Protection of personal data

Pursuant to the General Regulation on Personal Data Protection (EU) 2016/679 (ORZLD) and the Personal Data Protection Act of the Republic of Bulgaria, the Thracian University has taken the necessary organizational and technical measures to ensure the processing of personal data in a lawful, appropriate manner. and transparent way.

Our Approach to Your Personal Data

The university places great importance on the protection of personal data and collects and processes personal data only in compliance with the requirements of local and European legislation. The purpose of this "Data Protection Policy" is to inform you about how we process your data, what personal data we may collect about you, for what purpose, for how long, and what your rights are.

Personal Data

Trakia University collects and processes personal data of the following categories of individuals: prospective students, current students, doctoral students (including candidates), and individuals enrolled in postgraduate programs. It is also possible that personal data of visitors (e.g., data from video surveillance) may be collected and processed.

These data are provided to Trakia University through the application and enrollment forms.

Depending on the services you use, we may collect and process the following information: names as per the ID card; UCN (Unique Citizenship Number) or personal number; address as per the ID card; ID card details – number, issue date, expiration date, issuing authority, citizenship; marital status; education details; gender; bank details; faculty number; academic performance data; contact phone number; email address; citizenship and residence status; letters and emails received from you; username and password when using the website; video recordings when visiting our administrative premises for security purposes.

In connection with the fulfillment of regulatory obligations (Art. 68, para. 3 of the Higher Education Act), the Regulation on the Structure, Activities, and Management of Trakia University, and ensuring social security and social protection (according to Regulation 2016/679 EU), the following documents may be processed: decision of the Admission Committee, birth certificates, orphanage records, and death certificates. In case of non-provision of the specified documents, obtaining priority during the application process is not possible.

The personal data for which Trakia University has a legal obligation to collect is detailed in the Higher Education Act, the Regulation on State Requirements for Admission of Students to Higher Education Institutions in the Republic of Bulgaria, the Regulation on State Requirements for the Content of Basic Documents Issued by Higher Education Institutions, and for doctoral students - in the Law on the Development of the Academic Staff in the Republic of Bulgaria and its implementing regulations, among other legislative acts.

Purpose and Legal Basis for Processing Your Data

The university processes your data only for the purposes for which they are collected and does not use them for other purposes. These purposes are entirely related to admission and education – organizing the educational process, supporting education through various means, issuing documents in compliance with state requirements, and maintaining the registers stipulated in the Higher Education Act. Specifically, these purposes include:

• Кандидатстване за образователно-квалификационна степен "професионален бакалавър", "бакалавър" и "магистър";

• Кандидатстване за образователна и научна степен "доктор";

• Recognition of diplomas as well as student transfers;

• For the purposes of postgraduate qualifications;

• Entering into contracts with the university;

• Administration of education – e.g., maintaining the main student register, issuing student ID cards, certificates, academic transcripts, diplomas for higher education and academic degrees, as well as certificates for additional training and registers for them;

• Access to educational resources – e.g., the library, etc.;

• Financial transactions – e.g., sending scholarships or other financial incentives;

• Processing of applications – e.g., for the restoration of rights, interruption, transfer, etc.  

• Graduation of students;

• Exchange of students and lecturers;

• Ensuring effective communication;

• Ensuring security.

Legal grounds.

In most cases, we require your personal data for the purpose of entering into a contract, complying with a legal obligation, or protecting our legitimate interests. Of course, for some services, you provide this information yourself by choosing and consenting to its processing. Without this data, we would not be able to provide the respective services.

Processing of data necessary for the conclusion and performance of a contract

• For the fulfillment of contractual obligations under concluded contracts for the provision of educational services;

• Providing comprehensive support and administration during the period of education.

Processing data necessary for fulfilling our regulatory obligations.

• The Higher Education Act, Regulation on State Requirements for Admission of Students to Higher Education Institutions in the Republic of Bulgaria, Regulation on State Requirements for the Content of Basic Documents Issued by Higher Education Institutions, Rules for the Structure, Activities, and Management of Trakia University, Rules for Educational Activities at Trakia University, and other related regulatory acts.

• Obligations to provide information to all state commissions and regulatory bodies.

• Providing information to the court and law enforcement authorities.

Processing of data. based on your consent.

• During student application campaigns, transfer requests, recognition of diplomas, etc.

• Data transfer outside the EU;

• Direct marketing.

Processing of data. Based on our legitimate interest.

• Conducting video surveillance in our administrative premises.

Sharing your information:

The university uses third parties to assist in certain contractual activities or when fulfilling legal obligations. We do not provide your personal data to third parties until we are assured that all technical and organizational measures have been taken to protect this data. We strive to exercise strict control over the execution of this purpose. We may provide data to accounting firms, law firms, other universities, student dormitories and canteens, etc.

The provision of personal data in some cases is mandatory for us to comply with our legal requirements, and in this regard, we provide information to:

• The Ministry of Education and Science – e.g., for maintaining the Register of all active and discontinued students and doctoral students by degrees of education and by professional fields and the Register of graduated students and doctoral students (Higher Education Act).

• The National Revenue Agency for the needs of health insurance.

• MFA, MOI - Migration Directorate, and the Ministry of Education. The university is obligated to provide personal data of foreign students for the issuance of a D visa. The university may share personal data with officials, representatives of immigration authorities regarding the status of prospective students or students whose citizenship is outside the European Union.

• National Center for Information and Documentation.

• Regional Education Inspectorate.

• Other.

Automated algorithms.

We do not use means of automated decision-making.

Security

The security of the data you have entrusted to us is very important. Therefore, we protect your data by applying all appropriate technical and organizational measures available to us to prevent unauthorized access, unauthorized or malicious use, loss, or premature deletion of information.

Trakia University takes measures to protect your personal data from accidental loss and unauthorized access, use, alteration, or disclosure. The university implements policies and procedures designed to safeguard information from loss, misuse, and unlawful disclosure. Additionally, extra measures for information security are undertaken, including access control, strict physical protection, and reliable practices for collecting, storing, and processing information. Some of the actions taken in this regard include:

1. Physical, organizational, and technical measures for protection:

Determining access-controlled zones; defining premises where personal data is processed, including server locations, and restricting access; organizing physical access; specifying technical means used for physical protection in special rooms and cabinets secured by keys; establishing an incident response team.

2. Personal protection: Familiarization of the personnel with the specifics of personal data processing and with the regulatory framework in the field of personal data protection, with the current policy, and with other related internal regulations; confidentiality of information; staff training.

3. Documentary protection: Determination of retention periods; rules for dissemination, procedures for destruction, monitoring, and control of processing.

On the other hand, we apply technical measures such as encryption, pseudonymization, and anonymization of the collected personal data.

When do we delete your personal data?

We store all the information we have collected about you and destroy it in a specified order within the legal deadlines, and if there are none, within the deadlines determined by us in accordance with the Internal Rules for the creation, use, and maintenance of the university archive.

Some of the deadlines include:

- A minimum of 50 years for data related to issued diplomas and certificates;

- 10 years according to the Accounting Act for the storage and processing of accounting data;

- 30 days from the recording date for video surveillance data;

- 1 year from the end of the student application campaign regarding competition records, exam papers, attached documents to the record, including acts and diplomas.

- 5 years from the end of the student application campaign for exam protocols.

Transfer between countries.

The university may transfer your data outside the EU under the "Erasmus+" program, but only after obtaining your explicit written consent.

Your rights regarding personal data:

At any time, you can request from the University to provide you with information and access to the personal data collected and stored about you. You can also request the University to correct, delete, or update such personal data. The University ensures your right to object and restrict the processing of personal data, as well as your rights in automated decision-making processes.

You can withdraw your consent for the collection, storage, and use of your personal data by the University at any time. However, the withdrawal will not affect the lawfully processed data prior to the withdrawal.

Some of your rights, such as data deletion or objection to processing, may be restricted by applicable legislation.

Requests for access to information or correction can be submitted in person or by a person explicitly authorized by you, through a written authorization. Requests can also be submitted electronically, following the procedures of the Electronic Document and Electronic Signature Act.

We inform you that under current legislation, you also have the right to file a complaint with the supervisory authority, the Commission for Personal Data Protection, located in Sofia 1592, Prof. Tsvetan Lazarov Blvd. No 2, or through their website www.cpdp.bg.

Changes to the current Privacy Policy:

This procedure for protecting personal information may be subject to changes over time. Such changes will take effect immediately upon their announcement. Regularly reviewing this page ensures that you are always aware of what information we collect, how and for what purposes the University uses it, and under what circumstances (if any) we disclose it to other parties.