Privacy Policy

1. Purpose, Scope and Users

The “Dokova and Dokov for the Future” Foundation, registered in the Commercial Register and the Register of Non-Profit Legal Entities at the Registry Agency, with UIC 206743151, having its seat and registered address in Sofia, postal code 1766, Vitosha District, 6 “Panorama Sofia” Street, Richhill Business Center, Block “A”, represented by Irina Dokova – Chairperson of the Board, hereinafter referred to as the “Foundation”, is a data controller and, as such, strives to comply with applicable laws and regulations related to personal data protection in the countries in which it operates.

The Foundation processes personal data independently or by assigning processing to a data processor. This policy defines the main principles and rules under which the Foundation processes personal data of employees, clients, suppliers, business partners, visitors of the Foundation’s premises, users of the website, and other individuals. It sets out the rights of data subjects, the obligations and responsibilities of the “Dokova and Dokov for the Future” Foundation as a data controller, and of employees under its supervision.

All personal data is collected and processed in accordance with the applicable European and Bulgarian legislation in the field of personal data protection.

The principle of protection and security of personal data is a fundamental principle in the execution of the Foundation’s processes. Compliance with it is the obligation and responsibility of every employee. This policy develops that principle into specific rules and aims to assist employees in their daily work with personal data so as to avoid breaches.

A breach of personal data security may lead to a high risk for the rights of the affected individuals and may have significant negative consequences both for the Foundation and for its employees who have violated the requirements of applicable regulations and the Foundation’s internal rules. For this reason, any non-compliance with this policy is treated as a serious violation.

 

2. Definitions

The following definitions of terms used in this document are taken from the EU General Data Protection Regulation (GDPR):

  • Personal Data: any information related to an identified or identifiable natural person (“data subject”).

  • Data Subject: a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

  • Sensitive Personal Data: personal data that, by its nature, is particularly sensitive with regard to fundamental rights and freedoms and therefore deserves specific protection, as the context of its processing may create significant risks. Such data includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, or data concerning a person’s sex life or sexual orientation.

  • Data Controller: a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.

  • Data Processor: a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

  • Processing: any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, or otherwise making data available, alignment or combination, restriction, erasure, or destruction.

  • Personal Data Record: any structured set of personal data, accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis.

  • Third Party: a natural or legal person, public authority, agency, or other body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

  • Cross-border Processing:
    a) processing of personal data carried out in the context of the activities of establishments in more than one Member State of a controller or processor in the Union; or
    b) processing of personal data carried out in the context of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

  • Supervisory Authority: an independent public authority established by a Member State pursuant to Article 51 of the Regulation.

 

3. Key Principles Relating to the Processing of Personal Data

The principles of data protection outline the main responsibilities of the Foundation when processing personal data:

  • Lawfulness, fairness, and transparency – personal data shall be processed lawfully, fairly, and in a transparent manner; data subjects shall be informed clearly and unambiguously.

  • Purpose limitation – data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.

  • Data minimization – only the minimum personal data necessary to achieve the purposes of processing shall be collected.

  • Accuracy – data shall be accurate and, where necessary, kept up to date. As data is often provided directly by the data subject, they are requested to promptly inform the Foundation of any changes.

  • Storage limitation – personal data shall be kept for no longer than necessary for the purposes for which it is processed.

  • Integrity and confidentiality – personal data shall be processed in a manner that ensures appropriate security against unauthorized or unlawful processing.

 

4. Categories of Personal Data, Purposes and Legal Grounds

The Foundation processes information concerning the following categories of natural persons (data subjects):

  • Donors – individuals (material donations): full name; personal identification number (PIN) or foreigner’s personal number; address.

  • Donors – individuals (services or non-material donations): full name; PIN/foreigner’s personal number; address.

  • Partners working under civil contracts (specialists): full name; PIN/foreigner’s personal number; address.

  • Volunteers: full name; PIN/foreigner’s personal number; address.

  • Job applicants: full name; PIN/foreigner’s personal number; address, phone, email, education, work experience, qualifications.

  • Employees (employment or civil contracts): full name; PIN/foreigner’s personal number; ID card data; address; education; bank account; other data provided by the subject.

  • Participants in campaigns, lotteries, or games organized by the Foundation: name, surname, residence, correspondence address, email, phone number.

  • Individuals submitting requests, complaints, or signals: full name, PIN, address, phone, email.

  • Partners: full name, PIN/foreigner’s personal number, address, phone, bank account.

  • Survey participants: name, phone, email (anonymous or not).

  • Clients enrolled in consultations or programs: full name; PIN/foreigner’s personal number; address; phone; email; income documents; medical records; copy of ID card.

The Foundation processes the following categories of data:

  • Physical identity data (e.g., PIN, full name, permanent address, ID data, images).

  • Economic identity data (e.g., remuneration data).

  • Social identity data (e.g., education, previous employment).

  • Family identity data (e.g., marital status, minor children).

  • Health data (e.g., medical diagnosis, TELK/NELK decisions).

  • Convictions and violations data (e.g., criminal record).

  • Communication data (messages via website, email, or social networks).

  • Client data (purchase information, delivery and billing details, contact data).

  • Marketing data (preferences for receiving information, communication methods, with explicit consent).

Data is collected lawfully and minimized, stored securely, and disclosed to third parties only under contractual guarantees ensuring adequate data protection.

 

5. Rights of Data Subjects

Under GDPR, data subjects have the following rights:

  • Right of access – to obtain a copy of personal data processed.

  • Right to rectification – to correct inaccurate or incomplete data.

  • Right to erasure (“right to be forgotten”) – to request deletion of data when processing is based on consent.

  • Right to restriction of processing – in case of legal disputes.

  • Right to data portability – to receive a structured copy of personal data and transfer it to another controller.

  • Right to be informed of data breaches – to be notified of personal data security breaches without undue delay.

 

6. Processing of Employee Data

The Foundation may process employee data for legitimate purposes including:

  • Human resources management (recruitment, performance evaluation, compensation, training, occupational health and safety, insurance).

  • Business processes (travel, asset management, IT services, audits, litigation).

  • Legal compliance (disclosure to tax authorities, etc.).

 

7. Guidelines for Fair Processing

The Foundation ensures data subjects are properly informed about the processing of their data (via privacy notices), collects consent where required, and processes personal data only for the purposes for which it was initially collected unless new consent is obtained.

 

8. Processing of Staff Data

The Foundation processes staff data in line with transparency, data minimization, and legal obligations. Disclosure to third parties requires contractual guarantees of data protection.

 

9. Supervisory Authority

The national data protection supervisory authority is the Commission for Personal Data Protection:

 

10. Validity and Document Management

This document is valid from 28.03.2022.

The Foundation may update, amend, or supplement this Privacy Policy at any time when circumstances require.

Last update: 28.03.2022