Data Protection Policy

Open Society Institute-Sofia Foundation (OSI-Sofia) is a non-profit legal entity, carrying out public benefit activities, entered in the Commercial Register and the Register of NPLE at the Registry Agency with Company ID Code 831524005 and registered address: 56, Solunska St, Sofia 831524005, tel.: +359 2/9306650, еmail:, website:

OSI-Sofia has the following objectives: democratization of public life in Bulgaria; extension and guaranteeing of civil freedoms; strengthening of civil sector institutions; European integration and regional cooperation of Bulgaria. To achieve its objectives the Institute is developing programmes and carrying out activities, using its property to develop and establish spiritual values, civil society, health care, education and culture, and supports: the development of public debate and policies on important issues for Bulgaria; the integration of Bulgaria into united Europe; civil initiatives; the stabilization of civil society institutions.

OSI-Sofia is data controller within the meaning of the Personal Data Protection Act (PDPA) entered in the public Register of Data Controllers with ID No. 90260.

  1. I. Objectives and scope of the Data Protection Policy
  2. By this Data Protection Policy OSI-Sofia respects the integrity of the person and takes the necessary measures against the unauthorized processing of personal data of individuals. In compliance with the current European and national legislation and the good practices, OSI-Sofia implements the required organizational and technical measures for personal data protection.
  3. By this Data Protection Policy OSI-Sofia aims to inform the interested parties about the purposes of data processing, the grounds for their processing, the categories of recipients the data could be disclosed to, the consequences of refusing to provide them, as well as information about the right to access, correcting, deleting and objection as per Regulation (EU) 2016/679 and the Personal Data Protection Act (PDPA).
  4. II. Personal data processed at OSI-Sofia
  5. OSI-Sofia, in its capacity as data controller, processes personal data structured in separate registers declared in the public Register of Data Controllers.
  6. OSI-Sofia processes personal data provided personally by the subjects they refer to in connection with the fulfillment of a statutory obligation imposed on the controller.
  7. OSI-Sofia processes personal data provided personally by the data subjects if the data subject has agreed to their personal data being processed for one or more specific purposes when the processing is required by a contract or for the purposes of the legitimate interests of the controller.
  8. OSI-Sofia processes personal data which are not provided personally by the subjects they refer to, but by a third person in connection with the fulfillment of a specific contractual obligation related to the implementation and management of programmes and projects for awarding grants or activities for the fulfillment of other contractual obligations. In this cases the person providing the data to OSI-Sofia shall:
  9. provide the data subject with information about the controller – OSI-Sofia;
  10. inform the  data subject about the purposes, the categories of data provided and the categories of data recipients;
  11. provide information about the right to access and correct the personal data of the person they refer to.
  12. (1) OSI-Sofia processes the following categories of personal data, differentiated by specific activity or statutory requirement. Such data are related to:
  13. physical identity: name, personal number, ID data, place of birth, address, telephone, e-mail;
  14. social identity: education, qualification, professional competence, position, work experience – period and CV, nationality, participation in the management bodies of legal entities;
  15. economic identity  – bank account number (IBAN);
  16. data revealing affiliation to a vulnerable group, ethnic affiliation.

(2) To fulfill its statutory obligations OSI-Sofia collects data about the physical and the economic identity.

(3) The following categories of personal data may also be collected, within any of the surveys carried out by OSI-Sofia, regarding:

  1. family identity of the individuals: actual family status – marriage, divorce, cohabitation, widowhood as declared by the individual; household members  – number of household members, including children under 18; in some surveys – relatives in the household as declared by the individual;
  2. education of the individuals: degree and type of education, year of graduation, current educational status (if the individual studies at the moment) as declared by the individual;
  3. employment and economic situation: employment status – employed, retired, unemployed, on maternity leave – as declared by the individual; profession and employment sector as declared by the individual; average monthly gross/net remuneration as declared by the individual; property status and living conditions as declared by the individual; health insurance – as declared by the individual;
  4. individual’s health status: health status – as declared by the individual; any chronic diseases – as declared by the individual;
  5. data related to the social and cultural identity of the individual: ethnic identity – as declared by the individual; religious affiliation – as declared by the individual; support for political parties and leaders– as declared by the individual; reproductive and sexual attitudes – as declared by the individual.

(4) In the cases as per para 3 only contact information may be kept on data storage devices. The survey data are stored on devices and processed for statistical purposes in pseudonymized form only.

(5) Within a contractual obligation regarding project/programme funding and with the explicit consent of the individual, information related to their eligibility may be required (education, vulnerable group affiliation, ethnic affiliation).

III. Personal data processing

  1. In its capacity as data controller OSI-Sofia processes personal data through a combination of actions that may be carried out in respect to personal data with automatic or non-automatic means, such as collecting, recording, organizing, storing, adapting or modifying, consulting, using, blocking, deleting or destroying, in compliance with the following principles:
  2. legality of the data processing;
  3. proportionality of  the data processing;
  4. processing of up-to-date data.
  5. OSI-Sofia processes personal data independently or by assignment to data processors, defining the purposes and obligations assigned by the controller to the data processor, if there are legal grounds as per PDPA. Processors on behalf of OSI-Sofia may be its employees whose rights and obligations regarding the processing of personal data of individuals are duly regulated by the Internal Rules of OSI-Sofia.
  6. IV. Data processing purpose
  7. Personal data are processed in order to unequivocally identify the individuals, current and future employees of OSI-Sofia, contractors, grant beneficiaries, survey participants, persons invited to and participating in events related to the activities carried out by OSI-Sofia. Data processing results from:
  8. the fulfillment of statutory obligations of data controllers arising from the specific requirements of the legislation regulating the activities regarding accounting, pension, health and social security, and human resources management;
  9. the execution of a contract to which the data subject is a party or for taking measures at the request of the data subject before signing the contract;
  10. activities performed by OSI-Sofia – for one or more specific purposes with the consent of the data subject; for the purposes of the legitimate interests of the controller or of a third party with the consent of the data subject.
  11. V. Consequences of refusing to provide personal data
  12. No explicit consent of individuals whose data are processed is necessary if the controller has legal grounds to process personal data. Such grounds may be a statutory obligation regarding the requirements of the labor, tax and social security legislation, the Obligations and Contracts Act, the Accountancy Act, the Measures against Money Laundering Act, the Measures against the Financing of Terrorism Act, etc.
  13. In case of refusal to voluntarily provide the requested personal data, OSI-Sofia will not be able to fulfill its statutory and contractual obligations, including to provide a free service or funding to the subject refusing to give their personal data, a beneficiary under a project carried out by OSI-Sofia or under a project financed by a fund or a grant programme managed by OSI-Sofia.
  14. VI. Disclosure of personal data
  15. OSI-Sofia as a data controller has the right to disclose the personal data processed to the following categories of persons only:
  16. individuals to whom the data refer;
  17. persons having a legitimate right to access them;
  18. persons having a contractual right to access them.

VII. Rights of data subjects

  1. Individuals whose personal data are processed have the following rights:
  2. Right to information regarding the data identifying the controller, the purposes of data processing, the recipients or categories of recipients to whom the data may be disclosed,  the compulsory or voluntary nature of personal data provision and the consequences of refusing to provide them.
  3. Right to access to data referring to individuals. If, when granting the data subject the right to access, personal data of any third person may be disclosed, the controller shall provide a partial access to them, without disclosing any data about the third person.
  4. Right to correct or supplement incorrect or incomplete personal data.
  5. Right to delete personal data whose processing does not meet the regulatory requirements or has no valid legal grounds any more (expired storage term, withdrawn consent, achieved initial purpose for which the data had been collected, etc.), as well as the right to request a notification of any third persons to whom the personal data have been disclosed about any deletion, correction or blocking performed, except when this is not possible or is related to exorbitant efforts.
  6. The right to object to the controller’s processing and/or disclosing of the personal data of the subject if there are legal grounds for that. The rights to be informed before their personal data are disclosed to any third persons if there are legal grounds for that.
  7. The right to defense before the Commission for Personal Data Protection or at court.

VIII. Procedure for exercising rights

  1. (1) Individuals shall exercise their rights by filing a written request to OSI-Sofia (on hard copy or via e-mail) containing at least the following information:
  2. Name, address and other data identifying the respective individual;
  3. Description of the request;
  4. Preferred form in which the information should be provided;
  5. Signature, date of filing of the request and contact address.

(2) The whole procedure for exercising the rights of the individual regarding their personal data is free of charge for the individual.

(3) To avoid any abuse, when filing requests, authorized persons shall also provide a power of attorney attested by a notary.

  1. The controller shall consider the request within 14 days as of the day of its application, and when more time is needed to collect the required data with a view to the complexity of the request – within 30 days respectively.
  2. OSI-Sofia shall prepare a written reply and give it to the applicant personally – for a signature or by mail/courier with acknowledgement of receipt, in the form preferred by the applicant.
  3. If the data, subject of the request, do not exist or their provision is prohibited by law, the applicant shall be refused access to them.
  4. In case OSI-Sofia fails to reply to the applicant within the specified terms or the applicant is not satisfied by the reply and/or considers their rights regarding personal data protection violated, the applicant is entitled to exercise their right to defense before the competent authorities.
  5. IX. Terms and definitions
  6. Within the meaning of this Policy:
  7. Personal Data means any information pertaining to an identified individual or an individual who is directly or indirectly identifiable, particularly by an identifier such as name, identification number or by one or more specific features.
  8. Data Processing means any operation or a combination of operations performed with personal data or a set of personal data by automatic or other means such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing by transfer, distribution or otherwise, whereby the data become accessible, arranging or combining, restricting, deleting or destroying.
  9. Data Controller is OSI-Sofia, processing personal data individually or jointly/by assignment to a third person.
  10. Personal Data Register is any structured aggregation of personal data accessible by certain criteria as per the Internal Rules of OSI-Sofia, which may be centralized or decentralized and is distributed on a functional principle.

This Data Protection Policy of Open Society Institute-Sofia Foundation is approved by Order of the Executive Director of May 21, 2018 and entered into force on the same date.