INTERNAL RULES FOR PERSONAL DATA PROTECTION
AT BEST RECRUITERS LTD / ET BEST RECRUITERS LLC
PRIVACY POLICY

SUBJECT

Article 1. (1) These rules (the “Rules”) determine the procedure by which AT BEST RECRUITERS LTD / ET BEST RECRUITERS LLC, UIC BG204509986 (the “Company”), processes personal data for the purposes of its activities.


PRIVACY POLICY

One of our primary concerns is the security of natural persons’ personal data, in accordance with best practices and legal requirements for information protection and confidentiality.

When we collect personal data, we follow the principles of data minimization, lawfulness, transparency, and security.

This Policy aims to explain how we use the personal data we collect about you, and it also applies to personal data processed by us in the course of our core activities.

What information do we collect?

Personal data processed for recruitment purposes

Article 1. What information do we collect:

  1. We collect information about you when you submit your résumé via our website’s electronic form, through various job platforms, our Contact form, or different social channels, or when you contact us regarding a posted vacancy or for inclusion in our database.
    When you apply for a job with us using the documents you send, you disclose your personal data, which we will process in connection with the recruitment process.
  2. Depending on the specific situation, the Company may act as data controller or data processor.
  3. These Rules are drawn up in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation – GDPR).

Article 2. These Rules regulate:

  1. The principles, procedures, and mechanisms for processing personal data;
  2. Procedures for notifying the supervisory authority in case of security breaches;
  3. Procedures for handling requests for data access, rectification, objections, and withdrawal of consents, as well as for exercising other rights granted by law to data subjects;
  4. The persons who process personal data and their responsibilities;
  5. Rules for transferring personal data to third parties in Bulgaria;
  6. Necessary technical and organizational measures to protect personal data from unlawful processing and incidents such as accidental or unlawful destruction, loss, unauthorized access, alteration, or disclosure;
  7. Technical resources applied in personal data processing.

DEFINITIONS

Article 3. For the purposes of these Rules, the following terms shall have the meanings given below:

  • ZLD – Personal Data Protection Act (Bulgaria).
  • CPDP – Commission for Personal Data Protection.
  • GDPR – General Data Protection Regulation – Regulation (EU) 2016/679.
  • Data Protection Officer – the person assigned responsibilities regarding data protection and processing operations under these Rules. The Company’s core activities do not require the appointment of a Data Protection Officer under Article 37 et seq. of the GDPR.
  • Data Controller – any natural or legal person which alone or jointly with others determines the purposes and means of the processing of personal data. For these Rules, the Data Controller is ET BEST RECRUITERS LLC.
  • Data Processor – a natural or legal person who processes personal data on behalf of the Controller under a contract.
  • Data Protection Notices – notices providing information to data subjects at the time of data collection. These may be general (e.g., for employees or on the organization’s website) or specific to a processing purpose.
  • Processing – any operation performed on personal data such as collection, recording, storage, organization, retrieval, use, disclosure, erasure, or destruction, including transfer to third parties.
  • Pseudonymization – replacing identifying information with one or more identifiers (pseudonyms) so that the data subject cannot be identified without additional information, which is kept separately and confidentially.
  • Consent – any freely given, specific, informed, and unambiguous indication of the data subject’s wishes.

DATA SUBJECTS AND CATEGORIES OF PERSONAL DATA

Article 4. (1) The Company collects and processes personal data for human resources management, using your data solely for recruitment and career counseling purposes.

The Company also collects and processes data necessary to fulfill its obligations as employer, service and goods provider, and contracting party in compliance with applicable law.

Personal data processed are grouped into activity registers containing processing rules for:

4.1. Personnel administration – maintaining employee and contractor records;
4.2. Contract management with clients and suppliers – entering into and executing contracts, storing related documents.

Appendix 1

(2) For employees, contractors, and job applicants, we collect:
a) Identification: name; UIC (birth date); permanent and/or current address; phone; ID card or passport details;
b) Education and qualifications: education, work experience, professional and personal qualifications and skills;
c) Health data: only when required by the employer;
d) Other data: court record certificate when legally required, and any other data necessary to fulfill the Company’s rights and obligations as the provider of recruitment services in Bulgaria or abroad.

(3) For clients, we collect data necessary to fulfill legal obligations as a service and goods provider: name; UIC; address; phone; ID or passport details; email; and any information related to the candidate’s application.

(4) For service and goods suppliers, we collect data needed to conclude and execute contracts: name; UIC; address; phone; ID or passport details; email.

(5) Sensitive data are processed only as necessary for labor, social security, and tax law compliance.


PURPOSES AND PRINCIPLES OF DATA PROCESSING

Article 5. Purposes of personal data processing:

  • Human resources management, recruitment, and career counseling;
  • Conducting interviews, tests, obtaining references, health or criminal background information as needed;
  • Ensuring confidentiality, accuracy, and availability of data through technical and organizational measures;
  • Transparent procedures for exercising GDPR rights;
  • Career consulting assistance;
  • Payroll and related social security, tax, and employment obligations;
  • Domestic and international recruitment services; consulting services;
  • Client relationship management;
  • Supplier contract management.

Article 6. Personal data shall be processed lawfully, fairly, and transparently, in accordance with the following principles:

  1. Data subjects shall be informed in advance;
  2. Collected for specific, explicit, lawful purposes;
  3. Adequate, relevant, and limited to purposes;
  4. Accurate and kept up to date;
  5. Erased or rectified if inaccurate;
  6. Kept in a form that permits identification of data subjects for no longer than necessary.

Article 7. Lawful processing requires one of:

  1. Data subject’s consent;
  2. Necessary for contract performance;
  3. Compliance with legal obligation;
  4. Protection of vital interests;
  5. Task in public interest;
  6. Legitimate interests of the Controller, unless overridden by data subject’s rights.

CONSENT

Article 8.

  1. Consent must be freely given, specific, informed, and unambiguous.
  2. Withdrawal of consent must be as easy as giving it; processing based solely on consent must cease upon withdrawal.
  3. Consent declarations are retained for as long as processing continues on that basis.

PROCEDURES FOR DATA PROCESSING

Recruitment and employment records

Article 9.

  1. Data for employees, contractors, and applicants are collected during recruitment and stored in personal files, on paper or technical media.
  2. Files are organized; access only for authorized personnel.
  3. Authorized personnel implement organizational and technical measures to secure files from unauthorized access.
  4. Files are not removed from Company premises.

Client and supplier data

Article 10.

  1. Client data collected when requesting services or signing contracts.
  2. Supplier data collected when concluding contracts, included in contract documents.
  3. Data stored electronically and on paper, classified in separate files; electronic data in databases.

DOCUMENTATION OF DATA PROCESSING

Article 11.

  1. The Company documents processing activities under the accountability principle.
  2. Documentation must demonstrate compliance with lawful processing principles.
  3. Processing involving data transfers, storage on third-party servers, archiving, deletion, pseudonymization, or other non-standard operations is documented with protocols detailing:
    a) Processing purposes;
    b) Data categories and subjects;
    c) Recipients, including third countries;
    d) Deletion timeframes;
    e) Security measures.
  4. Protocols are prepared by personnel under the Data Protection Officer’s guidance.
  5. The set of all protocols forms the processing activities register per Article 30 GDPR.

TECHNICAL AND ORGANIZATIONAL MEASURES

Technical measures (Article 12)

  1. Access-controlled premises;
    – Locked rooms;
    – Visitor access only with staff escort.
  2. Fire protection per Bulgarian law.

Documentary measures (Article 13)

  1. Procedures for data access, destruction, and retention periods detailed in these Rules.
  2. Duplication and distribution only by authorized staff when necessary.

Personnel measures (Article 14)

  1. Before starting, personnel handling data:
    – Commit to confidentiality;
    – Learn legal and internal data protection rules;
    – Receive security training;
    – Agree not to share critical information outside procedures.
  2. New employees are briefed on these Rules and protection measures.

System and cryptographic protection (Article 15)

  1. Operating system access is password-protected and granted only to authorized staff.
  2. Databases protected by antivirus, firewalls, etc.
  3. Periodic backups of technical media.

Article 16. Additional measures:
– Passwords for computers and data files;
– Antivirus and software audits;
– Periodic integrity checks;
– Regular backups on technical and paper media;
– Data Protection Officer reports security measures to management.


SECURITY BREACHES

Article 17.

  1. Suspected breaches reported immediately to Data Protection Officer with full information.
  2. The Officer investigates the breach and the affected data.
  3. Officer reports to Company partners on incident nature, timing, impact, and proposed measures.
  4. Officer implements containment and recovery measures after management consultation.
  5. If delay would increase damage, Officer may act immediately and later inform management.

Article 18.

  1. If breach poses risk to data subjects’ rights, Officer shall, after management approval, notify the CPDP.
  2. The CPDP is notified without undue delay and no later than 72 hours after becoming aware of the breach.
  3. Notification includes breach description; categories and number of data subjects and records; contact details of Data Protection Officer; potential consequences; mitigation measures.
  4. If high risk, data subjects are informed without undue delay under applicable law.

Article 19.

  1. The Company maintains a breach register with:
    a) Breach discovery date;
    b) Description – source, type, scale, cause;
    c) Notifications made;
    d) Containment measures;
    e) Measures to prevent recurrence.
  2. Register kept electronically by the Data Protection Officer.

DISCLOSURE TO THIRD PARTIES

Article 20.

  1. The Company may disclose data to processors under explicit contracts.
  2. For transfers to processors:
    a) Adequate guarantees of compliance;
    b) Written agreements per Article 28 GDPR;
    c) Data subjects informed of transfers.
  3. Transfers outside EU/EEA only if:
    a) Adequacy decision by the Commission;
    b) Appropriate safeguards (BCRs, SCCs, codes of conduct, certifications);
    c) Explicit subject consent after risk information;
    d) Necessary for GDPR purposes (contract performance, public interest, legal claims, vital interests).

DATA PROTECTION IMPACT ASSESSMENT

Article 21.

  1. Impact assessments conducted when required by law for high-risk processing.
  2. Required for new systems, automated processing, large-scale sensitive data processing, public area monitoring.
  3. Assessment protocols available to CPDP on request.

DATA DESTRUCTION

Article 22.

  1. Data destruction by the Company or authorized person in compliance with laws and data subjects’ rights.
  2. Data destroyed when no longer needed.
  3. Paper data shredded; electronic data irrecoverably deleted.

RESPONSIBLE PERSONS AND ACCESS

Article 23. Data processing is performed by authorized personnel with the necessary competence, appointed by written act, including these Rules.

Article 24.

  1. Data handling only by explicitly authorized persons.
  2. External service providers must comply with legal requirements and Article 19 procedures.
  3. State authorities (court, prosecution, audit bodies) may access data upon lawful request.

DATA SUBJECTS’ RIGHTS

Article 26.

  1. Every individual has the right to access their data, confirm processing, be informed of purposes, categories, and recipients.
  2. Access requests via Company’s registered address or official email.
  3. Right to request deletion, correction, or blocking of unlawful data processing.
  4. Right to object to processing or sharing without legal basis.
  5. Company must respond within two weeks, indicating grounds for request approval or refusal and procedure to exercise rights.
  6. Data subjects may:
    – Withdraw consent anytime;
    – Object to direct marketing;
    – Request information on transfers outside EU/EEA;
    – Object to automated decisions, including profiling;
    – Be notified of high-risk breaches;
    – Lodge complaints with supervisory authority;
    – In some cases, request data portability in a structured, machine-readable format.

AMENDMENTS TO THE INTERNAL RULES

Article 27. The Company may amend these Rules at any time. All changes shall be promptly communicated to affected persons.


AT BEST RECRUITERS Ltd.
Veliko Tarnovo 5000, Asti St. No. 6
hr@atbestrecruiters.com
+359 883 209 292


CONTACT

If you have any questions regarding your personal data processed by us, please contact us at hr@atbestrecruiters.com.

If you would like us to delete your CV/resume from our database, please send an email request to hr@atbestrecruiters.com.
