GENERAL PERSONAL DATA PROTECTION POLICY
(in force as of 24.05.2018)
I. SCOPE AND APPLICATION
HRT OOD (“we”, “our” or “us”), UIC 121099920, seat and registered address: Sofia 1784, 111V Tsarigradsko Shose Blvd., as a personal data controller, realizes the importance of protecting your personal data.
The purpose of this General Personal Data Protection Policy (the “General Policy”) is to inform you regarding the following:
- The categories of personal data we collect and process:
(i) when you sign up or use our website www.hrt-holds.com or some of the associated to it sites or pages in the social media, or when you use another application or online service referring to this personal data protection policy (hereafter referred to as the “Services”);
(ii) when you apply for a job position we have announced or during the process of recruiting or hiring you as our employee, worker or subcontractor;
(iii) when you get in touch with us (including via some of our websites) or ask us to provide information regarding the goods and services we offer;
(iv) when we conduct the work you have assigned us, including the sale of goods and services we offer.
- The sources and methods in which we collect and protect the personal data we process.
- The purposes for processing your personal data and the legal basis for doing so.
- Collecting and processing children’s personal data.
- The cases when we transfer your personal data to third parties.
- The term for which we retain your personal data and when we delete the same.
- Your rights in respect to your personal data processing.
- Your personal data protection.
- The means through which you can contact us on matters related to your personal data processing.
This General Personal Data Protection Policy applies every time when we process your personal data. Our special policies for protecting certain data categories apply in addition to this General Policy.
We may from time to time update this General Personal Data Protection Policy. When we do so, we will publish on our website a notification of the update, as well as the amended version of the policy.
Should you have any questions related to this General Policy, don’t hesitate to contact us through any of the methods described in the end of this document.
For the purposes of this General Policy:
“Personal Data” means any information related to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, psychological, mental, economic, cultural or social identity of that natural person
“Sensitive Personal Data” includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation
We do not process sensitive personal data unless necessary to carry out our regulatory obligations, for example the obligations we have under the labour or anti-discrimination laws. Please do not send or otherwise provide us with any sensitive personal data related to you (or someone else) unless we have expressly asked you to do so in writing and after we have confirmed to you that we have the necessary consents and that all other legal requirements for data processing have been met.
“Personal Data” does not include data that can not be related to or associated with a particular natural person.
II. THE CATEGORIES OF PERSON DATA WE PROCESS
The Personal Data we process includes:
Basic information, such as your name (including title), the organization you represent or work for and your position in the same.
Contact information, such as postal address, email, telephone number, fax number, and Skype name.
Financial information, such as your credit/debit card number or your bank account in respect to particular transaction or series of related transactions.
Technical information, such as data generated as a result of your use of the website or an application embedded in the same (app, plug-in, etc.), as well as information regarding materials and communication received from you or sent to you electronically.
Information in connection to business meetings, such as any information you provide us regarding your participation in business seminars, conferences and other similar commercial events organized by us or some of the businesses associated with us.
Other personal data provided to us by you or on your behalf or generated in relation to the preparation or execution of an order you have placed with us, such as the history of the orders and payments.
III. SOURCES AND METHODS OF PERSONAL DATA COLLECTION
- Personal data you provide directly to us
Part of the personal data we collect and process is provided by you directly (e.g. when you sign up or use some of the websites we operate or contact us via telephone or online to apply for a job or obtain information for the goods and services we provide or the status of execution of your order).
To specify, personal data that you provide directly to us include:
Identification data, such as your name, date of birth, permanent address, delivery address or correspondence address, telephone number, email address, password and user name when you create your own customer account in some of the websites we operate (as far as the respective website supports such a functionality);
In some cases, the personal data you provide may include age, gender, interests or membership in branch organization;
The personal data contained in the electronic communication you have sent us, such as the data in an email message addressed to us, our employee or sales representative;
Data created by you in the context of assigning and executing orders you have created via a website we operate or otherwise, such as the orders history, including data for the date of the assignment and/or acceptance of the orders and the status of their execution;
Financial information, such as your credit/debit card number or your bank account for the purpose of execution of a particular financial transaction or series of such transactions;
Personal data generated by you or related to your customer account in the respective website, such as data you input when you update your customer account or information of the products you have added to your cart or wish list;
Data you generate when you use certain social media plug-ins, such as Facebook’s “like” or “follow” plug-ins for the purpose of expressing your attitude toward certain material or content published on our websites or social media pages;
Other personal data you supply per our request when we are required or permitted by law to collect the subject data in order to identify you or confirm the information we already have.
In certain cases, when permitted by law, we collect data related to criminal convictions and offences. For example, when we are prohibited by law to hire on certain positions individuals who have been convicted of certain crimes, we will process the date provided by you only as long as necessary to comply with our legal obligation.
- Automatically collected personal data
Part of the processed by us personal data is collected automatically when you sign up or use a website operated by us in order to contact us or place an order. This information is provided by the devices (such as your personal or work computer, smartphone, tablet, etc.) you use to access our websites, social media pages or the applications and other online services we offer and include you’re the ID of your device or the unique identifier related to the device or browser you use, location data, the type of the device or browser you use.
We do not use automated decision-making, including profiling as a result of automated personal data processing.
- Personal data we collect from other sources
In addition to the personal data we collect directly from you or the device you use, we collect data from other sources. As an example, in some cases, if not prohibited by law, we collect information related to your credit history as well as other similar information provided by а credit bureau or licensed credit or financial institutions you have had or have financial or business relations with.
Personal data provided by third parties include data contained in your public profile in the social, to which we get access when you choose to sign in your customer account using your social media account, such as Facebook or G+. Note that most of the data published in your profiles in the social media, such as your public profile, location data, language, public posts and comments, are publicly available which leads to certain responsibilities and poses certain risks to the inviolability of your personal space. You control what data you share with us through the site settings of the respective social media, as well as the consents you give us in relation to the processing of your personal data contained on the social media sites.
IV. THE PURPOSES FOR PROCESSING YOUR PERSONAL DATA AND THE LEGAL BASIS FOR DOING SO
We collect, keep and otherwise process personal data as long as this complies with the law and our personal data protection policies. We process personal data for various business purposes and on various legal bases. In accordance with the applicable law, we must have a legal basis for processing your personal data. Depending on the basis on which we process your personal data, you have certain rights. You can find further information on your rights in Section IX.
In particular, we process the personal data we have collected on the legal bases listed below for one or more of the following purposes:
We process your personal data for the purposes of executing and performing a contract with you.
We can collect and process your personal data in order to execute and perform a contract with you and to take certain steps before the execution of the contract per your request. The main purposes for processing your personal data on this basis are as follows:
– to identify a customer who wants to order or has ordered products and services we offer and persons who want to become or has already become our suppliers or subcontractors;
– to establish the legal ground for conclusion of a contract, as well as the additional requirements for the validity of the contract, such as the presence of third parties’ consents;
– for preparation and communication of offers for execution of amendment of a contract, drafts of contracts, and distance contracts;
– to provide additional information and clarifications regarding the characteristics and the method of use of the products and services we offer;
– to execute an order for products and services placed by a customer;
– to prepare accounts, invoices, credit/debit notes and statements for our sales or free deliveries of products and services;
– to trace the payments for placed orders;
– to contact customers, suppliers and subcontractors on matters related to the execution or amendment of concluded contracts for delivery of goods and services;
– to provide oral and written technical advice and information, including advice on the optimal and safe use of the products and services we offer;
– to send messages, newsletters and notifications for recall of certain products from the market;
– to perform our obligations under the product warranties we provide;
– to coordinate the execution of a particular contract with a customer or a subcontractor;
– to conduct credit risk assessments, including when the payment of contractual obligations is deferred;
– to review and analyse the complaints and signals related to our products and services to take the necessary measures for eliminating the issues related to the performance of the contracts we have concluded or the use of products or services we have delivered;
– to establish and prevent any unlawful activities by customers, including activities contradicting to a legally-binding contract with us;
– to prevent unauthorized disclosure, usage, amendment or destruction of confidential information or other legally protected information;
– to ensure the normal functioning of the operated by us electronic stores or other channels for sale and distribution of our products and services;
– to register customer accounts on the websites we maintain and operate.
We process your personal data in order to perform the legal obligations we have under the law of the European Union and the EU member states.
Specifically, we process personal data when we perform the legal obligations we have due to the fact that we are simultaneously an employer and a seller/purchaser of goods and services. In this regard, we process personal data in order to carry out our specific obligations that originate from or are related to the following:
– social security rights of the employees, workers and subcontractors, including the obligations we have under the Social Security Code, Health Insurance Act and the acts governing the individual taxation of the natural persons, as well as their equivalents in the other member states of the EU;
– sales (including distance sales) of goods and services to consumers within the meaning of the Consumer Protection Act;
– identification of customers when necessary for carrying out the obligations we have under the Measures Against Money Laundering Act or the Measures Against the Financing of Terrorism Act;
– the lawful accounting of the economic operations in which we participate, including the taxation of the deliveries of goods and services performed or received by us;
– our obligation to assist the competent authorities in the course of the audits, revisions, and inspections they conduct and in other cases when such authorities exercise their control rights on legal grounds;
– our participation in court proceedings and related procedures as a party or as a third liable party, such as for example our obligation to provide data and information necessary for the resolution of a particular legal dispute;
We can collect and process your personal data with your consent
In some cases, upon receipt of your consent to process your personal data for a specific purpose, we can use these data as follows:
– for direct marketing purposes in relation to the products and services offered by us or our affiliates, where the marketing may be performed in the form of phone calls, sending letter, SMSs or emails. For example, if you subscribe to our newsletter or wish to receive promotional offers, we can ask you to provide us personal data, such as your name, telephone number, email address, as well as other relevant information. If you no longer want to receive promotional and marketing messages from us, you can let us know at any time or simply follow the unsubscribe instructions contained in the communications and messages sent to you We take measures for limiting the marketing content sent by us to reasonable and proportional amount by sending you only content we believe could be interested or relevant to you based on the information we have;
– for the purposes of your participation in various polls, surveys and events of commercial or non-commercial nature, such as parties organized by us or some of our associate businesses;
– for performing specific obligations to you originating stemming from the law or a contract, as long as the processing of the respective personal data (for example health information or other sensitive personal data) is not prohibited by the law.
You have the right to withdraw your consent for personal data processing at any time. Further information about this right can be find below.
We can process your personal data when we have legal (legitimate) interest to do so, such as for example, our legitimate interest to:
– constantly improve and develop the products and services we offer, including their functionalities, design and/or content;
– encourage and monitor the introduction and implementation of enhanced and/or innovative measures for the safe use of the products and services offered by us or our affiliates;
– monitor and analyse our performance on the respective market;
– develop the skills of our personnel and subcontractors in respect to working with customers on the respective markets;
– personalize the products and services we provide in order to increase your overall satisfaction by them and your communication with us;
– monitor the technical condition of our information systems and resources, including our electronic stores and other websites, as well as to eliminate problems with the proper functioning, security and integrity of the same.
V. COLLECTING AND PROCESSING CHILDREN’S PERSONAL DATA
We understand the importance of taking additional measures for protecting the personal data of children who use our products and services, including the websites we operate. We do not collect personal data from children who are younger than 16 or data related to children younger than 16 without parental consent or, if applicable, without the consent of another individual who can legally consent to the processing of the personal data of the child (such as the guardian of the child).
We do not allow children younger than 16 to create their own customer accounts on the websites we operate or to otherwise provide us with their personal data.
If we find out that we have collected or processed personal data of a child without having the required by law parental consent, we will take measures for destroying such information without any undue delay.
VI. IN WHAT CASES WE TRANSFER YOUR PERSONAL DATA TO THIRD PARTIES
- Third parties processing data on behalf of the Company
We may assign the processing of your personal data to third parties – subcontractors who assist us with the data processing. These third parties process your data on our behalf and in correspondence with our instructions for all or some of the purposes indicated in this General Policy. We do not allow third parties – subcontractors to use your personal data for their own purposes, including for direct marketing.
We require all third parties that process your personal data on our behalf to process the data in accordance with the applicable law and to guarantee the safety of the data, including by taking the necessary technical and organizational measures for personal data protection. The categories of recipients that process personal data on our behalf are:
- accounting and audit companies that process personal data for the purposes of accounting and auditing our financial reports, as well as for complying with our obligations under the labour, tax, and insurance laws;
- entities that provide services of the information society, including hosting services and/or information and technical services related to the maintenance, security and development of our information and communication infrastructure and resources;
- licensed postal operators and transport or forwarding companies when we deliver products you have ordered, as well as licensed suppliers of payment services for the purposes of processing payments from/to you;
- security companies having license to provide private security services for the purposes of guaranteeing the safety in and the controlled access to the buildings and premises we own or use on legal grounds; and
- state authorities to which we are legally obliged to provide your personal data, such as courts or administrative bodies performing regulatory, supervisory or other similar functions (for example the Consumer Protection Commission, the Personal Data Protection Commission, the Competition Protection Commission, as well as other competent authorities that are legally allowed to collect and process personal data).
- To protect our legitimate interests
In some cases, when this is necessary to protect our legitimate interests, we can disclose your personal data to third parties, such as:
- our legal counsels and representatives for the purposes of obtaining legal advice or preparing and organizing our representation in pending or potential legal disputes, including for the purpose of participating in a mediation procedure or another voluntary dispute resolution proceeding;
- entities that have acquired part of or our whole enterprise or activity as a result of a reorganization (such as merger, acquisition, etc.), a commercial transaction with us (such as sale, exchange) or an act of a competent authority.
- Entities, for which we have received your consent, such as:
- companies that can provide you with information or offers for their own products and services.
VII. THE TERM FOR WHICH WE RETAIN YOUR PERSONAL DATA AND WHEN WE DELETE THE SAME
We retain your personal data for such period as required or allowed to fulfil the purposes for which we process the data. Upon fulfilment of these purposes or in case we no longer have legitimate interest or legal basis for data processing (for example, when the consent for processing has been withdrawn), we will erase your personal data without undue delay.
The criteria that serve as grounds for determination of the period of retention of your personal data include: (а) the period for which we maintain commercial relations with you and provide you with our services, (b) the periods for data retention set forth in the legal regulations that apply to us, and (c) the period for which are required to retain your data for in connection to our participation and the protection of our rights and legal interests in court and administrative proceedings and the expiration of the respective limitation periods.
We will retain the personal data, contained in our accounting books, for the periods set forth in the Accounting Act.
VIII. HOW IS YOUR PERSONAL INFORMATION PROTECTED
When processing your personal data, we take the necessary technical and organizational measures to protect such data from unauthorized access, amendment, or erasure. These measures include the following:
- establishing internal policies for personal data processing in order to prevent unauthorized access to the systems and premises where we store your personal data;
- setting forth a duty of confidentiality for our employees, subcontractors and suppliers;
- assigning the processing of your personal data only to organization that process personal data in accordance with the law and provide guarantee for the data’s security, including through taking the required technical and organizational measures for the protection of your personal data.
IX. YOUR RIGHTS IN RESPECT TO YOUR PERSONAL DATA PROCESSING
At all times during the period of processing of your personal data, you have certain rights that are listed below.
You can exercise your rights under this Policy and the General Data Protection Regulation by sending an email or a letter to our Data Protection Officer describing your specific request. If possible, your request shall be signed by hand or with a qualified electronic signature. If you are not able to sign your request in one of the aforesaid ways, we may ask you to provide additional information in order to establish your identity.
We will respond to your request free of charge and without undue delay. In the event we receive duplicated requests, we may decline to take action on the request or set a fee (based on the expenses on our part) that you will have to pay in order for us to provide you the information or communication or take the requested actions.
RIGHT OF ACCESS AND INFORMATION
You have the right to request and receive:
- information about the purposes for which we process your personal data, the categories of personal data that we process and the recipients or categories of recipients to which we disclose your personal data to, as well as any other information regarding the source of your personal data;
- a copy of your personal data we process in electronic or other suitable form.
RIGHT OF RECTIFICATION AND COMPLETION
If you find out that the personal data we process are inaccurate and/or incomplete, you can ask us to rectify and/or complete them.
RIGHT OF OBJECTION
When we process your personal data based on our legitimate interest, you have the right to object to such processing. We will cease the processing of your data without undue delay and will erase the data unless we have compelling legitimate grounds to continue processing your data, which override your rights and legal interests or if the processing of your personal data is required for the establishment, exercise or defence of legal claims. Moreover, you have the right to object at any time to the processing of your personal data for marketing and advertising purposes. We will terminate the processing without undue delay, immediately upon receipt of your objection.
RIGHT TO RESTRICTION OF PROCESSING
You have the right to ask us to suspend the processing of your personal data in the future when:
- you believe that the personal data we process is inaccurate and you want us to rectify them for the period necessary for us to verify the accuracy of your data and make the required rectifications;
- it is established that for some reason we unlawfully process your personal data, but you do not want to erase your data, instead you want us to process only part of your data;
- we no longer need your data but you want us to retain the same for the purpose of exercising your rights or defending against legal claims of third parties, or
- you have objected to the processing your personal data (when we process the date based on our legitimate interest), but we need to verify whether we have legitimate grounds or legal obligation to process your personal data.
RIGHT TO ERASURE (“RIGHT TO BE FORGOTTEN”)
You have the right to ask us to erase your personal data and we are obliged to erase the same without undue delay when:
- your personal data are no longer necessary for the purposes for which they have been collected or otherwise processed;
- you have withdrawn your consent on the basis of which the data processing was conducted and there is no other legal ground for the processing;
- you have objected to the processing and we have no legitimate grounds overriding your interests, rights, and freedoms;
- your personal data have been unlawfully processed;
- your personal data have to be erased in compliance with our legal obligation;
- your personal data have been collected in relation to the offer of information society services.
In some cases, we will not be able to comply with your request, such as when the processing of your personal data is necessary for the following:
- exercising the right of freedom of expression and information;
- compliance with a legal obligation that we have;
- the establishment, exercise or defence of legal claims.
RIGHT TO WITHDRAW YOUR CONSENT
When we are relying on your consent in order to process your personal data, you have the right to withdraw your consent with immediate effect. In this case, we will stop any future processing of your personal data.
PORTABILITY OF YOUR DATA
When we process your personal data on the basis of your consent or in order to perform any contractual obligations we have to you, as long as this does not adversely affect the rights and freedoms of other people, you have the right to obtain the data that you have provided to us in structural, frequently used, machine-readable form or, if technically possible, to ask us to transfer the data to a third party.
RIGHT TO COMPLAIN
If you believe that we process your personal data in a way that does not comply with the applicable law, you have the right to file a complaint to the competent authority. You can contact the supervisory authority with jurisdiction at your place of residence or your country or the supervisory authority with jurisdiction at our domicile.
The competent authority in the Republic of Bulgaria is the Personal Data Protection Commission with address:
2, Prof. Tsvetan Lazarov Blvd.
tel.: 02/915 – 3518
X. HOW TO CONTACT US
On all matters related to the processing of your personal data or exercising your rights, you can contact our Data Protection Officer in one of the following ways:
Via email, by sending an electronic message to firstname.lastname@example.org
Via mail, at postal address: Sofia 1784, 111V Tsarigradsko Shose Blvd., fl. 3