Internal Data Privacy Policy

1. Purpose

This policy defines the principles, responsibilities, and procedures for the protection of personal data processed by Studio Kipo EOOD, in accordance with the General Data Protection Regulation (GDPR) and applicable national legislation.

2. Scope

This policy applies to all employees, subcontractors, and third parties who process personal data on behalf of Studio Kipo EOOD in relation to the services provided.

3. Core Principles

When processing personal data, Studio Kipo EOOD adheres to the following principles:

  • lawfulness, fairness, and transparency
  • purpose limitation
  • data minimization
  • accuracy and up-to-dateness
  • storage limitation
  • integrity and confidentiality
  • accountability

4. Categories of Activities and Data

We process personal data only when necessary for the performance of contractual obligations or upon explicit instructions from clients. In most cases, access to personal data is limited, technically secured, and temporary.

5. Data Subject Rights Handling

All requests related to:

  • access to personal data
  • correction or erasure
  • restriction of processing
  • objection to processing
  • data portability

are reviewed within 30 calendar days of receipt. The designated officer verifies the identity of the requester, registers the request, takes appropriate actions, and documents the process.

6. Technical and Organizational Measures

Studio Kipo EOOD applies reasonable and proportionate technical and organizational measures to protect personal data, including:

  • access control to information systems
  • encryption of sensitive information
  • backup and data loss protection
  • internal traceability of data processing actions
  • use of reliable hosting and cloud service providers

7. Training and Awareness

All employees with access to personal data receive onboarding training and annual updates regarding best practices and their obligations under this policy.

8. Security Breach Handling

In case of a suspected data breach, the designated officer takes the following steps:

  • analyzes and contains the incident
  • notifies the client within 48 hours
  • documents the incident and response
  • if required, notifies the supervisory authority and affected individuals

9. Review and Updates

This policy is reviewed at least once a year or in the event of significant changes in legal requirements or the company’s operations.

Approved by:
Nikolay Marinov
Managing Director and Data Protection Officer
Date: 01.01.2025