eFellows Ltd. Procedure for Managing Work with Third Parties

 

1. Purpose
This procedure is developed with the aim to:


• Define a process to manage the selection, control, and evaluation of suppliers, clients, or other external personnel to eFellows according to clearly defined requirements;
• Ensure that access to information assets is provided only to external parties with an agreement and approval.

 

 

2.Scope
The procedure applies to all employees of eFellows. It is relevant to relationships with external parties regarding various commitments, including:


•Clients;
• Suppliers of goods and services, including those supporting the eFellows infrastructure;
• Cleaning and other external personnel.

 

3. Execution Procedure
3.1 Selection of Suppliers

- eFellows purchases goods and services from suppliers for:
• The needs of the company's clients
• Ensuring the company's own operations

- New suppliers are sought through the internet, third-party recommendations, personal contacts from fairs and exhibitions by department/office managers;

- After an initial screening, contact is made with several companies, and quotes, brochures, and samples (where possible) are requested;

- Once sufficient information is gathered, suppliers are evaluated based on the following criteria:
• Available recommendation
• Market price
• Support – Warranty / SLA
• Evaluation by the Manager

- The final selection is made by the Manager or the Financial-Operational Director. Then, the supplier's information is entered into the "Suppliers" registry by an employee from the Administration Department.

- A confidentiality agreement is signed with all suppliers expected to have access to the company's infrastructure.

- The Manager defines the authorities of employees in organizing deliveries.

- Foreign deliveries are carried out only by the Administration Department after approval by the Manager or Financial-Operational Director.

- When working with suppliers, the requirements for suppliers must be strictly followed and must be clear and objective.

- Every employee has the right to propose a supplier or a change of supplier by providing information to the Manager or Financial-Operational Director through the company's communication channels.

 

-           

  1.    Contract Terms and Supplier Change

- Deliveries can be made according to a contract or direct orders.

- Only the Manager signs contracts with suppliers, while department heads also have the right to negotiate with them.

- If the supplier's performance does not meet the requirements stated in the order/offer/contract, any employee may propose a new supplier following the procedure described above.

 

  1.  Acceptance of Goods from Supplier/Courier

-  Receiving goods delivered by a supplier is carried out by eFellows employees, who use a handover protocol. The equipment is received, listed, and placed on shelves for incoming equipment.

- In cases where the equipment is for a specific client, the Administration Manager organizes the delivery/collection of the equipment from the client.

-  In cases where the equipment is for storage, the Administration Manager registers it in the warehouse without indexing it until it is assigned to a specific destination.

-  Receiving equipment/correspondence/shipments via courier – an eFellows employee meets the courier at the designated location for receiving shipments/equipment or correspondence and signs the necessary documents for accepting the shipment.

 

3.4. Actions in Case of Non-Conformities and Complaints to Suppliers

- Acceptance of delivered goods for the direct activities of the company is performed by any employee in the office, who must check the conformity of the delivery against the electronic system.

- In case of any discrepancy, the employee documents it in a protocol and notifies the Administration Manager.

- The Administration Manager has the authority to assess the severity of the non-conformity against the pre-established requirements and criteria for the delivery and decide whether to file a complaint, accept the delivery, or notify the Manager in case of financial discrepancies, who makes the final decision.

 

  1.  Evaluation of Deliveries and Suppliers

- At least annually, during the management review, an analysis of deliveries, complaints, and suppliers is conducted, and management decides whether to continue working with them, change the terms of cooperation, or terminate the relationship.

- In the event of termination of the relationship with a supplier, the QMS (Quality Management System) Officer removes the supplier from the "Suppliers" registry.

- The final report from the management review includes findings and recommendations regarding the current status of all suppliers or their replacement and removal from the registry.

 

3.6. Security Requirements
External parties that have access to eFellows' information resources are subject to additional measures. The connection with external parties includes reviewing and identifying risks to eFellows' information and information processing resources and applying appropriate control mechanisms before granting access.


Access to the information resource is approved by the "owner" of the resource and the Manager and is documented in a formal agreement.


Before signing contracts and agreements with external parties, the owner of the information resource and the Manager consider the following aspects of the relationship with the third party:

- The criticality and sensitivity of the information and systems to which access will be allowed, including physical access, logical access, network connection, etc.;

- Evaluation of the relationship with the third party (from well-known partners to new and relatively unknown organizations);

- The type of business process to be performed by the third party (information retrieval, order fulfillment, remote support, etc.);

- Effectiveness of the information infrastructure in limiting the third party's access to the agreed capabilities;

Technical aspects of the connection (e.g., access control mechanisms and connection methods);

- Restrictions imposed by legal or regulatory requirements;

- The impact on the third party's activities that could result from lack of access or delivery of inaccurate or false information.

 

Employees of partner companies and key service providers are subject to risk assessment according to the Risk Assessment procedure.

 

3.6.1 Security in Working with Clients and Suppliers of Goods and Services 
3.6.1.1 Physical and Logical Access

Unless otherwise regulated by an agreement, third parties have controlled access: only in the presence of company employees and only to the designated sector/employee with whom they have specific relations.

Access is provided by the Administration Manager or another eFellows employee.

Meetings with clients are held in designated areas of the office.

External individuals do not have access rights to the organization's information system and databases.

Control of access and use of assets is carried out by the respective responsible persons (asset owners).

 

3.6.2. Security in Working with Service Providers

Service providers sign a contract, including an agreed level of service (SLA), if necessary.

Physical access is provided depending on the specific needs for service delivery but always in the presence of an authorized eFellows employee.

Responsibility for selecting suppliers and monitoring their activities lies with the managers.

Contracts/agreements specify the rights of audit/control by authorized eFellows employees over the work of the third party or the functioning of third-party systems.

 

3.6.3. Confidentiality

To meet security requirements, the parties sign a NON-DISCLOSURE AGREEMENT (NDA) as legal entities (individually or as part of a general contract), if necessary.

As natural persons, external parties sign a Confidentiality Declaration.

All confidentiality agreements and contracts are subject to review at least once a year as part of the management review.

The organization is obliged to inform the third party of any changes regarding the security policy and newly introduced measures.

 

3.6.4 Security in Relations with Landlords:

Under a signed contract, the office landlords provide:

- Office space;

- Maintenance of facilities, systems, and installations – electrical installations, plumbing, heating appliances;

- Maintenance of building access systems, video surveillance, fire alarm systems, and security systems.

 

 

4. Data Processed by eFellows in Working with Third Parties
The data controller for the data processed under this Policy is еFellows Ltd., UIC 131335001, with its registered office and address at 81 "Bulgaria" Blvd., Building B, 6th floor, Sofia 1404, Bulgaria.
Under this Policy, еFellows Ltd. processes the following categories of personal data:

 

 

Data Type Provider –

Supplier –

Legal / physical

person

Representative

Person for

contact

 

Names/Company

 

˅

 

˅

 

˅

 

Position

 

˅

 

˅

 

˅

EGN

 

х

 

х

 

х

 

Number, date, place and

issuing authority of

document for identity

 

 

 

х

 

 

х

 

 

х

 

Email address

 

˅

 

˅

 

˅

 

Contact phone number

 

˅

 

˅

 

˅

 

Education data,

skills and/or

qualification

 

х

 

х

 

х

 

Legend: The designation "x" indicates that eFellows does not collect the specified data.
The designation "˅" indicates that eFellows collects the specified data.

Note: The same individual may act in more than one capacity – as a representative and a contact person.

 

5. Processing of Personal Data by eFellows in Working with Third Parties

5.1 eFellows processes personal data to facilitate the selection of suppliers
To effectively select suppliers, eFellows needs to process personal data about them (if they are individuals), their representatives, and contact persons.

5.2 eFellows processes personal data to conclude contracts with suppliers
The conclusion of a valid and binding contract with a supplier is impossible without processing certain personal data about the supplier (if the supplier is an individual) or their representative(s). eFellows processes personal data to fulfill its obligations to the suppliers and to seek their compliance. To fulfill its obligations to suppliers and to seek their compliance, eFellows must process personal data about suppliers (if they are individuals), representatives, and contact persons/employees. Without processing personal data about suppliers (if they are individuals), representatives, and contact persons/employees, it would be impossible to:

  • place, modify, amend, or withdraw orders to suppliers;
  • carry out written correspondence, as well as conduct phone and/or video calls, and/or joint meetings regarding the performance of concluded contracts;
  • organize the receipt and testing of delivered goods and/or services;
  • receive and account for invoices and make payments for them, among other tasks.

 

5.3 eFellows processes personal data for the purpose of amending or terminating contracts with suppliers
During the term of contracts with suppliers, negotiations may be conducted for their amendment or termination. In such cases, eFellows needs to process personal data about the suppliers (if they are individuals), their representatives, and/or contact persons.

5.4 eFellows processes personal data in accordance with applicable legislation to assist competent state and/or municipal authorities in conducting inspections
During inspections, the relevant authorities have the authority to conduct checks and require eFellows to provide documents and information it holds. It is possible that the documents and information requested during such an inspection may contain personal data of suppliers – individuals, their representatives, contact persons, and/or employees.

5.5 eFellows processes personal data to fulfill its obligations under accounting and tax legislation
The tax and accounting legislation of the Republic of Bulgaria requires legal entities to create and store, for a certain period, information, data, and documents relevant to tax and social security control. In fulfilling this obligation, the relevant information and documents containing personal data of suppliers – individuals, their representatives, and/or contact persons are stored by eFellows for periods prescribed by the applicable laws.

5.6 eFellows processes personal data for the settlement of legal disputes
To exercise rights or legitimate interests (for example, to seek compensation for damages), eFellows may need to process personal data of certain suppliers – individuals, their representatives, contact persons, and/or employees in order to make an out-of-court claim or initiate a lawsuit. Similarly, suppliers, the aforementioned third parties, or the individuals themselves may make an out-of-court claim or file a lawsuit against eFellows. In such cases, we may need to process personal data to organize and conduct our defense, thereby protecting ourselves against unlawful encroachments on our property and/or reputation. The type and scope of the processed personal data depend on the nature of the out-of-court claims or the filed lawsuits.