Information about the Administrator of personal data
- Name: Bigarena Ltd, UIC/BULSTAT: 204072747.
- Registered office and registered address. BULGARIA, ul. Golyamokonarsko shose, 29.
- Address for correspondence. BULGARIA, ul. Golyamokonarsko shose, 29.
- Phone: 087 628 8653.
- E-mail: firstname.lastname@example.org.
Information on the competent supervisory authority
- Name: Commission for Personal Data Protection.
- Headquarters and management address: Sofia 1592, “Prof. Tsvetan Lazarov” 2.
- Address for correspondence: Sofia 1592, “Prof. Tsvetan Lazarov” 2.
- Phone: 02 915 3518.
- Website: www.cpdp.bg.
Basis for collecting, processing and storing your personal data
Art. 1. The administrator collects and processes your personal data on the basis of Art. 6, para. 1, Regulation (EU) 2016/679, and more specifically based on the following:
- Explicit consent obtained from you as a service user/customer.
- Performance of the Administrator’s obligations under a contract with you.
- Compliance with a legal obligation applicable to the Administrator.
- Protect the vital interests of you or another individual.
- The performance of a task of public interest or in the exercise of official authority of the Administrator.
- For the purposes of the legitimate interests of the Controller or a third party.
Purposes and principles of collecting, processing and storing your personal data
Art. 2. (1) The administrator collects and processes the personal data that you provide to us for the purposes of implementing
obligations under the contract, including for the following purposes:
- accounting purposes;
- statistical purposes;
- information security protection;
- securing the performance of the contract for the provision of the relevant service;
- dispute resolution between you and third parties.
(2) The controller shall comply with the following principles when processing your personal data:
- legality, fairness and transparency;
- limitation of the purposes of processing;
- relevance to the purposes of the processing and minimisation of the data collected;
- data accuracy and timeliness;
- limitation of storage to achieve the objectives;
- integrity and confidentiality of processing and ensuring an appropriate level of security of personal data.
(3) In processing and storing personal data, the Controller may process and store personal data in order to protect its following legitimate interests:
- fulfilling its obligations to the National Revenue Agency, the Ministry of the Interior and other state and municipal authorities.
What types of personal data does the controller collect, process and store?
Art. 3. (1) The administrator performs the following operations with personal data for the following purposes:
- creating a profile to use the service – the purpose of this operation is to identify the person in order to provide the service;
- processing of payment for service and accounting – the purpose of this operation is to enable payment and accounting;
- performance of the contracted service and interaction with online advertising systems, if this is provided for in the contract.
The controller processes the following categories of personal data and information for the following purposes:
- Your personal data (for natural persons: three names, personal identification number, address, e-mail address, telephone number; for legal entities: company name, UIC/PIC, registered office and registered address, correspondence address, VAT number, manager, person with signature authority, MOL) – for the purpose of creating a profile for using the service;
- the type and duration of the services you use – for accounting purposes;
- the value of the services used for the relevant period – for accounting purposes;
- information related to payment and the payment methods chosen- for accounting purposes;
- other data necessary for the performance of the contractual obligations – for the purpose of performing the contractual service.
(2) The controller shall not collect or process personal data relating to the following:
- reveal racial or ethnic origin;
- reveal political, religious or philosophical beliefs, or trade union membership;
- genetic and biometric data, health data or data on sex life or sexual orientation.
(3) The controller shall process the special categories of data referred to in paragraph 2 on one or more of the following grounds:
- Your express consent;
- A requirement of labour and social security law and protection;
- Processing is necessary to protect the vital interests of you or another natural person where you are physically or legally incapable of giving your consent in person;
- The processing is related to the activities of a foundation, association or other non-profit, political, philosophical, religious or trade union legal entity, if the processing is related to the members or former members of that entity, or persons maintaining a relationship with them, with your consent;
- You have made your data public;
- Processing is necessary for the establishment, exercise or defence of legal claims or for the performance of the functions of the courts;
- There is an important public interest based on EU or Member State law;
- The processing is necessary for the purposes of preventive or occupational medicine, for the assessment of an employee’s fitness for work, medical diagnosis, the provision of health or social care or treatment, for the purposes of the management of health or social care services and systems, or under a contract with a medical professional;
- The processing is necessary for reasons of public interest in the field of public health;
- The processing is necessary for archiving purposes in the public interest, for scientific or historical research, or for statistical purposes.
(4) Personal data is collected by the Controller from the following sources:
- provided voluntarily by you when filling in online forms on the site or when requested by the Administrator by email;
- data from web analytics systems and online marketing tools to which you have voluntarily given access to the Administrator.
Storage period of your personal data
Art. 4. (1) The administrator stores your personal data for a period not exceeding 3 years. After the expiration of this period, the Administrator takes the necessary care to delete and destroy all your data without undue delay.
(2) The Controller shall notify you in the event that the data retention period needs to be extended in order to fulfil the purposes, fulfil the contract, in view of the legitimate interests of the Controller or otherwise.
Transfer of your personal data for processing
Art. 5. (1) The administrator may, at his own discretion, transfer part or all of your personal data to processors of personal data for the fulfillment of the purposes of processing in compliance with the requirements of Regulation (EU) 2016/679.
(2) The controller shall notify you in the event of an intention to transfer some or all of your personal data to third countries or international organisations.
Your rights in the collection, processing and storage of your personal data Right of access
Art. 6. (1) You have the right to request and receive confirmation from the Administrator as to whether personal data related to you is being processed.
(2) You have the right to obtain access to the data relating to it and to the information concerning the collection, processing and storage of your personal data.
(3) The controller shall provide you, upon request, with a copy of the personal data processed relating to you in electronic or other appropriate form.
(4) Providing access to the data is free of charge, but the Controller reserves the right to impose an administrative fee in case of repetition or excessive requests.
Right of correction or completion
Art. 7. You have the right to ask the Administrator to:
- correct inaccurate personal data relating to you;
- fill in incomplete personal data relating to you.
Right to erasure (“being forgotten”)
Art. 8. (1) You have the right to ask the Administrator to delete the personal data related to you, and the Administrator has the obligation to delete them without undue delay, when any of the following grounds are present:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- You withdraw your consent on which the processing is based and there is no other legal basis for the processing;
- You object to the processing of personal data relating to you, including for direct marketing purposes, and there are no legitimate grounds for the processing that override;
- personal data have been unlawfully processed;
- the personal data must be erased in order to comply with a legal obligation under EU or Member State law to which the Controller is subject.
(2) The controller is not obliged to erase the personal data if it stores and processes them:
- to exercise the right to freedom of expression and the right to information;
- to comply with a legal obligation requiring processing provided for in EU or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
- for public health reasons;
- for archiving purposes in the public interest, for scientific or historical research or for statistical purposes;
- for the establishment, exercise or defence of legal claims.
Right to restriction
Art. 9. You have the right to request the Administrator to limit the processing of your data when:
- contest the accuracy of the personal data, for a period that allows the Controller to verify the accuracy of the personal data;
- the processing is unlawful, but you do not wish the personal data to be erased, but only for its use to be restricted;
- The controller no longer needs the personal data for processing purposes, but you require it for the establishment, exercise or defence of legal claims;
- You have objected to processing pending verification that the legitimate grounds of the Controller override your interests.
Right to portability
Art. 10. If you have consented to the processing of your personal data or the processing is necessary for the performance of the contract with the Administrator, or if your data is processed in an automated manner, you may, after identifying yourself to the Administrator:
- request the Controller to provide you with your personal data in a readable format and to transfer it to another Controller;
- to request the Controller to transfer your personal data directly to a controller designated by you, where this is technically feasible.
Right to receive information
Art. 11. You may request the Administrator to inform you about all recipients to whom the personal data for which correction, deletion or restriction of processing has been requested has been disclosed. The administrator may refuse to provide this information if it would be impossible or would require a disproportionate effort.
Right to object
Art. 12. You may object at any time to the Administrator’s processing of personal data relating to you, including if it is processed for the purposes of profiling or direct marketing.
Your rights in the event of a personal data breach
Art. 13. (1) If the Administrator detects a violation of the security of your personal data, which may create a high risk for your rights and freedoms, he shall notify you without undue delay of the violation, as well as of the measures that have been taken or are about to be taken . (2) The administrator is not obliged to notify you if:
- has taken appropriate technical and organisational measures to protect the data affected by the security breach;
- has subsequently taken measures to ensure that the infringement does not result in a high risk to your rights;
- notification would require a disproportionate effort.
Persons to whom your personal data is provided
Art. 14. For the purposes of processing your personal data and providing the service, the Administrator may provide the data to the following persons who are data processors:
- responsible employees of Bigarena Ltd;
- said processors comply with all legality and security requirements when processing and storing your personal data.
Art. 15. Consent does NOT apply to transfer, as the administrator does not share the data entrusted to him with third parties.