Policy for Protection of Personal Data

23 May 2018

Policy for Protection of Personal Data Policy for Protection of Personal Data

Last updated: 25.01.2022

As a Personal Data Administrator, Musala Soft JSC is obliged to inform you what to expect when it processes your personal information.

Transparency in information processing

I. Declaration on personal data protection policy

  1. With this document, the Management of Musala Soft JSC ensures compliance with the legislation of the EU and the Member States regarding the processing of personal data and protection of “rights and freedoms” of persons whose personal data Musala Soft JSC collects and processes in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679).
  2. In accordance with the General Regulation, other relevant documents as well as related processes and procedures are described in this Policy.
  3. Regulation (EU) 2016/679 and this Policy apply to all personal data processing functions, including those performed on personal data of customers, employees, suppliers and partners and any other personal data from various sources that the Company processes.
  4. This Policy applies to all customers, external suppliers, and third-party stakeholders, as well as by and to employees of the Company. Any breach of the General Regulation will be considered a breach of labor discipline, and in the event of a suspected criminal offense, the matter will be referred to the relevant public authorities as soon as possible.
  5. Partners and third parties working with or for Musala Soft JSC, as well as those who have or may have access to personal data, will be expected to know, understand and comply with this Policy. No third party may access personal data stored by Musala Soft JSC without first concluding a Data Confidentiality Agreement, which imposes on the said third party obligations no less burdensome than those assumed by Musala Soft JSC, and which entitles Musala Soft JSC to carry out inspections of compliance with the obligations imposed by the Agreement.

II. Obligations and roles under Regulation (EU) 2016/679

  1. Musala Soft JSC is a data administrator according to Regulation (EU) 2016/679.
  2. The Management of Musala Soft JSC is responsible for developing and promoting good practices in the field of information processing in the Company.
  3. Compliance with data protection legislation is the responsibility of all employees of the administrator which process personal data.
  4. The training policy of Musala Soft JSC (Training Policy) determines the specific requirements for training and information in connection with the specific roles of employees / workers of the Company.

III. Principles of data protection

The processing of personal data shall be carried out in accordance with the principles of data protection set out in Article 5 of Regulation (EU) 2016/679. The policies and procedures of Musala Soft JSC aim to ensure compliance with these principles.

1. Personal data must be processed lawfully, in good faith and transparently

Lawfully – to identify a legal basis before processing personal data. They are often referred to as “grounds for processing”, such as “consent”.

In good faith – in order for the processing to be in good faith, the data administrator must provide certain information to the data subjects as far as it is practically possible. This applies whether the personal data are obtained directly from the data subjects or from other sources.

Regulation (EU) 2016/679 increases the requirements for what information should be available to data subjects, which information is covered by the “transparency” requirement.

Transparency – The General Regulation includes rules on the provision of confidential information to data subjects in Articles 12, 13 and 14 of the GDPR. They are detailed and specific, emphasizing that privacy notices are understandable and accessible. The information must be communicated to the data subject in an understandable form, using clear and understandable language.

According to the requirements of GDPR, Musala Soft JSC provides data subjects with the legally required information in the form of a Notice for confidential treatment of personal data (Privacy Policy) and a Notice of conditions for the use of cookies available through the Company’s website.

The specific information that the Company provides to the data subject includes at least: data that identify the administrator and the contact details of the administrator and the contacts of the data protection officer; the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; the period for which personal data will be stored; the existence of the following rights – to request access to data, correction, erasure (right to be “forgotten”), restriction of processing, as well as the right to object to the conditions (or lack thereof) in connection with the exercise of these rights; the categories of personal data; the recipients or categories of recipients of personal data, where applicable; where applicable, whether the controller intends to transfer personal data to a recipient representing a third party and the level of data protection; any additional information necessary to ensure handling in good faith.

2. Personal data may only be collected for specific, explicit and legitimate purposes

The data obtained for specific purposes are not used for purposes that differ from those officially announced as part of the Register of Data Processing Activities (Article 30 of the GDPR) of Musala Soft JSC. A procedure for transparency in the processing of personal data sets out the relevant rules.

3. Personal data must be adequate, relevant, limited to what is necessary for the processing for that purpose. (principle of necessary minimum)

  • The persons responsible for data protection ensure that Musala Soft JSC does not collect information that is not strictly necessary for the purpose for which it was obtained.
  • All data collection forms (electronic or paper-based), including data collection requirements in new information systems, include a statement of processing in good faith or a link to a Privacy Statement (notice of confidentiality of personal data).
  • Data protection officers ensure that at least once a year all data collection methods are reviewed by internal audit or external experts to ensure that the data collected continue to be adequate, relevant and not excessive according to the Data Protection Impact Assessment Procedure, as well as to ensure the methodology used for the impact assessment is adequate.

4. Personal data must be accurate and up-to-date at all times, and the necessary efforts must be made to enable immediate (within the scope of possible technical solutions) deletion or rectification.

  • The data stored by the data administrator is reviewed and updated as necessary. No data is stored in cases where it is likely to be inaccurate.
  • Data protection officers ensure that all personnel are trained in observing the importance of collecting and maintaining accurate data.
  • Also, it is the obligation of the data subject to declare that the data he transmits for storage by Musala Soft JSC are accurate and up-to-date. The completion of a form by the data subject intended for the administrator will include a statement that the data contained therein are accurate as of the date of submission.
  • Employees, customers and everyone else are required to notify Musala Soft JSC of any changes in circumstances so that personal data records can be updated. It is the responsibility of Musala Soft JSC to ensure that any notification of a change in circumstances is recorded and adequate action is taken.
  • Data protection officers ensure that appropriate procedures and policies are in place to maintain the accuracy and timeliness of personal data, taking into account the volume of data collected, the speed with which it may change and other relevant factors.
  • At least on an annual basis, the Management of Musala Soft JSC reviews the retention periods of all personal data processed by Musala Soft JSC by referring to the data inventory and identifies all data that are no longer required in the context of the registered purpose. This data shall be properly destroyed in accordance with the administrator’s procedures and rules.
  • Data protection officers are responsible for compliance with data correction requests within one month (Procedure for data rectifiction). This period can be extended by another two months for complex applications. If Musala Soft JSC decides not to comply with the request, it responds to the data subject to explain its reasons and inform it of its right to lodge a complaint with the supervisory authority and seek redress.

5. Personal data must be stored in such a form that the data subject can only be identified for as long as is necessary for the processing.

  • When personal data are retained after the date of processing, they are stored in an appropriate way (minimized) to protect the identity of the data subject in the event of a data breach. Data minimization is also necessary when we are provided with a larger volume of data by the subject. We at Musala Soft also apply anonymization of data in order to de-identify data subject identity.
  • Personal data are kept in accordance with the Procedure for personal data erasure and after their storage period has expired, they are duly destroyed in accordance with the procedure specified in this Procedure.
  • Data protection officers specifically approve any retention of data that exceeds the retention period defined in the Data retention and destruction procedure and ensure that the justification is clearly defined and in accordance with the requirements of data protection legislation. This approval must be in writing.

6. Personal data must be processed in a way that ensures adequate security (Article 24, Article 32 of the GDPR)

The Management of Musala Soft JSC performs an impact assessment (risk assessment), taking into account all circumstances related to the operations of data management or processing by the administrator.

In determining the appropriateness of the processing, the Management considers the extent of any damage or loss that may be caused to individuals (staff, customers, etc.) if a security breach occurs, as well as any likely damage to the administrator’s reputation, including possible loss of customer confidence.

In assessing appropriate technical measures, data protection officers consider the following: Password protection; Automatic locking of inactive workstations in the network; Antivirus software and firewalls; Role-based access rights; Protection of devices that leave the premises of the Company, such as laptops or others; Security of local and wide area networks; Privacy enhancement technologies, such as pseudonymization and anonymization; Identifying appropriate international security standards appropriate for the administrator.

In assessing the appropriate organizational measures, the Management takes into account the following: The levels of appropriate training in Musala Soft JSC; Measures that take into account the reliability of employees (certification assessments, recommendations, etc.); The inclusion of data protection in employment contracts; Identification of disciplinary measures for violations with regard to data processing; Regular inspection of personnel for compliance with relevant security standards; Control of physical access to electronic and paper-based records; Adopting a “clean workplace” policy; Storage of database on paper in lockable wall cabinets; Restricting the use of portable electronic devices outside the workplace; Restricting employees’ use of personal devices in the workplace; Adopting clear rules for creating and using passwords; Regular backup of personal data and physical storage of media with copies outside the office; Imposing contractual obligations on counterparty entities to take appropriate security measures when transferring data outside the EU.

These controls are selected on the basis of the identified risks to personal data, as well as on the potential for harm to the data subjects.

In order to limit the risk of access to the provided personal data, Musala Soft and its employees do not engage supplier companies for processing personal data.

7. Observance of the principle of accountability

Regulation (EU) 2016/679 includes provisions that promote accountability and manageability and complement transparency requirements. The principle of accountability in Art. 5, para. 2 requires the administrator to prove that he/she observes the other principles in the GDPR and explicitly states that this is his/her responsibility.

Musala Soft JSC proves compliance with the principles of data protection by implementing data protection policies through joining codes of conduct, implementing appropriate technical and organizational measures, as well as by adopting data protection techniques at the design stage and default data protection, personal data protection impact assessment, personal data breach notification procedure, etc.

Musala Soft, as controller of personal data, assumes the responsibility to cooperate with providers and partners in order to demonstrate their compliance with the obligations of personal data processing.

IV. Rights of data subjects

1. Data subjects have the following rights with regard to the processing of data as well as the data recorded for them:

  • The right to make requests to confirm whether personal data related to him/her are being processed and, if so, to have access to the data as well as to information on the recipients of this data.
  • The right to request a copy of their personal data from the administrator;
  • The right to ask the administrator to correct personal data when they are inaccurate and when they are no longer up to date;
  • The right to require the administrator to delete personal data (right to be “forgotten”);
  • The right to ask the administrator to limit the processing of personal data, in which case the data will only be stored, but not processed;
  • The right to object to the processing of his/her personal data;
  • The right to object to the processing of personal data concerning him/her for the purposes of direct marketing.
  • The right to complain to a supervisory authority if he/she considers that any of the provisions of the GDPR have been violated;
  • The right to request and be provided with personal data in a structured, widely used and machine-readable format;
  • The right to withdraw his/her consent to the processing of personal data at any time with a separate request addressed to the administrator;
  • The right not to be subject to automated decisions that affect him/her significantly, without the possibility of human intervention;
  • The right to oppose automated profiling, which happens without his/her consent;

2. Musala Soft JSC provides conditions that guarantee the exercise of these rights by the data subject:

  • Data subjects may make requests for access to data as described in the Procedure for data rectification; this procedure also describes how Musala Soft JSC will ensure that the response to the data subject’s request meets the requirements of the General Regulation.
  • Data subjects have the right to submit complaints to Musala Soft JSC related to the processing of their personal data, the processing of a request by the data subject and an appeal by the data subject regarding the manner of processing complaints in accordance with the Procedure for handling of claims and the Procedure for revew of claims resolution.

V. Consent

1. By “consent” Musala Soft JSC means any freely expressed, specific, informed and unambiguous indication of the will of the data subject, through a statement or clearly confirmatory action expressing his/her consent to the processing of personal data related to him/her. The data subject may withdraw his/her consent at any time.

2. By “consent” Musala Soft JSC means only the cases in which the data subject has been fully informed about the planned processing and has expressed his/her consent without being pressured. Consent obtained through pressure or on the basis of misleading information will not be a valid basis for the processing of personal data.

3. Consent cannot be inferred from the lack of a response to a communication to the data subject. In order for there to be consent, there should be active communication between the administrator and the subject.

4. For special categories of data, explicit written consent must be obtained in accordance with the Procedure for obtaining consent for the processing of personal data of data subjects, unless there is an alternative legal basis for processing.

5. When Musala Soft JSC processes personal data of children, it receives permission from the exercisers of parental rights (parents, caretakers, etc.). This requirement applies to persons under 18 years of age.

VI. Data security

1. All employees are responsible for ensuring security in the storage of data for which they are responsible and for which Musala Soft JSC is responsible, as well as that data is stored securely and not disclosed in any circumstances to third parties, except if Musala Soft JSC has granted such rights to this third party by concluding a contract / confidentiality clause.

2. All personal data is available only to those who need it, and access is provided only in accordance with the established rules for access control. All personal data is treated with the utmost security and stored properly as follows: in a separate room with controlled access; and /or in a locked cabinet or file; and/or if it is computerized, password protected in accordance with the internal requirements specified in the organizational and technical measures for controlling access to information; and/or stored on portable computer media that are protected in accordance with the organizational and technical measures to control access to information.

3. All staff shall be trained in compliance with organizational and technical access measures, as well as the rules for locking workstations, before they have been granted access to information of any kind.

4. Paper records shall not be left within the reach of unauthorized persons and may not be removed from designated offices without express permission. As soon as the paper documents are no longer needed for the current work of customer support, they are stored for the specified period and destroyed in a timely manner in accordance with the established procedure / rules and the relevant protocol.

5. Personal data shall be deleted or destroyed only in accordance with the Procedure for personal data erasure. Paper records that have reached the end date of storage are cut and destroyed as “confidential waste”. The data on the hard disks of the redundant personal computers are erased or the disks are destroyed, according to the established rules / procedures.

6. The processing of personal data “outside the office” poses a potentially higher risk of loss, theft or breach of personal data. The staff is explicitly authorized to process the data outside the administrator’s sites.

VII. Data disclosure

1. Musala Soft JSC provides conditions under which personal data are not disclosed to unauthorized third parties, which includes family members, friends, government agencies, even investigators, if there is reasonable doubt that they are not required in the prescribed manner. Employees are provided with special training and periodic briefings in order to avoid the risk of such a violation.

2. The Company shall require that all requests from third parties for the provision of data be supported by appropriate documentation and all such disclosures shall be specifically authorized by the data protection officers.

VIII. Data storage and destruction

1. Musala Soft JSC does not store personal data in a form that allows the identification of subjects for a longer period than necessary in relation to the purposes for which the data were collected.

Musala Soft JSC may store data for longer periods only if the personal data are processed for archiving purposes, for public interest purposes, scientific or historical research and for statistical purposes, and only with the implementation of appropriate technical and organizational measures to ensure the rights and freedoms of the data subject.

The retention period for each category of personal data is specified in the Data Retention and Destruction Procedure as well as the criteria used to determine this period, including any legal obligations.

4. The Procedure for personal data erasure, as well as the rules for destroying information on unused recording media, shall apply in all cases.

5. Personal data shall be securely destroyed by appropriate technical or organizational measures (“integrity and confidentiality”).

IX. Data transfer

Any export of data from within the EU to non-EU countries (referred to in the General Regulation as “third countries”) is illegal, unless there is an appropriate “level of protection of the fundamental rights of data subjects”.

The transfer of personal data outside the EU is prohibited unless one or more of the following guarantees or exceptions apply:

1. Adequacy decision
The European Commission may assess third countries, territories and/or specific sectors in third countries to assess whether there is an appropriate level of protection of the rights and freedoms of individuals. No permit is required in these cases. Countries that are members of the European Economic Area (EEA) but not the EU are considered eligible for an adequacy decision.

2. Mandatory company rules
Musala Soft JSC may adopt approved mandatory corporate rules for data transfer outside the EU, where applicable. This requires their submission to the relevant supervisory authority for approval.

3. Standard contractual clauses
The administrator may adopt approved standard data protection contractual clauses for data transfers outside the European Economic Area. If Musala Soft JSC accepts standard contractual clauses approved by the respective supervisory body, there is an automatic recognition of adequacy.

4. Exceptions
In the absence of an adequacy decision, mandatory Company rules and/or contractual clauses, the transfer of personal data to a third country or international organization takes place only under one of the following conditions: the data subject has explicitly agreed to the proposed transfer after being informed of the possible risks of such transfers; the transfer is necessary for the performance of a contract between the data subject and the administrator or for the performance of pre-contractual measures taken at the request of the data subject; the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the administrator and another natural or legal person; the transmission is necessary for important reasons of public interest; the transfer is necessary for the establishment, exercise or defense of legal claims; the transfer is necessary in order to protect the vital interests of the data subject or of other persons where the data subject is physically or legally incapable of giving his/her consent; the transmission shall be made by a register which, under EU or Member State law, is intended to provide information to the public and is available for consultation by the general public or by any person who can demonstrate a legitimate interest in doing so, but only in so far as the conditions of reference laid down in European Union law or in the law of the Member States are satisfied in the present case.

X. Data inventory

1. Musala Soft JSC has created a data inventory process as part of its approach to dealing with risks and opportunities in the process of complying with the Policy of compliance with Regulation (EU) 2016/679. During the inventory of the data in Musala Soft JSC and in the workflow of data the following shall be established:

  • business processes that use personal data;
  • sources of personal data;
  • the number of data subjects;
  • description of the categories of personal data and the elements of each category;
  • processing activities;
  • the purposes of the processing for which the personal data are intended;
  • the legal basis for the processing;
  • the recipients or categories of recipients of personal data;
  • main storage systems and locations;
  • all personal data subject to transfers outside the EU;
  • the terms for storage and deletion.

2. Musala Soft JSC is aware of the risks associated with the processing of certain types of personal data.

3. Musala Soft JSC assesses the level of risk for the persons related to the processing of their personal data. Data protection impact assessments are performed in connection with the processing of personal data by Musala Soft JSC and in connection with the processing undertaken by other entities on behalf of Musala Soft JSC (Data Protection Impact Assessment Procedure).

Musala Soft JSC manages all risks identified by the impact assessment in order to reduce the likelihood of non-compliance with these rules. When the type of processing may lead to a high risk for the rights and freedoms of individuals, in particular with the use of new technologies and taking into account the nature, scope, context and purposes of processing, before proceeding to processing Musala Soft JSC performs assessment of the impact of the envisaged processing operations on the protection of personal data. An overall impact assessment may consider a range of similar processing operations that pose similar high risks.

5. When as a result of the Impact Assessment it is clear that Musala Soft JSC will start processing personal data, which due to high risk could cause harm to the data subjects, the decision on whether or not to continue processing will be submitted for review by the supervisory authority.

6. The Management of Musala Soft JSC periodically reviews the initially inventoried data, reviews the information entered in the “Register of processing activities” in relation to any changes in the activities of Musala Soft JSC.


1. General Regulation on the Protection of Personal Data
Regulation (EU) 2016/679 (General Data Protection Regulation) replaces Data Protection Directive 95/46 / EC. It has direct effect and implies an amendment to the legislation of the Member States in the field of personal data protection. Its purpose is to protect the “rights and freedoms” of individuals and to ensure that personal data are not processed without their knowledge and, where possible, that they are processed with their consent.

2. Scope outlined by the General Data Protection Regulation
Material scope – this Regulation applies to the processing of personal data in whole or in part by automatic means, as well as to the processing by other means of personal data which are part of a personal data register or which are intended to form part of a personal data register.

Territorial scope – the rules of the General Regulation will apply to all data administrators established in the EU which process personal data of individuals in the context of their activities. It will also apply to non-EU administrators who process personal data in order to offer goods and services or if they monitor the behavior of data subjects residing in the EU.

3. Concepts
“Personal data” – any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by an identifier such as name, identification number, location data, online identifier or one or more features specific to the natural, the physiological, genetic, mental, intellectual, economic, cultural or social identity of that individual;

Special categories of personal data” – personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data for unique identification of a natural person, data relating to health or data on the sexual life of a natural person or sexual orientation.

Processing” – any operation or set of operations carried out with personal data or a set of personal data by automatic or other means such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing or transmitting, disseminating or otherwise making the data available, arranging or combining, restricting, deleting or destroying;

Administrator” – any natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU law or the law of the Member State, the administrator or the specific criteria for determining it may be laid down in Union law or in the law of a Member State;

Data subject” – any living natural person who is the subject of personal data stored by the administrator.

Consent of the data subject” – any freely expressed, specific, informed and unambiguous indication of the data subject’s will, by means of a statement or clear confirmatory action expressing his or her consent to the processing of personal data relating to him or her;

Child” – The General Regulation defines a child as anyone under the age of 16, and under national law anyone under the age of 18. The processing of a child’s personal data is lawful only if a parent, guardian or custodian has given consent. The administrator shall make reasonable efforts to verify in such cases that the holder of parental responsibility for the child has given or is authorized to give his or her consent.

Contact with the Personal Data Administrator:
E-mail: gdpr@musala.com