Email: office@community.patrol.support

Data Protection Policy
1. Introduction
National Crime Prevention Service (NCPS), registered in the Commercial Register of the Republic of Bulgaria under (NCPS Ltd) Bulstat / UIC: 208390351.
2. Purpose
This policy outlines our responsibility to protect personal data, ensure transparency and maintain high standards of data integrity and lawful processing within Bulgaria and the EU.
This policy serves to:
- Ensure all personal data is processed lawfully, fairly and transparently, in line with Bulgarian and EU law
- Define clear practices for data collection, storage, use and destruction
- Outline responsibilities for employees, contractors and partners in complying with GDPR and Bulgarian ZZLD
- Mitigate risks relating to privacy breaches, unlawful processing or non-compliance
3. Scope
This policy applies to all NCPS employees, consultants, contractors, sub-processors and third parties who process personal data under NCPS control. It includes data stored or handled electronically, on paper or in hybrid systems.
4. Data Protection Principles
NCPS adheres strictly to the GDPR and ZZLD principles of data processing:
4.1 Lawfulness, Fairness and Transparency
All data is processed on a lawful ground (e.g. consent, contract, legal obligation) and with clear communication to the data subject.
4.2 Purpose Limitation
Data is collected only for specific, legitimate purposes and not reused in ways incompatible with those purposes without a lawful basis.
4.3 Data Minimisation
Only the minimum necessary personal data is collected and used.
4.4 Accuracy
Reasonable steps are taken to ensure that data is accurate and up to date.
4.5 Storage Limitation
Data is retained only for as long as necessary, consistent with retention schedules under Bulgarian and EU law.
4.6 Integrity and Confidentiality
Appropriate technical and organisational measures are in place to prevent unauthorised access, loss or alteration of personal data.
4.7 Accountability
NCPS can demonstrate full compliance through records, audits, staff training and documentation procedures.
5. Rights of Data Subjects
Under Articles 12–23 of the GDPR and Articles 13–18 of the Bulgarian ZZLD, data subjects have the right to:
5.1 Access
Request a copy of their personal data held by NCPS.
5.2 Rectification
Request corrections to inaccurate or incomplete data.
5.3 Erasure (“Right to be Forgotten”)
Request deletion of their data when legally permitted.
5.4 Restriction of Processing
Request that processing be temporarily or permanently limited under certain conditions.
5.5 Data Portability
Receive their data in a structured, machine-readable format or request transfer to another controller.
5.6 Objection
Object to data processing, particularly where it is based on legitimate interest or automated profiling.
All such requests must be addressed by NCPS within one month, as required under GDPR and Bulgarian law.
6. Data Security
6.1 Technical and Organisational Measures
NCPS uses encryption, access controls, secure storage and IT safeguards in line with CPDP guidance.
6.2 Third-Party Data Processors
Any third party used by NCPS must sign a data processing agreement and demonstrate adequate security and legal compliance.
6.3 Breach Notification
Any personal data breach must be reported to the Data Protection Officer and, if required, to the CPDP within 72 hours. Affected individuals will be informed in accordance with GDPR Article 34.
7. International Transfers
Transfers of personal data outside the European Economic Area (EEA) will only occur:
- With adequate safeguards (e.g. Standard Contractual Clauses approved by the EU Commission)
- Based on a legal adequacy decision
- Or with explicit consent from the data subject
Transfers from Bulgaria are subject to supervision by the CPDP.
8. Training and Awareness
All NCPS staff receive mandatory initial and periodic training on GDPR, Bulgarian data law and internal data protection procedures.
9. Data Protection Officer (DPO)
NCPS has appointed a Data Protection Officer responsible for:
- Monitoring internal compliance
- Providing expert advice
- Liaising with the CPDP
- Acting as a point of contact for data subjects
10. Non-Compliance
Failure to follow this policy or applicable legislation will result in disciplinary action, which may include termination of contract. NCPS may also face fines from the CPDP or other EU authorities for non-compliance.
11. Policy Review
This policy will be reviewed annually or upon changes to relevant laws, regulations or internal operations. All staff will be informed of any revisions.
