INTRODUCTION

This Employee Privacy Policy (“Privacy Policy”) explains what types of personal information we may collect about our employees, job applicants, contractors and candidate and other similar persons, as well as how it may be used.

In this Privacy Policy the terms “we,” ”us,” and “our” refers to iCard AD and its affiliates and subsidiaries.

2. Who are we?

iCard AD (or the “Data Controller”) is a Joint-stock Company, with seat and registered address at Republic of Bulgaria, Sofia city, Lozenets district, Lozenets residential area, 76 James Bourchier blvd., incorporated in the COMMERCIAL REGISTER OF BULGARIA, under UIN 175325806, represented by Yavor Petrov.

iCard AD is responsible for your information under this Privacy Policy.

If you are unsure how or if this Privacy Policy applies to you, please contact your Human Resources representative or our Data Protection Officer at dpo@icard.com

3. What Personal Information Do We Collect?

We collect and maintain different types of personal information about you in accordance with applicable law. There are three general categories of information that we collect:

3.1. Information That We Collect In Order To Perform Our Legal Obligations and for the adequate execution of our contracts with you

We ask for and collect from you the following personal information when you:

– apply for job postings and other similar publicly available offers that we may post from time to time
– conclude a contract with us, including a labour contract
– otherwise engage yourself with providing any kind of products or services to us

This information is necessary for us to comply with our regulatory obligations and for the adequate performance of the contract between you and us. Without it, we may not be able to effectively carry out the intended purpose of our mutual engagement.

3.1.1 Names, Date of Birth, Unique citizenship number, permanent address, other data contained in any official document, that we may be required to collect from you in compliance with the applicable law.

3.1.2 Your resume or CV, cover letter, previous and/or relevant work experience or other experience, education, transcripts, or other information you provide to us in support of an application and/or the application and recruitment process.

3.1.3 In case of labour contracts – marital status, information about any children and other similar information that we may be required to collect from you in order to adequately perform the contract between us and guarantee your rights as an employee.

3.1.4 In case you are not Bulgarian citizen – residency and work permit status, for the purposes of complying with the applicable law.

3.1.5 Social security or other taxpayer/government identification number, for the purposes of deducting amounts from your remunerations in order to comply with Social Security laws or other similar obligations.

3.1.6 Payroll information, banking details, for the purposes of wiring you your remunerations as defined in the contract between us.

3.1.7 In case you are an employee or in a similar position – wage and benefit information, for the purposes of the adequate execution of the labour contract or other similar legal agreement and complying with labour or other similar legislation

3.1.8 In case you are an employee: Sick pay, Paid Time Off (“PTO”), social security and healthcare personal identifiers, pensions, insurance and other benefits information (including the gender, age, nationality and passport information for any spouse, minor children or other eligible dependents and beneficiaries, if applicable), for the purposes of the adequate execution of the labour contract and complying with social security and healthcare legislation

3.1.9 Date of hire/contracting, date(s) of promotions(s), work history, technical skills, educational background, professional certifications and registrations, language capabilities, training records, letters of offer and acceptance of employment and other similar information about your qualifications, for the purposes of the adequate administration of our contract with you, as well as in order to comply with applicable laws.

3.1.10 In case you are an employee or job applicant: Information relating to the application for, or in respect of changes to, employee health and social security or healthcare benefits; including, short and long term disability, medical history, etc, for the purposes of the adequate execution of our contract with you and complying with applicable laws.

3.1.11 Records of work absences, vacation/paid time off, entitlement and requests, salary history and expectations, performance appraisals, letters of appreciation and commendation, and disciplinary and grievance procedures (including monitoring compliance with and enforcing our policies), for the purposes of the adequate execution of our contract with you and complying with applicable labour legislation.

3.1.12 Information required for us to comply with laws, the requests and directions of law enforcement authorities or court orders (e.g., child support, debt payment information, requests from national revenue agencies).

3.1.13 Date of resignation or termination, reason for resignation or termination, information relating to administering termination of employment (e.g. references), for the purposes of complying with applicable laws.

3.2. Information That We Collect With Your Consent

You may choose to provide us with additional personal information in order for us to provide you with additional benefits or in order to improve your employee/contractor/job applicant experience. This additional information will be processed based on your revocable consent

3.2.1. You may choose to provide us with additional information about yourself in order to be eligible to receive additional benefits, which we have made available to you or may introduce in the future.

3.2.2. You may choose to provide us with information about yourself when you fill any forms, participate in any sport, promotional or other similar events, organized by us.

3.3. Information We Collect From You During The Course Of Our Relationship

During the course of our relationship, we may collect information, including personal information, about you. This information is necessary given our legitimate interest in ensuring the security of our business activities and the security of our other employees, our interest in enforcing our legal claims and improving our employee/contractor/job applicant experience.

  • Telephone number, Emergency contacts, Personal E-mail, Residential Address, other information that facilitates the communication between us for the purposes of sending you important communication or for your, your family’s or our other employees’ health and safety.
  • Information from interviews and phone-screenings you may have had, if any.
  • Information captured on security systems, including Closed Circuit Television (“CCTV”) and key card entry systems.
  • Photograph, videos, physical limitations and special needs.
  • Voicemails, e-mails, correspondence, documents, and other work product and communications created, stored or transmitted using our networks, applications, devices, computers or communications equipment.
  • Information relating to any previous applications you may have made to iCard AD and/or any previous employment history with iCard AD.
  • References and interview notes.
  • Acknowledgements regarding our policies, including employee handbooks, ethics and/or conflicts of interest policies and computer and other corporate resource usage policies.

4. How Do We Collect Your Data?

Generally, we collect personal information directly from you in circumstances where you provide personal information (during the recruitment process, for example). However, in some instances, the personal information we collect has been inferred about you based on other information you provide us, through your interactions with us, or from third parties. When we collect your personal information from third parties it is either because you have given us express consent to do so, your consent was implied by your actions (e.g., your use of a third-party employee service made available to you by us), because you provided explicit or implicit consent to the third party to provide the personal information to us or because it is our legal obligation to obtain this information from competent authorities or other third parties. Where permitted or required by applicable law or regulatory requirements, we may collect personal information about you without your knowledge or consent.

We reserve the right to monitor the use of our premises, equipment, devices, computers, network, applications, software, and similar assets and resources. In the event such monitoring occurs, it may result in the collection of personal information about you. This monitoring may include the use of CCTV cameras in and around our premises.

5. How Do We Use the Personal Information We Collect?

iCard AD may use your personal information in order:

5.1 To manage all aspects of an employee’s employment relationship, including, but not limited to the establishment, maintenance, and termination of employment relationships. Examples of activities related to this include: determining eligibility for initial employment, including the verification of references and qualifications; pay and benefit administration; corporate travel and other reimbursable expenses; development and training; absence monitoring; project management; auditing, compliance, and risk management activities; conflict of interest reporting; employee communications; performance evaluation; disciplinary actions; grievance and internal investigation activities; career management, including the assessment of qualifications for a particular job or task; processing employee work-related claims (e.g., worker compensation, insurance claims); succession planning; relocation assistance; obtaining and maintaining insurance; the provision of employee related services; and other general operations, administrative, financial, and human resources related purposes.

5.2 To provide additional information on job vacancies

5.3 Where requested by you, assisting you with obtaining an immigration visa or work permit where required

5.4 For use in video conferencing.

5.5 Maintain directories of employees.

5.6 For employee engagement programs, including surveys, benefit programs, contests.

5.7 Administer our occupational safety and health programs.

5.8 To protect the safety and security of our workforce, guests, property, and assets (including controlling and facilitating access to and monitoring activity on and in our premises and activity using our computers, devices, networks, communications and other assets and resources).

5.9 To investigate and respond to claims against us.

5.10 To maintain emergency contact and other similar details.

5.11 To comply with applicable laws (e.g. health and safety, employment laws, tax laws), including judicial or administrative orders regarding individual employees (e.g., garnishments, other similar orders).

5.12 Carry out any additional purposes that we advise you of (if applicable law requires your express consent for such additional use or disclosure we will obtain it from you).

5.13 Carry out other purposes as part of our business activities when reasonably required by us.

6. WITH WHOM DO WE SHARE PERSONAL DATA?

With other members of the iCard corporate family: We may share your Personal Data with members of the iCard  Group of companies or within our corporate family of companies that are related by common ownership or control, so that we may adequately comply with our obligations to you or with the applicable law, or to manage the risk, or to help detect and prevent potentially illegal and fraudulent acts and other violations of our policies and agreements and to help us manage our legitimate needs.

With third-party service providers: We may share personal information with third party service providers which provide us with important HR-related services at our decision and our behalf.

These third party service providers may for example be: providing many of the benefits and services we offer our employees, such as provision of sport activities, mobile phone/internet services, restaurant/catering and other food service providers, health and other kinds of insurance and other benefits we may introduce in the future.

Providing legal, tax, accounting or other professional services, which we may procure to comply with the applicable law or to protect or defend our rights or property.

Like most international businesses, we have centralized certain aspects of our business operations, including for example, financial and human resources administration. This may result in the transfer of personal information from one country to another and amongst our various subsidiaries and affiliates. At the moment our HR servicers are managed by Intercapital Holding AD, with seat and registered address at: the Republic of Bulgaria, Sofia city, 76a James Bourchier blvd., UIN 201142175.

We may store some of the information we collect about you in cloud or other kind of data storages which are provided by third parties.

We may use third-party software and online platforms in order to manage our relations with you, which may result in your personal information being disclosed to the software providers.

We might have to provide some your personal information to lease companies (for the purposes of issuing access cards) or security service providers in order to provide you with access to some of our higher security clearance premises.

With other third parties for our legitimate interest or as permitted or required by law: We may share information about you with other parties for our legitimate interest or as permitted or required by law, including:

We may buy or sell businesses and other assets. In such transactions, employee information is generally one of the transferred business assets and we reserve the right to include your personal information as an asset in any such transfer. Also, in the event that iCard AD, or substantially all of our assets, are acquired, your personal information may be one of the transferred assets.

Where required by law, by order or requirement of a court, administrative agency, or government tribunal, which includes in response to a lawful request by public authorities, including to meet national security or law enforcement requirements or in response to legal process or in case we determine it is necessary or desirable to comply with the law or to protect or defend our rights or property.

Where necessary to protect the rights, privacy, safety, or property of an identifiable person or group or to detect, prevent or otherwise address fraud, security or technical issues, or to protect against harm to the rights, property or safety of iCard AD, our users, applicants, candidates, employees or the public or as otherwise required by law.

7. Your rights

You may exercise any of the rights described in this section before the iCard AD by sending an email to dpo@icard.com. Please note that we may ask you to verify your identity before taking further action on your request.

7.1 Managing Your Information.
You have the right to obtain the following:

  • confirmation of whether, and where we are processing your personal data;
  • information about the purposes of the processing;
  • information about the categories of data being processed;
  • information about the categories of recipients with whom the data may be shared;
  • information about the period for which the data will be stored (or the criteria used to determine that period);
  • information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing;
  • information about the existence of the right to complain to any Regulator;
  • where the data was not collected from you, information as to the source of the data; and

information about the existence of, and an explanation of the logic involved in, any automated processing.

  • Additionally, you may request a copy of the personal data being processed.

7.2 Rectification of Inaccurate or Incomplete Information.
You have the right to ask us to correct inaccurate or incomplete personal information concerning you

7.3 Data Access and Portability.
You have the right to:

  • receive a copy of your personal data in a structured, commonly used, machine-readable format that supports re-use;
  • transfer your personal data from one controller to another;
  • store your personal data for further personal use on a private device; and
  • have your personal data transmitted directly between controllers without hindrance.

The Applicable law may entitle you to request copies of your personal information held by us.

7.4 Data Retention and Erasure.
We generally retain your personal information for as long as is necessary for the performance of the contract between you and us and to comply with our regulatory obligations. As a general rule, we shall keep all information about you for a period of 5 years after our last legally-relevant interaction, unless we are otherwise obligated to keep said information for a longer period.

In particular, in case you have sent us your CV and/or application documents and we do not sign an employment contract with you we are going to retain your personal data for a period of 1 year following your list application or in case you have, at any point in time, been a company employee, we are legally obliged to keep in archive pay slips, employment contracts, payroll documents, documents regarding change of position, unpaid leave requests for more than 30 days, contract termination documents or other similar for a period of 50 years.

You have a right to ask to erase your personal information. Please note that if you request the erasure of your personal information:

  • We may retain some of your personal information as necessary for our legitimate business interests, such as managing and enforcing our legal rights and claims.
  • We may retain and use your personal information to the extent necessary to comply with our legal obligations. For example, we may keep some of your information for labour, accounting, tax, legal reporting and auditing obligations, for a period as defined under the applicable law.
  • Because we maintain our archives to protect from accidental or malicious loss and destruction, residual copies of your personal information may not be removed from our backup systems for a limited period of time.

7.5 Withdrawal of consent
Where you have provided your consent to the processing of your personal information by us you may withdraw your consent at any time by sending a communication to us specifying which consent you are withdrawing. Please note that the withdrawal of your consent does not affect the lawfulness of any processing activities based on such consent before its withdrawal. Additionally, in some jurisdictions, applicable law may give you the right to limit the ways in which we use your personal information, in particular where (i) you contest the accuracy of your personal information; (ii) the processing is unlawful and you oppose the erasure of your personal information; (iii) we no longer need your personal information for the purposes of the processing, but you require the information for the establishment, exercise or defence of legal claims; or (iv) you have objected to the processing and pending the verification whether our legitimate grounds override your own.

7.6 Objection to Processing.
In some jurisdictions, applicable law may entitle you to require us not to process your personal information for certain specific purposes (including profiling) where such processing is based on legitimate interest. If you object to such processing we will no longer process your personal information for these purposes unless we can demonstrate compelling legitimate grounds for such processing or such processing is required for the establishment, exercise or defence of legal claims.

Where your personal information is processed for any marketing purposes, you may, at any time ask us to cease processing your data for these direct marketing purposes by sending an e-mail to the addresses shown below.

7.7 Lodging Complaints.
You have the right to lodge complaints about the data processing activities carried out by us before the competent data protection authorities.:

Commission for Protection of Personal Data, Bulgaria

Address:
Sofia 1592
2 Prof. Tsvetan Lazarov blvd.
Tel: 02 91 53 518
e-mail: kzld@cpdp.bg

8. OPERATING GLOBALLY

To facilitate our global operations we may transfer, store, and process your information within our family of companies or with service providers based in Europe, India, Asia Pacific and North and South America. Laws in these countries may differ from the laws applicable to your Country of Residence. For example, information collected within the EEA may be transferred, stored, and processed outside of the EEA for the purposes described in this Privacy Policy. Where we transfer store, and process your personal information outside of the EEA we have ensured that appropriate safeguards are in place to ensure an adequate level of data protection.

9. INTERNATIONAL TRANSFERS

Where we disclose any of your collected personal information outside EEA to USA, we shall comply with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework and any other adequacy decision.

In case personal information is shared with corporate affiliates or third-party service providers outside the EEA in absence of an adequacy decision, we have – prior to sharing your information with such corporate affiliate or third-party service provider – established the necessary means to ensure an adequate level of data protection. We will provide further information on the means to ensure an adequate level of data protection on request.

10. CHANGES TO THIS PRIVACY POLICY

We reserve the right to modify this Privacy Policy at any time in accordance with this provision. If we make changes to this Privacy Policy, we will make the revised Privacy Policy available to you through any means of communication. If you disagree with the revised Privacy Policy, you may inform us through the contact details contained hereinabove. If you do not contact us before the date the revised Privacy Policy becomes effective, you will be subject to the revised Privacy Policy.