Data protection

I. Introduction and Overview

  1. Pursuant to Art. 4, para. 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, EUROPEAN NEUROGRAPHICA CENTER is a data controller. Pursuant to Art. 4, para. 8 of the Regulation, EUROPEAN NEUROGRAPHICA CENTER is also a data processor.

 

II. Basic Information about the Company
2) Company name: EUROPEAN NEUROGRAPHICA CENTER Ltd.
3) Registered office and business address: Sofia, 1000, Vazrazhdane District, Lavelle Street, Block 31B, Entrance B, Floor 4, Apt. 24
4) UIC (Unified Identification Code): 206663125
5) Phone: 0887625818
6) E-mail: neurograffbg@gmail.com
7) Website: https://neurograff-bg.com

III. Purpose of the Personal Data Protection Policy
This policy aims to declare the position of the management of European Neurographica Center, hereinafter referred to as the Controller, regarding Regulation (EU) 2016/679. The management guarantees that the Controller’s activities are aligned with the Regulation and the Bulgarian Personal Data Protection Act.
This policy establishes the framework within which the company will operate in accordance with legal requirements and good practices.

 

IV. Scope of the Data Protection Policy
This policy covers the activities of the Controller and any dependent entities and their employees. “Dependent” in this context means that the Controller can directly or indirectly enforce this policy via contract or agreement. It applies to all personal data processing operations.

 

V. Definitions
As per Art. 4 of the Regulation, the following definitions apply:

  1. "Personal data" – any information relating to an identified or identifiable natural person;

  2. "Data subject" – an individual who can be identified, directly or indirectly;

  3. "Processing" – any operation performed on personal data such as collection, recording, structuring, storage, adaptation, consultation, use, disclosure, alignment, restriction, erasure, or destruction;

  4. "Personal data register" – a structured set of personal data accessible by specific criteria;

  5. "Controller" – a natural/legal person or body determining the purposes and means of processing;

  6. "Processor" – a party processing personal data on behalf of the controller;

  7. "Data subject’s consent" – a freely given, specific, informed and unambiguous indication of the data subject’s wishes;

  8. "Personal data breach" – a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

 

VI. Principles for Processing Personal Data (Art. 5 of the Regulation)

  1. Purpose Limitation – Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.

  2. Lawfulness, Fairness and Transparency – Processing must be lawful and transparent.

  3. Data Minimisation – Only data that is adequate, relevant and limited to what is necessary shall be processed.

  4. Accuracy – Data must be kept accurate and up to date.

  5. Storage Limitation – Personal data must not be kept longer than necessary.

  6. Integrity and Confidentiality – Data must be processed securely, protecting it against unauthorised or unlawful processing and against accidental loss, destruction or damage.

  7. Accountability – The Controller is responsible for demonstrating compliance with these principles.

 

VII. Categories of Data Subjects

  1. Legal entity representatives (whose data is publicly available);

  2. Individuals – users or potential users of services;

  3. Individuals employed or in contractual relationships with the Controller.

 

VIII. Categories of Personal Data

  1. Data processed includes:

  • Names, DOB, POB, PIN, ID numbers, gender, address, phone, ID document details, photo, education, employment details, marital status, children, health status, financial details (bank info, card details), online identifiers (IP, cookies, MAC).

  2. Data not processed includes:

  • Geolocation (e.g. GSM, GPS), race, ethnic origin, mental health, political or religious beliefs, trade union membership, sexual orientation.

IX. Legal Bases

  1. Consent – data subject can give and withdraw consent freely.

  2. Contractual necessity – including employment and civil contracts.

  3. Legal obligation or legitimate interest – as long as processing is necessary and justifiable.

 

X. Purposes for Data Processing

  1. Employment/contractual relations;

  2. Accounting and finance;

  3. Marketing and commercial activity;

  4. Based on contractual relations with partners.

 

XI. Rights of Data Subjects

  1. Right to access, rectification, erasure, restriction, portability, objection, not to be subject to automated decision-making, and the right to lodge a complaint with a supervisory authority.

 

XII. Disclosure of Personal Data
Data will not be disclosed to unauthorised third parties without proper documentation or approval.
External recipients include:

  1. Public authorities – NRA, NSSI, NSI;

  2. Other data processors, e.g. accounting services.

 

XIII. Data Transfers

  1. Transfers outside the EU are treated as unlawful unless safeguards are in place.

  2. Exceptions are allowed under strict conditions (e.g. vital interest, legal claims, public interest, contract performance, etc.).

 

XIV. Data Retention and Disposal

  1. Personal data is retained only as long as necessary.

  2. Longer retention is allowed for archiving/statistics/public interest with proper safeguards.

  3. Secure disposal procedures are enforced.

 

XV. Security Measures

  1. Technical and organisational safeguards are in place as recorded in the processing register.

  2. Employees are responsible for data security and non-disclosure.

  3. Data access is role-based and controlled.

 

XVI. Notification of Data Breaches

  1. In the event of a breach, the supervisory authority (CPDP) will be notified within 72 hours.

  2. Processors notify the controller without undue delay.

  3. Partial notifications are permitted when full details are unavailable.

  4. All breaches are documented for regulatory review.

20 June 2025
Sofia