GDPR

INTERNAL RULES FOR COLLECTION, STORAGE, PROCESSING AND DESTRUCTION OF PERSONAL DATA, TECHNICAL AND ORGANIZATIONAL MEASURES AND THE ADMISSIBLE TYPE OF PERSONAL DATA PROTECTION AT "MEDINA MED" LTD

Chapter One GENERAL PROVISIONS

Art. 1. These internal rules for technical and organizational measures and the admissible type of protection of personal data, hereinafter referred to as "The Rules", govern the organization of personal data processing and the protection thereof regarding the employees, workers, and clients of "MEDINA MED" Ltd.

Art. 2. (1) Personal data processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. (2) Personal data processing also consists of providing access to specific information only to persons whose official duties or specifically assigned tasks require such access.

Art. 3. MEDINA MED Ltd. is a personal data controller within the meaning of Regulation (EU) 2016/679 regarding:

  1. Register "PERSONNEL"

  2. Register "COUNTERPARTIES".

Art. 4. (1) Personal data means any information relating to an identified or identifiable natural person directly or indirectly, in particular by reference to an identifier or to one or more factors specific to that person. (2) The principles of personal data protection are:

  1. Principle of limited collection – the collection of personal data must be within the limits of necessity. Information shall be collected by lawful and fair means;

  2. Principle of limited use, disclosure, and retention – personal data must not be used for purposes other than those for which they were collected, except with the consent of the individual or when required by law. Personal data must be retained only as long as necessary for the fulfillment of those purposes;

  3. Principle of accuracy – personal data must be accurate, complete, and up-to-date as necessary for the purposes for which they are used;

  4. Principle of security and safeguarding – personal data must be protected by security safeguards appropriate to the sensitivity of the information.

Art. 5. Personal data shall be collected for specific purposes precisely determined by law or contract, processed lawfully and in good faith, and may not be further processed in a manner incompatible with those purposes.

Art. 6. When processing personal data by MEDINA MED Ltd. on grounds other than a contract or law, employees and counterparties shall sign a declaration of consent according to a template.

Chapter Two REGISTER "PERSONNEL"

Art. 7. In the "Personnel" register, personal data of employees engaged under labor or civil law relationships are collected and stored during their activity in execution of these contracts, with a view to:

  1. Individualization of labor and civil law relationships.

  2. Fulfillment of the regulatory requirements of the Labor Code, the Social Insurance Code, the Accountancy Act, the State Archives Act, etc.

  3. Use of the collected data for the respective persons for official purposes.

  4. All activities related to the existence, modification, and termination of labor and civil law relationships – the preparation of any documents for the persons in this regard (contracts, supplementary agreements, documents certifying length of service, official notes, references, certificates, etc.).

  5. Establishing contact with the person by telephone and sending correspondence related to the performance of their duties under labor or civil contracts.

  6. Maintaining accounting records regarding the remuneration of the above-mentioned persons under labor and civil contracts.

Art. 8. The register is maintained on paper and electronic carriers.

Art. 9. (1) Paper carriers of personal data are stored in folders (personnel files) for each manager, employee, worker, or person hired under a civil contract. Personnel files are arranged in a special filing cabinet. (2) The filing cabinet is located in a room designated for the independent work of the employee from the "Human Resources" department, who is assigned by these rules to be a processor of personal data. (3) Access to personnel files is granted only to the personal data processor. The possibility of granting access to personal data to another person during processing is limited and explicitly regulated in this instruction.

Art. 10. (1) When maintaining the register on a technical carrier, personal data is entered onto a hard drive on an isolated computer. (2) The computer is connected to a local network, but access to the personal data is protected and only the personal data processors have direct access to it. Software products are used for data processing regarding personnel remuneration, including basic and additional remuneration, tax and other obligations (loan installments, garnishments, etc.), length of service, days present and absent, and the like. The software products are adapted to the specific needs of the personal data controller. (3) The computers are located in an isolated room for the independent work of the company's administrative department. (4) Access to the operating system containing files for personal data processing is granted only to personal data processors via a password for opening these files. Protection of electronic data from unauthorized access, damage, loss, or destruction is ensured by maintaining antivirus programs, periodic data archiving, as well as by maintaining the information on paper carriers.

Art. 11. The following types of data are maintained in the register: (1) Physical identity – names, Uniform Civil Number (EGN), ID card number, date and place of issue, place of birth, address, contact telephones. (2) Education – document regarding acquired education, qualification, capacity, when such are required for the position the person occupies, etc. (3) Labor activity – according to the attached documents for length of service and professional biography. (4) Medical data – card for preliminary medical examination for employment, document for reassignment due to illness/disability when required for the position held. (5) Conviction status certificate (criminal record), when required for occupying the position. (6) Personal form according to a template.

Art. 12. Personal data in the "Personnel" register is collected upon employment/assignment of work under a labor or civil law relationship of a given person in fulfillment of a statutory obligation – the provisions of the Labor Code and the secondary legislation for its implementation, the Social Insurance Code, the Education Act, and others, in one of the following ways:

  1. Verbal interview with the person (upon hiring or during the work process).

  2. On paper carrier – written documents – applications, requests for hiring/performing work under labor or civil law relationships, for modification or termination of these relationships, regarding current issues during the work process submitted by the person.

Art. 13. In all cases where necessary based on a statutory obligation, persons whose data are subject to mandatory processing in the register shall submit the necessary personal data to the controller and to the official appointed for their processing – the personal data processor. The official/personal data processor shall inform the person about the necessity of collecting personal data and the purposes for which they will be used.

Art. 14. Apart from the persons and cases indicated above, limited access to personal data is granted to cashiers, accountants, and legal advisors for the preparation of payment documents related to transfers of remuneration (in cash or by bank transfer) to persons hired under labor and civil law relationships in the company, and for the preparation of court papers and documents in case of labor disputes.

Art. 15. In case of a need to correct personal data, persons shall provide such data to the official/personal data processor upon their request based on a statutory obligation.

Art. 16. Apart from the officials processing personal data, access is also lawful for officials directly engaged in shaping and verifying the legality of the persons' documents – manager, chief accountant, legal advisor, as well as persons performing technical accounting operations for processing documents related to personnel remuneration – accountant, cashier. Personal data processors are obliged to provide them with access upon their request.

Art. 17. The personnel file of the person shall not be taken out of the controller's building. No official or third party has the right to access personnel files unless officially requested by judicial authorities (court, prosecutor's office, investigative bodies). Access by these bodies to the personal data of individuals is lawful.

Art. 18. (1) The consent of the person is not required if the processing of their personal data is carried out only by or under the control of a competent state authority regarding personal data related to the commission of crimes, administrative violations, and torts. Such persons are provided access to personal data, and if necessary, appropriate working conditions are provided in a room of the company. (2) Access is also lawful for auditing state bodies that have duly identified themselves with relevant documents – written orders of the respective body indicating the grounds and the names of the persons, where for the purposes of their activity it is necessary to provide them access to the personnel files.

Art. 19. (1) The Controller maintains accountability and ensures access to personal data to the persons who have provided them. The Controller communicates their decision to grant or refuse access to personal data for the respective person within 30 days of filing the application or request. (2) Data is stored and processed for a period of 50 years, in accordance with regulatory requirements in the country. Data of unapproved candidates for a specific position is destroyed immediately after the position is filled. (3) After the expiration of the legally defined periods, the required personal data is transferred to the state archive of the National Social Security Institute (NSSI), and data collected on a lapsed basis is destroyed by a specially appointed commission.

Art. 20. Upon implementation of a new software product for personal data processing, a special commission should be formed to test and verify the product's capabilities with a view to compliance with the requirements of Regulation (EU) 2016/679 and ensuring maximum protection against unauthorized access, loss, damage, or destruction.

Art. 21. For failure to fulfill obligations assigned to the respective officials under these rules and Regulation (EU) 2016/679, disciplinary penalties under the Labor Code are imposed, and when the failure to fulfill the respective obligation is established by a competent authority – the administrative penalty (fine) provided for in the Personal Data Protection Act and Regulation (EU) 2016/679. If damages to a third party have resulted from the actions of the respective official processing personal data, said party may seek liability under general civil legislation or criminal law if the act constitutes a more serious offense for which criminal liability is provided.

Art. 22. Archiving of personal data on technical carriers is performed periodically every 30 (thirty) days by the personal data processor with a view to keeping the information about the respective persons up to date. This is done on disks, access to which is limited solely to the personal data processor.

Chapter Three REGISTER "COUNTERPARTIES"

Art. 23. The register collects and stores personal data of counterparties with a view to: (1) financial and accounting activity; (2) fulfillment of regulatory requirements of the Consumer Protection Act, Accountancy Act, Commerce Act, etc.; (3) internet commerce; (4) for all activities related to the preparation of any documents and references for persons (official notes, warranty cards, etc.); (5) information and promotional campaigns of the controller – in case of explicitly given consent, according to these internal rules and the general terms and conditions of the internet store – medina-med.com; (6) for establishing contact with the person by telephone and email, for sending correspondence related to the execution of contractual processes and/or dissemination of information and promotional campaigns of the controller – in case of explicitly given consent, according to these internal rules and the general terms and conditions of the internet store – medina-med.com.

Art. 24. The register is maintained on paper and electronic carriers.

Art. 25. (1) Paper carriers of personal data are stored in folders chronologically according to sales and/or services performed. Files are arranged and stored in specially designated cabinets. (2) The special cabinets are located in a room designated for archives in the administrative building of the controller and are processed by employees holding the positions of "Data Processing Specialist" and "E-commerce Manager", who are assigned by these rules to be personal data processors. (3) Access to client files is granted only to personal data processors. The possibility of granting access to personal data to another person during processing is limited and explicitly regulated in this instruction.

Art. 26. (1) When maintaining the register on a technical carrier, personal data is entered onto a hard drive on an isolated computer. (2) The computer is connected to a local network, but access to the personal data is protected and only the personal data processors have direct access to it. Software products for data processing are used when working with the data. (3) The computers are located in workrooms of the personal data processors for the register. (4) Access to the operating system containing files for personal data processing is granted only to personal data processors via a password for opening these files; in case of legal or overriding interest, data may also be provided to the manager, chief accountant, legal advisor, as well as persons performing technical accounting operations for document processing. Protection of electronic data from unauthorized access, damage, loss, or destruction is ensured by maintaining antivirus programs, periodic archiving of data on separate hard drives, as well as by maintaining the information on paper carriers.

Art. 27. The following types of data are maintained in the register:

  1. Physical identity – names, address, telephone numbers, and contact email; exceptionally EGN (Uniform Civil Number) solely for the purpose of issuing a tax invoice, in accordance with the requirements of the Accountancy Act and the VAT Act.

Art. 28. In case of a need to correct personal data, persons shall provide such data to the official (personal data processor) upon their request based on a statutory obligation.

Art. 29. (1) The Controller maintains accountability and ensures access to personal data to the persons who have provided them. The Controller communicates their decision to grant or refuse access to personal data for the respective person within 30 days of filing the application or request. (2) Data is stored and processed for a period of 5 years, according to regulatory requirements in the country – Art. 110 et seq. of the Obligations and Contracts Act (ZZD), respectively 2 years when providing a legal warranty for products, or for the period for which consent was given; (3) After the expiration of the defined periods, collected data is destroyed by a specially appointed commission.

Chapter Four PROVISION OF PERSONAL DATA

Art. 31. (1) The Controller provides personal data in fulfillment of statutorily established obligations. (2) Personal data is provided officially after a justified request and permission from responsible employees processing personal data by filling out a control sheet indicating the person receiving the personal data and the purpose, and for data stored on an electronic carrier, through ensured software traceability.

Art. 32. Persons have the right to access their personal data, including the right to be "forgotten". To exercise this right, they submit a written application, electronically, in person or through an authorized person, to the "Data Processing Specialist", "Personnel Specialist", "E-commerce Manager", or "Accounting Department", who are assigned by the controller via these rules to be processors of personal data. Submission of the application is free of charge.

Art. 33. (1) The application contains the name of the person and other data identifying them, a description of the request, preferred form for providing access to personal data, signature, date, and correspondence address; power of attorney – when the application is submitted by an authorized person. The application is registered in the general incoming register of the controller. (2) Applications are accepted by the "Data Processing Specialist" and at the address: security@medina-med.com and tel. 042/ 600 261.

Art. 34. Access to the person's data is ensured in the form of:

  1. verbal reference;

  2. written reference;

  3. review of the data by the person themselves or a person authorized by them;

  4. provision of a copy of the requested information on electronic or paper carrier.

Art. 35. Upon submission of a request for access, the representative of the controller reviews the application for access or orders the personal data processor to ensure the access requested by the person in the form preferred by the applicant. The deadline for reviewing the application and deciding on it is 14 days from the day of submission of the request, or 30 days when more time is needed to collect the person's personal data because of difficulties in the controller's activity. The decision is communicated in writing to the applicant, personally against a signature or by mail with a return receipt, and when the request is submitted by email – to the indicated email address. When data does not exist or cannot be provided on a specific legal ground, access is refused to the applicant with a reasoned decision. The refusal to grant access may be appealed by the person before the authority and within the term indicated in the letter.

Art. 36. Access to personal data of persons contained on a technical carrier is available only to the personal data processors: "Data Processing Specialist", "Personnel Specialist", and "E-commerce Manager" with the access password.

Art. 37. Apart from the officials processing personal data, access is also lawful for officials directly engaged in shaping and verifying the legality of the persons' documents – manager, chief accountant, legal advisor, as well as persons performing technical accounting operations for document processing. Personal data processors are obliged to provide them with access upon their request, for which accountability is kept by filling out a control sheet indicating the person receiving the personal data and the purpose, and for data stored on an electronic carrier, through ensured software traceability.

Art. 38. Information about clients and counterparties shall not be taken out of the controller's building. No official or third party has the right to access client profiles and information unless officially requested by judicial authorities (court, prosecutor's office, investigative bodies, Ministry of Interior, NSSI). Access by these bodies to the personal data of individuals is lawful.

Art. 39. (1) The consent of the person is not required if the processing of their personal data is carried out only by or under the control of a competent state authority regarding personal data related to the commission of crimes, administrative violations, and torts. Such persons are provided access to personal data, and if necessary, appropriate working conditions are provided in a room of the company. (2) Access is also lawful for auditing state bodies that have duly identified themselves with relevant documents – written orders of the respective body indicating the grounds and the names of the persons, where for the purposes of their activity it is necessary to provide them access to the personnel files.

Art. 40. The Controller communicates their decision to grant or refuse access to personal data for the respective person to third parties within 30 days of filing the application or request.

Art. 41. Upon implementation of a new software product for personal data processing, a special commission should be formed to test and verify the product's capabilities with a view to compliance with the requirements of Regulation (EU) 2016/679 and ensuring maximum protection against unauthorized access, loss, damage, or destruction.

Art. 42. For failure to fulfill obligations assigned to the respective officials under these rules and Regulation (EU) 2016/679, disciplinary penalties under the Labor Code are imposed, and when the failure to fulfill the respective obligation is established by a competent authority – the administrative penalty (fine) provided for in the Personal Data Protection Act and Regulation (EU) 2016/679. If damages to a third party have resulted from the actions of the respective official processing personal data, said party may seek liability under general civil legislation or criminal law if the act constitutes a more serious offense for which criminal liability is provided.

Chapter Five VIDEO SURVEILLANCE

Art. 43. All commercial sites of the controller are under constant video surveillance. The information is stored for a period of 48 hours, after which it is automatically deleted. The received information is processed in accordance with the principles of lawfulness, expediency, and proportionality, based on the legitimate interest of the controller, pursuant to Regulation (EU) 2016/679, solely for the purpose of ensuring the security and safety of the site and preventing theft and malicious activities by third parties.

Art. 44. Information obtained from video surveillance is provided solely to law enforcement authorities – prosecutor's office, investigative bodies, and the Ministry of Interior, only in case of reasonable suspicion of a committed crime.

Art. 45. The Controller provides information and access to the collected personal data, including upon explicit request by the affected persons to be "forgotten", by contacting the official "Data Processing Specialist" at email: security@medina-med.com and tel. 042/ 600 261.

Chapter Six NOTIFICATION OF PERSONAL DATA BREACH

Art. 46. Every employee processing personal data is obliged to monitor the security of the personal data entrusted to them.

Art. 47. Upon ascertaining a breach of personal data security, the processing employee immediately notifies the manager of the company, or in their absence the deputy manager, and the "Data Processing Specialist".

Art. 48. The manager and/or deputy manager immediately form a commission consisting of the "Data Processing Specialist" at the controller, a computer specialist, and a qualified legal advisor, to take all necessary legal and factual actions to cease the breach and minimize the damages resulting from it.

Art. 49. Within 72 hours of establishing the breach, the commission appointed by the controller notifies the Commission for Personal Data Protection and prepares a written report to the manager regarding the nature and extent of the breach, as well as any damages incurred.

FINAL PROVISIONS

For the purposes of these rules:

§ 1. "Personal Data Controller" is MEDINA MED Ltd., a company registered under the laws of the Republic of Bulgaria, with registered office and management address at 6000 Stara Zagora, 8 Hrishtensko Shose Str., VAT ID No. BG123737210, UIC 123737210, represented by the company manager Eng. Ivan Nikolov Panchov.

§ 2. "Personal Data Processors" are officials from the administration of MEDINA MED Ltd., holding the following positions: (1) Deputy Managers; (2) Chief Accountant; (3) Operational Accountants; (4) "Personnel" Specialist; (5) "Information Data Processing" Specialist; (6) "Sales" Managers, incl. "Internet Sales"; (7) Managers of stores and service centers; (8) Head of workshops.

§ 3. Control over the implementation of these internal rules is assigned to the Deputy Manager for Commercial Affairs and the "Information Data Processing" Specialist.

§ 4. These rules are issued on the basis of Regulation (EU) 2016/679 and an Audit Report dated 15.05.2018 regarding an inspection of compliance with personal data protection rules and an impact assessment of Regulation (EU) 2016/679 on the activity of "MEDINA MED" Ltd.

§ 5. The Rules were adopted by a decision of the company manager on 25.05.2018 and enter into force on the date of their adoption.

§ 6. Amendments and supplements to these rules are made by the manager of the company.

§ 7. A copy of the Rules is available to employees and clients in the administrative building of the company and in the remote service centers.

§ 8. A copy of the Rules shall be published on the company's website.

These Internal Rules are in force as of 25.05.2018.