Declaration Of Conformity With GDPR

DECLARATION OF CONFORMITY WITH GDPR

Introduction
The General Data Protection Regulation (GDPR) of the EU enters into force in the European
Union on 25 May 2018 and leads to the most significant changes in the data protection
regulation after two decades. Based on the principle of personal data protection at the
design stage and the adoption of a risk-based approach, the GDPR has been developed to
meet the requirements of the digital age. The 21st century brings with it a wider use of
technology, new definitions of what personal data are and a huge increase in cross-border
processing. The new regulation aims to standardize the data protection and processing
legislation in the EU by giving individuals stronger, more consistent rights to access and
control their personal information.

Our commitment
We at CONTEMPORARY BOHEMIANS Ltd., UIC 204194469, with address: Bulgaria, Sofia 1527, 24 Vrabcha Str.,
Floor 2, e-mail: info@cb.studio we are committed to guarantee security and
protection of the personal information we process and to provide a consistent and
consistent approach to data protection. We have always had a robust and effective data
protection policy that is in line with existing regulations and respects data protection
principles. However, we accept our obligation to update and expand this policy to meet the
requirements of the GDPR and the amendments to the Personal Data Protection Act in view
of the adoption and operation of Regulation 2016/679.

Contemporary Bohemians Ltd. is dedicated to the processes of protection of personal information, which
is within the scope of our competence and in the development of data protection
mechanisms that are effective, suitable for the purposes set and demonstrate
understanding and synchronization with GDPR.
Our preparation and objectives for compliance with GDPR are summarized in this statement
and include the development and implementation of new roles, policies, procedures,
controls and data protection measures to ensure maximum and consistent compliance.

How do we prepare for GDPR
Contemporary Bohemians Ltd. already has the same level of data protection and security in our
organization, as our preparation included:

• Information Audit – Performing a complete company information audit to identify and
evaluate the personal information that is contained with us, where it comes from, how and
why it is being processed, and if revealed – to whom.
• Policies and procedures – Introducing new data protection policies and procedures to
meet GDPR requirements and standards and data protection regulations, including:

► Privacy Protection – our main policy document and data protection procedures have been
revised to meet GDPR standards and requirements. Accountability and management
measures have been taken to ensure that we understand and adequately disseminate and
prove our duties and responsibilities, with particular attention to the principle of personal
data protection at the design stage and the protection of individuals' rights.

Data retention and deletion – We have updated our policy and timetable for storing data to
ensure that we comply with the data minimization and containment principles and that
personal information is stored, archived, and destroyed compliant and ethically. We have
specialized deletion procedures in place to meet the new "Right to Deletion" obligation, and
we know when these and other rights apply to data subjects, along with any exceptions,
response time, and notification responsibilities.

► Data security breaches – Our data breach procedures ensure safeguards and measures to
identify, assess, investigate and report violations of personal data as early as possible. The
procedures are sustainable and are distributed to all employees, informing them of the
reporting channels and the steps to be followed.

► Data transfer and third party disclosure – where we store or transmit personal
information, we have robust procedures and safeguards to protect, encrypt and maintain
data integrity.

► Data access request – We have redrafted our data access procedures to apply the revised
time periods to provide requested information and to ensure that this activity is free of
charge. Our new procedures detail how to verify the data subject, what steps are taken
when processing an access request, what exceptions apply, and a set of response templates
to ensure that communications with data subjects are consistent, consistent and adequate.

• Legal basis for the processing of personal data – We review all processes and processing of
personal data to identify the legal basis for processing and to ensure that each ground is
appropriate for the activity to which it relates. Where applicable, we also maintain reports
on our processing activities by ensuring that our obligations under Article 30 of the GDPR
are met.
• Our Privacy Policy aims to comply with the GDPR by ensuring that all individuals whose
personal information we process is informed of why we need their data, what their rights
are in relation to whom this information is provided and what safeguards are in place to
protect its data.
• Obtaining consent – we have redrafted our consent mechanisms in obtaining personal
data to ensure that people understand what they provide, why, and how we use it, and to
provide clear and defined ways to obtain consent to receive certain information, as well and
the fundamental rights and claims that each user can address to us.
• We have developed robust procedures for documenting consent by making sure and can
prove that we have confirmation of the options for inclusion and receipt of certain data as
well as time and date records that are easy to understand, and an accessible way to
withdraw consent at any time time.
• We have also redesigned the wording and processes for direct marketing, including the
introduction of a separate additional agreement to provide direct marketing, as well as the
introduction of clear mechanisms for including marketing subscriptions, clear notes and
ways to exclude and provide write- all subsequent marketing materials and activities.
We perform an Impact Assessment on data protection where we handle personal
information that is considered as high risk, we have developed robust procedures and
models for making impact assessments that
fully comply with the requirements of Art. 35 GDPR. We have implemented documentary
processes that take account of each assessment, allow us to assess the risk posed by
processing operations and to implement mitigation measures to reduce the risk that is
created for data subjects.

• When we need to use third parties to process personal information on our behalf (e.g.,
payroll, information gathering, hosting, etc.), we have compiled compatible data processing
and due diligence agreements, to make sure that they (as we do) understand the GDPR
obligations. These measures include initial and ongoing reviews of the services provided, the
necessity of the processing activities, the technical and organizational measures introduced
and the observance of the GDPR.
• Special Categories of Personal Data – When we receive and process information from a
special category of personal data, we do so in full compliance with the requirements of Art.
9 GDPR, and we have high-level encryption and protection for all such data. Special
categories of personal data are processed only when necessary and processed only on
condition that a legal basis under Art. 9 (2) of the GDPR. When we rely on consent to
processing, this is explicit and is confirmed by a signature, with the entity's right to change
or remove the consent that is clearly indicated.
Rights of data subjects
In addition to the above rules and procedures, which ensure that individuals can enforce
their rights to privacy, by providing us with letterhead with different requests, both our
headquarters and address, and our website.

All our clients / contractors should know that at any time there is an opportunity to request
information about:
• What personal data we have for you;
• The purposes of the processing of personal data;
• Categories of relevant personal data;
• Recipients to whom personal information is / will be disclosed;
• How long do we intend to store the relevant personal data?
• If we have not collected the data directly from you, source information;
• The right to correct or fill in incomplete or inaccurate data for you and the process of
requesting it;
• The right to request the deletion of personal data (where applicable) or to restrict data
protection processing, as well as the ability to oppose any direct marketing and obtaining
information for any automatic decision-making, which is used;
• The right to lodge a complaint or to seek legal protection, as well as competent liaison
officers in such cases.
Information security and technical and organizational measures
Contemporary Bohemians Ltd. takes very seriously the protection of personal information and takes all
reasonable and precautionary measures to protect and secure the personal data we
process.
We have robust security policies and procedures to protect personal data from
unauthorized access, change, disclosure or destruction, and we have several layers of
security measures including: (Insert measures like SSL, access control, password policy,
encryption , pseudonymization, practices, constraints, IT authentication, etc.)
GDPR Roles and Employees

Contemporary Bohemians Ltd. has designated as our responsible person and appointed a Data
Protection Team to develop and implement rules for compliance with the new data
protection regulation. The team is responsible for promoting GDPR in the organization,
evaluating our readiness for GDPR, identifying all areas of mismatch, and implementing the
new policies, procedures and measures.

Our employees are fully involved in our plans to prepare for compliance with the GDPR and
the relevant training programs are implemented at all levels of the organization.

If you have questions about our preparation for GDPR, please contact Mr. Yavor Pavlov – Data Protection
Officer.

Approved by:
Yavor Pavlov – Manager