Privacy Policy
Mandatory information on the rights of persons on personal data protection
Information about the Personal Data Administrator (abbreviated as "Administrator" or "Company") that processes your data:
Name: "Altinbas Bulgaria" Ltd.
EIK/BULSTAT: BG 131476888
Headquarters and management address: Sofia, 68 Vitosha Blvd
Address for correspondence: Sofia, 68 Vitosha Blvd
Phone: +359 883 336050
E-mail: shop@altinbas.bg
Website: www.altinbas.bg
Information about the competent supervisory authority for the protection of personal data
Name: Personal Data Protection Commission
Headquarters and management address: Sofia 1592, "Prof. Tsvetan Lazarov" No. 2
Address for correspondence: Sofia 1592, "Prof. Tsvetan Lazarov" No. 2
Phone: 02 915 3 518
Website: www.cpdp.bg
The administrator carries out his activities in accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons in connection with the processing of personal data and on the free movement of such data (GDPR). This information is intended to inform you about all aspects of the processing of your personal data by the Company and the rights you have in relation to this processing.
Basis for collecting, processing and storing your personal data
Art. 1. The administrator collects and processes your personal data in connection with the use of the electronic store www.altinbas.bg and the conclusion of contracts with the company on the basis of Art. 6, para. 1, Regulation (EU) 2016/679 (GDPR), and more specifically on the following grounds:
• Express consent received from you as a customer;
• Fulfillment of the Administrator's obligations under the contract with you;
• Compliance with a legal obligation that applies to the Administrator;
• For the purposes of the legitimate interests of the Administrator or a third party;
Purposes and principles in the collection, processing and storage of your personal data
Art. 2. (1) We collect and process the personal data that you provide to us in connection with the use of the electronic store and the conclusion of a contract with the company, including for the following purposes:
• creating a profile and providing full functionality when using the online store;
• conclusion and performance of a distance contract;
• individualization of a party to the contract;
• processing of financial information in order to establish a valid payment;
• receiving the purchased goods - personally or through the services of a courier company. In the case when the user chooses to receive the ordered goods through a courier company, the user agrees that the Administrator will transfer his personal data to the courier company, in order to realize the delivery.
• accounting purposes;
• statistical purposes;
• information security protection;
• ensuring the performance of the contract for the provision of the relevant service.
• sending a newsletter if you wish;
(2) We observe the following principles when processing your personal data:
• legality, good faith and transparency;
• limitation of processing purposes;
• relevance to the purposes of the processing and minimization of the collected data;
• accuracy and timeliness of the data;
• limitation of storage in order to achieve the goals;
• completeness and confidentiality of processing and ensuring an appropriate level of personal data security;
• the "need to know" principle: only a limited number of representatives of the Administrator have access to your personal data, and all of them have an obligation to maintain confidentiality in relation to personal data;
• for each operation related to personal data, a trace must remain, allowing to establish who, when and how processed the data;
• personal data is not transferred to a country or territory outside the European Economic Area, unless that country or territory provides an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.
(3) When processing and storing personal data, the Administrator may process and store personal data in order to protect the following legitimate interests:
• fulfillment of obligations to the National Revenue Agency, the Ministry of Internal Affairs and other state and municipal bodies.
What types of personal data does our company collect, process and store
Art. 3. (1) The company performs the following operations with the personal data provided by you for the following purposes:
• Registration of a user in the e-store and execution of a remote purchase and sale contract - the purpose of this operation is to create a profile for using the e-store to purchase goods and provide contact details for delivery of purchased goods. Registering and creating an account to use the online store is not a mandatory step of providing the service and it is available to a large extent without creating an account.
Conclusion of the impact assessment: Based on the impact assessment carried out, the operation "Registration of a user in the e-shop and execution of a contract of purchase and sale at a distance" is permissible to carry out and provides sufficient guarantees to protect the rights and legitimate interests of the subjects of the data in accordance with the requirements of the GDPR.
• Conclusion and execution of a commercial transaction with a customer or partner - the purpose of this operation is the conclusion and execution of a contract with a commercial partner or customer and its administration. Given the limited scope of the collected personal data and the fact that some of them are collected from publicly available sources, conducting an impact assessment of the operation is not necessary.
• Sending an information bulletin (newsletter) – the purpose of this operation is to administer the process of sending newsletters to customers who have indicated that they wish to receive them. Given the limited scope of personal data collected, conducting an impact assessment of the operation is not necessary.
• Exercising the right of refusal or making a complaint - the purpose of this operation is to administer the process of exercising the right of refusal or complaint by the customer. Given the limited scope of personal data collected, conducting an impact assessment of the operation is not necessary.
(2) The administrator processes the following categories of personal data and information for the following purposes and on the following grounds:
• Your individualizing data: Name and surname; Email
o Purpose for which the data is collected: 1) Making contact with the user and sending information to him, 2) for the purposes of registering a user in the online store, as well as 3) for sending an information bulletin.
o Basis for processing your personal data - By accepting the general conditions and registering in the electronic store or placing an order without registration, or upon concluding a written contract, a contractual relationship is created between the Administrator and you, on the basis of which we process your personal data - Art. 6, para. 1, b. (b) GDPR. Your data for sending a newsletter is processed based on your express consent - Art. 6, para. 1, b. (a) GDPR.
• Delivery details (contact details: e-mail address, physical address and telephone)
o Purpose for which the data is collected: Fulfillment of the administrator's obligations under the sales contract and delivery of the purchased goods.
o Basis for processing your personal data - By accepting the general conditions and registering in the electronic store or placing an order without registration, or upon concluding a written contract, a contractual relationship is created between the Administrator and you, on the basis of which we process your personal data - Art. 6, para. 1, b. (b) GDPR.
• IP address
o Purpose for which the data is collected: when you visit the Administrator's site, your IP address is automatically recorded and used only for system administration and statistical purposes in order to optimize the use of the site. Depending on the circumstances, the collection of IP addresses may allow analysis of user visits to the site. The administrator does not combine IP addresses with any other information about site visitors and cannot attribute a specific IP address to a specific individual. The administrator cannot identify a specific visitor to the site by his IP address. Your IP address is registered when you visit the Administrator's site, but the analytical software used only uses this information to track how many visitors the site has.
• Additional data provided by you - If you wish to complete your profile, you can fill in your name, surname, phone number.
o Purpose for which the data is collected: Supplementing information about the user in his user account.
o Grounds for data processing: You have provided express consent for the processing of your personal data for one or more specific purposes - Art. 6, para. 1, b. (a) of the GDPR at the time of registration in the online store. The provision of these data is not mandatory for registration in the online store.
(3) The administrator does not collect or process the following personal data:
• data revealing racial or ethnic origin;
• data revealing political, religious or philosophical beliefs, or membership in trade unions;
• genetic and biometric data, health data or data on sex life or sexual orientation.
(4) The personal data are collected by the Administrator from the persons to whom they relate.
(5) The company does not perform automated decision-making with data.
Art. 4. (1) The company performs the following operations with the personal data provided by you, as legal representatives or proxies of legal entities-trading partners, for the following purposes:
• Conclusion and execution of a commercial transaction: For the conclusion and execution of a commercial transaction with a commercial company, we process only the three names of the legal representative or the person authorized by the company. Conclusion from the impact assessment: Given the small volume of natural persons whose data is processed and given the limited volume of personal data that is collected, conducting an impact assessment is not necessary for the current operation.
(2) The personal data are collected by the Administrator from the persons to whom they relate and from the Commercial Register at the Registration Agency.
(3) The company does not perform automated decision-making with data.
Art. 5. The administrator can use the so-called "cookies" for the purposes of providing full functionality of the website, improving the user experience, statistical purposes, ease of access, etc., to which you agree by using our website. You can control and/or delete cookies at any time through the settings of your browser. "Cookies" do not constitute personal data and are not used to identify visitors and users of the e-store.
Duration of storage of your personal data
Art. 6. (1) The administrator stores your personal data for a period not longer than the existence of your profile in the online store. After deleting your account, the Administrator shall take the necessary care to delete and destroy all your data without undue delay or to anonymize it (i.e. to put it in a form that does not reveal your identity).
(2) The administrator processes your personal data, which you have provided when placing an order without registration in the electronic store, until the order is completed, unless you have given your express consent when placing the order for your data to be processed for the purposes of improving the service, providing recommended content for you, individual terms, promotions, as well as for statistical purposes.
(3) The Administrator stores your personal data provided in connection with online orders for a period of 5 years for the purpose of protecting the Administrator's legal interests in legal or administrative disputes with users of the online store.
(4) The Administrator notifies you in the event that the data storage period needs to be extended in order to fulfill a legal obligation or in view of legitimate interests of the Administrator or otherwise.
(5) The administrator stores the personal data that it is necessary to keep by virtue of the applicable legislation for the relevant stipulated period, which may exceed the period of existence of your profile in the electronic store or until the order is completed.
Art. 7. The Administrator stores the personal data of the legal representatives of its commercial partners for the period of performance of the contract, to comply with the legitimate interests and legal obligations of the Administrator, and this period may exceed the term of the concluded contract.
Transmission of your personal data for processing
Art. 8. (1) The administrator may, at its own discretion, transfer part or all of your personal data to processors of personal data for the fulfillment of the processing purposes to which you have agreed, subject to compliance with the requirements of Regulation (EU) 2016/679 (GDPR).
(2) The administrator notifies you in case of intention to transfer part or all of your personal data to third countries or international organizations.
Your rights in the collection, processing and storage of your personal data
Withdrawal of consent to the processing of your personal data
Art. 9. (1) If you do not want the personal data provided by you to be processed for marketing purposes and receiving a newsletter, you can withdraw your consent to processing at any time by filling in the consent withdrawal form in Appendix No. 1 or by requesting in free text, and email it to us.
(2) After we receive your request, we will send you a letter with detailed instructions for your verification as a recipient of newsletters and a subject of the personal data for which withdrawal of consent has been requested, to the email address you have indicated for receiving newsletters and advertising messages.
(3) The withdrawal of consent does not affect the legality of the processing of personal data, which the Administrator has carried out up to this point.
Right of access
Art. 10. (1) You have the right to request and receive confirmation from the Administrator as to whether personal data related to you is being processed by sending a request in free text by email.
(2) You have the right to access the data related to you, as well as the information related to the collection, processing and storage of your personal data.
(3) After we receive your request, we will send you a letter with detailed instructions for your verification as a subject of the personal data to which access is requested, to the email you used to register or place orders in the e-shop.
(4) After carrying out the verification according to para. 3, the Administrator shall, upon request, provide you with a copy of the processed personal data related to you in electronic or other appropriate form.
(5) Providing access to the data is free of charge, but the Administrator reserves the right to impose an administrative fee in case of repetitive or excessive requests.
(6) In case of repetitive or excessive requests, the Administrator may refuse to take action on the request.
Right to rectification or completion
Art. 11. (1) You can at any time correct or complete inaccurate or incomplete personal data related to you through the "Profile edit" option.
(2) You can correct or complete inaccurate or incomplete personal data related to you directly through your profile on the website or by making a request to the Administrator by email, using the form in Appendix No. 4 or by a request in free text.
Right to erasure ("to be forgotten")
Art. 12. (1) You have the right to request from the Administrator the deletion of part or all of your personal data, and the Administrator has the obligation to delete them without undue delay, when any of the following grounds are present:
• the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
• You withdraw your consent on which the data processing is based and there is no other legal basis for the processing;
• You object to the processing of your personal data, including for direct marketing purposes, and there are no overriding legal grounds for the processing;
• personal data were processed illegally;
• the personal data must be deleted in order to comply with a legal obligation under EU law or the law of a Member State that applies to the Administrator;
• the personal data were collected in connection with the provision of information society services.
(2) The administrator is not obliged to delete the personal data if it stores and processes them:
• to exercise the right to freedom of expression and the right to information;
• to comply with a legal obligation that requires processing provided for in EU law or Member State law that applies to the Administrator or for the performance of a task in the public interest or in the exercise of official powers granted to him;
• for reasons of public interest in the field of public health;
• for the purposes of archiving in the public interest, for scientific or historical research or for statistical purposes;
• for the establishment, exercise or defense of legal claims.
(3) In order to exercise your right to be forgotten, it is necessary to send by e-mail a request to delete your personal data that the Administrator processes, by filling in the form in Appendix No. 2 or by a request in free text, after which the Administrator will send to the email you used to register or place orders in the e-store, a letter with detailed instructions for your verification as a user of the store and the subject of the personal data for which deletion is requested.
(4) After we have verified the identity of the person who made the request and the person to whom the data relates in accordance with the instructions sent to you, we will delete all data that we process about you in accordance with para. 3.
(5) If there is an order placed by you that is being processed, the earliest you can request to be "forgotten" is upon successful completion of the order.
Right to restriction of processing
Art. 13. You have the right to request the Administrator to restrict the processing of data related to you by sending us a request in free text by email when:
• You dispute the accuracy of the personal data, for a period that allows the Administrator to verify the accuracy of the personal data;
• the processing is illegal, but you do not want the personal data to be deleted, but only to have its use limited;
• The administrator no longer needs the personal data for the purposes of processing, but you require them to establish, exercise or defend your legal claims;
• You have objected to the processing pending verification of whether the legal grounds of the Administrator take precedence over your interests.
(2) After we receive your request, we will send you a letter with detailed instructions for your verification as a user of the store and subject of the personal data for which restriction of processing is requested, to the email you used to register or place orders in the e-shop.
(3) After carrying out the verification according to para. 2, the Company will stop processing your data, but will not remove the posts you have made in the online store, if any.
Right of portability
Art. 14. (1) If you have consented to the processing of your personal data or the processing is necessary for the performance of the contract with the Administrator, or if your data is processed in an automated manner, you may:
• to ask the Administrator to provide you with your personal data in a readable format and to transfer them to another Administrator;
• to ask the Administrator to directly transfer your personal data to an administrator specified by you, when this is technically feasible.
(2) You can exercise the right of portability by sending us by e-mail the completed form according to Appendix No. 3 or a request in free text, after which the Administrator will send to the e-mail you used to register or place orders in the e-store, a letter with detailed instructions for your verification as a store user and subject of the personal data for which portability is requested.
(3) After carrying out the verification according to para. 2, the Company sends the data it processes about you in XML format to the e-mail you specified.
Right to receive information
Art. 15. You may request the Administrator to inform you about all recipients to whom the personal data for which correction, deletion or restriction of processing has been requested has been disclosed. The administrator may refuse to provide this information if it would be impossible or would require a disproportionate effort.
Right to object
Art. 16. You may object at any time to the Administrator's processing of personal data relating to you, including if it is processed for the purposes of profiling or direct marketing.
Art. 17. (1) You can exercise your rights under Art. 9-16 of this privacy policy by submitting a written application to the Administrator or in another way determined by the Administrator.
(2) An application may also be submitted electronically under the conditions of the Electronic Document and Electronic Authentication Services Act, the Electronic Government Act and the Electronic Identification Act.
(3) In case you submit an application in free text, the application must contain:
1. name, address, uniform civil number or personal number of a foreigner or other similar identifier, or other identification data of the natural person, determined by the Administrator, in connection with the activity carried out by him;
2. description of the request;
3. preferred form of obtaining information when exercising the rights under Art. 15 - 22 of Regulation (EU) 2016/679;
4. signature, date of submission of the application and address for correspondence.
5. at the request of the subject, additional documents may be attached to the request or complaint.
(4) When submitting an application by an authorized person, the power of attorney shall be attached to the application.
(5) The administrator has an obligation to consider your request within 2 months, and if any of the provisions of the Regulation giving rights to subjects can be applied to it, this should be done. In the event that the data subject does not have the right to exercise the right requested by him, within 2 months of receiving the request, the Administrator sends the data subject a reasoned refusal.
Your rights in the event of a breach of the security of your personal data
Art. 17. (1) If the Administrator detects a violation of the security of your personal data, which may create a high risk for your rights and freedoms, he shall notify you without undue delay of the violation, as well as of the measures that have been taken or are about to be taken.
(2) The administrator is not obliged to notify you if:
• it has taken appropriate technical and organizational measures to protect the data affected by the security breach;
• it has subsequently taken measures to ensure that the breach will not result in a high risk to your rights;
• notification would require a disproportionate effort.
Persons to whom your personal data is provided
Art. 18. In the event that the Administrator engages third parties to operate with personal data on his behalf, this is done with a written contract. The administrator selects personal data processors who are able to provide sufficient guarantees regarding technical and organizational security measures. The selected processors act on behalf of the Administrator and according to his instructions, with the Administrator indicating in writing the necessary information security requirements.
Art. 19. The administrator does not transfer your data to third countries.
Art. 20. In the event of a violation of your rights under the above or applicable personal data protection legislation, you have the right to file a complaint with the Personal Data Protection Commission as follows:
Name: Personal Data Protection Commission.
Headquarters and management address: Sofia 1592, "Prof. Tsvetan Lazarov" No. 2
Address for correspondence: Sofia 1592, "Prof. Tsvetan Lazarov" No. 2
Phone: 02 915 3 518
Website: www.cpdp.bg
Art. 21. You can exercise all your rights regarding the protection of your personal data through the forms attached to this information. Of course, these forms are not mandatory and you can make your requests in any form that contains a statement to that effect and identifies you as the data owner.
Art. 22. If the consent refers to a transfer, the Administrator describes the possible risks for the transfer of the data to third countries in the absence of a decision for adequate protection and suitable means of protection.
Protection of your data
Art. 23. The administrator ensures and maintains appropriate technical and organizational measures to protect personal data against unauthorized access or illegal use and/or against their accidental loss, modification, disclosure, access and/or damage or copying. These measures are intended to ensure the continued protection and privacy of personal data. The administrator reevaluates the measures regularly, in order to achieve permanent security of personal data.
The administrator ensures physical and logical protection of personal data, as indicated below.
(i) Physical Protection of Personal Data
The administrator implements the following measures to ensure physical protection of personal data:
- restricts physical access to the premises where personal data is stored (access is provided only to authorized representatives of the Administrator within the scope of their duties by using locks and other means of physical access);
- implements a "clean desk" policy, according to which all documents containing personal data should be stored in locked cabinets;
- stores its paper archive in specially equipped premises, ensuring its protection in case of fire or flood;
- the exchange of paper documents containing personal data with persons outside the Administrator is carried out only in sealed envelopes and through the use of authorized representatives and trusted subcontractors, etc.
- in certain cases, the following may have access to personal data: the members of the governing bodies; external service providers, such as: IT systems (website domain, hosting, software developer); accounting services, etc. All third parties acting as processors of personal data hold and use personal data on behalf of the Administrator only for the purpose of providing the Administrator with their services;
(ii) Personal Protection
Before taking up the relevant position with the Administrator, the persons who carry out data protection and processing:
- Undertake an obligation not to distribute the personal data to which they have access;
- Familiarize themselves with the legal basis, internal rules and policies of the Administrator for the protection of personal data;
- Are instructed about the dangers of breaching the security of personal data processed by the Administrator;
- Undertake not to share critical information (identifiers, access passwords, etc.) with each other and with any other unauthorized persons;
- Are trained to react to events threatening the security of personal data.
(iii) Logical protection of personal data
The administrator applies the following measures to ensure logical protection of personal data:
- restricts logical access to the information systems through which personal data is processed and stored (access is provided only to authorized representatives of the Administrator, within the scope of their duties, by using individual usernames and passwords);
- Use of antivirus programs;
- Use of secure cloud services, which are accessed with a username and password;
This policy was adopted on 01.02.2019. Any change in the policy will be reflected by its publication on the Administrator's website.
Appendix No. 1
DECLARATION OF CONSENT TO THE PROCESSING OF PERSONAL DATA
The undersigned ………..………………………………………………
(specify the three names), with social security number: ……………………... (or other appropriate identifier), in my capacity as …………………… (specify the person’s capacity in relation to the administrator)
I DECLARE
I agree, Altinbas Ltd., EIK 131476888, to process my personal data………………..
(indicate the type of personal data)
for the following purposes:
• ……………………
(specify the specific objectives)
I am informed and understand that I can withdraw my consent at any time by using a form "Declaration of Withdrawal of Consent" which can be obtained from the Secretariat or found at www.altinbas.bg. To withdraw my consent I must provide a completed form to the Secretariat.
Date:...................................
city. …………………………..
DECLARANT:................................
Appendix No. 2
DECLARATION FOR WITHDRAWAL OF CONSENT FOR PERSONAL DATA PROCESSING
The undersigned………………………………………………………………..…
(indicate the three names), with TIN: ……………….………... (or other appropriate identifier, e.g. customer number), in the capacity of …………………………
(indicate the capacity of the person in relation to the administrator)
I DECLARE
I withdraw my consent to the processing of my personal data by Altinbas Ltd., EIK 131476888, given on ……………………..
(if possible, state the date)
for the following processing: …………………….
(specify the type of processing and personal data processed).
I am informed and understand that the withdrawal of my consent does not affect the processing of my personal data carried out before the withdrawal.
Date:................................................
city. ………………………………..
Signature: ……………………
Appendix No. 3
DATA ACCESS REQUEST
TO
Altinbas Ltd., EIK 131476888
in the capacity of administrator of personal data
DATA ACCESS REQUEST
From ……………………..………………………….., EGN/LNCH: ……………………, with address: …………………… ………., Personal number: ………………………., other identification data: ………………………………………………………………., telephone : ……………………………., email address: …………………………………….
(fill in as much data as is necessary for unambiguous recognition of the person, as well as for sending a response)
Dear ladies and gentlemen,
In relation to your capacity as a personal data controller, please:
(please highlight relevant text)
Pursuant to Art. 15 of Regulation (EU) 2016/679 (the “Regulation”) to be granted access to the following personal data of mine: ………………………………………………………………………… ……………………………..…….. ……………………………………………………………………………………… ………………
Pursuant to Art. 16 of the Regulation to correct the following inaccurate personal data of mine/to supplement the following incomplete personal data of mine: …………………………………………………………………………………… ……………………………………………………………………………………………… ................................................ ...
Pursuant to Art. 17 of the Regulation to delete the following personal data of mine: ………………………………………………………………………………………………………… ………………………………………………………………………………………………
Pursuant to Art. 18 of the Regulation to limit the processing of my following personal data: ………………………………………………………………. ……………………………………………………………………………………...……………………………… ………………………………………...………………………………
Pursuant to Art. 20 of the Regulation to provide me with the following personal data for transfer to another administrator:
………………………………………………………………………………………………. ………………………………………………………………………………………………
Pursuant to Art. 21 of the Regulation, I object to the processing of my following personal data: ………………………………………………………………. ....................... ……………………………………………………………… ………………………………
(Indicate the specific grounds for the request and the data to which it refers)
I prefer communication regarding this request to be via e-mail.
The undersigned ………………………………, declaring that the circumstances and data specified in this request are true, hereby exercise before Altinbas Ltd., EIK 131476888 my rights in accordance with Regulation (EU) 2016/679.
Date: ............................ Applicant: ................ .......................
/handwritten three names and signature/
Appendix No. 4
WITHDRAWAL OF CONSENT
TO
"Altinbas" Ltd., as the controller of personal data
WITHDRAWAL OF CONSENT
From ……………………..…………………………………….., EGN/LNCH: ……………………, with address: ………… ……………………., Personal number: ………………………., other identification data: ……………………………………………………………… ……., phone: ……………………., email address: ……………………………….
(fill in as much data as is necessary for unambiguous recognition of the person, as well as for sending a response)
Dear ladies and gentlemen,
I hereby withdraw my consent for the data provided by me to be used for the purposes of:
the sending of marketing and informational messages
other (please specify in free text): ……………………………………………
The undersigned ………………………………, declaring the truth of the circumstances and data specified in this request, hereby exercise before Altinbas Ltd. my rights in accordance with Regulation 2016/679.
Date: ............................ Applicant: ................ .......................
/names and signature/