specially designated computer and after identification via login and password to the system. At the end of working hours, employees turn off their local computer.
In order to increase the security of access to information, employees must change the passwords they use at an interval specified by the “EUROPEAN ASSOCIATION OF FOLKLORE FESTIVALS – EAFF”, no longer than 2 months.

To perform the data protection functions, the Association uses a fully licensed operating system. The use of any software of unlicensed origin is forbidden. The installation of software products on office computers is done only by a specialized person - an IT specialist.

13. Policy changes:

The Association has the right to update, amend and supplement the data protection policy at any time in the future, when circumstances require.

14. Contact details of the personal data controller:

Address: Bulgaria, Veliko Tarnovo, 10, Han Krum str.
Telephone number: 062/62 15 41
E-mail address: office@eaff.eu

15. Data Protection Supervisor:

The national data protection supervisory authority is the Commission for Personal Data Protection. It monitors the proper implementation of Regulation (EU) 2016/679, and any individual who considers that his rights regarding the processing of his personal data have been violated may file a complaint with the Commission at the following address:

Address: Bulgaria, Sofia, 2, Prof. Tsvetan Lazarov str.
Telephone number: 02/91-53-555
E-mail address: kzld@cpdp.bg
Web page: www.cpdp.bg