Mandatory information on the rights of personal data protection persons
Company information, which processes your data:
Website: [site_url]
Information on the competent data protection supervisory authority
Name: Commission for Personal Data Protection
Headquarters and address of management: city. Sofia 1592, this is a. "Prof.. Tsvetan Lazarov ”№ 2
Mailing address: city. Sofia 1592, this is a. "Prof.. Tsvetan Lazarov ”№ 2
Phone: 02 915 3 518
Web page: www.cpdp.bg
[site_url] (Hereinafter referred to as "Administrator" or "Company") carries out its activities in accordance with the Personal Data Protection Act and the Regulation (ES) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. This information is intended to inform you about all aspects of the processing of your personal data by the Company and the rights, that you have in connection with this processing.
Grounds for collection, processing and storage of your personal data
Art. 1.The administrator collects and processes your personal data in connection with the use of the electronic store [site_url] and concluding contracts with the company on the basis of Art. 6, he. 1, Regulation (ES) 2016/679 (GDPR), and in particular on the following grounds:
- Explicit consent from you as a customer;
- Fulfillment of the obligations of the Administrator under a contract with you;
- Compliance with a legal obligation, which applies to the Administrator;
- For the purposes of the legitimate interests of the Administrator or a third party;
Objectives and principles of collection, the processing and storage of your personal data
Art. 2. (1)We collect and process personal data, which you provide to us in connection with the use of the e-shop and concluding a contract with the company, including for the following purposes:
- creating an account and providing full functionality when using the online store;
- concluding and executing a distance contract;
- individualization of a party to the contract;
- accounting purposes;
- statistical purposes;
- protection of information security;
- ensuring the implementation of the contract for the provision of the respective service.
- sending an information bulletin if you wish;
(2) We follow the following principles when processing your personal data:
- legality, good faith and transparency;
- restriction of processing purposes;
- relevance to the purposes of processing and minimizing the data collected;
- accuracy and timeliness of data;
- limitation of storage in order to achieve the objectives;
- integrity and confidentiality of the processing and ensuring an appropriate level of security of personal data.
(3) In the processing and storage of personal data, The administrator may process and store personal data in order to protect the following legitimate interests:
- fulfillment of its obligations to the National Revenue Agency, Ministry of Interior and other state and municipal bodies.
What types of personal data does it collect, processes and stores our company
Art. 3. (1) The company performs the following operations with the personal data provided by you for the following purposes:
- Registration of a user in the e-shop and fulfillment of a distance sales contract - the purpose of this operation is to create an account for the use of the e-shop for the purchase of goods and to provide contact information for the delivery of purchased goods. Registering and creating an account for using the online store is not a mandatory step in providing the service and it is available to a large extent without creating an account..
Conclusion from the impact assessment: Based on the impact assessment performed, the operation "User registration in the e-shop and execution of a distance sales contract" is eligible and provides sufficient guarantees to protect the rights and legitimate interests of data subjects in accordance with the requirements of the GDPR. - Concluding and executing a commercial transaction with a client or partner - the purpose of this operation is to conclude and execute a contract with a trading partner or client and its administration. Given the limited scope of the personal data collected and the circumstance, that some of them are collected from publicly available sources, conducting an impact assessment it is not necessary to carry out an impact assessment of the operation.
- Sending a newsletter (newsletter) - The purpose of this operation is to administer the process of sending newsletters to customers, who have stated, that they wish to receive. Given the limited scope of the personal data collected, conducting an impact assessment it is not necessary to carry out an impact assessment of the operation.
- Exercising the right to refuse or make a complaint - the purpose of this operation is to administer the process of exercising the right of withdrawal or complaint by the client. Given the limited scope of the personal data collected, conducting an impact assessment it is not necessary to carry out an impact assessment of the operation.
(2) The controller processes the following categories of personal data and information for the following purposes and on the following grounds:
- Your personal data (Email, name, etc.)
- Purpose, for which data are collected: 1) Making contact with the user and sending information to him, 2) for the purposes of user registration in the online store, as well as 3) to send a newsletter.
- Grounds for processing your personal data – By accepting the general conditions and registration in the e-shop or placing an order without registration, or when concluding a written contract, a contractual relationship is created between the Administrator and you, on what basis we process your personal data - art. 6, he. 1, b. (b) GDPR. Your data for sending a newsletter is processed with your explicit consent – Art. 6, he. 1, b. (and) GDPR.
- Delivery details(names, phone, address, etc.)
- Purpose, for which data are collected: Fulfillment of obligations of the administrator under a contract of sale and delivery of purchased goods.
- Grounds for processing your personal data – By accepting the general conditions and registration in the e-shop or placing an order without registration, or when concluding a written contract, a contractual relationship is created between the Administrator and you, on what basis we process your personal data - art. 6, he. 1, b. (b) GDPR.
- Additional data, provided by you - If you want to complete your account, you can fill in name data in it, surname, phone number.
- Purpose, for which data are collected: Adding information about the user in his user account.
- Grounds for data processing: You have given your explicit consent to the processing of his personal data for one or more specific purposes – 6, he. 1, b. (a) of GDPR at the time of registration in the online store. The provision of this data, is not required to register in the online store.
(3)The administrator does not collect or process personal data, which relate to the following:
- reveal racial or ethnic origin;
- reveal politically, religious or philosophical beliefs, or trade union membership;
- genetic and biometric data, health data or data on sexual life or sexual orientation.
(4) Personal data is collected by the Administrator from individuals, to which they relate.
(5) The company does not perform automated decision making with data.
Art. 4. (1) The company performs the following operations with those provided by you, as legal representatives or proxies of legal entities-trading partners, personal data for the following purposes:
- Concluding and executing a commercial transaction: For the conclusion and execution of a commercial transaction with a commercial company, we process only the three names of the legal representative or the person authorized by the company. Conclusion from the impact assessment: Given the small volume of individuals, whose data are processed and given the limited amount of personal data, which are collected, an impact assessment is not required for this operation.
(2) Personal data is collected by the Administrator from individuals, to which they also refer from the Commercial Register to the Registry Agency.
(3) The company does not perform automated decision making with data.
Art. 5. The administrator can use the so-called. Cookies for the purpose of providing full functionality of the website, improving the user experience, statistical purposes, facilitated access, etc., which you agree to by using our website. You can control and / or delete cookies at any time through the settings of your browser. Cookies do not constitute personal data and are not used to identify visitors and users of the e-shop.
Term of storage of your personal data
Art. 6. (1) The administrator stores your personal data for a period not longer than the existence of your account in the online store. After deleting your account, The administrator takes the necessary care to delete and destroy all your data, without undue delay or anonymizing them (ie. to bring them into shape, which does not reveal your identity).
(2) The administrator processes your personal data, which you have provided when placing an order without registration in the e-shop, until the completion of the order, unless you have given your explicit consent when processing your order for your data to be processed for the purpose of improving the service, providing recommended content for you, individual conditions, promotions, as well as for statistical purposes.
(3) The administrator stores your personal data, provided in connection with online orders for a period of 5 years for the purposes of protecting the legal interests of the Administrator in court or administrative disputes with users of the online store.
(4) The administrator notifies you, in case, that the data retention period needs to be extended in order to fulfill a regulatory obligation or in view of the legitimate interests of the Administrator or otherwise.
(5) The administrator stores personal data, which it is necessary to keep in accordance with the applicable legislation for the respective envisaged term, which may exceed the validity period of your e-shop account or until the completion of the order.
Art. 7. The administrator stores the personal data of the legal representatives of its business partners for the term of the contract, to comply with the legitimate interests and legal obligations of the Administrator, as this term may exceed the term of the concluded contract.
Transfer of your personal data for processing
Art. 8. (1) The administrator may, at its own discretion, transfer part or all of your personal data to personal data processors for the fulfillment of the processing purposes., with which you have agreed, subject to the requirements of a Regulation (ES) 2016/679 (GDPR).
(2) The administrator notifies you in case of intention to transfer part or all of your personal data to third countries or international organizations..
Your collection rights, the processing and storage of your personal data
Withdrawal of consent for the processing of your personal data
Art. 9. (1) If you do not want the personal data provided by you to be processed for marketing purposes and receiving a newsletter, You can withdraw your consent to processing at any time, by filling in the withdrawal form in Annex № 1 or by request in free text, and send it to us by email.
(2) Once we receive your request, we will send you an email, which you have specified to receive newsletters and advertisements, a letter with detailed instructions for your verification as a newsletter recipient and personal data subject, for which withdrawal of consent has been requested.
(3) Withdrawal of consent does not affect the lawfulness of the processing of personal data, which the Administrator has performed so far.
Right of access
Art. 10. (1) You have the right to request and receive confirmation from the Administrator whether personal data is processed, related to you, by sending a free text request by email.
(2) You have the right to access the data, related to you, as well as to the information, relating to collection, the processing and storage of your personal data.
(3) Once we receive your request, we will send you an email, which you used to register or place orders in the e-shop, a letter with detailed instructions for your verification as a data subject, to which access is requested.
(4) After performing the verification, according to par. 3, The administrator provides you on request, a copy of the processed personal data, related to you, in electronic or other appropriate form.
(5) Providing access to data is free of charge, but the Administrator reserves the right to impose an administrative fee, in case of recurrence or excessiveness of the requests.
Right of correction or completion
Art. 11. (1) You can correct or fill in inaccurate or incomplete personal data at any time, related to you, via the "Edit account" option.
(2) You may correct or complete inaccurate or incomplete personal data, connected to you directly through your account on the website or by making a request to the Administrator by email, using the form in Appendix № 4 or by request in free text.
Right to delete ("To be forgotten")
Art. 12. (1) You have the right to request from the Administrator the deletion of part or all of the personal data related to you, and the Administrator has the obligation to delete them without undue delay, when any of the following grounds are present:
- personal data are no longer needed for the purposes, for which they have been collected or otherwise processed;
- You withdraw your consent, on which the data processing is based and there is no other legal basis for the processing;
- You object to the processing of your personal data, including for direct marketing purposes and there are no legal grounds for processing, which have an advantage;
- personal data have been processed illegally;
- personal data must be deleted in order to comply with a legal obligation under EU law or the law of a Member State, which applies to the Administrator;
- personal data have been collected in connection with the provision of information society services.
(2) The administrator is not obliged to delete personal data, if it stores and processes them:
- to exercise the right to freedom of expression and the right to information;
- to comply with a legal obligation, which requires processing, provided for in EU law or the law of a Member State, which applies to the Administrator either for the performance of a task of public interest or in the exercise of official authority, which are provided to him;
- for reasons of public interest in the field of public health;
- for archiving purposes in the public interest, for scientific or historical research or for statistical purposes;
- for the establishment, the exercise or defense of legal claims.
(3) To exercise your right to be forgotten, you need to send an e-mail request to delete your personal data, which the Administrator processes, by filling in the form in Appendix № 2 or by request in free text, then the Administrator will send to the email, which you used to register or place orders in the e-shop, a letter with detailed instructions for your verification as a store user and personal data subject, for which a deletion request has been made.
(4) Once we verify the identity of the person, made the request and the person, to which the data relates in accordance with the instructions sent to you, we will delete all data, which we process for you, in accordance with para. 3.
(5) If there is an order made by you, which is in the process of processing, the earliest moment, in which you can ask to be "forgotten", is upon successful completion of the order.
Right of restriction
Art. 13. You have the right to ask the Administrator to restrict the processing of data related to you, by sending us a free text request by email, when:
- challenge the accuracy of personal data, for a period, which allows the Administrator to verify the accuracy of personal data;
- processing is illegal, but you do not want the personal data to be deleted, but only their use should be limited;
- The administrator no longer needs personal data for processing purposes, but you require them for establishment, the exercise or defense of their legal claims;
- You have objected to the processing pending verification of whether the legal grounds of the Administrator take precedence over your interests.
(2) Once we receive your request, we will send you an email, which you used to register or place orders in the e-shop, a letter with detailed instructions for your verification as a store user and personal data subject, for which a request for restriction of processing has been made.
(3) After performing the verification according to par. 2, The company will stop processing your data, but will not remove posts, which you made in the online store, if available.
Right of portability
Art. 14. (1) If you have given consent for the processing of your personal data or the processing is necessary for the performance of the contract with the Administrator, or if your data is processed automatically, you can:
- to ask the Administrator to provide you with your personal data in a readable format and to transfer them to another Administrator;
- to ask the Administrator to directly transfer your personal data to an administrator specified by you, when technically feasible.
(2) You can exercise the right of portability by sending us by e-mail a completed form according to Appendix № 3 or a free text request, then the Administrator will send to the email, which you used to register or place orders in the e-shop, a letter with detailed instructions for your verification as a store user and personal data subject, for which a portability request has been made.
(3) After performing the verification according to par. 2, The company sent the data to the e-mail specified by you, which processes for you, in XML format.
Right to receive information
Art. 15. You can ask the Administrator to inform you about all recipients, of which personal data, for which correction has been requested, delete or restrict processing, have been discovered. The administrator may refuse to provide this information, if this would be impossible or would require a disproportionate effort.
Right to object
Art. 16. You can object at any time to the processing of personal data by the Administrator, relating to it, including if processed for profiling or direct marketing purposes.
Your rights in the event of a breach of the security of your personal data
Art. 17. (1) If the Administrator finds a breach of the security of your personal data, which can pose a high risk to your rights and freedoms, it notifies you without undue delay of the breach, as well as for the measures, which have been taken or are to be taken.
(2) The administrator is not obliged to notify you, if:
- has taken appropriate technical and organizational data protection measures, affected by the security breach;
- has subsequently taken action, which guarantee, that the violation will not lead to a high risk to your rights;
- notification would require a disproportionate effort.
Faces, to whom your personal data is provided
Art. 18. (1) For the purposes of processing your personal data and providing the service in its full functionality and in view of your interests, The administrator may provide the data to the following persons, which are processing data:
Processing personal data Purpose of personal data processing
……………………………………….. ……………………………………………………………
……………………………………….. ……………………………………………………………
……………………………………….. ……………………………………………………………
(2) The processors of personal data comply with all requirements for legality and security in the processing and storage of your personal data..
Art. 19. The administrator does not transfer your data to third countries.
Art. 20. In the event of a breach of your rights under the above or applicable data protection legislation, you have the right to lodge a complaint with the Data Protection Commission, as follows:
Name: Commission for Personal Data Protection.
Headquarters and address of management: city. Sofia 1592, this is a. "Prof.. Tsvetan Lazarov ”№ 2
Mailing address: city. Sofia 1592, this is a. "Prof.. Tsvetan Lazarov ”№ 2
Phone: 02 915 3 518
Web page: www.cpdp.bg
Art. 21. You can exercise all your rights regarding the protection of your personal data through the forms, attached to this information. Of course, these forms are optional and you can submit your requests in any form, which contains a statement to that effect and identifies you as the data owner.
Art. 22. If the consent relates to a transfer, The controller shall describe the possible risks for the transfer of data to third countries in the absence of a solution for adequate protection and appropriate means of protection..
Appendix No. 1
Withdrawal form of consent for processing purposes
Your Name*: …………………….
your e-mail, which you used in the e-shop *: …………………….
Feedback data (e-mail)*: …………………….
To
Name: …………………….
UIC / BULSTAT: …………………….
Headquarters and address of management: …………………….
Mailing address: …………………….
Phone: …………………….
E-mail: …………………….
Website: …………………….
I hereby withdraw my consent to the processing of personal data provided by me for the purposes of obtaining a newsletter., advertising messages or other marketing materials, as I am aware of the conditions for withdrawal of consent in accordance with the Mandatory information on the rights of persons for personal data protection of the e-shop.
In the event of a breach of your rights under the above or applicable data protection legislation, you have the right to lodge a complaint with the Data Protection Commission, as follows:
Name: Commission for Personal Data Protection.
Headquarters and address of management: city. Sofia 1592, this is a. "Prof.. Tsvetan Lazarov ”№ 2
Mailing address: city. Sofia 1592, this is a. "Prof.. Tsvetan Lazarov ”№ 2
Phone: 02 915 3 518
Web page: www.cpdp.bg
Appendix No. 2
Request to be forgotten – to delete personal data, related to me
Your Name*: …………………….
your e-mail, with which you have registered or used for orders in the e-shop *: …………………….
Feedback data (e-mail)*: …………………….
To
Name: …………………….
UIC / BULSTAT: …………………….
Headquarters and address of management: …………………….
Mailing address: …………………….
Phone: …………………….
E-mail: …………………….
Website: …………………….
Please all personal data, which you collect, process and store, provided by me or by third parties, which are related to me, according to the specified identification, to be deleted from your databases.
I declare, that I know, that some or all of my personal data may continue to be processed and stored by the controller for the purpose of fulfilling his legal obligations.
In the event of a breach of your rights under the above or applicable data protection legislation, you have the right to lodge a complaint with the Data Protection Commission, as follows:
Name: Commission for Personal Data Protection.
Headquarters and address of management: city. Sofia 1592, this is a. "Prof.. Tsvetan Lazarov ”№ 2
Mailing address: city. Sofia 1592, this is a. "Prof.. Tsvetan Lazarov ”№ 2
Phone: 02 915 3 518
Web page: www.cpdp.bg
Appendix No. 3
Request for portability of personal data
Your Name*: …………………….
your e-mail, with which you have registered or used for orders in the e-shop *: …………………….
Feedback data (e-mail)*: …………………….
To
Name: …………………….
UIC / BULSTAT: …………………….
Headquarters and address of management: …………………….
Mailing address: …………………….
Phone: …………………….
E-mail: …………………….
Website: …………………….
Please all personal data related to me, which are collected, process and store in your databases, to be sent in XML format to:
e-mail: …………………….
Administrator - receiving the data: …………………….
Name: …………………….
ID (EIK, BULSTAT, reg. KZLD number): …………………….
E-mail: …………………….
In the event of a breach of your rights under the above or applicable data protection legislation, you have the right to lodge a complaint with the Data Protection Commission, as follows:
Name: Commission for Personal Data Protection.
Headquarters and address of management: city. Sofia 1592, this is a. "Prof.. Tsvetan Lazarov ”№ 2
Mailing address: city. Sofia 1592, this is a. "Prof.. Tsvetan Lazarov ”№ 2
Phone: 02 915 3 518
Web page: www.cpdp.bg
Appendix No. 4
Request for correction of data
Your Name*: …………………….
your e-mail, with which you have registered or used for orders in the e-shop *: …………………….
Feedback data (e-mail)*: …………………….
To
Name: …………………….
UIC / BULSTAT: …………………….
Headquarters and address of management: …………………….
Mailing address: …………………….
Phone: …………………….
E-mail: …………………….
Website: …………………….
Please the following personal data, which you collect, process and store, provided by me or by third parties, which are related to me, to be adjusted as follows:
Data, which are subject to adjustment:
…………………………………………..
Please correct them as follows:
…………………………………………..
In the event of a breach of your rights under the above or applicable data protection legislation, you have the right to lodge a complaint with the Data Protection Commission, as follows:
Name: Commission for Personal Data Protection.
Headquarters and address of management: city. Sofia 1592, this is a. "Prof.. Tsvetan Lazarov ”№ 2
Mailing address: city. Sofia 1592, this is a. "Prof.. Tsvetan Lazarov ”№ 2
Phone: 02 915 3 518