GDPR Privacy Policy of Law Office „MANCHEVA“
This internal policy sets out the rules for confidentiality and the protection of personal data of natural persons processed by Law Office „MANCHEVA“ (hereinafter: the „Law Office“). The Law Office is owned and managed by attorney Stefani Ivanova Mancheva, registered with the Sofia Bar Association under No. 1900821810, with office address: Bulgaria, Sofia, 4 „Paster Svyat“ Street, e-mail: mancheva.attorney@gmail.com, tel.: +3594 553375.
I. Goals and Scope of the Policy
Art. 1. This Policy governs the principles, rules and measures applied by the Law Office for ensuring confidentiality and lawful processing of personal data of natural persons in the course of its professional activity.
Art. 2. The Law Office protects the inviolability of personality and the right to protection of personal data of natural persons whose data it processes, including clients, counterparties, employees, job applicants and other data subjects.
Art. 3. In accordance with applicable international, European and national legislation, including Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR), and in line with good professional practice, the Law Office applies appropriate technical and organisational measures for protection against unlawful collection, processing and storage of personal data.
II. Definitions
Art. 3a. For the purposes of this Policy, the terms used have the meanings defined in Regulation (EU) 2016/679, including but not limited to:
- „Personal data“ means any information relating to an identified or identifiable natural person („data subject“); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- „Processing of personal data“ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- „Personal data register“ means any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
- „Data controller“ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this Policy, the data controller is Law Office „MANCHEVA“.
- „Data processor“ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- „Genetic data“ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
- „Biometric data“ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
- „Special categories of personal data“ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
- „Consent of the data subject“ means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
III. Personal Data Collected, Processed and Stored by Law Office „MANCHEVA“
Art. 4. The Law Office acts as a controller and, where applicable, as a processor of personal data. Personal data are structured and maintained in the following internal registers:
- Register of Counterparties („Counterparties Register“);
- Register of Employees („Employees Register“);
- Register for Video Surveillance („Video Surveillance Register“);
- Register of Incoming Requests from Data Subjects („Register of Incoming Requests from Data Subjects“).
Art. 4(2). The Law Office processes personal data provided by natural persons in connection with the provision of legal and related services, on the basis of their freely given, specific, informed and unambiguous consent and/or for the purposes of preparing, concluding, performing or terminating contracts with such persons.
Art. 4(3). The Law Office may also process personal data that have not been obtained directly from the data subject, but have been provided by a third party authorised to do so in connection with a specific service, mandate or legal representation.
IV. Processing of Personal Data
Art. 6. The Law Office processes personal data by performing one or more of the following actions: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, updating, restriction, blocking, erasure or destruction.
Art. 7. The processing of personal data is carried out in strict compliance with the principles laid down in Regulation (EU) 2016/679, including:
- Lawfulness, fairness and transparency – personal data are processed lawfully, fairly and in a transparent manner in relation to the data subject;
- Purpose limitation – personal data are collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Data minimisation (proportionality) – personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accuracy – personal data are accurate and, where necessary, kept up to date; every reasonable step is taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Storage limitation – personal data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, unless a longer period is required by law;
- Integrity and confidentiality – personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
- Accountability – the Law Office is responsible for, and must be able to demonstrate compliance with, the above principles.
V. Purpose of Processing Personal Data
Art. 8. The purposes for which the Law Office collects and processes personal data include in particular:
- fulfilment of legal obligations laid down in applicable legislation and in acts of competent state bodies;
- fulfilment of contractual and pre-contractual obligations of the Law Office as controller arising from the specific nature of its professional activity as a law office, including the provision of legal assistance, representation and protection of the rights and legitimate interests of clients;
- administration of contractual relations with counterparties and suppliers;
- human resources and payroll management, including conclusion, performance and termination of employment and civil contracts;
- ensuring the security of the premises, property and information, including through video surveillance under the conditions of this Policy and the law;
- responding to requests from data subjects and ensuring the exercise of their rights under the GDPR;
- other purposes directly related to those listed above, insofar as they are compatible and lawful.
VI. Consequences of Refusal to Provide Personal Data
Art. 11. The provision of personal data by the data subject may be necessary for the conclusion or performance of a contract, for the fulfilment of a legal obligation of the Law Office, or may be based on consent.
Art. 11(1). Where the processing of personal data is based on consent, the data subject has the right at any time to:
- request restriction of processing;
- object to processing;
- exercise the right „to be forgotten“ (right to erasure);
- request access to his or her personal data;
- request rectification or restriction of processing of personal data.
Art. 11(2). In cases where the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, refusal to provide such data may result in the impossibility of the Law Office providing the requested services, entering into or performing the respective contract, or fulfilling its legal obligations.
VII. Retention Period for Personal Data
Art. 13. The Law Office stores personal data for periods not longer than necessary for the purposes for which the data are processed, unless a longer retention period is required by applicable legislation. The basic retention periods are as follows:
- Payroll records, employment contracts, orders and notices for their amendment and termination and related documents: 50 (fifty) years, in accordance with applicable labour and social security legislation;
- Contracts with counterparties and related documentation: 11 (eleven) years, or at least for the minimum statutory period for financial and tax audits applicable to the respective contractual period, whichever is longer;
- Video surveillance recordings: up to 30 (thirty) calendar days from the date of recording, unless a longer retention period is necessary in connection with an ongoing inspection, dispute or investigation by a competent authority;
- All other personal data: 3 (three) years, unless a different period is provided for by law or is necessary for the protection of legal claims of the Law Office.
VIII. Disclosure of Personal Data
Art. 14. The Law Office may disclose personal data processed by it only to the following categories of recipients, and only to the extent necessary for the respective purposes and on a lawful basis:
- the natural persons to whom the data relate (data subjects) or their duly authorised representatives;
- persons, authorities and institutions to whom access is provided by virtue of a normative act or an international treaty ratified, promulgated and in force for the Republic of Bulgaria, including courts, investigative and law enforcement authorities, tax and supervisory authorities and other competent bodies;
- persons, including processors, for whom the right to receive the data arises by virtue of a contract with the Law Office or directly from the law, where this is necessary for the fulfilment of the purposes of processing and subject to compliance with confidentiality and data protection obligations.
IX. Rights of Natural Persons (Data Subjects)
Art. 15. Natural persons whose personal data are processed by the Law Office have the rights provided for in Regulation (EU) 2016/679 and applicable national law, including but not limited to:
- Right to information – to be informed about the identity and contact details of the controller, the purposes and legal grounds for processing, the categories of data, the recipients or categories of recipients of the data, the retention period, the rights of the data subject, including the right to lodge a complaint, and other information required by law;
- Right of access – to obtain confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and to information in accordance with Art. 15 GDPR;
- Right to rectification – to request the rectification of inaccurate personal data concerning him or her and to have incomplete personal data completed;
- Right to erasure („right to be forgotten“) – to request erasure of personal data concerning him or her under the conditions of Art. 17 GDPR;
- Right to restriction of processing – to request restriction of processing of personal data in the cases provided for in Art. 18 GDPR;
- Right to object – to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on the legitimate interests of the Law Office, including profiling; in such a case the Law Office shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing;
- Right to be informed in advance – to be informed before personal data are disclosed for the first time to third parties or used for the purposes of direct marketing, and to have the right to object to such processing;
- Right to data portability – where applicable, to receive the personal data concerning him or her, which he or she has provided to the Law Office, in a structured, commonly used and machine-readable format and to transmit those data to another controller;
- Right to lodge a complaint and to effective protection – to lodge a complaint and seek protection before the Commission for Personal Data Protection, the European Data Protection Board (through the competent national authority), as well as before the competent courts, when he or she considers that his or her rights related to the protection of personal data have been violated.
X. Procedure for Exercising Rights Before the Controller/Processor
Art. 16. Data subjects exercise their rights before the Law Office by submitting a written application in paper form or by electronic means, containing at least the following information:
- name of the person (and, where applicable, of his or her representative);
- correspondence address and, where applicable, other contact details for reply;
- a description of the request, specifying the right being exercised and the personal data to which it relates;
- preferred form of receiving the information (on paper or electronically), where possible and appropriate;
- date and signature (for applications on paper) or electronic signature/other method of identification, where required by law.
Art. 17. The Law Office may request additional information necessary to confirm the identity of the data subject or his or her representative where there are reasonable doubts in this regard.
Art. 18. The submission of applications for the exercise of rights is, as a rule, free of charge. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the Law Office may charge a reasonable fee or refuse to act on the request, in accordance with Art. 12(5) GDPR.
Art. 19. The Law Office shall examine and respond to the application without undue delay and in any event within 14 (fourteen) days from its receipt. Where, due to the complexity and number of the requests, the Law Office cannot respond within this period, the time limit may be extended up to 30 (thirty) days, of which the applicant shall be duly informed.
XI. Access Control and Incident Response
Art. 22. Access to the personal data registers maintained by the Law Office is granted only to employees and collaborators for whom this is necessary in view of their job duties and the nature of the services provided, including accounting and administrative services. Access is granted on the basis of the „need-to-know“ principle.
Art. 23. All employees, collaborators and persons working under a contractual relationship with the Law Office are obliged to be familiar with the provisions of the GDPR, with this Policy and with the internal rules for information security, and to comply with them strictly.
Art. 24. Persons who have access to personal data are obliged to maintain full confidentiality regarding such data and may not use or disclose them to third parties except as provided for by law or by this Policy and only to the extent necessary for the performance of their duties.
Art. 25. The Law Office shall take appropriate measures for responding to personal data breaches, including identifying, containing, reporting and remedying incidents, as well as notifying the competent supervisory authority and the affected data subjects in the cases and under the conditions laid down in Regulation (EU) 2016/679.
XII. Final Provisions
§1. This Policy was last updated on 08.05.2026 and shall apply from that date until it is amended or replaced by a subsequent version.
§2. The following annexes constitute an integral part of this Policy:
- Annex No. 1 – Declaration of Consent for the Processing of Personal Data;
- Annex No. 4 – Application for Restriction of Processing / Objection to Processing / Erasure (Right to be Forgotten);
- Annex No. 5 – Application for Provision of Personal Data (Access, Copy, Portability).