Privacy Policy




“International Federation” Ltd. is an Administrator of Personal Data within the meaning of Regulation (EC) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (hereafter referred to as “CRPD”) and the Personal Data Protection Act (hereinafter “LPDP”).

With this Privacy Policy (hereafter referred to as “Policy”), the Administrator shall take into account the integrity of the individual and shall endeavor to protect against unauthorized processing of the personal data of individuals. In accordance with the Bulgarian legislation, the ARRD and the good practices, the Administrator has taken the necessary technical and organisational measures to protect the personal data of the individuals.

Understanding this Policy prior to using the Services of the Administrator is imperative as providing it involves the collection of certain categories of personal data required by the Administrator for the full provision of services.


With this Privacy Policy, the Administrator aims to inform individuals about:

(A) the purposes and means of processing personal data;

(B) the recipients or categories of recipients to whom the data may be disclosed;

(C) the basis for the processing of personal data (the mandatory or voluntary nature of the provision of the data) and the consequences of refusal to provide them;

(D) information on the right of access, the right to rectify and delete the data collected.

A) “Personal data” means any information relating to an identifiable natural or legal person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by an identifier such as name, identification number, location data, online identifier or one or more signs specific to the physical, physiological, genetic, mental, mental, economic, cultural or social identity of that individual;

B) “Special categories of personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or membership of trade unions and the processing of genetic data, biometrics for the unique identification of an individual, data relating to health or data about a person’s sexual life or sexual orientation.

C) “Processing” means any operation or set of operations performed with personal data or a set of personal data by automatic or other means such as collecting, recording, organising, structuring, storing, adapting or changing, retrieving, consulting, using, disclosing by transmission, dissemination or other means by which data become available, arranged or combined, restricted, deleted or destroyed;

D) “Administrator” means any natural or legal person, public body, agency or other entity which, alone or jointly with others, defines the purposes and means of processing personal data; where the purposes and means of such processing are determined by either EU law or the law of a Member State, the Administrator or the specific criteria for his / her determination may be established in Union law or in the law of a Member State;

E) “Joint Administrators” – when two or more Administrators jointly define the purposes and means of processing personal data, they are joint Administrators;

(F) “Personal data processor” means a natural or legal person, public authority, agency or other entity which processes personal data on behalf of the Administrator

(G) “Register” means any structured set of personal data accessed according to specific criteria, whether centralised, decentralised or distributed according to a functional or geographic basis.

(H) “Data subject” means any natural person who is the subject of personal data held by the Administrator.

(I) “Data subject consent” means any free expression, specific, informed and unambiguous indication of the will of the data subject by means of a statement or clearly confirming action, expressing his consent to the processing of personal data relating to him;

J) “Child” – The General Regulation defines a child as anyone below the age of 16, although this may be reduced to 13 from the Member State’s law. The processing of personal data of a child is legal only if the parent or guardian has given its consent. The Administrator shall make reasonable efforts to verify in such cases that the holder of parental responsibility for the child has given or has been authorised to give his consent.

K) “Profiling” means any form of automated processing of personal data consisting of the use of personal data for the assessment of certain personal aspects relating to an individual and in particular for the analysis or forecasting of aspects relating to the performance of the professional duties of that individual, his or her economic status, health, personal preferences, interests, reliability, behaviour, location or movement;

L) “Personal data breach” means a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data that is transmitted, stored or otherwise processed;

M) “Principal place of establishment” – the EU Administrator’s headquarters will be the place where he takes the basic decisions on the purpose and means of his data processing activities. For personal data processors, its main place of establishment in the EU will be its administrative center. If the Administrator is headquartered outside the EU, he must appoint a representative in the jurisdiction in which the Administrator works to act on behalf of the Administrator and deal with supervisors.

N) “Consignee” means a natural or legal person, public body, agency or other body to which personal data is disclosed, whether or not a third party. At the same time, public authorities which may receive personal data in a specific investigation under Union law or the law of a Member State are not considered as ‘recipients’; the processing of such data by the said public authorities complies with the applicable data protection rules according to the purposes of the processing;

O) “Third Party” means any natural or legal person, public body, agency or other authority other than the data subject, the Administrator, the Personal Data Processor and the persons under the direct authority of the Administrator or the Personal Data Processor to process personal data


The administrator processes personal data for the following reasons:
Based on the free, informed and explicit consent of the data subject;
Where there is a legal obligation to process the data;
When concluding or executing a contract, as well as for pre-contract activities;
Where this is necessary to protect the vital interests of the individual or the legitimate interest of the Administrator, provided that he does not conflict with the legitimate interests of the individual.
The Administrator processes personal data provided by employees, clients, assignors, suppliers, contractors and other individuals to whom the data relate to the provision of services from the subject of their activity, as well as for the preparation and conclusion of contracts.
The Administrator also processes personal data that is not received by the individual to whom they refer but has been provided by a third party in connection with a particular service, and the person who provided such data to the Administrator undertakes:

1. to provide the third person with data about the Administrator;
2. to notify the third party of the purposes, the categories of data provided and the categories of recipients of that data;
3. to provide information on the right of access and the correction of personal data of the person to whom they relate.

The collected personal data are stored for up to 6 (six) years from the date of termination of the service contract.
Personal data shall be stored for the period required by the purposes for which they were collected or for a period laid down in a statutory instrument.
With the consent of the direct marketing data subject, personal data is retained until it is written off or requested to be deleted. In cases where personal data is provided only for needs and purposes for feedback upon request, in the absence of a contract / order or other written agreement between the parties, the personal data are deleted and destroyed.


The administrator processes personal data through a set of actions that may be performed by automatic or other non-automated means such as collecting, recording, organizing, storing, adapting or modifying, restoring, consulting, using, disclosing by transmitting, distributing, providing, updating or combining, blocking, deletion and destruction.

The administrator processes the personal data either on his own or through the assignment of the data processors, by a written agreement defines the objectives and the volume of the obligations assigned by the controller of the data processor, provided the relevant legal basis is in accordance with the requirements of the ARPD / PDPA. Processors on behalf of the Administrator are, for example, the employees of the Administrator, whose rights and obligations regarding the processing of personal data of individuals are duly regulated in the internal acts of the Administrator, as well as in the employment characteristics of the respective employees. They also process third parties outside the Administrator structure who are entrusted with the processing of personal data on behalf of the Administrator.

The above processing operations are carried out in accordance with the following principles:

the lawfulness of the processing of personal data;

the appropriateness of the processing of personal data;

proportionality of the processing of personal data;

actuality of the processed personal data.

In connection with the fulfillment of statutory obligations and pre-contractual and contractual relations, in the course of its activity, the Administrator processes personal data of his employees, clients and third parties for the following purposes:

– administration of employment relationships: personal data of persons applying for employment and employees in connection with an existing employment relationship (data processing is most often due to the fulfillment of statutory obligations of the Personal Data Administrator arising from the specifics of the requirements of the legislation, financial, accounting, pension, health and social security activities, human resources management activities, automatic exchange of information in the field of taxation and others);

– administration of contractual relations: personal data of pre-contract and current clients (including where explicit consent is granted or processing is necessary to fulfill contractual obligations under which the data subject is a party as and for actions preceding the conclusion of a contract and undertaken at the request of the person).

In establishing permanent commercial relations with natural persons, the Administrator, in accordance with the provisions of Art. 4, item 15, b. “A” and b. “C” of the Money Laundering Measures Act (LMML), undertakes to identify its clients. Pursuant to Art. 2, para. 1 of the Regulations for the Application of the LMML in relation to Art. 6, para. 1, item 2 of the LMML, the identification of the clients and the verification of the identification of the individuals shall be carried out by presenting an official identity document and taking a copy of it. The administrator is obliged to collect and process information, which is personal data for individuals pursuant to Art. 4, in connection with Art. 10 and Art. 11 of the Measures for the Prevention of Money Laundering Act.


Categories of personal data that the Administrator processes to perform his / her activity:

Related to the physical identity of physical persons – name, PIN, passport, address, telephone, e-mail, etc .;
Related to the economic identity – property and financial status, participation and / or ownership of shares, securities in companies, presence of public liabilities, data necessary to identify for the purposes of tax legislation in the territory of the jurisdiction where the person is a resident for tax purposes purposes, tax identification number issued by that jurisdiction, function of controllers, etc .;
Related to social identity – education, labor, citizenship;
Related to family identity – marital status, kinship, etc .;
Other personal data that may be provided to receive the service of the Administrator.

The processed personal data is structured in the following registers:

The “Staff” register

“Clients” register


Right to information
Each data subject shall have the right to request information about the type of personal data processed by the Administrator that affects him personally. This information should be provided regardless of where the personal data is being processed.

The data subject is entitled to information for the purposes of processing his or her personal data which is provided to him when collecting his or her personal data and subsequently altering the purposes of the processing.

Request change
If the stored personal data are incorrect or incomplete, the data subject may request that they be corrected. Data subjects are responsible for providing the correct personal data to the Administrator. In addition, the data subject should inform the Administrator of any relevant changes to his or her personal data (such as address changes or subject name).

Restrict use
At any time of the processing of personal data, the data subject may request the Administrator to restrict the use of his or her personal data to any or all of the processing purposes for which the subject has given consent.

Refusal to request information, correction or limitation of the processing of personal data.
When the request for information, correction or limitation of processing is denied, the data subject will be informed of the reason for the refusal. The refusal is made in the form of the request submitted by the subject and should be motivated.

Right to delete (“right to be forgotten”)
Everyone has the right to request from the Administrator the deletion of the related personal data, and the Administrator has the obligation to delete them without undue delay. In the exercise of this right by the data subject, the Administrator tells the subject how the deletion will affect the relationship between them in the future.

Right of objection
Each data subject shall have the right to object to the processing of personal data relating to him. The administrator terminates the processing of personal data unless it can prove that there is a legal basis for continuing processing.

In addition, any data subject has the right to object if his or her personal data are used for advertising purposes (direct marketing) or for purposes related to market research or public opinion. In this case, personal data should be blocked and not used for the purposes.

Withdrawal of consent for the processing of personal data
The data subject has the right to withdraw his consent to processing his or her personal data at any time with a separate request addressed to the Administrator. The administrator tells the subject how the deletion affects the relationship between them in the future.

Questions and complaints / remedies
The data subject is entitled to submit complaints / requests to the Administrator on issues related to the processing of his or her personal data to which the Administrator responds in accordance with a procedure adopted (Procedure for Complaint Communications and Claims by the Data subject).

Right to express consent to the processing of his or her personal data
For the existence of “consent” the Administrator accepts only in cases where the data subject has been fully informed of the intended processing and has expressed his / her consent without exerting pressure on him / her. Consent obtained under pressure or on the basis of misleading information is not a valid basis for the processing of personal data.

Consent can not be inferred from the absence of a response to a message to the data subject. There must be active communication between the Administrator and the subject for consent. The controller should be able to demonstrate that consent has been obtained for the processing operations.

In most cases, consent to the processing of personal data is routinely obtained by the Administrator using standard consent documents, for example when a new client signs a contract or when recruiting new staff.

When processing personal data of children, the Administrator should be authorized by parents exercising parenting rights (parents, guardians, etc.). This requirement applies to children under the age of 16 (unless the Member State has provided for a lower age limit, which may not be less than 13 years).

Right of representation
The data subject may authorize another person to exercise the rights under this policy. Authorization should be explicit and made in writing. In every exercise of the data subject’s rights, the proxy is required to submit a copy of his power of attorney to the Administrator or the personal data processor on behalf of the Administrator.


The administrator ensures the security of personal data in accordance with the principles laid down in the ARPD / PDPA by taking appropriate and sufficient administrative, technical and organizational measures to protect data from loss, theft, misuse and unauthorized access, disclosure, alteration or destruction .


Eligibility of data processing
The processing of personal data is only admissible if the data subject has agreed to this if there is a legal obligation to process the data when concluding or executing a contract when necessary to protect the vital interests of the individual or the legitimate interest of the Administrator , provided that it does not conflict with the legitimate interests of the individual. The admissibility of the processing of personal data is a prerequisite for the transmission of personal data.

Consent should be declared in writing or on the basis of other legally permissible means, and the data subject must be informed in advance of the purpose of the processing and the possibility of transmitting personal data to third parties. An emphasis is placed on giving consent when included in other declarations so as to be clear to the data subject.

Aimed aim
Personal data may only be collected for the purposes outlined above and can not be processed for purposes other than those intended. The purpose of data collection and processing must be complied with by the Administrator for further processing and storage of such data. Changes to the purpose are only acceptable with the consent of the data subject or if permitted by the domestic law of the country from which the personal data were received.

Data savings
The processing of personal data must be necessary for the intended purpose. The available anonymisation or pseudonymization capabilities for personal data should be used at an early stage as far as possible and cost-effective for the intended protective purpose.

Data quality

Personal data must be factually correct and, as necessary, up-to-date. The administrator shall take appropriate and reasonable steps to correct or delete incorrect or incomplete data.

Data security
The Data Administrator shall put in place appropriate technical and organizational measures to ensure the necessary data security. These measures apply in particular to computers (servers and workstations), networks and communications connections and applications, and they are incorporated into the IT security management system. Appropriate measures are taken to protect this data from erasure by mistake, unauthorized deletion or loss. Full information is provided in the European Parliament and Council Directive (EU) 2016/1148 of 6 July 2016 on measures to ensure a high level of security of networks and information systems in the Union.

Confidentiality of data processing
Only authorized personnel who have committed to complying with data privacy requirements may participate in the processing of personal data. Employees are prohibited from using such data for personal purposes or providing them to unauthorized companies and third parties. Unauthorized in this context also means the use of personal data by employees who do not require access to such data in order to fulfill their official responsibilities. The confidentiality obligation continues to work even after termination of the employment / civil / service relationship with the Administrator.


The administrator uses administrative and technical measures to protect the personal data he processes through his employees or provides for the processing of third parties processing personal data. These measures include the following:

All employees of the Administrator are responsible for ensuring the security of the storage of the data they process, as well as for the fact that the data are stored securely and are not disclosed under any circumstances to third parties unless the Administrator has granted such rights to such third parties on the basis of a written contract or a confidentiality clause;

All personal data should only be accessible to those employees / processors whose duties include the processing of specific data, and access is only made in accordance with the internal rules of access control adopted (Rule and Rights Procedure in relation to control of access to personal data by technical means).

In order to provide sufficient protection for the processed personal data, (NAME OF THE AGENCY) uses the following technical measures (virus protection, firewall, encryption / encryption option);

The Personal Data Administrator adopts internal rules that determine the levels of sensitivity of the processed personal data (information) on the basis of which separate categories of personal data are created that are processed for specific purposes. Individual categories of personal data are separated into personal data registers. The internal rules define both the procedure for access to these registers and the persons who have the right to access them, respectively process the personal data stored therein;

The administrator with an internal act determines the order for the control of the separation of personal data. These rules contain measures to ensure that data collected for different purposes can be processed separately from authorized personnel / persons;

The administrator takes measures to ensure the protection of personal information against accidental destruction or loss;

The administrator shall establish procedures for restoring the availability of personal data following a physical or technical incident. In order to fulfill these obligations, the Administrator shall provide the necessary technical means (servers, computer network, cloud space) for which the protection measures under this section are undertaken.


The administrator shall adopt procedural rules specifying the measures and procedures for physical access and protection of personal data that are mandatory for all personnel who process personal data;

The administrator shall designate protected areas for the storage of the physical media of personal data the access to which is determined in accordance with the rules of procedure in this section;

The administrator introduces the following measures to restrict access to physical data carriers (for example, locks with high level of protection for the Administrator’s office doors as well as access doors to the building where the office is located, locking the cabinets, where the paper carriers of the created registers are located);

The administrator introduces a “clean desk” policy with which all employees who process personal data are introduced and implemented. Paper-based records should not be left where they can be accessed by unauthorized persons and can not be removed from designated protected premises without explicit permission. As soon as paper documents are no longer needed for the ongoing processing of personal data, they should be archived in the appropriate order and, if there is no justification for their archiving, should be destroyed in accordance with the procedure set up for that purpose;

Personal data may be erased or destroyed only in accordance with the procedure adopted by the Administrator (Storage and Destruction Procedure). Paper-based records, the processing period of which has expired, should be cut and destroyed as “confidential waste”. Hard disk data on unused PCs should be erased or disks destroyed according to the procedures in place;

The processing of personal data outside the premises of the Administrator is carried out in accordance with the relevant procedural rules and is permitted with the explicit written consent of the direct manager of the personal data processor or the Administrator.


The administrator appoints a Data Protection Officer (DPA). The role of this person is to monitor compliance with this Policy in the Enterprise of the Administrator and to ensure the possibility of demonstrating compliance of the processing of personal data in accordance with data protection legislation.

LDDP develops and implements the requirements for the protection of personal data in accordance with the provisions of this Policy. LDDP carries out security and risk management with respect to compliance with this Policy. DPOF is responsible for administering and processing requests and inquiries made by the data subject to the Administrator. LDDP gives the necessary clarifications to the Administrator’s employees regarding the respect of the protection of personal data.

DPLD shall periodically prepare and submit reports to the Administrator in connection with the application of this Policy, the legal provisions regulating the protection of personal data and the compliance of the provided protection of personal data in the enterprise with the legal requirements in this field.



The controller does not store personal data in a form that permits the identification of the subjects for a longer period than is necessary to carry out the processing for which the data subject’s consent has been given and the purposes for which they were collected. Keeping of personal data for a longer period is acceptable without the explicit consent of the data subject, if provided for in a normative act of domestic law or European Union law;

The controller may store data for a longer period of time than is necessary for the processing to be agreed and also in the cases where the personal data will be processed for purposes of public interest archiving, scientific or historical research and for statistical purposes, and only when the appropriate technical and organizational measures are in place to guarantee the rights and freedoms of the data subject;

The period for storing each category of personal data contained in a separate register is determined by a procedure adopted by the Administrator (Procedure for Storing and Destruction of Data). This procedure specifies the criteria used to determine the storage period, including any legal obligations incumbent upon the Administrator in respect of the storage of data.

The procedure for storing and destroying data, as well as the rules for the destruction of information on physical media, applies in all cases.


Personal data must be destroyed securely, in accordance with the principle of ensuring an appropriate level of security. Compliance with the procedure is mandatory in order to ensure protection against unauthorized or unlawful processing and against accidental loss, destruction or damage to data by applying appropriate technical or organizational measures.


The administrator creates a data inventory process as part of its approach to address the possible risks of processing the collected personal data. The Data Inventory and their processing process assesses the impact of the risk of personal data, the methodology and elements of which are governed by the Methodology adopted by the Administrator to conduct an impact assessment on the protection of personal data. The determination of risks under this methodology also applies to the processing undertaken by other organizations on behalf of the Administrator;

The administrator manages all the risks identified in the impact assessment in order to reduce the probability of non-compliance with the rules introduced by the ARPD / PDPA. Where a type of processing can lead to a high risk to the rights and freedoms of individuals, in particular through the use of new technologies and taking into account the nature, scope, context and purposes of the processing, before proceeding with the processing, the Administrator an assessment of the impact of the processing operations envisaged on the protection of personal data. An overall impact assessment may consider a set of similar processing operations that present similar high risks;

Where, as a result of the Impact Assessment, it is clear that the Administrator will process personal data which, due to a high risk, could cause harm to data subjects, the decision whether or not to continue processing should be submitted for review by DPA;

If the DPA has serious concerns about the potential harm or danger or the amount of relevant data, it should report to the supervisory body (CPDP);

LDDP makes a periodic review of the initially inventory data, reviewing the entered information in the “Processing Activity Register” for any changes in the Administrator’s activities.


The Personal Data Administrator has the right to disclose the processed personal data only to the following categories of persons listed exhaustively:

(a) the natural persons to whom the data relate;

(b) persons for whom the right of access is provided for in a statutory instrument;

(c) persons for whom the right arises under a contract;

For the purpose of providing services, the Administrator provides information / necessary personal data / for the fulfillment of a contractual obligation to the subject of personal data. The administrator provides personal data to third parties who provide services on his / her behalf on the basis of an explicit written instruction / written contract. These third parties may not use or disclose the data beyond the purposes for which they were provided, except when it is necessary to perform services on behalf of the Administrator or to comply with legal requirements. The purposes for processing the personal data provided are explicitly defined in the written instruction / written agreement, on the basis of which the data are provided to the third party. Third parties (personal data processors) are required to provide the necessary technical and organizational measures to protect the personal data provided by the Administrator or higher;

The administrator shares the received personal data with his affiliates, franchisees, dealers and joint partners based on explicit written instructions or written contract. These persons may use the information for the purposes described in this Privacy Policy. Subject to the explicit consent of the data subject, the latter may be shared with third parties on the basis of a written contract for their own purposes, such as offering products and services that may be of interest to the data subject;

The Administrator shares personal data with competent authorities / persons with a view to organizing the protection of their legal rights and interests in the initiation of orders, arbitration, security, claims and other proceedings;

The administrator shall disclose personal data to entities whose personal data are processed when required by law, by regulation, by international treaty or by an act of European Union law or in connection with a judicial proceeding in response to a request from a public authority. eg law enforcement or investigative bodies) or in case of suspicion of serious and unlawful interference with the legal rights and interests of the subjects of law.


Having regard to the regulation of the protection of personal data of individuals and the enhanced data protection measures introduced by the ARDD / PDPA, the Administrator takes into account the necessity to carry out initial and follow-up training of its personnel, whose duties include the processing of personal data of natural persons on behalf of the Administrator. Initial and follow-up trainings are intended to inform employees about the established rules and procedures for complying with this Policy and the applicable legal framework in the field of personal data protection as well as other data protection and privacy issues.

Employee training seeks to raise awareness about existing or newly emerging privacy requirements as well as the actions taken by the Administrator in accordance with them.

The Data Protection Officer shall ensure that employees’ responsibilities are appropriately allocated in relation to data protection in accordance with the Rules and Procedures of the Administrator for the processing of personal data.

The Data Protection Officer should ensure that all employees who have ongoing obligations related to personal data and processing operations as well as those with permanent / regular access to personal data demonstrate compliance with data protection requirements.

Employees must be able to demonstrate competence in understanding compliance requirements and how they apply to the Administrator’s organization.

The Data Protection Officer is responsible for updating their knowledge and being aware of all personal data issues within the scope of their professional duties, such as organizing ongoing training in changing the legal framework of personal data protection or changing the the subject of the Administrator’s activity, as well as the introduction of new procedures / measures for the protection of personal data by the Administrator.

The Administrator encourages training and awareness-raising measures by providing the necessary resources and material resources for this.

The Data Protection Officer familiarizes and informs employees of the importance of data protection in the performance of their direct duties, and in accordance with their role in the organization.

The Data Protection Officer is responsible for ensuring that employees understand how and why the rules and procedures of the Administrator’s organization for the processing of personal data apply and for which he / she compiles the relevant reports / protocols.

The Data Protection Officer develops training and information programs for both the entire staff and each specific role in the organization involved in the processing of personal data.

The Data Protection Officer establishes a system of periodic alert checking and updating employee knowledge in relation to changes in data protection requirements.

Employees receive specific training for the processing of personal data related to their permanent roles and responsibilities and in accordance with the rules and procedures adopted by the Administrator.

Employees receive specific training on all data protection requirements and procedures applicable to data protection and data processing within their daily roles and responsibilities, including reporting of personal data breaches.

Employees receive training on data submissions and complaints from data subjects related to the protection of personal data and the processing of personal data in accordance with the Administrator’s policies and procedures.

The Data Protection Officer organizes training for all responsible persons and employees.

The Data Protection Officer documents each training that he / she has done and, in doing so, draws up a list / protocol with those attending relevant trainings performed at the appropriate time according to the Administrator’s activities.

Initial training of employees is carried out in the implementation of this policy as well as when new employees are brought into work whose personal duties include the processing of personal data.

Subsequent trainings are conducted periodically (at least once every 12 months) or when a change in the legal framework of personal data protection / change in the subject of activity of the Administrator regarding the processing of personal data or when introducing new measures / procedures for protection.


Personal data subjects can learn about this policy at the Administrator’s office as well as on a website at

Contact with the Privacy Commission

Address: Sofia 1592, “Prof. Tsvetan Lazarov “№ 2,

tel: (02) 940 20 46, fax: (02) 940 36 40

Email: kzld [at], kzld [at]

Web site: