Privacy Policy
Last update : Jul 2, 2026
Polity is a voluntary, independent, non-profit association of citizens acting for the public benefit, registered under the provisions of the Law on Not-for-Profit Legal Persons under company file No 318/2016 of Sofia City Court and re-registered in the Commercial Register and the Register of the Not-for-Profit Legal Persons under UIC 177026247. Polity is represented by Lora Krasteva, Chairman of the Governing Board. Polity has its headquarters in Sofia, at 110, Nikola Gabrovski Street, T: +359 885 442 841, e-mail office@polity.bg, website: www.polity.bg.
This Personal Data Protection and Privacy Policy have been prepared as a document in compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
With this Policy, Polity recognises the integrity of the individual and seeks to protect individuals' personal data from unauthorised processing. This document contains information about the types of personal data collected, the purposes for which the collected personal data are used, third parties' access to such data, the security measures to be taken in this respect, as well as the options available to individuals regarding the use of the personal data provided by them. All personal data is dealt with in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and with current legislation in the field of personal data protection in Bulgaria.
Principles relating to the processing of personal data: lawfulness; fairness and transparency; relevance to purposes; accuracy and up-to-dateness; data minimisation; storage limitation; accountability, integrity and confidentiality; user consent for data processing.
Type, Purpose and Grounds for Personal Data Processing
Data specific to the physical and social identity of the individual with regard to the following:
Performing an activity under an employment or service contract involves providing details such as name, date and place of birth, national ID number, ID card number, along with its issuance date and location, permanent and current addresses, contact phone number, email, and bank account information.
Staff recruitment and interns’ admission: include name, contact number, address, email, CV, diplomas, certificates, references from previous employers, and a motivation letter.
Participation in events organised by Polity: record name, institution, email, and phone number. Project application, implementation, contract signing, and performance: gather name, institution, email or phone number, CV, bank details, and postal address.
Separate categories of personal data related to specific activities or to particular regulatory requirements, as regards the following:
Sociological surveys/interviews/focus groups: name, e-mail; data revealing the individual’s affiliation to a particular vulnerable group, ethnic origin;
Business trips related to the implementation of projects where Polity is a beneficiary: name, ID document data, date and place of birth, address, telephone number, e-mail.
The aim of personal data processing is to identify natural persons who are or will be carrying out activities assigned by Polity, contractors, invitees, and participants in events related to the implementation of Polity activities. The processing is performed for the purposes of:
Fulfilling legal obligations arising from the specific requirements set out in financial reporting and accounting, retirement, health insurance and social security, and human resource management regulations;
Performing a contract to which the data subject is a party or taking steps at the request of the data subject prior to entering into a contract;
Implementing Polity activities – for one or more specific purposes, based on the consent of the data subject; pursuing Polity or a third party’s legitimate interests, based on the consent of the data subject, as in: sending invitations for participation in project application procedures, news and releases related to the project implementation; submitting project proposals; sending invitations, news and releases about events organised by Polity; distribution of Polity publications.
Grounds for processing:
Conclusion of an employment or service contract;
Statement of the explicit, clear and informed consent of the data subject (which can be withdrawn at any time);
Legal obligation of personal data processing stipulated in the Law on Accounting, the Law on Value Added Tax and other applicable legislative acts.
Security Measures, Third-Party Access, Manner and Period of Storage
1. In compliance with the applicable legislation on personal data protection, Polity has adopted and adheres to procedures for the prevention of any authorised access and personal data misuse. Only authorised staff members have access to the subjects’ personal data to implement Polity activities.
2. No personal data provided is used for commercial or marketing purposes.
3. Personal data can be provided to third parties solely in connection with the performance of a specific contractual obligation related to the management and implementation of grant programs and projects, or the performance of other contractual obligations, only based on the explicit consent of the data subject.
4. Personal data can be made available to the national auditing authorities, auditors from the European Commission, the European Anti-Fraud Office (OLAF), the European Chamber of Auditors, the Council for Coordination in the Fight against Infringements Affecting the European Union Financial Interests, financing institutions and agencies. These institutions are entitled to carry out on-site checks of the implementation of projects in which Polity is involved, as well as to review accounting records and any other documents relevant to project financing that contain personal data.
5. Personal data are stored for as long as necessary to implement the activities within the scope of the Polity and in compliance with current Bulgarian legislation.
6. The collected personal data are stored on paper or electronically as per their type and the legal grounds for their processing.
7. The storage periods are set in accordance with current Bulgarian legislation.
8. Personal data are only stored until the data subject specifically requests their erasure, unless this affects the legitimate interests of the Polity.
Data Subject Rights
Data subjects have the following rights in respect of their personal data:
1. Right to be informed about details which identify the Polity as a data administrator, the purposes of processing personal data, the recipients or recipient categories to whom personal data might be disclosed, the obligatory or voluntary nature of providing personal data and the possible consequences of failure to provide such data.
2. Right of access to one’s personal data. In cases where granting access may involve disclosure of a third party’s personal data, the administrator is obligated to provide the data subject with partial access without disclosing any third-party personal data.
3. Right to object before the Polity to the processing of one’s personal data, where there is a legitimate reason for doing so.
4. Right to have one’s inaccurate personal data rectified or completed if incomplete.
5. Right to request the restriction, instead of erasure, of one’s personal data in certain circumstances.
6. “Right to be forgotten”, i.e. having one’s personal data erased where one of the following grounds applies:
7. Right of defence before the Commission for Personal Data Protection (https://www.cpdp.bg/) or before the court.
Consequences of Failure to Provide Personal Data
1. No express consent from the data subject is necessary, provided there are legal grounds for personal data processing, such as a legally established obligation arising from the requirements of labour, tax and social security legislation, the Law on Obligations and Contracts, the Law on Accounting, the Law on Measures against Money Laundering, the Law on Measures against the Financing of Terrorism, etc.
2. Failure to provide one’s personal data or withdrawal of consent may prevent the individual from obtaining information provided by the Polity or from opportunities to participate in the organisation’s activities.
Procedures for the Exercise of Rights of the Data Subjects
1. Natural persons exercise their rights by submitting a written request to Polity on paper or by e-mail to office@polity.bg with a subject Personal Information Request, which needs to contain at least the following information:
name, address and other identification data of the individual concerned;
description of the request;
preferred form of the requested information;
signature, date of submission and correspondence address.
2. The procedure for the exercise of rights of natural persons with regard to their personal data is free of charge. However, the administrator may refuse to provide free information if a person submits repeated requests in quick succession.
3. To avoid data abuse, in the cases when the request is submitted by an authorised person, it must be accompanied by a notarised power of attorney.
Terms and Definitions Used
For the purposes of this Policy:
1. ”Personal data” means any information relating to an identified or identifiable natural person (”data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more specific characteristics;
”Data processing“ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. ”Personal data administrator” is a Polity which alone or jointly with another entity / via an authorised entity, processes personal data.