James Meads Media & Consulting Ltd.

DATA PROTECTION POLICY

This Data Protection Policy (“the Policy” or “this Policy”) sets out the principles of personal data protection and their specific manifestation in James Meads Media & Consulting Ltd. (hereinafter referred to as the “Company”) detailing the obligations of the latter concerning the processing of personal data.

The Company acts as a data controller regarding the personal data of its contractors, business partners, advertisers, sponsors, clients, and visitors of the Company’s Digital assets.

This Policy also settles the processing of personal data for the purposes of direct marketing and the legal relationship between the Company and its business partners if it requires access to personal data.

This Policy also regulates the guarantees and measures undertaken by the data controller to prevent the data from being used in a non-transparent manner.

Section I – Definitions

“Digital assets” – the websites www.jamesmeadsconsulting.com, www.procurementsoftware.site and all landing pages maintained by the Company;

“Personal data” – this is any information that relates to a natural person and which, alone or in combination with other information, may lead to his identification or identifies him;

“Personal data subject” – a natural living person who is or can be identified by the processed Personal data;

“Processing of personal data” – this is any action that is performed or can be performed with personal data, including, but not limited to its collection, analysis, or destruction;

“Personal data controller” – a person who alone or jointly with others determines the purposes and means for the processing of personal data. For example, the Company is a controller regarding the personal data of its contractors and clients because it determines the purpose of the processing of personal data, as well as the means for performing the processing (e.g., the technical infrastructure and applications with which the processing is carried out);

“Processor of personal data” – is a person who processes personal data on behalf of the controller. In this case, the controller strictly determines the purpose and means of processing.

“Personal data breach” – means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to personal data which are transmitted, stored, or otherwise processed.

Section II – Information about the controller

2.1. Information about the controller

James Meads Media & Consulting Ltd., UIC 206056463, is a limited liability company duly registered in the Republic of Bulgaria.

The seat and management address of the Company is situated in Bulgaria, Sofia 1421, Lozenets region, 2 Razvigor str., fl. 5, ap. 20.

The sole owner of the Company’s capital is Mr James Meads.

2.2. Digital assets owned by the Personal data controller

The Company owns the following Digital assets:

2.2.1. The website https://procurementsoftware.site/

On its website, the Company presents to the advertisers an opportunity to promote their own software products and services on the Digital assets which are owned and operated by James Meads Media & Consulting Ltd. The Company also connects its customers with its business partners whose products would be of interest and benefit to them.

2.2.2. The website https://jamesmeadsconsulting.com/

On its website, the Company offers digital procurement consulting and other “as-a-service” options, as well as a list of verified Software Solution Partners.

Section III – Purposes of this Policy: Types of personal data and principles of the processing

1. Purposes of the Policy

The purpose of the Policy is to demonstrate the Company’s commitment to protecting personal data and creating preconditions for lawful processing of such data. As a Personal data controller, James Meads Media & Consulting Ltd. makes every effort to protect the privacy and ensure the security of the Personal data of its contractors, business partners and advertisers, clients and Digital assets visitors. The Personal data that the Company collects and processes should not exceed the amount necessary to carry out the processing inherent to its activities and should in no way affect the rights, freedoms, and legitimate interests of the data subjects. The processing period should not be longer than necessary to achieve the legitimate business purposes for which the personal data is processed and should not exceed the requirements of the applicable legislation.

2. Types of personal data, processed by the Company

a) According to the data subject:

  • Business partners;
  • Contractors/ representatives of contractors;
  • Advertisers and Sponsors;
  • Clients;
  • Website visitors.

b) According to the Personal data source:

  • Directly from the Personal data subject – name, contact details (e-mail, social media handle);
  • From the legal representatives of the business partner, advertiser or contractor – identification data and data for correspondence in connection with establishing a contractual relationship;
  • From state authorities and enforcement bodies (such as tax authorities and bailiffs) – depending on the specific circumstances;
  • From persons and organisations other than the Company – through cookies and website analytics, online surveys and through registration for webinars and other virtual events, organised by the Company.

3. Legal ground for data processing

a) Signing and execution of a contract

In relation to concluding a contract between the Company and the data subject, the Company collects a certain required minimum of personal data, without which the contract cannot be performed. For example, the Company needs data to identify the company that wants to place an advertisement on any of its Digital assets.

b) Legal requirement

The Company has legal obligations to process personal data in order to comply with the requirements of consumer, tax and other applicable legislation.

c) Consent

This legal basis is most often used to send marketing information to data subjects by the Company or its business partners, advertisers or sponsors. The Company stores information on each received and withdrawn consent.

d) Legitimate interest

The Company processes data of data subjects to achieve its internal administrative objectives, including minimizing risk associated with its activities and optimising internal processes.

4. Security principles and personal data protection

When the Company acts as a controller, it has an obligation to report under Art. 5 (2) GDPR. In fulfilment of this obligation, James Meads Media & Consulting Ltd. declares that the processing of personal data follows the following principles:

a) Fair, lawful and transparent processing

The Company determines in advance the purpose and grounds within the meaning of Article 6 of the GDPR of each type of personal data processing, which it performs and communicates in a timely manner in compliance with the information rights under Articles 13 and 14 of the GDPR.

Data subjects receive clear, detailed, and specific information on the basic principles and legal framework for processing their personal data in an accessible language and in an appropriate format.

For visitors on the Company’s Digital assets – through the Privacy Policies, available on the websites.

Personal data should be collected for specific, explicit, and legitimate purposes and should not be further processed in a way incompatible with those purposes.

b) Principle of limitation of purposes

Immediately before the start of the processing of personal data or at the earliest opportunity – when personal data is received by a third party and it has not notified the subject, the latter is notified (if disproportionate effort is not required) of the purpose for which his data will be processed (Article 14 of GDPR).

c) Principle of minimizing data

The Company processes the minimum amount of data that it needs to implement its obligations under a contract with an advertiser, sponsor, contractor, or other processing purposes that are communicated to the data subject.
 
d) Principle of data accuracy

The personal data that the Company processes is accurate and kept up to date. James Meads Media & Consulting Ltd. shall take all reasonable steps to ensure the timely erasure or correction of inaccurate personal data, considering the purposes for which it is processed.

e) Principle of storage restriction

The Company strictly monitors the destruction of personal data after the expiration of the deadlines for its processing – in digital form and, when applicable, on paper. The personal data collected by the Company on the basis of consent shall be stored for a period of 1 year from the last interaction between the Company and the data subject, unless a longer period is established by law for their storage.

f) Principle of integrity and confidentiality of personal data

Personal data shall be processed (including stored and destroyed) in a way that ensures an appropriate level of security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures.

g) Principle of accountability

The Company monitors the proper implementation of personal data legislation and compliance with reporting obligations, including, but not limited to, control over the Personal data processors used, balance tests, taking timely measures, including notification and/or escalation of breaches of security, protection and confidentiality of personal data, and others.

Section IV – Security and protection of personal data

1. Access to personal data by authorized third parties and the legal framework for relations between the Company and third parties

James Meads Media & Consulting Ltd. maintains clear and up-to-date reporting of third parties – recipients of personal data, such as business partners, advertisers, sponsors and contractors. As a rule, access to personal data processed by the Company shall not be granted to third parties, except in one of the following cases:

a) Where there is a legal obligation for the Company to provide such data;
b) When the Company has identified a legitimate interest (its own or a third party’s) in providing personal data processed by it to third parties, has passed a positive test of the necessity and balance of processing and has decided to apply adequate safeguards to limit the impact on the rights, freedoms and legitimate interests of the data subjects, which is reviewed in the event of any significant change in the test output;
c) With the informed and freely given consent (if this is the reason for processing) of the data subject, without any negative consequences for him. When the data is special category data within the meaning of Art. 9 or 10 of the GDPR, or in the case of a transfer of data to third countries (outside the EU) in the absence of any other reason for the transfer within the meaning of Chapter V of the GDPR, the consent must be explicit;
d) Under concluded contracts for personal data processing with third parties, meeting the requirements of Art. 28 of the GDPR;
e) Within the framework of an agreement for joint controllers under Art. 26 of the GDPR (if any);
f) In the framework of a specific investigation by a public authority based on a reasoned written request, which concerns only individual cases and does not apply to the entire personal data register and does not lead to the linking of personal data registers. Except where the public authority has expressly and legitimately requested otherwise, the data provided shall be filtered so as not to prejudice the rights and legitimate interests of third parties who are not the subject of the investigation. In the cases under the previous sentence, the public authority shall not be considered the recipient of the data, information about which should be disclosed in compliance with the information rights of the data subjects;
g) By virtue of a court decision or a decision of an administrative body of a third country, if the act is based on an international agreement containing provisions on mutual legal assistance to which the European Union/ Bulgaria and that third country are parties.
 

2. Identification, escalation, and notification of breaches of the integrity, confidentiality, or accessibility of personal data

a) Definition of a breach

Endangering the security of the processing of personal data processed by the Company may adversely affect the reputation or financial situation of data subjects, impede their access to services or damage their privacy; as an additional effect, the breach may also lead to non-compliance with applicable law.

Breaches of personal data security are a type of information security breaches and are divided into 3 main types:

  • Breaches of confidentiality – in connection with unauthorized or accidental disclosure or access to personal data;
  • Accessibility breaches – when accidental or unauthorized loss or access to / destruction of personal data occurs;
  • Breaches of integrity – in case of accidental or unauthorized alteration of personal data.

Some breaches may fulfil two or three of the conditions described above simultaneously.

For the purposes of this Policy, the breach of personal data includes both confirmed and suspected incidents.

Some non-exhaustive types of breaches listed under this section may be:

  • Providing personal data to a person who is not entitled to receive them under this policy or Bulgarian law;
  • Loss of paper documents;
  • Infiltration of the archive, flooding of the archive, fire;
  • Non-compliance with the deadlines for archiving and destruction of personal data;
  • Hacker attack against the cloud space where the Company’s electronic documents are stored.

b) Early notification for breaches

The Company shall take all reasonable steps to unify the practice of reporting breaches of personal data processing contracts in which it acts as a controller and shall clarify, as appropriate, the definition and criteria for identifying such breaches; processors, if there are such, should, in turn, take care to acquaint other processors they have hired with the Company’s written consent.

c) Risk assessment

As soon as a report of a possible breach of security and protection of personal data is received, the Company assesses which breaches should be addressed together with increased vigilance and, if necessary, external experts (IT and legal specialists):

  • the categories of personal data it affects;
  • the absence or presence of encryption and other relevant circumstances that minimize the risk of breach and – therefore – eliminate the need to notify data subjects;
  • a recommendation, based on the degree of risk identified, on whether to notify the Bulgarian Data Protection Commission and/ or other supervisory authority;
  • a proposal to take specific follow-up measures to further limit the risk of breach.

High risk for the purposes of the assessment exists when the breach is likely to cause physical, material, or non-material damage to the subjects whose security/ data protection is compromised. Examples of such damage are discrimination, identity theft, fraud, financial loss or damage to the reputation of data subjects. Where the infringement includes personal data relating to race or ethnic origin, health, sexual orientation, convictions or criminal prosecution, coercive measures imposed in this regard, the occurrence of physical, material, or non-material damage is presumed.

d) Decision to notify a breach of personal data protection and security

Based on the analysis of the previous point, the Company prepares an opinion on the assessment of the possible risk of the violation and its consequences, including protective measures that may mitigate its effect, and assesses whether:

  • to notify the Commission about the violation; and
  • to inform the affected data subjects when there is a high risk according to the previous point.

Section V – Rights of the subjects of personal data

1. Right to information

According to the applicable legislation in the field of personal data, the personal data subject has the rights below, and the Company undertakes to respond to each of the requests within 1 month of receiving the request and free of charge. In the event of any difficulties in the timely execution of such requests, the deadline for execution may be extended by another 2 months, of which the data subject will be notified within 1 month of receipt of the request.

2. Right of access

The personal data subject can request information about what personal data the Company processes and whether personal data is being processed. The subject can request access to his data.

The Company will provide the data subject with a statement of the personal data that is being processed. For additional statements, the Company may charge a reasonable fee based on administrative costs. When a request is being submitted by electronic means, the Company will, if possible, provide the information in a widely used electronic form, unless the data subject has requested otherwise.

3. Right to adjustments

If the Company processes incomplete or incorrect personal data for the personal data subject, the subject can request their correction or supplementation at any time.

4. Right to delete

The personal data subject can request the deletion of his personal data in the following cases:

  • personal data are no longer needed for the purposes for which they were collected or otherwise processed;
  • the subject withdraws his consent on which the data processing is based and there is no other legal basis for the processing;
  • the subject believes that personal data has been processed illegally.

There may be other reasons that prevent the immediate deletion of data, such as statutory storage obligations, pending proceedings, establishment, exercise, or protection of lawsuits, and more.

5. Right to limit processing

The personal data subject has the right to request a restriction on processing if:

  • The subject disputes the accuracy of personal data for a period that allows the Company to verify the accuracy of personal data;
  • the processing is illegal, but the subject does not want the personal data to be deleted, but instead requires restricting their use;
  • The Company no longer needs personal data for the purposes of the processing, but the subject requires the Company to establish, exercise or defend legal claims;
  • The subject has objected to the data processing pending verification of whether the legal grounds of the Data Processing Company take precedence over his interests.

If a processing restriction is requested, the Company will inform the personal data subject before the processing restriction is lifted.

6. Right to data portability

The personal data subject can ask the Company to provide him with the personal data the Company processes for him in a format that can be easily read by a computer and transferred to another administrator. This only applies when:

  • the processing of specific data is based on the data subject’s consent or in connection with the conclusion and implementation of a contract; and
  • processing is performed in an automated manner.

7. Right to object

The personal data subject has the right, at any time and on grounds relating to his specific situation, to object to the processing of his personal data based on legitimate interest – the grounds are listed above, including profiling based on this basis.

8. Right to file a complaint

If the Personal data subject believes that the Company has violated applicable data protection laws in the processing of his data and, as a result, has violated his rights, the subject can contact the Company at the following:

Email address: info@jamesmeadsconsulting.com

The data subject also has the right to complain to the Data Protection Commission.

Section VI – Data processing registers

The Company maintains registers of processing activities under Art. 30 of the GDPR according to whether it processes personal data as a controller or as a processor.

This Policy was approved by the Director of James Meads Media & Consulting Ltd.

Date: March 2022

James Meads, Director