- General terms
- Categories of Data Subjects
- Personal Data Processed
- Purposes and means of Processing
- Retention period
- Third parties
- Data Subject rights
- Data accuracy
|I. GENERAL TERMS
(2) When processing Personal Data, BST complies with all applicable to its activities, including the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data.
Art.2. In this Policy, the following definitions of the terms, deriving from Art. 4 of the Regulation, are used:
|1) “Regulation” – General Data Protection Regulation of 27 April 2016, repealing Directive 95/46/EC on the protection of Personal Data. It has direct effect and implies an amendment to the legislation of the member states in the field of Personal Data protection. Its purpose is to protect the “rights and freedoms” of natural persons and to guarantee that their Personal Data is not being processed without their knowledge, and where possible, processing is subject to their consent.|
|2) “Personal Data” – can be any information that may be related to a natural person who is identified, or a natural person who might be identified, directly or indirectly, through the use of one or more specific features or identifiers associated with that natural person. From the point of view of the nature of the information, the term “Personal Data” includes any kind of statement concerning a person. This entails “objective” information and “subjective” information, opinions or assessments. With regards to the form or medium in which this information is contained, the term “Personal Data” includes information in any form, whether alphabetical, digital, graphic, photographic or acoustic. For example, it includes information stored on paper as well as information stored in computer memory.|
|3) “Special (sensitive) categories of Personal Data” means a particular type of Personal Data due to the specific nature of the information it discloses about the natural person. In particular, this information reveals racial or ethnic origin, religious and philosophical beliefs, political views, membership in trade union (or professional) organizations, data concerning the health of the individual, biometric data for the sole purpose of identifying the natural person.|
|4) “Controller” means BST, which determines the purposes and means of the processing of Personal Data of natural persons.|
|5) “Processor” may be any natural or legal person, public authority or body that processes Personal Data on behalf of and on the express written assignment of BST. The processor of Personal Data is always a person who is external to the structure of the Company and is not in an employment relationship with the Company. The employees of the Company are not processors of Personal Data.
The Company may also act as a Personal Data Processor. In such cases, the Company processes the relevant Personal Data, pursuant to a written contract with a Personal Data Controller, his documented instructions and in compliance with the Company’s statutory obligations.
|6) “Processing of Personal Data” means any operation or set of operations carried out with Personal Data, such as the collection, recording, organization, structuring, storage, modification, use, disclosure by transmission and access, arrangement, erasure or destruction. In practice, any activity involving the use of Personal Data in some form may involve the processing of Personal Data.|
|7) “Data Subject”– any living natural person, who is subject to Personal Data stored by the Controller.|
|III. CATEGORIES OF DATA SUBJECTS
Art.3. In connection with the activity it undertakes, the Company processes data regarding the following Data Subjects:
a) visitors of the Website;
b) natural persons, who have sent inquiries (incl. by phone), requests, signals, complaints to or other correspondence with the Company;
c) natural persons, whose data is contained in inquiries (incl. by phone), requests, signals, complains to or other correspondence with the Company.
|IV. PERSONAL DATA PROCESSED
Art.4. BST shall processes your Personal Data:
a) provided when using BST’s Website;
b) provided when using BST’s application;
c) provided in relation to a correspondence, complaints and signals, namely: data concerning user communication, provided when contacting BST, by email and/or phone;
d) The Website can store data concerning visits to the Website (date, time and IP address).
|V. PURPOSES AND MEANS OF PROCESSING
Art.5. BST collects, uses and Processes the information described above for the following purposes:
(1) To protect and enforce BST’s legitimate interests. Those are purposes linked to BST’s lawful interests and/or third parties such as other users, companies, and others. Those purposes include:
a) Ensuring the normal functioning and utilization of the Website on Your end and on other users’ ends, maintenance and service management, dispute resolution, detection and prevention of malicious actions.
b) Identifying and resolving technical issues linked to functionality, development and improvement of the Website.
c) Carrying out communication with You, including by electronic means.
d) Acceptance and processing of received signals, complaints, requests and other correspondence;
e) Exercising and protecting the rights and legitimate interests of BST, including in court proceedings, as well as cooperation in the exercise and protection of the rights and legitimate interests of other users of the Website and/or affected third parties.
For those purposes, it may be necessary to process a part of or all of the abovementioned categories.
(2) Purposes, for which you have given your explicit consent. Your data may be processed, on the grounds of Your explicit consent, where such processing is specific in its extent and range, as provided for in the relevant consent.
(3) For BST to comply with its legal obligations, including fulfillment of obligations provided for in the legislation, to retain or provide information when an order by a competent state or judicial authority is received, when providing an opportunity to the competent authorities to exercise their control powers, when fulfilling BST’s legal obligations to inform You about circumstances relating to Your rights, the provided Services or with the protection of Your data and other. For these purposes, it may be necessary to process a part of or all of the abovementioned categories.
(4) For statistical purposes including analyzing the performance of applications on the Website as well as their utilization by users.
(6) Website logs related to security, maintenance, development and other aims may be used for the following purposes:
• For securing the reliable functioning of the Website and identification of technical issues;
• For security reinforcement and detection of malicious actions;
• For the development and improvement of the Website;
• For measuring traffic and usability of the Website;
• Logs as required by the law
Server logs, logs on devices guaranteeing security (Web Application Firewalls) and other devices falling in this category. Those logs are necessary for detecting technical issues, detecting malicious activities and other purposes as listed above. Logs are retained for a period of up to 1 (one) calendar year. Logs can contain the following information: date, hour, IP address, URL, browser and userdevice metadata.
Art.6. The Services provided by BST and the provided functionalities in the Website are not intended for storage and Processing of special categories of Personal Data pursuant to Art. 9 and Art. 10 of the Regulation.
Art.7. BST does not collect and does not process Personal Data of minors aged 16 or below, unless with the consent of a parent, subject to the applicable local legislation. Should BST find out that Personal Data of a minor has been accidentally collected, We shall delete the data as soon as reasonably possible.
|VI. RETENTION PERIOD
Art.8. BST stores Your Personal Data for a period necessary to achieve the purposes for which it was collected. Upon achieving the relevant purpose, Your Personal Data shall be immediately destroyed, unless BST is obliged to Process it for a longer period pursuant to applicable legislation.
(2) After the expiration of the above period, we shall destroy the collected Personal Data, unless We are obliged to Process it for a longer period pursuant to the applicable legislation, including when protecting Company’s legitimate interests (including limitation periods pursuant to applicable legislation that govern the process of filing claims and similar).
Art.10. In certain circumstances BST has the right to anonymize Your Personal Data for research, statistical or other purposes, in which event the Company may use this data for an indeterminate period of time without having to additionally notify You.
Art.11. In the event that BST no longer requires Your Personal Data, the latter shall be deleted or anonymized, so that all details which lead to Your identification shall be removed. In the absence of legal grounds for the lawful Processing of Your Personal Data or when you have withdrawn Your consent to Processing, BST shall delete the Personal Data within a reasonable time period.
Art.12. In events where we Process Your Personal Data on the grounds of Your consent, including but not limited to marketing purposes, the data shall be Processed and stored until we receive Your request to have it deleted (forgotten).
Art.13 In the event a dispute or legal proceedings have arisen, requiring the retention of Personal Data and/or upon request by a competent state authority, it is possible to retain the Personal Data for a longer period than the one specified, until resolution of the dispute or completion of the legal proceedings at all judicial levels. The specified period is subject to change if an alternative retention obligation is determined pursuant to the current legislation.
|VII. THIRD PARTIES
Art.14 Your Personal Data may be provided to third parties only in the following events:
1) when this is provided for in the legislation;
2) when duly requested by a competent state or judicial authority;
3) when we have received Your explicit consent;
4) when necessary for the protection of the rights and legitimate interests of BST and/or other users.
Art.15. In the events of Art.14, BST implements contractual arrangements and mechanism for data security, aiming to protection Your Personal Data, as well as to comply with the data protection, privacy and security standards.
Art.16. Personal Data, stored by BST, may be made available and/or transferred to:
a) Companies within the BST Group;
b) Third parties and/or organizations, which supply us with applications and/or functionalities; IT services and services related to Personal Data Processing.
c) Third parties who assist us with the provision and management of our internal IT systems. For example, provider of information technologies, providers of cloud services, identity management, hosting and website management, data analysis, data archiving, security and storage services. The servers that power up and facilitate this cloud infrastructure are located in protected data centers around the globe and Personal Data can be stored in any of them;
d) Third parties/organizations, who assist us with service or information delivery in alternative means;
e) Auditors and other professional
f) Law enforcement authorities, other state and regulatory agencies and other third parties as required by and in compliance with the applicable legislation;
Art.17. With regards to Personal Data regulated by EU legislation, please bear in mind that cross-border transfers might include countries outside of the European Economic Area (EEA) and countries, which have no laws to provide for specific Personal Data Protection. We have taken all necessary steps to guarantee that all Personal Data has the necessary protection and that all transfers of Personal Data outside of EEA are conducted lawfully. When transferring Personal Data outside the EEA in a country which is not classified by the European Commission as providing adequate level of Personal Data protection, such transfers take place in accordance with an agreement, complying with the requirements of EU for Personal Data transfers outside the EEA – for example, the approved by the European Commission Standard Contractual Clauses (SCCs). You can find more about those clauses here.
|VIII. DATA SUBJECT RIGHTS
Art.18. Data Subject Rights in the Regulation:
|a) Right to be informed.
This Policy is intended to inform You in detail about the Processing of Your Personal Data in connection with the Services provided.
|b) Right to Access.
You have the right to receive a confirmation whether Your Personal Data is being Processed, access to such data and information regarding their Processing and Your respective rights. The right to access can be exercised at any time.
|c) Right to rectification.
You have the right to rectify Your Personal Data in the event it is incomplete or inaccurate.
You can exercise the right to rectify Your Personal Data at any time through a request to BST
|d) Right to deletion.
You have the right to request the deletion of Personal Data, except in cases where there is a substantial basis and/or legal obligation for its Processing.
Data can be deleted upon expiry of the specified period. Meanwhile, the data can be provided in due course only to the competent state authorities in exercise of their control powers or to a court of competency in the case of court proceedings which the court has a standing for. In the event a dispute or legal proceedings have arisen, requiring the retention of Personal Data and/or upon request by a competent state authority, it is possible to retain the Personal Data for a period longer than the one specified, until resolution of the dispute or completion of the legal proceedings at all levels.
|e) Right to restriction of processing.
The Regulation provides for the possibility of restricting the Processing of Your Personal Data, provided that the statutory grounds required to exercise this right are present.
|f) Right to inform third parties.
Where applicable, You have the right to request from the Controller of Your Personal Data to inform relevant third parties, whom the Controller has shared Your Personal Data with, about any rectification, deletion or restriction of Processing of Your Personal Data.
It is important to note that BST is not an intermediary in the relationship between You and third parties.
|g) Right to data portability.
You have the right to obtain Your Personal Data in a structured, commonly used and machine readable format, and have the right to transmit this data to another Controller at Your own discretion.
|h) Automated decision-making.
You have the right not to be subject to automated decision making, including profiling, which produces legal effects for Your or in a similar fashion significantly affects You, unless the grounds provided for in the applicable Personal Data Protection legislation and appropriate safeguards for Your rights, freedoms and legitimate interests are present.
The Website does not utilize technologies falling in this category.
|i) Right to withdraw consent.
You have the right, at any time, to withdraw Your consent from the Processing of Personal Data, which is on the grounds of Your consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
For Services like the subscription to email advertisements, where the subscription is on the grounds of Your will (consent), an option to terminate the subscription at any time (withdrawal of consent) is given.
|j) Right to object.
You have the right to object to the Processing of Your Personal Data which is based on the grounds of public interests, exercise of official authority or legitimate interest.
In the event of such objection, BST shall process Your request and if found reasonable, we will fulfill it. Should we consider that there are convincing statutory grounds for such Processing or it is necessary for the establishment, exercise or defense of legal claims, we shall inform You of such development.
|k) Right to lodge a complaint.
You have the right to lodge a complaint with the supervisory authority or a judicial authority, if you consider that Processing of Your Personal Data violates the applicable Personal Data protection legislation. The supervisory authority of Republic of Bulgaria is the Commission for Personal Data Protection, with address: Sofia 1592, 2 Prof. Tsvetan Lazarov blvd.
|IX. DATA ACCURACY
Art.19. BST does not bear any responsibility for the accuracy of Your Personal Data, does not conduct checks in this regard, and does not guarantee the true identity of the natural persons who have provided the data. In all events of doubt on your behalf, of established fraud and/or misuse, we kindly ask you to inform us immediately. You are obliged, when providing any information on the Website, not to violate the rights of third parties in relation to the protection of their Personal Data or other rights.