Privacy Policy
I. GENERAL
Art. 1. (1) Marveltech Ltd, hereinafter referred to as “the Company”, is a legal entity registered under the Commercial Law and is entered in the Commercial Register of the Registry Agency with the UIC: 202783376.
(2) “Marveltech” Ltd. has its registered office and registered address in. Registered office and registered address. 1680, Vitosha district, ul. 9A, OFFICE 3.
(3) As a legal entity, the Company processes personal data in connection with its activities and only determines the purposes and means of their processing. In this case, the Company acts as a personal data controller.
(4) Where the Company processes personal data for purposes determined independently by a third party or the purposes are determined jointly by the Company and a third party, the Company has the position of either a processor (if the purposes are determined by the person who commissioned the processing) or a co-controller.
Art. 2. These Internal Rules of the Company shall regulate the organization of processing and protection of personal data of employees, including applicants for employment with the Company, of the Company’s customers, contractors and partners, as well as of all other groups of individuals with whom the Company enters into relations in the exercise of its powers and activities.
(1) “Personal data” means any information relating to an identified natural person or to an identifiable natural person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by an identifier such as a name, an identification number, location data, an online identifier or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person or a natural or legal person, or to the identity of a natural or legal person, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.
(2) ‘Processing of personal data’ means any operation or set of operations which is performed upon personal data or a set of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(3) “A ‘personal data record’ is any structured set of personal data, regardless of its type and medium, which is accessed according to certain criteria, whether centralised, decentralised or distributed according to a functional or geographical principle.
Art. 4. (1) The Company is a controller of personal data within the meaning of Article 4(7) of the General Data Protection Regulation (EU) 2016/679. (2) As a personal data controller, when processing personal data, the Company complies with the data protection principles set out in the General Data Protection Regulation (EU) 2016/679 and the legislation of the European Union and the Republic of Bulgaria.
Art. 5. (1) The principles for the protection of personal data are: Lawfulness, fairness and transparency – processing in the presence of legal basis, in the exercise of due diligence and in informing the subject of data; Purpose limitation – collection of data for specific, explicit and legitimate purposes and prohibition of further processing in a manner incompatible with those Objectives; Data minimisation – data to be relevant, relevant to and limited to what is necessary in relation to the purposes of the processing; Accuracy – keeping up to date and taking all reasonable measures to ensuring that inaccurate data is deleted or corrected in a timely manner when consideration of the purposes of the processing; Storage limitation – data to be processed for a minimum period duration according to the objectives.
Storage for longer periods is acceptable for archiving purposes in the public interest, for scientific or historical research or statistical purposes, but provided that appropriate technical and organizational measures; Integrity and confidentiality – processing in a way that ensures an appropriate level of the security of personal data by implementing appropriate technical or organizational measures; Accountability – the administrator is accountable and must be able to prove compliance with all principles relating to the processing of personal data.
(2) If the specific purpose or purposes for which personal data are processed by the Company do not or no longer require the identification of the data subject, the Company is not obliged to maintain, acquire or process additional information to identify the data subject for the sole purpose of demonstrating compliance with the requirements of Regulation 2016/679.
Art. 6. The Company shall organise and take measures to protect personal data from accidental or unlawful destruction, from unauthorised access, from alteration or dissemination, and from other unlawful forms of processing of personal data. The measures taken shall be in accordance with current technological developments and the risks associated with the nature of the data to be protected.
Art. 7. The Company shall apply adequate protection of personal data, which shall include: Physical protection; Documentary protection; Protection of automated information systems and networks;
Art. 8. (1) Personal data shall be collected for specific purposes which are lawfully and fairly defined and shall not be further processed in a manner incompatible with those purposes. Further processing of personal data for archiving purposes in the public interest, scientific, historical research or statistical purposes shall not be considered incompatible with the original purposes.
(2) Personal data shall be stored on paper, technical and/or electronic media only for the time necessary for the performance of the Company’s powers, legal obligations, the protection of the Company’s rights and legitimate interests and/or its normal functioning.
(3) The collection, processing and storage of personal data in the Company’s registers shall be carried out on paper, technical and/or electronic media in a centralised and/or distributed manner in premises in accordance with the security measures provided for and the assessment of the appropriate level of security of the relevant register.
Art. 9. Where the hypotheses of Art. 1, б. “b” – ” f” of Regulation 2016/679, the natural persons personal data are processed by the Company shall sign a declaration of consent in a form.
Art. 10. (1) The right of access to the personal data registers shall only be granted to the authorised employees of the Company, in accordance with the powers assigned to them by the Company, as well as to processors of personal data to whom the controller has entrusted the processing of data from the relevant register under the terms of Article 28 of the General Data Protection Regulation.
(2) The authorization of employees shall be based on a job description or by an express act of the Company’s representative.
(3) Employees shall be responsible for ensuring and securing regulated access to office premises and safeguarding records containing personal data. Any deliberate breach of the rules and restrictions on access to personal data by staff may be grounds for disciplinary action against the employees concerned.
(4) Employees who have access to the personal data registers shall not disclose information about personal data which have come to their knowledge in the course of and in connection with the performance of their duties.
Art. (1) The documents and files on which the work has been completed shall be archived.
(2) The permanent storage for archiving purposes of documents containing personal data shall be carried out on paper in an area designated as an archive for a period of time in accordance with the legislation in force. The premises designated asarchive, is equipped with a fire extinguisher, with access control systems and must be locked.
(3) Electronic documents are stored on dedicated servers, computer systems and/or external storage media. Backup of personal data on technical media shall be carried out periodically in order to keep the information up-to-date for the persons concerned and to ensure the possibility of recovery in the event of loss of the underlying media/system. Backup copies shall be stored at a different location from the location of the computer equipment processing the data. Access to the archives shall be restricted to the processor/operator and authorised officials.
(4) Access to the archived documents containing personal data shall only be granted to the authorized persons and the representative of the Company, in accordance with their assigned powers.
Art. 12. (1) In order to protect paper, technical and information resources, all employees shall comply with fire safety rules.
(2) Employees shall receive mandatory Fire Safety awareness training at least once a year. A record of the briefing shall be drawn up.
Art. (1) Periodic checks shall be carried out at least once a year on the state and integrity of the personal data contained in the records processed by the Company. The inspections shall be carried out by a committee including the representative of the Company and employees of the Company who shall prepare a Report on the result of the inspection.
(2) The report referred to in par. 1 shall include an assessment of the need for processing or destruction of the personal data. The reports shall be addressed to the Management of the Company.
Art. 14. (1) In case of registration of an unauthorized access to the information arrays for personal data, or in case of any other incident violating the security of personal data, the employee who has detected such violation/incident shall immediately report it to the manager of the company. Notification of an incident shall be made in writing, electronically, or by other means that allow the incident to be identified and comply with the requirement to notify the Personal Data Protection Commission within 72 hours of becoming aware of the incident.
(2) The incident reporting and management process necessarily includes the recording of the incident, the time of its identification, the person reporting it, the person to whom it was reported, its consequences and the remedial measures.
Art. 15. (1) In the event of an increase in the level of sensitivity of the information resulting from a change in its type or in the risks involved in its processing,The Company may determine additional measures to protect the information in the relevant personal data register.
(2) Reports on the status, risks and level of sensitivity of the information shall be prepared every 2 years or when the nature of the personal data processed changes.
Art. 16. (1) After the purpose of processing the personal data contained in the records maintained by the Company has been achieved, the personal data shall be destroyed in accordance with the procedures provided for in the applicable regulations and these Internal Rules.
(2) In cases where the destruction of a personal data carrier is necessary, the Company shall implement the necessary actions for the deletion of personal data in a manner that precludes data recovery and misuse, such as: Personal data stored on electronic media and servers shall be destroyed by permanent erasure, including overwriting of the electronic means or physical destruction of carriers; Paper documents containing data shall be destroyed by shredding.
(3) Destruction shall be carried out by employees authorized by an express written act of the representative of the Company.
(4) A Protocol shall be drawn up for the destruction of personal data and personal data carriers, signed by the officials referred to in par. 3, in accordance with a model.
Art. (1) Access to personal data shall be granted to persons only if they have the right to such access, in accordance with the legislation in force, following an application or a request for access to information and following their legitimation.
(2) The Company shall communicate its decision to grant or deny access to personal data of the person concerned within 1 month of the submission of the application or request.
(3) The information can be provided in the form of: oral report; written reference; review of the data by the person himself; provision of the requested information on technical and/or electronic media.
(4) Any legal entity that processes personal data on behalf of and under the authority of the controller shall be a processor and shall sign a model data processing agreement including the clauses referred to in Article 28(2) to (4) of the General Data Protection Regulation.
(5) Third parties are granted access to personal data processed by the Company if there is a legal basis for the processing of personal data (e.g. court, prosecution, NRA, NSSI, etc.).
II. DATA PROTECTION MEASURES
Art. 18. Physical protection in the Company shall be ensured through a set of applicable technical and organizational measures to prevent unauthorized access and to protect the buildings and premises where personal data processing activities are carried out.
Art. 19. (1). The main organizational measures for physical protection in the Company include: identification of the premises where personal data will be processed; identification of the premises where the elements of the communication and information systems for the processing of personal data will be located, determining the organisation of physical access;
(2) The premises where personal data will be processed are defined as all premises where, for the normal course of business, personal data are collected, processed and stored. Access to them shall be physically restricted and controlled – only to employees for the performance of their duties and if their place of work or job description allows access to the relevant premises and the relevant personal data register. Where such premises are also accessible to outsiders, there shall be a ‘non-public’ part of the premises where processing activities are carried out, which shall be physically restricted and accessible only to employees who need to have access in order to carry out their duties, and a ‘public’ part where outsiders have access and where no processing activities are carried out, including the storage of data, regardless of their medium.
(3) The communication and information systems used for the processing of personal data shall be located in special physically protected premises or secure cabinets, access to which shall be limited to those employees who, in the performance of their duties, require such access to the data, as well as to those persons charged with official responsibilities for the maintenance of the normal functioning of those systems. The latter shall not have access to the data stored electronically.
(4) The organisation of physical access to premises where personal data processing activities are carried out is based on limited physical access (based on locking systems and mechanisms) to restricted areas of the premises, including those where the information systems are located. Access shall be granted only to those employees who need it to carry out their duties.
(5) Controlled Access Areas are all areas of the Company’s premises where personal data is collected, processed and stored.
(6) The technical means used for the physical protection of personal data in the Company comply with the legislation in force and the level of impactof this data. All physical areas with paper and electronic records are restricted to employees who must have access through the need-to-know principle in order to perform their job duties.
(7) All paper records and documents containing personal data are stored in locked cabinets which are locked in offices with access restricted to authorised staff only.
(8) Access to systems processing personal data electronically is restricted by unique user identifiers and passwords, and electronic media, including servers, are adequately protected in access-controlled areas.
Art. 20 (1). The main technical measures for physical protection in the Company include: Use of alarm and security equipment; Use of locks and locking mechanisms; Equipping premises with fire extinguishing equipment.
(2) Documents containing personal data shall be stored in locked cabinets or filing cabinets, the latter located in restricted (controlled) access areas. Only those persons expressly in charge (by express order or by virtue of their duties and job description) shall have a key to the cabinets.
(3) The equipment of the premises where personal data are collected, processed and stored shall include: alarm and security equipment, locks (mechanical or electronic) to restrict access to authorised persons only; lockable cabinets and fire extinguishing equipment.
(4) Fire alarms and fire extinguishers shall be located in accordance with the requirements of the applicable regulations.
Art. 21 (1). The basic personal data protection measures applicable in The company are: Obligation of employees to undergo training and familiarize themselves with regulatory personal data protection regulations and these Internal Rules, such as training and instruction in data protection rules is certifies by signature on a protocol for personal protection instruction Data; Awareness and understanding of the risks to personal data processed by The Company; Prohibition of sharing critical information (identifiers, passwords, etc.) between staff and any other unauthorized persons; Declaration of consent to undertake non-disclosure of personal data.
(2) For personal data assessed with a higher degree of risk as sensitive personal data, in addition to the measures referred to in par. 1 and the following additional measures: Conduct specialized training on the handling and protection of personal data, if the specifics of the job duties require such; Train staff to respond to data security events, if the specifics of the job duties require such.
Art. 22 (1). The main measures for documentary protection of personal data are: Determination of the records to be maintained on paper – paper medium shall be stored all personal data that require their completion on certain blank documents and/or forms relating to the execution of requirements of the legislation in force or directly related to the implementation of of the normal activities of the Company, conclusion of contracts, execution of contracts, the exercise of rights provided by law and established by law Duties; Defining the conditions for processing personal data – personal data is collected и shall be processed only for a specific purpose directly related to the performance of the Company’s legal obligations and/or normal business activities, and the manner of their storage shall be in accordance with the specific processing needs and the physical medium of the data; Regulation of access to personal data records – access to personal data records shall be personal data is limited and is only provided to authorised personnel, in accordance with the ‘Need to Know’ principle; Setting retention periods – personal data is kept for no longer than as necessary to fulfil the purpose for which they were collected or until the expiry of the period laid down in the applicable law.
Destruction Procedures:Documents containing personal data, the retention periods of which have expired and are not necessary for the normal functioning of the Company or for the establishment, exercise or defence of legal claims, shall be destroyed in an appropriate and secure manner (e.g. incineration, shredding, electronic erasure and other appropriate methods consistent with the physical medium of the data).
(2) For personal data assessed as higher risk, in addition to the measures referred to in par. 1, the following additional measures shall apply: Control of access to records, restricting access to staff or in limited cases other specifically authorised persons, in accordance with the principle of ‘Need to Know’ to carry out their duties; Reproduction and Dissemination Rules, which permit the copying and dissemination of personal data only where it is necessary for legal purposes, arises under a requirement of law and/or government authority, and to be provided only to persons to whom it is needed in connection with the performance of assigned work. Unauthorised copying and distribution shall be subject to disciplinary sanctions and other measures if it constitutes an offence other than a breach of employment discipline.
(1) The protection of automated information systems and/or networks in the Company shall include a set of applicable technical and organisational measures for preventing unauthorised access to the systems and/or networks where personal data is created, processed and stored.
(2) The main measures to protect automated information systems and/or networks processing personal data include:Identification and authentication using unique user accounts and passwords for each person accessing the network and resources of The Company. The application of this measure is in order to regulate access levels and Introduce access in line with the “Need to Know” principle; Records management tailored to limit access to the relevant register only to persons who are directly in charge of and/or ex officio engaged in its keeping, maintenance and processing; Management of external connections and/or connectivity, including in turn: Defining the scope of internal networks: internal networks are considered to be all local wired networks and/or point-to-point telecommunication links that are under the control and administration of the Company.
External networks are considered to be all networks, including wireless networks, the Internet, Internet connections, third party network connections, network segments of third party hosting systems that are not under the administrative control of the Company. Regulation of access to the internal network: access to the internal network is only granted to employees and/or persons specifically authorized by the Company. Access to the network and the personal data processed is granted in order to perform their direct duties and is in accordance with the “Need to Know” principle. The minimum level of security required for access to internal networks requires identification with a unique username and password. Administration of access to the internal network: the responsibilities related to the implementation of access administration are assigned to qualified persons. Responsibilities also include activities related to approving the installation of all network access devices, technologies, and software, including switches, routers, wireless access points, network access points, Internet connections, connections to external networks, and other devices, technologies, and software that may allow access to the Administrator’s internal networks. Control of access to the internal network: the responsibilities related to the implementation of access control are assigned to qualified persons. They are required to take adequate measures to minimise the risk of unauthorised (physical and/or remote) access to the Company’s networks, including through the use of adequate measures and tools.
Malware protection includes: the use of standard configurations for each computer and/or network platform, with system and, where applicable, application software controlled, installed and maintained by persons authorized by the Company’s Management. Installation of software products without the express approval of the Company’s Management Persons is prohibited. use of the built-in functionality of the operating system and/or hardware, which shall only be configured by persons authorized by the Company’s Management.
Any modification and/or deactivation of security systems by unauthorized persons is prohibited.enabling automatic protection and scanning for malware and updating antivirus definitions. Users are prohibited from refusing automatic software processes that update virus definitions. ban data transfer from infected computers. If a computer system is suspected or found to be infected, the person operating the computer system shall notify the persons authorized by the Company’s Management and shall cease all activities to operate and/or send information from the infected computer (via external media, e-mail and/or other means of electronic exchange of information). Until the malware is removed, the infected computer should be immediately isolated from internal networks. A policy on creating and maintaining recovery backups that regulates: The main purpose of archiving is related to preventing the loss of information related to personal data that would impede the normal functioning of the Company. The method of backup: the information should be backed up in an appropriate manner and on a medium outside the specific physical computer and allow for the full recovery of the data in the event of the loss of its primary medium. Backup is the responsibility of the data processor. The period of archiving should comply with the legislation in force. Storage of the archive should be in another physical premises.
All archives containing confidential and/or official information should be stored with physical access control. The main electronic data storage media are: internal hard disks (part of a computer and/or storage system), single- and/or rewritable external media (external hard disks, rewritable cards, memory sticks and other data storage media, single-recordable media, etc.) Personal data in electronic form is stored in accordance with the statutory time limits and in accordance with the specifics and needs of the Company. Data that is no longer necessary for the Company’s purposes and whose retention period has expired shall be destroyed by an applicable method (e.g., by shredding, burning, or permanent deletion from electronic means).
(3) For personal data assessed as higher risk, in addition to the measures referred to in paragraph 2, additional measures relating to: Organization of telecommunication links and remote access to the Company’s internal networks: Remote access to the Company’s internal networks is not provided. Exceptionally, and after explicit authorization by the Company’s Management, such access may be permitted by authorized persons, using adequate and applicable modern methods to protect the connection and the data exchanged.
The Company’s personnel may be granted Internet access (remote access) to electronic records of personal data for the performance of their duties. The scope of access and the type of resources accessed (including sites, files, services, etc.) shall be determined at the discretion and suggestion of immediate supervisors, in consultation with persons authorised by the Company’s Management for the degree of feasibility, in direct relation to the duties performed and the associatedaccess risks and approved by the Management of the Company. Remote access via the Internet to certain resources, including internal resources, may be terminated at any time at the Company’s discretion and in the event of a threat to data security. The publication of official information on the Internet, in whatever form and on whatever platform, shall be made only after written authorization by the Management of the Company.
Measures related to the ongoing maintenance and operation of the Company’s information systems and resources include: Security assessment, including periodic tests and assessments of the vulnerability of the Company’s networks and systems to external and internal attacks (Vulnerability test), including an assessment of the impact, the adequacy of the measures and means of protection used, as well as recommendations for its technical and organizational improvement.
The assessment shall also include the aforementioned aspects regarding the security of personal data collected, processed and stored. Prohibition on the possession and use of hardware or software tools by Company personnel that could be used to compromise the security of information systems. This group also includes tools capable of breaching copyrights, revealing secret passwords, identifying security vulnerabilities or decrypting encrypted files. The use of hardware or software that remotely monitors network traffic or an operating computer is also prohibited. The unauthorised use of such tools shall be subject to disciplinary action and, if the offence is not merely disciplinary or constitutes a criminal offence, to the procedure provided for the sanctioning of that offence.
Measures related to the creation of a physical environment (surroundings) include physical access control (alarm and security equipment, locks, metal bars and other applicable means), the creation of a suitable working environment, including by maintaining appropriate temperature and humidity levels, and a fire extinguishing system. These are aimed at providing an environment for normal operation, protecting IT equipment from unauthorised access and controlling the risk of damage and destruction.
III. BASIC RULES AND MEASURES TO ENSURE THE PROTECTION OF PERSONAL DATA IN COMPUTER PROCESSING
(1) Computer access via the local network to files containing personal data shall be made only by officials with regulated rights, only from their physical workplace, from a specially designated computer and after identification by name and password to the system. At the end of working hours, employees shall switch off their local computer.
(2) The Company implements adequate technical and administrative control measures (IP restriction, MAC address, physical location, unique username and password, setting all workstations to “automatic screen lock” mode when there is no activity for more than 30 seconds), thus ensuring that only authorized employees are granted access to the data to perform their assigned functions.
(3) Identification of authorized persons for handling personal data necessarily includes identification through a unique user account, which contains the user’s name and password, rights to access the system and use its resources.
(1) The hardware used for the storage and processing of personal data shall comply with modern requirements and shall be capable of ensuring a reasonable degree of fault tolerance, backup and recovery capabilities of the data and the operating state of the environment.
(2) In the event of a need to repair the computer equipment, it shall be provided to the service organization without the devices on which personal data is stored.
Art. 26. (1) Only copyrighted software shall be used in the Company. The installation and/or use of any other type of software with unsettled copyrights is prohibited.
(2) Only software that has been installed by a person authorized by the Company’s Management shall be used on Company computers. The unauthorized installation of any other type of software.
(3) When implementing a new personal data processing software product, the product’s capabilities are tested and verified to comply with the requirements of Regulation 2016/679, the Personal Data Protection Act and to ensure maximum protection of data from unauthorised access, loss, damage or destruction.
Art. 27. Employees who are assigned to sign official correspondence with a qualified electronic signature (QES) shall not be entitled to provide their QES to third parties or to share their PIN with third parties.
IV. MAINTAINED REGISTERS OF PERSONAL DATA AND THEIR MANAGEMENT
Art. 28. /1/ The personal data registers maintained by the Company are: An “Employee register, including job applicants” in which the following types of personal data are recorded: Physical identity: name, ID number, passport details, address, telephone number, e-mail address, etc. Social identity: information on education, educational qualifications, professional qualifications, knowledge of foreign languages, work experience prior to entry in the register, etc. Criminal record: criminal record; Health data: medical certificate from a psychiatric hospital, hospital certificates, decisions of TELK/NELK, etc. Customer Register, which records the following types of personal data:Physical identity – names, passport details (ID number, ID card number, date and place of issue, address, contact telephone number and other necessary identification of the data subject); Economic Identity – general banking information, information on number of bank account;
Contractors and Partners Register, which records the following types of personal data: Physical identity – names, passport details (ID number, ID card number, date and place of issue, address, contact telephone number and other necessary identification of the data subject); Economic Identity – general banking information, information on number of bank account. /
2/ The Company does not process personal data under Article 9 of the Regulation, except for the data on the health of its employees, the processing of which is necessary for the performance of its legal obligations as an employer.
V. RIGHTS AND OBLIGATIONS OF DATA PROCESSORS
Art. 29. The data processors appointed by the Management of the Company shall have the following powers and duties: ensure the organisation of the keeping of records, in accordance with the measures provided for ensuring adequate protection; ensure compliance with specific security and access control measures in accordance with the specifics of the personal data records kept; monitor compliance with the requirements for the protection of records in accordance with the legislation in force and these Internal Rules; liaise with the Data Protection Commission on the measures taken measures and means to protect the records and applications submitted for the provision of personal data; monitor compliance with consumer rights in relation to registers and software and technical resources for their processing; specifies the technical resources applied to the processing of personal data; ensure compliance with the organisational procedure for processing personal data, including time, place and order of processing, by registering all actions performed with the registers in the computer environment; determine the procedure for storage and destruction of information media; defines the order of setting, using and changing passwords, as well as the actions in in case of knowledge of a password and/or cryptographic key; define rules for regular maintenance of computer and communication means, including virus checking, for illegal installed software, database integrity, and data backup, updating system information, etc.; periodically monitor compliance with data protection requirements and in the event of irregularities being detected, take measures to remedy them; keep a register of personal data processing activities in the Company.
Art. 30. The employees of the Company shall: process personal data lawfully and in good faith; to use the personal data to which they have access in accordance with the purposes for which it is collect, and not further process them in a way incompatible with those purposes; to update the personal data records as necessary; to erase or correct personal data where it is found to be inaccurate or disproportionate in relation to the purposes for which they are processed; keep personal data in a form which permits identification of the natural persons concerned for no longer than is necessary for the purposes for which the data are processed.
Art. (1) Employees shall be liable to disciplinary action for failure to comply with the provisions of these Internal Rules.
(2) If as a result of the actions of a relevant employee in the processing of personal data, damage to the Company or a third party has occurred, the Company may seek liability under general civil law.
VI. ADDITIONAL PROVISIONS
Art. 32. All employees of the Company are required to familiarize themselves with these Internal Rules and to comply with them on a daily basis in the performance of their duties and assigned work.
Art. 33. The provisions of the General Data Protection Regulation (EU) 2016/679, the applicable law of the European Union and the legislation of the Republic of Bulgaria on the protection of personal data shall apply to all matters not covered by these Internal Rules.
Art. 34. These Internal Rules are approved by the Order of 01.01.2023 of the representative of Marveltech Ltd.