Slider

AVVI LTD
PERSONAL DATA PROTECTION POLICY

Version 1, 22 May 2018

Introduction

This policy is based on Regulation (EU) 2016/679 (General Data Protection Regulation) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC, and on the basis of the relevant guidelines adopted by Article 29 Working Party. As of the time of drafting this policy, the protection of natural persons with regard to the processing of personal data is provided by the Bulgarian Personal Data Protection Act, therefore any changes in the legislation (both European and national) may necessitate amending or supplementing this policy. In the event of any inconsistency between this policy and the legislation (both primary and secondary), the latter shall prevail.

AVVI Ltd. Company, UIC 130336591, registered office Sofia 1000, 9 Rositsa St., (hereinafter referred to as "the Company"),

Whereas:

(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (General Data Protection Regulation - GDPR), came into force with effect from 25 May 2018, thus considerably altering the existing data protection legal regime,

(2) As a legal entity established on the territory of the Republic of Bulgaria and a Data Controller processing personal data in accordance with the GDPR and its implementing acts, and the current national legislation, AVVI Ltd. adopts this General Personal Data Protection Policy (hereinafter referred to as "the Policy"), with the greatest responsibility, undertakes to process personal data in accordance with the applicable legislation.

This Policy is intended to provide a framework for the processing of personal data by AVVI Ltd., as well as to outline the basic principles that shall be followed in any data processing operation within the Company.

This policy may be supplemented by other policies related to personal data privacy, as well as by procedures and instructions governing individual specific rights and obligations related to the protection of personal data.

Scope

This Policy applies to the use and processing of personal data of natural persons, including customers, employees, contractors and suppliers.

Every employee of AVVI Ltd. shall abide by this Policy when processing personal data. There are no exceptions to this rule.

Definitions

For the purposes of this Policy:

"personal data controller" means an individual or legal entity which determines the purposes and means of personal data processing. The controller is responsible for establishing practices and policies in accordance with the applicable data protection legislation. AVVI Ltd. is a personal data controller of the personal data of all its employees that are processed in the course of the activities of the Company. AVVI Ltd. is also a personal data controller in terms of its suppliers and customers.

"personal data processor" means any natural person or legal entity which processes personal data on behalf of a personal data controller. The employees of the personal data controller are excluded from the scope of this definition; however, it applies to contractors that process personal data on behalf of AVVI Ltd.

"data subject" means an identified or identifiable natural person. For the purposes of this Policy, data subjects may be employees, customers and/or representatives of suppliers and business partners, as well as other individuals whose personal data may be processed by the Company.

"personal data" means any data or information related to an identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Personal data may be stored electronically, on a computer or in certain paper-based systems.

"personal data relating to criminal convictions and offences" means any personal data related to criminal proceedings, criminal offenses and/or convictions and pardons.

"processing" means any operation or set of operations performed on personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"special categories of personal data" mean personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data and biometric data processed for the purpose of uniquely identifying a natural person, data concerning a natural person’s health or sex life or sexual orientation.

Types of Personal Data Processed by AVVI Ltd.

AVVI Ltd. collects and processes personal data in connection to the following data categories (the list is not exhaustive):

  • job candidates and personnel of AVVI Ltd., in relation to their (possible) position at AVVI Ltd. (including contact details, CV, etc.);
  • dependants and family members of AVVI Ltd.’s employees, in relation to the purposes of social security and tax legislation;
  • customers and potential clients;
  • consumers, some of them also becoming direct customers, in relation to the products and services they request;
  • trade partners of AVVI Ltd, as well as other persons in charge of managing business relations.

In certain and limited cases, AVVI Ltd. may also process special categories of personal data (health status, trade union membership, etc.).

Obligations of the Company in Relation to Personal Data Protection

In its capacity of a personal data controller AVVI Ltd. has the following obligations:

  • to determine the personal data protection policy of the Company in compliance with the provisions of the GDPR and the national legislation;
  • to analyze the need for a data protection officer and appoint one, if applicable;
  • to create and maintain records of the processing activities as regards personal data in accordance with the appropriate measures to guarantee adequate protection;
  • to introduce and implement, both at the time of determination of the means for processing and at the time of the processing itself, appropriate technical and organizational measures, which shall be designed to implement data-protection principles in an effective manner;
  • to ensure the exercise of the rights of natural persons in relation to personal data protection;
  • to adopt appropriate technical and organizational measures to ensure and be able to prove that the GDPR is implemented in the processing of personal data;
  • to adopt appropriate technical and organizational measures for ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage, and their accessibility;
  • to monitor compliance with the requirements for protection of the registers, identify the circumstances of protection-related breaches, and take measures to eliminate them;
  • to update the maintained registers with personal data;
  • to maintain personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  • to regularly raise awareness and train employees in personal data protection;
  • to assist the supervisory authority (the Personal Data Protection Commission) in its functions and facilitate the identification of circumstances related to the protection of personal data;
  • to determine the access rights of employees dealing with personal data in the information systems according to the purposes of processing, so as to ensure the lawfulness of data processing and compliance with its principles;
  • to uses only personal data processors which provide sufficient safeguards by implementing appropriate technical and organizational measures;
  • in the event of a personal data breach, to notify the breach to the supervisory authority (Personal Data Protection Commission) without undue delay and not later than 72 hours after having become aware of it. The supervisory authority shall not be notified when the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
  • in case of a high risk to the natural persons, to communicate to the data subject the personal data breach in an appropriate manner;
  • to document any personal data breaches, including the facts relating to the personal data breach, its effects, and the remedial action taken;
  • to carry out a data protection impact assessment (DPIA) pursuant to Art. 35 of the GDPR.
Data Protection Principles

Adherence to the principles provided by the GDPR is essential to the practical implementation of the Regulation and is a demonstration of responsible attitude. Personal data shall only be processed in accordance with this Policy and by following the principles as described below:

  1. Lawfulness

    Whenever personal data are collected, they must be collected with clarity as to the legitimate business purpose for which the data are collected. Personal data processing must be based on either of the legal provisions in the GDPR, otherwise it shall not be considered lawful.

    Whenever AVVI Ltd. processes a special category of personal data (e.g. employee’s health data), due care shall be given and greater responsibility exercised in comparison to the protection of other personal data, on the presumption that such data can be used in a discriminatory way and are likely to be extremely personal. The nature of the data is also a factor in determining the safeguards that shall be taken. Whenever AVVI Ltd. processes such personal data, it shall satisfy one or more of the grounds for processing such data, as specified in the GDPR, as well as one of the general provisions applicable in each individual case.

  2. Transparency

    Developments, practices and policies related to personal data protection shall be written and updated in accordance with the basic principle of transparency. AVVI Ltd. is obliged to provide information and assist data subjects, who request to know whether and how their personal data are processed and who their personal data processor is. If data subjects do not know what we are processing as a controller and why, the processing of personal data cannot be considered "fair".

    In its capacity as a controller, AVVI Ltd. is obliged to provide data subjects with privacy notices whenever their personal data are collected. The obligation to notify data subjects applies to all forms of data collection, with the specific requirements for a valid GDPR-compliant privacy notice being stipulated in the Regulation.

  3. Data Minimization

    Personal data processing shall be limited to what data is necessary in relation to the purposes for which AVVI Ltd. has collected them. Personal data shall only be obtained in lawful and transparent ways and, where appropriate, with the knowledge or consent of the data subject, without the consent being the sole and absolute basis for the processing of personal data.

    Whenever information is provided by a data subject in a specific form, both electronic or written, the data necessary for the specific purpose shall be labeled as any information that is provided voluntarily and in addition to the minimally required data, in order to communicate to the data subject that the provision is not mandatory.

    Where feasible, personal data shall be anonymized, pseudonymized or optimized as much as possible.

  4. Data Accuracy

    Personal data must be relevant to the purposes for which they are to be used. Personal data must be accurate, complete, collected in compliance with the processing purpose, and kept up to date. Data subjects shall be provided with the possibility to update their own data, if possible, otherwise procedures shall be implemented to guarantee data accuracy.

  5. Purpose Limitation

    The purposes for which personal data are collected must be communicated to data subjects at the time the data are collected. Personal data shall only be processed in compliance with the purposes for which they are collected or for other purposes that are not incompatible with the initial purposes. Any other purposes shall be communicated to the data subjects.

  6. Restriction of Processing and Storage Limitation

    Personal data must not be disclosed, made available or otherwise used for purposes other than those communicated to the data subjects, except with the consent of the latter or by law. Personal data may be processed for purposes other than the initial purpose if only they are compatible with the initial purpose.

    If personal data collected by AVVI Ltd. have to be processed for purposes other than the initially stated and described in the privacy notice, one has to ensure the lawfulness of the processing for the new purpose. In case of any doubts or subsequent use of personal data, contact the data protection officer, who can judge whether, due to the subsequent use of the information, one has to adopt a specific data rectification procedure in compliance with the data protection principles by design and by default and/or the requirement for a data protection impact assessment. This may possibly necessitate rectification/update of existing privacy notices or additional consent from the data subject, if consent is considered basis for the processing.

    Data protection by design refers to the adoption of an approach to each project, which ensures data privacy and protection by default. When introducing new technologies, systems, applications and/or operations, AVVI Ltd. shall implement appropriate technical and organizational measures to ensure that data protection is the underlying principle in the early stages of each project and throughout its life cycle.

    The data protection impact assessment is a process that facilitates the evaluation of the risks to data confidentiality in the process of data collection, processing or disclosure. The data protection impact assessment may be improved by adoption of measure for data protection by default and by design.

    AVVI Ltd. shall only maintain data in a readable format as long as it is necessary for the processing purposes. All other data shall be erased from all systems and devices of AVVI Ltd. after the expiry of the storage period determined in line with the local legislation and business activities of AVVI Ltd. The pursuit of the legitimate interests of AVVI Ltd. shall not be in conflict, but in concordance with the rights of the data subjects. This is achieved by creating a special policy on the rights and their exercising at AVVI Ltd., as well as by regularly updating the data storage procedure.

  7. Integrity and Confidentiality

    Personal data should be appropriately safeguarded against risks such as loss or unauthorized access, destruction, use, alteration or disclosure of data. Security and protection of personal data is crucial in any processing. Hence, AVVI Ltd. shall develop personal data security procedures in accordance with the level of risk to the rights of the data subjects.

    In case of third parties, subcontractors or suppliers, AVVI Ltd. shall ensure that those individuals with access to personal data also meet AVVI Ltd.’s requirements in terms of the security, technical and organizational measures.

  8. Responsibility and Accountability

    The company that collects personal data and determines the ways they are processed. i.e. the data controller shall be responsible for the implementation of measures designed in compliance with the above-stated principles.

    The accountability principle means that AVVI Ltd. shall be able to demonstrate compliance with the GDPR requirements at any time. This is achieved by ensuring as follows:

    • compliance with applicable local legislation and implementation of adequate technical and organizational data protection measures;
    • maintenance of an up-to-date and accurate register of data processing activities (pursuant to Art. 30 of the GDPR), which shall be made available to the supervisory authority upon request. If necessary, the register shall be agreed with the good business practices followed by AVVI Ltd.
    • a data protection impact assessment (DPIA) with respect to any new processing activity that may pose a high risk to the rights and freedoms of the natural persons;
    • compliance with the data protection by design and by default principle (privacy by design and privacy by default) in the development of new technologies, systems, applications or business processes;
    • adequate and regular training of the staff in terms of the organizational and technical data protection measures, development of plans for this training;
    • conduct of regular internal and external audits of the personal data processing procedures at AVVI Ltd.;
    • provision of timely reports by the responsible persons and the Board on personal data breaches, as well as constant analysis of received data breach signals for the purpose of improving data protection and related processes at AVVI Ltd.;
    • assistance to the supervisory authority in the execution of its duties.
Rights of the Data Subject

AVVI Ltd. shall take appropriate measures to provide data subjects with information on the processing of personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The controller shall assist the exercise of the rights of the data subject under Articles 15 to 22 of the GDPR, unless it is unable to prove the identity of the natural person.

Regulation 2016/679 complements the existing rights of the data subject with new provisions, offering guidelines for their exercise. The GDPR extends the rights of the data subject so that the data subject is better informed and is able to more effectively control the processing of his or her personal data.

Data subjects have the following rights:

  • Right of access: the right to request a copy of their personal data that are being processed by AVVI Ltd. and by third parties with whom AVVI Ltd. has business (e.g. providers of social security and insurance services).

    The right of access includes the following information:

    • the purposes of the processing;
    • the categories of personal data concerned;
    • the storage period;
    • the existence of the right to rectify or erase personal data, or restrict the processing of personal data, or object to the processing;
    • the right to file a complaint with the supervisory authority;
    • the sources of personal data.
    Under the access right of the data subject, a natural person is entitled to information related only to his or her own personal data, and may not request information related to another person, unless the natural person acts on behalf of that other person.
  • Right to rectification: the right to have inaccurate or incomplete personal data corrected.

    The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

  • Right of erasure (right to be forgotten): the right of the data subject to have his or her personal data permanently removed or deleted when they are no longer necessary for processing.

    This right is exercised only in the following specific situations:

    • when the personal data are no longer necessary for the initial purpose for which they have been collected/processed;
    • when the personal data have been unlawfully processed (i.e. not in compliance with the GDPR);
    • if the data subject withdraws his or her consent and there is no other legal ground (e.g. legitimate interests) for the processing of the personal data.
    However, AVVI Ltd. may keep the personal data when:
    • there are compelling reasons (e.g. existing insurance contracts, current damages, etc.);
    • the personal data are required in relation to a legal obligation (e.g. company records, financial matters, audits, etc.) or for establishment, exercise or defense of legal claims (e.g. detention in case of pending damages).
  • Right to restriction of processing: the right to request AVVI Ltd. to suspend or end the processing of all or some of the personal data of the data subject. If the data have been disclosed to third persons, they shall be notified of the restriction on the data processing (unless it proves impossible or involves disproportionate effort). There are also specific cases, described in the GDPR, when this right is exercised.
  • Right to data portability: the right to receive the personal data in a structured, commonly used, machine-readable and interoperable format, enabling them to transmit their personal data to another personal data controller by themselves or through AVVI Ltd. It applies only when all of the following conditions are met:
    1. the personal data are processed by automated means (i.e. no data records on paper);
    2. the personal data are voluntarily provided to the controller by the data subject;
    3. the processing basis is only the consent of the data subject or the data are processed pursuant to a contract or as preliminary steps for the conclusion of a contract.
  • Right to object: the right to object to the processing of personal data when the processing is based on grounds of public or legal interest, or is carried out for direct marketing purposes.
  • Automated decision-making, including profiling: the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects on the data subject or significantly affect the data subject.
  • Right to give, change or withdraw consent: when consent is the basis for data processing.

In order to provide mechanisms and to guarantee the exercise of the rights of data subjects, AVVI Ltd. has developed an internal process for processing and tracking requests by natural persons.

Consent to the Processing of Personal Data

Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Pursuant to Art. 6 (1) of the GDPR, the consent of the data subject is one of the permissible conditions for the lawfulness of personal data processing. Consent shall be given personally by a written declaration, in electronic format, or by other means determined by the controller, which ensure that the consent of the data subject is:

  • freely given,
  • specific,
  • informed,
  • and unambiguous.

Tacit consent, pre-checked boxes, or no action shall not be considered a consent.

AVVI Ltd. shall provide data subjects with the possibility to easily alter or withdraw their consent with no adverse legal consequences for them.

Data Protection Officer

AVVI Ltd. has designated an employee to act as a Data Protection Officer (DPO), to participate properly and in a timely manner in all issues relating to the protection of personal data. The responsibilities of the Data Protection Officer are set out in details in his/her job description.

The DPO’s responsibilities and powers include, but are not limited to, the following:

  • to inform and advise the management and the staff (controller and processors) engaged in the personal data processing operations about their obligations under the GDPR and all other applicable EU provisions and the national legislation related to personal data protection;
  • to monitor, raise awareness and train the staff involved in personal data processing operations;
  • to monitor the need for amendments to the personal data processing activities and the related and/or regulatory documents;
  • to act as the single point of contact with the supervisory authority (Commission of Personal Data Protection) and for data subjects in terms of the exercise of their rights;
  • to perform comprehensive monitoring and provide regular evaluation, consultations, recommendations and proposals so as to ensure an adequate level of personal data protection.
Relations with Personal Data Processors

When outsourcing personal data processing to third parties, AVVI Ltd., in its capacity as controller, shall comply with the following requirements:

  • to select only processors which provide sufficient guarantees of the implementation of appropriate technical and organizational data protection measures;
  • the terms of the data protection shall be laid down in the written contract with the processors;
  • the data subjects shall be informed in an appropriate way.

Contracts with processors shall contain at least the following details:

  • the object and period of processing;
  • the purpose and nature of processing;
  • the categories of natural persons whose data are processed;
  • the categories of personal data that are processed;
  • the rights and obligations of the contractor;
  • the requirements to the processor under Art. 28 (3) of the GDPR.
Disclosure of Personal Data. Transfer of Data.

The international business of AVVI Ltd. requires transfer of personal data to companies within the Willis Towers Watson group. In these cases, the following rules apply:

Disclosure of data to another company within the AVVI Group: Personal data shall be disclosed to another company within the AVVI Group for statistical purposes, and service and service quality management, with the Group taking the necessary safeguards to ensure appropriate level of data protection and implement adequate technical and organizational measures.

Transfer of data to third parties: In certain cases, data shall be transferred to third parties by virtue of a contract between AVVI Ltd. and a company acting as a service provider. In these cases, AVVI Ltd., through its parent company Willis Towers Watson, shall ensure that the transfer is fully compliant with the legal provisions, and the level of data protection is retained (including, but not limited to, standard personal data transfer clauses).

Personal Data Security Incident Management

The management of personal data security incidents (data breaches) is based on the provisions of Art. 33 and Art. 34 of the GDPR. In case of a security incident, which may pose a risk to the rights and freedoms of the natural persons, the controller shall notify it to the supervisory authority within 72 hours. In the presence of a high risk, the natural persons have to be notified as well.

Technical and Organizational Measures for Data Protection

In its activity AVVI Ltd. plans and implements appropriate technical and organizational measures for personal data protection against accidental or unauthorized destruction, accidental loss, unauthorized access, alteration or disclosure, as well as other illegal forms of processing.

The types of data protection are physical, personnel, documentary, of automated information systems and/or networks, and cryptographic protection.

The controller shall take the following measures to protect the personal data:

  • physical protection measures: a system of technical and organizational measures to prevent unauthorized access to buildings, premises and facilities where personal data are being processed, which include:
    1. technical measures:
      • access control systems to protect the premises of the company;
      • locking systems operating outside office hours and regulating access to the premises;
      • provision of rooms and cabinets with locks for storing information related to personal data in the cases provided by the internal organizational and regulatory documents;
      • furnishing the premises with the necessary equipment for storage of personal data (folders, files, etc.);
      • firefighting systems compliant with the regulations.
    2. organizational measures:
      • determination of the premises in which personal data shall be processed, as well as the premises where elements of the communications and information systems for personal data processing shall be located, the organization of physical access included;
      • designation of areas with access control;
      • determination of the characteristics of the physical environment and the areas with access control;
      • determination of the premises where the elements of the communication and information systems for personal data processing are to be located;
      • determination and organization of physical access;
      • identification of the basic technical means of physical protection.
  • Personnel protection measures: a system of organizational measures in terms of the individuals who are assigned by AVVI Ltd. the task of processing personal data, and they include:
    1. knowledge and compliance with the regulations relating to the protection of personal data;
    2. knowledge of the policies and guidelines relating to the protection of personal data;
    3. compliance with the clean desk and clean screen policy;
    4. no sharing of critical information among staff (e.g. IDs, access passwords, etc.)
    5. consent to non-disclosure of available data, confidentiality;
    6. training of staff that are processing personal data;
    7. training of staff to respond to events that threaten the security of personal data;
    8. determination of ways to ensure personnel protection.
  • documentary protection measure: a system of organizational measures for processing of personal data on paper, which include:
    1. determining the conditions for personal data processing on paper;
    2. regulating access of authorized staff to paper-based registers;
    3. determining access control to paper-based registers;
    4. determining terms and conditions for storing personal data on paper;
    5. determining rules for reproduction and distribution of paper-based personal data;
    6. creating procedures for destruction of paper-based personal data.
  • measures for protection of automated information systems and/or networks: a system of technical and organizational measures to protect against unlawful forms of personal data processing, which include:
    1. means for identification and authentication of users;
    2. external links/connection;
    3. provision of telecommunications and remote access;
    4. measures against viruses and malware;
    5. measures for maintenance/operation of information systems and/or networks;
    6. ways for storing copies/ backup information for recovery of data;
    7. different types of information carriers;
    8. certain characteristics of the physical environment / surroundings
    9. determining methods for personnel protection;
    10. determining the period for storage of personal data in electronic format;
    11. rules for destruction/erasure of electronic media with personal data.
  • cryptographic protection measures: a system of technical and organizational measures implemented to protect personal data from unauthorized access during transmission, dissemination, or provision, which include:
    1. standard cryptographic capabilities of the operating systems;
    2. standard cryptographic capabilities of the database management systems;
    3. standard cryptographic capabilities of the communications equipment.

The measures are in line with the latest technological developments and provide an adequate level of protection corresponding to the risks related to the processing and the category of the protected data.

In addition, AVVI Ltd. shall also adopt the following technical and organizational measures:

  • Personal data on portable media shall be stored in designated cabinets in the offices of the respective authorized employees that shall be locked during off-hours;
  • Personal data shall not leave the buildings of AVVI Ltd., unless required by an official necessity and/or permission.
  • Personal data, compiled and stored electronically, shall be recorded on a hard disk of a network server (if they are to be processed by more than one employee) or on a standalone computer (in they are to be processed by only one employee or the server is not accessed from this particular workstation). Computers on which personal data are to be processed and accessed shall be connected to the local network by secured access to the personal data granted only to the processor. Personal data are processed by standalone computers in line with the policies for controlled access (username, password, antivirus protection, etc.).
  • Personal data shall be processed by relevant software products for data processing, including for human resource management and staff remuneration (basic salaries, bonuses, tax and other obligations like loans and distraints, work experience, working days and days off, etc.), related to the staff of AVVI Ltd. as well.
  • The operating system that contains the personal data files shall be accessed only by authorized personnel that shall process the personal data via a personal password opening those files, which shall be known only by the respective employee, and in his/her absence by his/her immediate superior or other employee, specifically designated for the purpose.
  • Computers processing personal data shall be placed in separate rooms, if feasible, otherwise they shall be placed in a single room.
  • In order to increase security of the personal data processing in accordance with Art. 32 of the GDPR, AVVI Ltd. may introduce additional organizational, technological and technical measures to ensure availability, confidentiality and integrity of the personal data.
Obligations of the Employees at AVVI Ltd.

The employees at AVVI Ltd. shall process personal data in line with the personal data protection regulations and the company policies, procedures and instructions for personal data protection.

Non-compliance with the obligations under this Policy and the other company policies, procedures and instructions for data protection at AVVI Ltd. shall result in disciplinary penalties for the respective employees in accordance with the Labor Code. When the act of non-compliance is established by a competent authority, it shall result in an administrative fine as provided by the Personal Data Protection Act. If actions by the respective authorized person that is processing personal data result in damages to a third party, the third party may take legal actions under the civil law or the criminal code if the offence is considered a crime and criminal liability is envisaged for it.

Policy Relevance

The revision and updating of this policy is the responsibility of the company's legal department. For inquiries and requests, regarding the exercise of data subjects’ rights contact This email address is being protected from spambots. You need JavaScript enabled to view it..

Please publish modules in offcanvas position.