PRIVACY POLICY
With this Privacy Policy, as Kastamonu Bulgaria AD, a company registered with the Bulgarian Commercial Register and Register of Non-Profit Legal Entities with Unified Identification Code (UIC) 123006579 with its seat and registered address in Republic of Bulgaria, Stara Zagora Region, Pavel Banya Municipality, 6151, Gorno Sahrane Village, in the capacity of the controller (hereinafter referred to as “controller”, “we”, “us”, “our”) pursuant to the meaning laid down in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), and the local Personal Data Protection Act (“PDPA”) and the relevant Bulgarian legislation and sublegislation, we would like to inform you about the processing of your personal data.
This Privacy Policy aims to inform our customers, suppliers, business partners, dealers, consultants and website visitors about the specifics of our collection of your personal data related to all kinds of communications received and sent through our website.
Detailed information on personal data processed through cookies on the website is contained in the "Cookie Policy".
Your personal data can be collected under two different scopes, by filling out the Contact Form on our website and as part of the E-Newsletter Subscription. In this context, your personal data regarding your identity, contact details and other information about yourself, which you may have provided us via the Contact Form, are processed.
In general, this Privacy Policy will inform you regarding the following main questions concerning the processing of your personal data:
1. CATEGORIES OF PERSONAL DATA PROCESSED;
2. PURPOSES OF PROCESSING PERSONAL DATA;
3. TRANSFER OF PERSONAL DATA;
4. LEGAL GROUNDS FOR PERSONAL DATA PROCESSING;
5. DATA RETENTION RULES;
6. DATA PROTECTION AND DATA PRIVACY MEASURES;
7. RIGHTS OF THE DATA SUBJECTS;
8. HOW TO CONTACT US.
CATEGORIES OF PERSONAL DATA PROCESSED
Regardless of the way in which you have sent us communications (via the respective Contact Form on our website and/or via the E-Newsletter Subscription), we obtain directly and automatically from you or we may ask you to provide us with certain information about yourself.
Your personal data collected in regard to communications handled may include the following categories:
Personal data related to your identity: names;
Contact information: e-mail address, telephone number, city and country of residence;
Personal data about you, which you may have provided us via the Contact Form.
Considering that we are processing your personal data in order to manage and respond to all of the communications which you have sent us (or for the purposes of direct marketing activities performed on our part), this processing appears necessary to fulfil those purposes. If you do not provide us with the respective information – for example, your names, contact information, etc., as the case might be, we will not be able to exercise our assistance in view of your requests or complaints. In any case, when collecting your personal data, we shall explicitly inform you whether providing the respective data is necessary and what shall be the consequences if you refuse.
PURPOSES OF PROCESSING THE PERSONAL DATA
Your personal data obtained within the scope of the Contact Form may be processed for the following purposes:
Exercising, planning and execution of all kinds of communication activities for all customers, non-customers and suppliers;
Managing the process of evaluating requests and complaints;
Sending all incoming requests and complaints to the relevant department, dealers or third-party companies for resolution and recording those requests and complaints and sharing the answers with the relevant people;
Sending commercial messages for the purpose of giving information within the scope of marketing activities;
Notification of joint work with third party companies.
Your personal data obtained from E-Newsletter Subscription can be processed for the following purposes:
Sending commercial messages for the purpose of providing marketing information;
Notification of joint work with third party companies.
TRANSFER OF PERSONAL DATA
Your personal data, depending on the nature of the activity performed, for which processing personal data appears necessary, may be transferred to any of the following third parties:
Companies and organizations, including within our corporate group, from which we receive various information technology services (e.g. Microsoft as a provider of cloud services serving for personal data storage), or cooperate with in compliance with the applicable legislation and for the purposes specified in this Privacy Policy.
Companies and organizations – suppliers of goods and services (for example, suppliers of goods which we offer/sell, companies operating direct marketing activities on behalf of the controller, operating processes related to resolution and recording of requests/complaints on behalf of the controller, consultants, etc.), with which explicit contracts have been concluded;
Public bodies and institutions, courts, prosecution, upon explicit request thereof, and in performance of our legal obligations under the respective applicable legislation;
Your personal data are transferred to third parties located in the Republic of Turkey, for which third country outside the European Union, the European Commission (“EC”) has not yet adopted an Adequacy Decision. Therefore, and in order to ensure appropriate safeguards as regards the protection of the data transferred, we have concluded standard contractual clauses (issued by the EC as of 4 June 2021) with the respective company, part of our corporate group.
Additionally, the partner organizations which provide us with the respective information technology services (provision and support of IT systems, etc.) utilize Microsoft-based software products, as well as take the highest level of organisational and technical measures to ensure the protection of your personal data. We shall only transfer to these partner organizations the personal data they need in order to provide the contracted services to us, without further allowing them to use your personal data for their own purposes.
As regards to your personal data obtained through the Contact Form on our website, it may be shared with suppliers of ours in case of a complaint regarding the quality of products or services which we offer/sell. In the event that the respective suppliers are located outside the EEA territory, and to whom personal data may be transferred, we shall ensure the appropriate safeguards with respect to the protection of personal data transferred (in terms of standard contractual clauses to be executed with the same suppliers).
LEGAL GROUNDS FOR PROCESSING PERSONAL DATA
Your personal data are collected and processed automatically when you provide us with the relevant information via either the Contact Form, or through the E-Newsletter Subscription opt-in setting, found on our website. The respective personal data, which you have submitted under any of the two scopes, may be processed on the following legal grounds:
When there is an explicit consent given – Art. 6, para. 1, l. “a” of the GDPR (applicable to the processing of personal data for direct marketing purposes);
When the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract – Art. 6, para. 1, l. “b” of the GDPR (as regards to complaints/requests/offers submitted under our Contact Form in regard to contracts which you are party to);
When the processing is necessary for the legitimate interests of the controller, or by a third party, provided that it does not harm the fundamental rights and freedoms of the data subject – Art. 6, para. 1, l. “f” of the GDPR (with respect to filing and defending against legal claims).
DATA RETENTION RULES
Pursuant to the applicable data protection legislation, we have implemented and follow an internal general data privacy policy, which sets out the retention periods for which we store your personal data. The periods concerned are based on (a) the type of information we collect and (b) the purposes for which we collect it.
In principle, we retain your personal data for as long as is necessary for the processing purposes for which the data is collected, or until the expiration of a statutory period. Your personal data are stored, and respectively erased, destroyed or anonymised, in compliance with the relevant legislative provisions, after being stored for the period required by either the same legislative provisions or for the purpose for which they are initially processed.
For instance, in events where we process your personal data collected for direct marketing purposes on the basis of your explicit, informed consent (given through the E-Newsletter Subscription opt-in setting), we limit the storage of the personal data concerned to 2 (two) years from the time of obtaining the relevant consent. In any case, should you opt-out of receiving further direct marketing communications in accordance with the procedure laid down in our “Terms and Conditions”, the processing carried out prior to the withdrawal of the respective consent, shall be deemed lawful. Furthermore, the relevant personal data may continue to be processed on a different legal ground (e.g. legitimate interest of the controller as regards to filing and defense against legal claims) until the expiry of the legally required period concerned.
It is our legitimate interest to retain some of your personal data collected in view of contracts executed (or to be entered) for the statute limitation period for making claims – 5 (five) years as of the expiry or termination of the contract concluded with you. Furthermore, we will not delete or anonymize your personal data if it is necessary for any pending judicial or administrative proceedings on complaints you may have against us.
For all other cases regarding personal data collected on the grounds of explicit consent (for example, personal data obtained via the Contact Form on our website in view of an offer or request you may have), we shall limit the retention period to 2 (two) years as of the time of obtaining the relevant consent (the moment of receiving the electronic communications in our systems).
DATA PROTECTION AND DATA PRIVACY MEASURES
In performance of our legal obligations as per the GDPR and the local applicable data privacy legislation, we have implemented appropriate technical and organizational measures to ensure a high level of security to the personal data we process.
In view of the above, we have adopted all the necessary internal policies and procedures, while defining the respective data protection records to be maintained, including on paper, the persons who are responsible for their protection, as well as those who may access them. We have also explicitly stipulated the rules regarding the storage periods of the personal data processed, and the procedures for their destruction.
With respect to the personal data collected automatically for the purposes specified in this Privacy Policy, it is stored in a Dynamics CRM Online Cloud system, owned by Microsoft in its capacity of data processor (on behalf of the controller). In this regard, and in order to ensure its compliance with the GDPR Microsoft has implemented all the appropriate technical and organizational measures. You can find more information as regards to Microsoft’s regulatory compliance measures at: https://learn.microsoft.com/en-us/dynamics365/get-started/gdpr/.
The remote access to the systems concerned is allowed only through an encrypted VPN connection, whereas the employees, who may access the respective electronic systems used by the controller, must use an individual personal profile with specific username and password, the disclosure of which is strictly forbidden. Furthermore, we utilize appropriate antivirus and cybersecurity software products, ensuring the necessary level of protection against security breaches and malicious attacks.
On a physical level, we have ensured a system of measures related to the protection of the buildings, premises and facilities in which personal data processed and stored may be accessed, including by means of chip cards for access to premises, locks, separate cabinets, including locked cabinets, metal crates, fire alarms, equipment on the premises appropriate to the needs, purposes and level of impact of the processing of personal data. In cases of transfer of personal data, we require our suppliers and partner organizations who have access to your personal data to use appropriate measures to ensure the protection and confidentiality of your personal data. However, you are also responsible for safeguarding your personal data that you share with us over the Internet. Unfortunately, the transmission of information over the Internet may not be completely secure, despite the measures we have taken, given the passage of the same through the networks, channels and platforms of third party electronic service providers. Therefore, please note that the transmission of your personal information over the Internet is done at your own risk.
RIGHTS OF THE DATA SUBJECTS
In relation to your personal data, you have certain rights which are granted to you pursuant to the GDPR and the other applicable local legislation. Sometimes certain rights can only arise and be exercised on certain grounds for processing your personal data; other rights are subject to certain limitations and exceptions under the law. To exercise your rights or ask questions, you should direct your request to the email or contact address below.
Specifically, you have the following rights under applicable law:
1. Right of access to your personal data processed
You have the right of access and can request more detailed information about whether we process your personal data, what categories, for what purposes, to whom we disclose it, etc. If you have requested, we will provide you with access to your personal data that is being processed in the form of a copy. The copy is free of charge. If you request further copies or individually formatted or more detailed information or disproportionately exercise (abuse) your rights, we may charge you a reasonable fee to cover our administrative costs for producing them. When you have made the request by electronic means, we will, where possible, provide the information to you in a commonly used electronic form, unless you have requested otherwise from us.
2. Right of rectification of the inaccurate personal data related to you
When you want us to correct your personal data, you may request that we also notify the third parties to whom it has been disclosed, except where this is impossible or involves excessive effort.
3. Right to erasure (“right to be forgotten”) of your personal data processed
You have the right to request the erasure of your personal data when they are no longer necessary for the purposes for which they were initially collected or otherwise processed; when you withdraw your consent to the processing of your personal data and there is no other legal basis for the processing; when you object to processing based on a legitimate interest and it does not override your rights, freedoms and interests; when processing is without legal basis or the erasure of your personal data is our legal obligation under Bulgarian or European law. Pursuant to the latter, we have the right to continue processing despite your request for erasure in order to comply with our legal obligations under the law of the Republic of Bulgaria or the European Union law that require processing of your personal data or where necessary for the establishment, exercise or defense of legal claims.
4. Right to restriction of the processing of your personal data
Where the processing of your personal data has been restricted, we could still continue processing it in two cases:
with your explicit consent; or
for the establishment, exercise or defense against legal claims or for the protection of the rights of another natural person or for important reasons of public interest for the European Union or a Member State.
5. The right to receive the personal data that you have provided to us and that concerns you and to transmit those data to another controller (“right to portability”)
The right to portability can only be exercised where the following two conditions are met:
it concerns processing carried out by automated means (i.e. this right does not apply to processing of data in the form of paper files); and
the processing of your personal data is based on (i) your consent or (ii) a contract to which you are a party or to take steps at your request before entering into a contract.
You have the right to receive your personal data in a structured, commonly used and machine-readable format or to request a direct transfer of your personal data to another controller where this is technically feasible.
You should be aware that when you exercise the right of portability, this does not result in your data being deleted from our systems. You will be able to continue to benefit from our services even after the data portability operation. Data portability also does not affect the initial retention period that applies to the transmitted data. You may exercise your other rights that are set out in the legislation and we have listed here while we continue to process the data.
6. Right to object to processing of your personal data which is based on the legitimate interest of the controller, including when profiling is carried out on this legal ground
In the event that your personal data is used for direct marketing purposes, you have the right, free of charge and at any time, to object to its processing for this purpose notifying us at the addresses set out at the end of this Notice under How to contact us. Once you have notified us, we shall no longer process the personal data for this specific purpose, however we may continue the processing for the rest of the respective retention period (2 years), if there are other compelling legitimate grounds for the processing, which override your interests, rights and freedoms (such as our interest in regard to filing and defense against legal claims).
7. Right to file a complaint before the competent supervisory authority or before a court if your rights have been violated or you have suffered unlawful processing of your personal data.
In the event of a complaint, you also have the right to contact the Commission for the Protection of Personal Data (“CPPA”):
In writing to the following address: Sofia, 1592, Sofia Municipality, 2, blvd. Tsvetan Lazarov;
Telephone numbers: 02/91-53-519; 02/91-53-555;
Fax: 029153525; or
E-mail: kzld@cpdp.bg
The CPPA website can be found at: www.cpdp.bg
8. Where the processing is based on consent given by you, you have the right to withdraw your consent at any time by notifying us at the addresses listed at the end of this document.
HOW TO CONTACT US
In order to exercise any of your rights listed above or to contact us if you have any questions regarding this document, you may contact us using any of the contact information below:
Contact person on data protection matters: Mrs. Ella Mikolaivna Kobets
You can submit your request by e-mail to the following address: ella.kobets@keas.bg
Address for correspondence: Republic of Bulgaria, Stara Zagora Region, Pavel Banya Municipality, 6151, Gorno Sahrane Village, 24 Shipchenska Epopeya str.
The controller of personal data is Kastamonu Bulgaria AD, a company registered with the Bulgarian Commercial Register and Register of Non-Profit Legal Entities with Unified Identification Code (UIC) 123006579, with seat and registered office in Republic of Bulgaria, Stara Zagora Region, Pavel Banya Municipality, 6151, Gorno Sahrane Village.
As per requests relating to the exercise of your rights, they should be generally made in person or by a person expressly authorized by you.
We shall respond to your request in the form in which you made your enquiry to us - in writing on paper or in electronic form. Where you have made a request by electronic means, where possible the information will be provided to you in a commonly used electronic form unless you have requested otherwise.
Further to the above, we will provide you with information about the action we have taken on your request within one month of receiving it. If necessary, this period may be extended by a further two months, taking into account the complexity and number of requests. If such an extension is necessary, we will notify you within one month of the submission of your request, explaining the reasons for the extension.
The most up-to-date Privacy Policy can always be found on our website. In this regard, you will always be able to inform yourself about any changes which have been made to this Policy.
This Privacy Policy has been adopted and is effective as of 03.02.2023