Notes about the personal data protection policy
This personal data protection policy reflects the current status of personal data which is processed by you.
In order to comply with the requirements of the new Regulation, you should:
- Know about and control all inbound and outbound personal data flows in your company;
- Prepare your staff and teach them what their duties are;
- Ensure data security technically;
- Adjust the processes on your site to requirements (ordering, subscribing to newsletters, processing data via cookies, etc.);
- Comply with the explicit consent policy for direct marketing, remarketing, and more. You are required to receive the explicit consent of the customer on a case-by-case basis! Agreeing with the policy is not enough.
This Policy is adjusted to your relationship with your customers. The most important condition for complying with the requirements of the Regulation is to be aware of the personal data coming in and out of your company, and to tailor the processes on the site.
A good personal data protection policy is a prerequisite for complying with the requirements of the Regulation, but the existence of such a policy does not guarantee an absolute compliance.
Personal data protection policy
Information about the personal data controller:
“CITY DESIGN DEVELOPMENT” Ltd. is an entity, registered in the Commercial Register of the Registry Agency with UIC 131284973, with headquarters and business address: 1680 Sofia, 88 Bulgaria blvd., Phone number: 02808303; e-mail: firstname.lastname@example.org.
Grounds and purposes for which we use your personal information
We process your personal data on the following grounds:
- Contract concluded between us and you in order to fulfill our obligations under it;
- Your explicit consent - the purpose is stated on a case-by-case basis;
- Under a legal obligation;
In the following paragraphs, you will find detailed information about the processing of your personal data, depending on the reason we process it.
FOR EXECUTION OF CONTRACT OR IN THE CONTEXT OF PRE-CONTRACTUAL RELATIONS
We process your personal data in order to perform the contractual and pre-contractual obligations and to use the rights under the contracts concluded with you.
- managing and executing your request and executing a contract;
- preparing an offer for concluding a contract;
- preparing and sending a bill/invoice for the services you use from us;
- to provide you with the full service you need, as well as to collect the due amounts for the services used;
- keeping correspondence in relation to previous orders, processing requests, reporting problems, and more.
- notification of anything related to the services you use from us;
- identify and / or prevent unlawful actions or actions inconsistent with our terms of service;
Data we process on this ground:
Based on the agreement between you and us, we process information about the type and content of the contractual relationship as well as any other information related to the contractual relationship, including:
- personal contact details - names, contact address, email, phone number;
- identification data - names, permanent address;
- data about the orders made;
- correspondence in relation to the entire service - emails, letters, information about your requests for troubleshooting, complaints, requests, feedback we receive from you;
- credit or debit card information, bank account number or other bank and payment information related to the payments made;
- other information such as:
- IP address when visiting our website;
- Information from your actions on the site
The processing of the abovementioned personal data is obligatory for us in order to be able to conclude the contract with you and execute it. Without providing us with this information, we would not be able to fulfill our contractual obligations.
We provide third parties with personal data
We provide your personal information to third parties, and our main purpose is to offer you quality, fast and comprehensive service. We do not provide third parties with your personal data before making sure that all technical and organizational measures are taken to protect this data by striving to carry out strict control to meet this goal. In this case, we remain responsible for the confidentiality and security of your data.
We provide the following categories of recipients (personal data controllers) with personal data:
- postal operators and courier companies;
- persons who, by assignment, keep equipment, software and hardware used for the processing of personal data and necessary for the operation of the company;
- persons performing consultancy services in different spheres.
When do we delete the data collected on this basis?
The data collected on this basis will be erased 2 years after termination of the contractual relationship, whether due to expiration of the contract, termination or other grounds.
FOR THE EXECUTION OF LEGAL OBLIGATIONS
It is possible that we are obliged by law to process your personal data. In these cases, we are required to do so. Examples of these obligations are:
- Obligations under the Measures against Money Laundering Act;
- Execution of obligations in relation to distance selling, off-premises sales provided by the Consumer Protection Act;
- Providing information to the Consumer Protection Commission or third parties in connection with the Consumer Protection Act;
- Provision of information to the Commission on the protection of personal data in relation to obligations provided by the legislation on the protection of personal data;
- Obligations stipulated in the Accountancy Act and the Tax-Insurance Procedure Code and other related normative acts in relation to the lawful accounting;
- Provision of information to the court and third parties, in the course of proceedings in the court, in accordance with the requirements of the normative acts applicable to the proceedings;
- Age authentication when shopping online.
When do we delete personal data collected on this basis?
The data collected according to an obligation under the law is deleted after the collection and storage obligation has been fulfilled or dropped. For example:
- under the Accountancy Act for the storage and processing of accounting data (11 years),
- obligations to provide information to the court, competent state bodies, etc. grounds provided by current legislation (5 years).
Provision of 3rd parties with personal data
When we are required to do so by law, we may give your personal data to the competent governmental authority, a natural or legal person.
AFTER YOUR EXPLICIT CONSENT
We process your personal data on this ground only after you expressly, unambiguously and voluntarily agree. You will not face any unfavorable consequences if you refuse to agree to the processing of your personal data.
Consent is a separate ground for the processing of your personal data and the purpose of the processing is specified therein and is not covered by the objectives listed in this policy. If you give us the appropriate consent and until we withdraw or terminate any contractual relationship with you, we prepare appropriate product / service suggestions for you by performing detailed analyses of your basic personal data.
Advanced analytics is a method of performing an analysis that allows the processing of large volumes of data through statistical models and algorithms and others that involve the use of personal data as well as the processes of aliasing and anonymizing them to retrieve information about trends and different statistical indicators.
Data we process on this ground:
On this ground, we process only the data you have given us your explicit consent for. Specific data is determined for each individual case. Typically, this data is an email and a name.
Provision of data to third parties
We do not provide third parties with your personal data.
Withdrawal of consent
Consent submitted may be withdrawn at any time. Withdrawal of consent will not affect the performance of contractual obligations. If you withdraw your consent to the processing of personal data for any or all of the ways described above, we will not use your personal information and information for the purposes set forth above. Withdrawal of consent does not affect the lawfulness of consent-based processing prior to its withdrawal.
To withdraw your consent, you only need to use our site or simply contact us.
When do we delete the data collected on this basis?
The data collected on this basis is deleted at your request or 12 months after its initial collection.
PROCESSING OF ANONYMOUS DATA
We process your data for statistical purposes, that is, for analyses where the results are only generalized and therefore the data is anonymous. Identifying a specific person from this information is impossible.
Your data can also be anonymized. Anonymisation is an alternative to data deletion. In anonymization, any personally identifiable elements, that is, elements that allow you to be identified, are irrevocably deleted. Anonymized data is not legally required to be deleted because it does not constitute personal data.
Why and how we use automated algorithms
For the processing of your personal data, we use partially automated algorithms and methods to continually improve our products and services and to adapt them to your needs in the best possible way. This process is called profiling.
How we protect your personal information
To ensure adequate data protection for the company and its customers, we apply all necessary organizational and technical measures provided in the Personal Data Protection Act.
For the sake of maximum security when processing, transferring and storing your data, we may use additional security mechanisms such as encryption, pseudonymisation, and more.
Personal data we have received from third parties
We do not get data from third parties.
Each user of the site has all rights to protection of personal data in accordance with Bulgarian and European Union legislation.
The user can exercise their rights through the contact form or by sending a message to our email.
Each User is entitled to:
- Awareness (in connection with the processing of his or her personal data by the controller);
- Access to their own personal data;
- Correction (if data is inaccurate)
- Deleting personal data (right to be forgotten);
- Restriction of processing by the controller or the processor of personal data;
- Portability of personal data between individual controllers;
- Appeal against the processing of his or her personal data;
- The data subject may also not be the subject of a decision based solely on automated processing involving profiling that produces legal consequences for the data subject or similarly affects him or her significantly;
- Entitlement to judicial or administrative redress if the rights of the data subject have been violated.
The user may request deletion if one of the following conditions is true:
- Personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- The consumer withdraws his consent on which the processing of the data is based and there is no other legal basis for the processing;
- The data user opposes the processing and there are no legitimate grounds for the processing that have an advantage;
- Personal data has been tampered with;
- Personal data shall be deleted in order to comply with a legal obligation under Union law or the law of a Member State applicable to the controller;
- Personal data have been gathered in connection with the provision of child information society services and consent is given by parental responsibility for the child.
The customer is entitled to restrict the processing of his personal data by the controller when:
- Opposes the accuracy of personal data. In this case, the limitation of the processing is for a period that allows the controller to verify the accuracy of the personal data;
- Processing is unlawful, but the User does not want personal data to be deleted but instead requires a limitation of their use;
- The controller no longer needs personal data for the purposes of processing, but the User requires them to establish, exercise or protect legal claims;
- Appeals against processing pending verification that the legitimate grounds of the controller have an advantage over the User's interests.
Right of portability.
The data subject has the right to receive the personal data that concerns him and which he has provided to a controller in a structured, widely used and machine-readable format, and has the right to transfer this data to another controller without hindrance by the controller to whom the personal data is provided, when the processing is based on consent or a contractual obligation and the processing is done in an automated manner. When exercising the right to data portability, the data subject is also entitled to receive a direct transfer of personal data from one controller to another when technically feasible.
Right of objection.
Users have the right to object to the controller against the processing of their personal data. The Personal Data Administrator is required to discontinue the processing unless he can prove that there are convincing legal grounds for the processing that take precedence over the interests, rights and freedoms of the data subject or for the establishment, exercise or protection of legal claims. In case of objection to the processing of personal data for the purposes of direct marketing, the processing should be terminated immediately.
Appeal to the supervisory authority
Each User has the right to file a complaint against the unlawful processing of his personal data with the Personal Data Protection Commission or the competent court.
Keeping a registry
We keep a Register of the processing activities for which we are responsible. This Register contains all of the following information:
- Name and contact details of the controller;
- Targets of processing;
- Description of categories of data subjects and categories of personal data;
- The categories of recipients to whom personal data is or will be disclosed, including recipients in third countries or international organizations;
- Where possible, the deadlines for deleting the different categories of data;
- Where possible, a general description of the technical and organizational security measures.