The project “Panorama of Roma culture” was implemented under the program “Cultural entrepreneurship, heritage and cooperation”, with the financial support of the Financial Mechanism of the European Economic Area (EEA FM) 2014-2021.

Association “Roma Academy for Culture and Education” is a beneficiary and administrator of personal data within the meaning of the Personal Data Protection Act (PDPA).

More information regarding the personal data protection policy applied to RAKO’s management activities can be found as follows:

Personal data protection policy

Association “Roma Academy for Culture and Education” /RAKO/ is a legal entity with a non-profit purpose, determined to carry out activities for the public benefit, entered in the Commercial Register and the Register of the National Register of the National Register of Citizens of the Registration Agency with EIC 119679662 and with a registered office and address of management in the city of Sliven, Tsar Osvoboditel Blvd. No. 34-G, e-mail:, website:

RAKO has the following goals:

To raise the educational level of the Roma community and full educational integration of the ethnic group;
To create conditions for increasing the influence of the community in the decision-making process related to its development;
To motivate the Roma for their full inclusion in the public life of the city and villages through advocacy activities, campaigns, volunteering;
To support Roma access to social, health, educational services;
To stimulate the processes of integration of the Roma community in Bulgarian society;
To work to reduce discrimination;
To develop and popularize Roma history, culture, way of life, traditions, folklore;
To attract more and more young Roma – volunteers, who will work to achieve the goals of RAKO.

I. Objectives and scope of the Personal Data Protection Policy

With this Personal Data Protection Policy, RAKO takes into account the inviolability of the individual and takes the necessary measures to protect against unlawful processing of personal data of natural persons. In accordance with the current European and national legislation and good practices, RAKO implements the required organizational and technical measures to protect personal data.
With this Personal Data Protection Policy, RAKO aims to inform interested parties about the purposes of personal data processing, the grounds for their processing, the categories of recipients to whom the data may be disclosed, the consequences of refusing to provide them, as well as information about the right of access, correction, deletion and objection, according to the requirements of Regulation (EU) 2016/679 and the GDPR.

II. Personal data processed in RAKO

RAKO, in its capacity as a personal data administrator, processes personal data structured in separate registers, which are announced in the Public Register of registered personal data administrators.
RAKO processes personal data provided personally by the subjects of personal data to which they refer in connection with compliance with a legal obligation that applies to the controller.
RAKO processes personal data provided personally by the subjects of personal data, in cases where the subject of the data has given consent to the processing of his personal data for one or more specific purposes, when the processing is necessary on the basis of contractual requirements or for the purposes of legitimate interests of the administrator.
RAKO also processes personal data that were not received from the subject of the personal data to whom they relate, but were provided by a third party in connection with the fulfillment of a specific contractual obligation to implement and manage programs and projects for free financing or implementation activities of other contractual obligations. In these cases, the person who provided this data to RAKO undertakes:
to provide the subject of personal data with information about the administrator – RAKO;
to notify the subject of personal data about the purposes, the categories of data provided and the categories of recipients of this data;
to provide information on the right of access and correction of personal data of the person to whom it relates.
(1) Differentiated from the specific activity or legal requirement are the following categories of personal data that are processed by RAKO. Such data relates to:
physical identity: name, social security number, data from an identity document, place of birth, address, telephone, e-mail;
social identity: education, qualification, legal capacity, position held, work activity – experience and professional biography, citizenship, participation in management bodies of legal entities;
economic identity – bank account number (IBAN);
data revealing belonging to a vulnerable group, ethnicity.

(2) In connection with compliance with legal obligations, RAKO collects data on physical and economic identity.

(3) Within some of the sociological surveys conducted by RAKO, it is also possible to collect the following categories of personal data related to:

family identity of the persons: de facto marital status – marriage, divorce, cohabitation, widowhood according to the person’s self-assessment; household composition – number of household members, including children up to 18 years of age; in some studies – family ties in the household according to the person’s self-assessment;
education of the persons: educational level and type of education, year of graduation, current educational status (whether the person is currently studying) according to the person’s self-assessment;
employment and material situation: employment status – employed, retired, unemployed, maternity leave – according to the person’s self-assessment; profession and sector of employment according to the person’s self-assessment; average monthly gross/net remuneration according to the person’s self-assessment; financial situation and living conditions according to the person’s self-assessment; availability of health insurance – according to the person’s self-assessment;
health status of the person: health status – according to the person’s self-assessment; presence of a chronic disease – according to the person’s self-assessment;
data concerning the social and cultural identity of the person: ethnic identity – by self-determination of the person; religious affiliation – by self-determination; attitude to support political parties and leaders – by self-determination; reproductive and sexual attitudes – by self-determination.

(4) In the cases under para. 3, only the contact data of the persons are uploaded on a technical medium. The data from the survey cards are uploaded to a technical medium and processed for statistical purposes only in pseudonymized form.

(5) Within the framework of a contractual obligation related to the financing of a project/program, with the express consent of the person, information related to meeting certain requirements for his inclusion (education, belonging to a vulnerable group, ethnicity) may be requested.

III. Processing of personal data

As a personal data controller, RAKO processes personal data through a set of actions that can be performed in relation to personal data by automatic or non-automatic means, such as collection, recording, organization, storage, adaptation or modification, consultation, use, blocking, deletion and destruction, subject to the following principles:
lawfulness of personal data processing;
proportionality of personal data processing;
up-to-dateness of processed personal data.
RAKO processes personal data independently or by assigning data processors, determining the objectives and volume of duties assigned by the controller to the data processor, in the presence of a relevant legal basis, according to the GDPR. Processors on behalf of RAKO are, for example, its employees, whose rights and obligations, in connection with the processing of personal data of natural persons, are duly regulated in RAKO’s Internal Rules.

IV. Purpose of personal data processing

The purpose of personal data processing is to unambiguously identify individuals, current and future employees of RAKO, contractors, beneficiaries of grant contracts, participants in certain sociological surveys, invitees and participants in events carried out in connection with the implementation of the activities of CANCER. Data processing is due to:
the fulfillment of legally established obligations of the administrator of personal data arising from the specifics of the requirements of the legislation regulating financial and accounting reporting, pension, health and social security activities, human resources management activities;
the performance of a contract to which the data subject is a party, or to take steps at the data subject’s request prior to entering into a contract;
in the implementation of RAKO activities – for one or more specific purposes with the consent of the data subject; for the purposes of the legitimate interests of the controller or of a third party with the consent of the data subject.

V. Consequences of refusal to provide personal data

Express consent of natural persons whose data is processed is not necessary if the administrator has a legal basis for processing personal data. Such grounds are, for example, a legally established obligation in connection with the requirements of labor, tax and social security legislation, the Law on Obligations and Contracts, the Accounting Law, the Law on Measures Against Money Laundering, the Law on Measures Against the Financing of Terrorism, etc.
In the event of refusal to voluntarily provide requested personal data, RAKO will not be able to fulfill its statutory or contractual obligations, including not being able to provide a free service or financing to the entity that refuses to provide its personal data, a beneficiary under a project implemented by RAKO or under a project financed by a RAKO-managed or grant program.

VI. Disclosure of Personal Data

RAKO, as a personal data controller, has the right to disclose processed personal data only to the following categories of persons:
natural persons to whom the data refer;
persons for whom the right of access is legally established;
persons for whom the right arises by virtue of a contract.

VII. Rights of personal data subjects

Natural persons whose personal data are processed have the following rights:
Right to information about the data that identifies the controller, the purposes of personal data processing, the recipients or categories of recipients to whom the data may be disclosed, the mandatory or voluntary nature of the provision of personal data and the consequences of refusing to provide them.
Right of access to data relating to natural persons. In cases where, when granting the right of access to the data subject, personal data may also be disclosed to a third party, the administrator is obliged to grant partial access to them without disclosing data to the third party.
Right to correct or supplement inaccurate or incomplete personal data.
The right to delete personal data, the processing of which does not meet the regulated requirements or has no legal basis (storage period expired, consent withdrawn, the original purpose for which the data were collected fulfilled, etc.), as well as the right to request that the third parties to whom the personal data of the individual have been disclosed be notified of any deletion, correction or blocking that has been carried out, except in cases where this is impossible or involves excessive efforts.
Right to object to the administrator against the processing and/or disclosure of the subject’s personal data if there is a legal basis for this. Right to be notified before his personal data is disclosed to third parties if there is a legal basis for this.
Right to defense before the CPDP or by court order.

VIII. Order for exercising rights

  1. (1) Natural persons exercise their rights by submitting a written application to RAKO (on paper or by e-mail), containing at least the following information:
    Name, address and other identification data of the relevant natural person;
    Description of the request;
    Preferred form of information provision;
    Signature, date of submission of application and address for correspondence.

    (2) The entire procedure for exercising the rights of an individual in relation to their personal data is free for the individual.

    (3) In order to avoid abuses, when an application is submitted by an authorized person, a notarized power of attorney shall be attached to the application.

    The deadline for considering the application and the administrator’s ruling on it is 14 days, starting from the day of submission of the application, respectively 30 days when more time is needed to collect the requested data and in view of the complexity of the request.
    RAKO prepares a written response and communicates it to the applicant in person – against a signature or by mail/courier with return receipt, taking into account the applicant’s preferred form of providing the information.
    When the data subject to the application do not exist or their provision is prohibited by law, the applicant is denied access to them.
    In the event that RAKO does not respond to the applicant within the stipulated time or the applicant is not satisfied with the response received and/or considers that his rights related to the protection of personal data have been violated, he has the right to exercise his right of defense before the competent authorities .

    IX. Terms and definitions used

    In terms of this Policy:
    “Personal data” means any information relating to an identified natural person or a natural person who can be identified directly or indirectly, in particular by an identifier such as a name, an identification number or by one or more specific characteristics.
    “Processing of personal data” means any operation or set of operations performed on personal data or a set of personal data by automatic or other means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, distribution or other way in which data is made available, arranged or combined, restricted, deleted or destroyed.
    “Personal data administrator” is RAKO, which alone or jointly/by assigning another person processes personal data.
    “Personal data register” is any structured collection of personal data accessible according to certain criteria, which can be centralized or decentralized and is distributed on a functional basis.