PRIVACY POLICY FOR PERSONAL DATA PROCESSING
Introduction
Among BeConnected As and BeConnected Bulgaria OOD’s top priorities is the security of personal data of physical persons — our clients and partners — which means we have taken the necessary measures to comply with the best practices and legal requirements for privacy and data protection.
This Policy aims to clarify why we collect and how we treat the information and personal data you submit to us.
This Policy applies to data, collected by BeConnected Bulgaria OOD, with business registration number: 202240829, registered at address: Dobrudzha str. 5, fl. 1, ap. 1, Sofia 1000, Bulgaria (hereinafter referred to as the “Company”, “we”, or the “Administrator”), in its capacity as Personal Data Administrator.
Before becoming our customer and/or using our website, please read this Privacy Policy carefully as it provides information about the way in which we process personal data and use “cookies”. We will process your data that you have submitted to us in the manner described in this Policy.
By presenting this Policy, we aim to clarify to you what information we collect about you, why and how we collect it, what your rights are under the Personal Data Protection Act (PDPA) and the General Data Protection Regulation (REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND THE COUNCIL, dated 27 April 2016, also referred to as the Regulation or GDPR).
Why we need your consent
It is our top-most priority to protect your personal data and to obtain your voluntary, informed and unambiguous consent for the processing of your personal data by BeConnected Bulgaria OOD.
If you place a check mark next to “I read the Terms & Conditions and I agree with them”, you acknowledge that you submit your personal data voluntarily; that you are familiar with your rights under the PDPA and the Regulation (EU) 2016/679 of the European Parliament and the Council, dated 27 April 2016, also referred to as the Regulation or GDPR; and you provide us with your consent to collect, process, store and transfer your personal data to third parties for the purposes we have specified below.
Definitions
“Personal Data” shall denote any information, related to an identified or identifiable physical person (“data subject” or “user”); an identifiable physical person is a person that can be identified, directly or indirectly, more specifically through an identifier such as a name, ID number, location data, online ID or by one or more traits, specific to the physical, physiological, genetic, psychological and mental, economic, cultural or social identity of that person.
“Administrator” shall denote an agency that, on its own or jointly with other agencies, defines the purposes and means for processing personal data; when the purposes and means for this processing are defined by the law of the European Union or the law of the Republic of Bulgaria, the Administrator or the special criteria for determining the Administrator may be established in the law of the European Union or in Bulgarian law. In this case, the Administrator is BeConnected Bulgaria OOD, a company, duly registered and acting in accordance with the law of the Republic of Bulgaria, with business registration number: 202240829, registered at address: Dobrudzha str. 5, fl. 1, ap. 1, Sofia 1000, Bulgaria
“Personal Data Processor” shall denote any physical or legal entity, public agency, authority or other structure, which processes personal data on behalf of the Administrator
“Processing” shall denote any operation or combination of operations, performed with personal data or a set of personal data through automatic or other means, such as: collecting, recording, sorting, structuring, storing, adapting or modifying, extracting, consulting, using, disclosing through transfer, distribution or other form of access to data, arranging or combining, restricting, deleting or destroying
“Supervisor” shall denote a European Union member-country’s independent public agency that is in charge of monitoring the observance of rules for personal data protection. For the Republic of Bulgaria, the supervisor is the Commission for Personal Data Protection.
“Specific traits” are traits, related to the physical, physiological, genetic, mental, psychological, economic, cultural, social or other identity of a person.
“Personal data register” is a structured collection of personal data, accessible through means, defined in accordance with the internal documents of BeConnected Bulgaria OOD, which may be centralised or decentralised and is distributed in accordance with function.
“Physical person consent” is any freely expressed, specific and informed declaration of personal will, through which the physical person, to whom the personal data relates, provides unambiguous consent for the processing of this data.
“Sensitive personal data” is information about racial or ethnic background, religious beliefs, belonging to a professional body, genetic or biometric data, health status, data about sexual life or sexual orientation. This type of data is subject to specific conditions for processing.
“Data pseudonymisation” is a data protection tool that adds an extra step — a pseudonym — between the person and the information about them. This process is reversible, meaning that the information can be traced back to the person.
“Data anonymisation” is a data protection tool that separates personal information from the specific person it relates to. The process is irreversible and this type of data is not a subject of the Regulation.
“Data processing restriction” – as per the Regulation, companies and institutions only have the right to process data that is related to their business. For example, if you offer a car sharing service, you may ask for a name, address, credit card number and possibly information about the health condition of a physical person, but not information about their racial background or sexual orientation.
“Legitimate interest” is a condition for processing personal data, when the company or institution uses the data in a manner that physical persons would expect, that has minimal impact on the privacy of their personal life, or where there is undeniable justification for the processing.
“Profiling” is any form of automated personal data processing, which consists of using personal data for the assessment of specific personal aspects, related to a physical person, and more specifically, for analyzing and predicting aspects, related to the professional duties of said physical person, their economic status, health, personal preferences, interests, reliability, behaviour, location or movement. These may be the performance of work duties, economic status, health status, personal interests, behaviour, location. For example, profiling is used for assessment/refusal to issue a credit card, or for staff selection processes.
“Child” – the Regulation defines a child as anyone under the age of 16 years; however, this may be reduced to 13 years by a member-country’s legislation. Processing the personal data of a child is only legal if a parent or guardian has given consent. In such cases, the Administrator makes reasonable effort to verify that the person in parental charge of the child has given or is authorised to give their consent.
“Personal data security breach” – a breach of security that leads to accidental or illegal destruction, loss, change, forbidden disclosure or access to personal data that are transferred, stored, or otherwise processed;
“Main settlement location” – the headquarters of the EU Administrator shall be the location in which they make the main decisions regarding the purpose and means of their data processing activities. Concerning the personal data processor, their main settlement location in the EU shall be their administrative hub. If the Administrator’s headquarters is outside the EU, they need to appoint their representative within the jurisdiction in which the Administrator operates, who would act on behalf of the Administrator and who would handle communication with the supervisors.
“Recipient” – a physical or legal entity, public agency, authority or other structure, to which personal data is disclosed, regardless of whether they are a third party or not. However, public agencies that can receive personal data within a specific investigation in accordance with the law of the Union or a member-country’s law, are not considered “recipients”; processing this data by the respective public agencies is in accordance with the applicable rules for data protection with relation to the processing purposes;
“Third party” – any physical or legal entity, public agency, authority or other body that is not the Data Subject, the Administrator, the personal data Processor or the persons, directly managed by the Administrator or the personal data Processor, who have the right to process personal data;
Purpose of this Policy
This Privacy Policy’s purpose is to guarantee that the Administrator:
1. Complies with the law in the area of data protection, more specifically the Personal Data Protection Act (PDPA) and the General Data Protection Regulation and other applicable law, and observes best practices;
2. Protects BeConnected Bulgaria OOD’s customers and partners;
3. Guarantees transparency regarding the ways in which subjects’ personal data are stored and processed;
4. Guarantees protection from risks, associated with data breaches.
Required Information
The information and data about you that we may require, use, and process, includes:
- Information, submitted by you through filling out forms on BeConnected Bulgaria OOD’s website or any other information you submit to us through the website or via email;
- Records of correspondence through the website http://beconnected.no/, email, phone or other methods;
- Your answers to customer polls or questionnaires that we carry out;
- Data of transactions you execute through the website http://beconnected.no/, phone or other methods;
- Data about your visits to the website http://beconnected.no/, including, but not limited to traffic data and other communication data.
When reasonable and when it does not infringe upon your rights and liberties, we also collect personal data from publicly accessible sources, such as Internet searches, companies and broadcast media.
Protection of Your Personal Data
Your personal data are protected not only by BeConnected Bulgaria OOD’s high standards and the actions we have taken, but also by the Personal Data Protection Act and the Regulation. In accordance with the law, we may process your personal data, only if we have an applicable reason for that action, which may be one of the following:
- Performing under the terms of a contract, signed between us and you
- We have a legal obligation to do so
- If you have given your consent for processing
- If it is in our legitimate interest
- If it is in the general public’s interest
- If it is in your vital interest
Legitimate Interests
When we have commercial or business reasons to process your personal data, it is a “legitimate interest”. Your personal data are protected and we must not process them in a way that would be unfair to you or your interests.
If the reason for our processing of your personal data is grounded in the existence of a legitimate interest, we will inform you about that and about what our legitimate interests are. We will also provide you with a method to send us queries or objections, should you have those. Even so, the convincing grounds for the processing of such information may override your right to an objection.
Lawfulness of Processing
Within the frame of GDPR, there are six alternative ways in which the lawfulness of a specific personal data processing case may be established. It is BeConnected Bulgaria OOD’s policy to identify the appropriate grounds for processing and to document these in accordance with the Regulation. The options are briefly described in the following sections.
Consent
Unless required for a reason admissible under GDPR, BeConnected Bulgaria OOD will always ask for the data subject’s explicit consent to collect and process their data. For children under the age of 18 years or persons under interdiction, consent will be requested from the parent/guardian. The subjects may exercise their rights under GDPR (request for access to their personal data, correction, restriction of processing, denial of automated profiling, omission) in a manner, established and communicated with them, in accordance with the law, free of charge and within 30 (thirty) days after submission of the request.
Performance of Contract
When the collected and processed personal data is required for the performance of a contract with the data subject, no explicit consent is necessary. This is often the case when a contract cannot be concluded and fulfilled without the relevant personal data.
Legal Obligation
If the collection and processing of personal data is required for compliance with the law, no explicit consent is necessary. This may be the case with some data, related to employment, social security, taxation, and enforcing court orders.
Data Subject’s Vital Interests
In cases in which personal data is required for the protection of vital interests of the data subject or another physical person, this may be used as legitimate grounds for processing. BeConnected Bulgaria OOD will keep reasonable and documented proof that this is the case when this reason is used as legitimate grounds for processing personal data. For example, this is applied in cases of significance to the general public.
Performing a Task in the Interest of the General Public
When BeConnected Bulgaria OOD has to perform a task it considers to be in the interest of the general public or part of a business obligation, no consent will be requested from the data subject. The assessment of the interest of the general public or the business obligation shall be documented and provided as evidence, if required.
Legal Interests
If personal data processing is within the legal interests of BeConnected Bulgaria OOD and it is considered that this does not have material impact on the rights and liberties of the data subject, this may be established as legitimate grounds for processing. Again, the arguments for this perspective shall be documented.
Privacy Right Protection
BeConnected Bulgaria OOD has adopted the principle of privacy for its development and will guarantee that the determination and planning of all new or significant changes in the procedures for collecting or processing personal data will be subject to proper consideration of matters, related to privacy, including completing one or more assessments of the impact on data protection. The assessment of impact on data protection shall include:
- Considering how the personal data would be processed and for what purposes
- Assessing whether the proposed personal data processing is required and proportional to the purpose (purposes)
- Risk assessment for physical persons, concerning personal data processing
- What control devices are necessary for handling the established risks and for proving adherence to the law
- Using techniques such as data minimisation and pseudonymisation will be discussed, when applicable and appropriate.
Contracts Concerning Personal Data Processing
BeConnected Bulgaria OOD warrants that all relevant relations that involve personal data processing are subject to a documented contract that includes the specific information and conditions, required by the GDPR.
International Transfer of Personal Data
BeConnected Bulgaria OOD does not transfer personal data to other countries, including countries outside the European Union.
Principles for Processing Your Personal Data
We adhere to the following principles when processing your personal data:
1. Principle of lawfulness, good faith and transparency – this means we will process your personal data, only when we have legal grounds, in good faith and in a manner that is transparent to you.
2. Purpose restriction principle – this means that we only collect your data for specific purposes, stated explicitly below in this Policy, and we do not process data in further ways that do not comply with these purposes.
3. Data minimisation principle – this means that we only collect the amount of data that is minimally necessary for the purposes of processing.
4. Principle of correctness – we take all reasonable and available measures to guarantee the timely deletion or correction of incorrect personal data, considering the purposes for which it is being processed.
5. Storage limitation principle – we do not store data longer than the legally defined period for the Republic of Bulgaria, or the period that is necessary for the purposes for which the data is being processed.
6. Loyalty and privacy principle – we provide an appropriate level of personal data security, including protection against unpermitted or unlawful processing and accidental loss, destruction or damage, by applying the relevant and available appropriate technical or organisational measures, considering the available technology.
Processing Purposes and Protection Measures
For your convenience, we provide below a clear explanation as to why we process your personal data:
1. We register our personal data;
2. For signing and performing contractual relations;
3. We collect and process personal data in order to comply with the legal and regulatory requirements, more specifically – the laws and regulations of the Republic of Bulgaria, the regulations about complying with the law and the tax and social security legislation that applies in the Republic of Bulgaria;
4. We create personal profiles upon your request, only with the attributes and personal data you have provided;
5. We carry out customer research, polls and analyses for statistical purposes, improvement of our services and increasing your satisfaction when using our services;
6. We provide you with information about our promotional offers and products and services if you have given us your explicit consent for this or if there are other valid legal grounds;
7. We monitor transactions, including when we are legally bound to collect data for the origination of funds with the purpose of preventing crimes, unusual betting, money laundering and fraud in accordance with the applicable legislation in the area of measures against money laundering and terrorism funding.
8. In other circumstances that are not mentioned above, when it is our legal obligation or when it is necessary for the protection of a legitimate interest or the interest of the general public.
What we do | How it is justified | Our legitimate interests |
We maintain our relationship with our customers; We develop new products, systems and services for our clients and for the development of our business; We test the developed new products, systems and services; We create and distribute marketing materials; We research the manner in which our customers use our products and services; We provide support for our products and services | Your voluntary legitimate consent; Performance of contracts; Performance of our legitimate interests; Our legal obligations | Maintaining a database; Developing new products, services and systems, analysing interest towards them and the requirement to inform you about relevant products; Performing legal and contractual requirements in the most effective manner |
We develop and maintain our brands and products; We manage our relationships and we control the execution of products and services we have assigned to other companies for our customers | Performance of contracts; Performance of our legitimate interests; Our legal obligations | Developing new products, services and systems, analysing interest towards them and the requirement to inform you about relevant products; Performing legal and contractual requirements in the most effective manner; Activities for the development of our business, reputation and brand and ensuring growth |
We create, manage and maintain profiles, accounts, payments from accounts for our clients; We respond to customers’ complaints | Performance of contracts; Performance of our legitimate interests; Our legal obligations | Performing legal and contractual requirements in the most effective manner |
We prevent and uncover inappropriate use of our systems; We discover, investigate, report and prevent criminal activities; We manage the risks related to our customers; We observe the applicable laws | Performance of contracts; Performance of our legitimate interests; Our legal obligations | Developing methods for preventing, uncovering, investigating and reporting crime or attempted crime; Protection of our customers from harm by unlawful activities; Performing legal and contractual requirements in the most effective manner |
We manage our activities, so that we provide quality products, services and systems to our customers; We manage our financial resources; We perform our legal and contractual rights and obligations in an effective and lawful manner | Performance of contracts; Performance of our legitimate interests; Our legal obligations | Performing legal and contractual requirements in the most effective manner |
If you prefer not to provide your personal data, this may prevent us from observing our legal obligations, contracts, or performing the services that are necessary for managing and supporting your account. If you do not provide us with your personal data, this might mean we are unable to provide you with our products or services.
Rules for Personal Data Management
The personal data shall be stored in such a way that the Data Subject may only be identified for as long as it is necessary for processing purposes.
When personal data is retained after the date of processing, it will be stored in an appropriate way:
- data is stored in specialised facilities, protected by working security systems;
- the access to BeConnected Bulgaria OOD’s administrative departments is restricted with a controlled access system;
- external individuals are only allowed access after they identify themselves;
- there is a working surveillance system on the territory of BeConnected Bulgaria OOD;
- the data in electronic format is stored in specialised software applications that are only accessible to the relevant individuals responsible (management staff), for whom separate access rules apply with a separate user name and password only known to the relevant individual responsible;
- the passwords need to be changed frequently with the purpose of achieving a higher level of data security;
- specialised software products are used in relation to GDPR with a high level of protection – only certain individuals with certain rights, protected with certain passwords, have access;
- the electronic registries are stored on a server with a high level of security;
- there are various procedures in place that guarantee security when processing, storing and destroying data;
- all computer devices have anti-virus software and firewalls installed;
- when software applications that contain data detect inactivity, the access to them is disabled automatically;
- every employee, who works with a computer device, has to input a user name and password in order to use it;
- data on paper are stored in a locked cabinet only accessible to the relevant individual responsible.
Regarding the information security inside the software product that is used by the finance/accounting department, the following security measures have been implemented: entry into the system with an encrypted user name and password that are sent to the server, where they are verified; the information that is exchanged between workstations and the server, is encoded; every user is assigned a specific role/s, which defines what data they can access and what operations they can execute with the system. The server is locked in a separate room; the database is backed up at planned time intervals.
Personal data shall be kept in accordance with the “Personal data management procedure”, and after the storage time frame has passed, this data has to be destroyed in a reliable manner specified in the procedure.
BeConnected Bulgaria OOD has to give special approval for any retaining of data that exceeds the time frame, defined in the “Personal data management procedure”, which guarantees that the grounds are clearly defined and in accordance with the requirements of the legislation about data protection.
Personal data shall be processed in a manner that guarantees appropriate security (art. 24, art. 32 of the Regulation)
BeConnected Bulgaria OOD performs or verifies impact assessments (risk assessments) by taking into account all circumstances related to the operations for managing or processing data by BeConnected Bulgaria OOD.
When determining how appropriate processing would be, BeConnected Bulgaria OOD also takes into account the degree of possible damage or losses that could be inflicted on physical persons (like staff or contractors) should a security breach occur, as well as any possible damage to the Administrator’s reputation, including a possible loss of trust by the contractors, suppliers, sub-contractors, users, and customers.
Accountability Principle
Regulation (EU) 2016/679 includes stipulations that encourage accountability and manageability and complement the requirements for transparency. The accountability principle, stipulated in art. 5, para. 2 of the Regulation, requires the Administrator to prove compliance with the other principles in the Regulation, and explicitly states this is a responsibility of the Administrator.
BeConnected Bulgaria OOD shall prove adherence to the principles for data protection by applying policies for data protection, joining codes of conduct, implementing appropriate technical and organisational measures, adopting techniques for data protection at the planning stages, ensuring data protection by default, assessing the impact on personal data security, having a procedure for informing about personal data breaches, etc.
Addressing GDPR Compliance
The following measures have been taken to ensure that BeConnected Bulgaria OOD complies with GDPR’s accountability principle at all times:
- The legal grounds for processing personal data are clear and unambiguous
- The entire staff involved in personal data processing understands their responsibilities for adhering to best practices for data protection
- The entire staff has been provided with data protection training
- The rules for consent and notification are observed
- The paths are available for Data Subjects who wish to exercise their rights with regard to personal data, and their queries are processed in an effective manner
- Procedures, involving personal data, are reviewed on a regular basis
- Protection of the right to personal privacy is adopted for all new or amended systems and processes
- The following documentation is recorded about processing activities:
  - Name of the organisation and relevant details
  - Purpose of personal data processing
  - Categories of individuals and processed personal data
  - Categories of personal data recipients
  - Agreements and devices for personal data transfer to countries outside the EU, including details about implemented control measures
  - Time schedules for personal data retention
  - Existent technical and organisational control
These measures are regularly reviewed as part of the management process concerning data protection.
With whom we share your personal data
We will use all necessary measures to make sure that the information you provide us with is stored in a reliable and safe manner.
The data, indicated above, is only provided to our trusted partners (technical suppliers of IT services) or commercial banks (when it is necessary for processing your data), for which we have ensured that they adhere to the highest standards of information security and privacy. Providing data to our partners is necessary, so that we can provide you with the services you have requested, as well as to improve the performance of our website.
We will not sell your personal data or share it with any other company for their own use without prior notification to you in writing and, when necessary, obtaining your consent.
Please note that we are bound by law and the Republic of Bulgaria’s applicable legislation to submit your data to government, administrative and judicial agencies when these agencies request us to do so.
We will submit your data to a third country or international organisation only in situations in which we are bound to do so by a stipulation of valid legislation in the Republic of Bulgaria and/or EU law regarding the warranties, provided in this legislation and/or established by the competent supervising authorities or the European Commission.
How long we store your personal data
BeConnected Bulgaria OOD will store personal data only for the purposes, mentioned above, and only for the minimally required period of time.
When we process your personal data on the basis of your consent (e.g. for direct marketing purposes) and in situations in which there are no other legal grounds for processing this data, we will discontinue processing your data if you decide to withdraw the consent you have previously given us (see more in section “What your rights are”).
If you are no longer our customer, we will only store your data for the minimal period of time required for the protection of our interests and rights and in accordance with the obligations, imposed on us by law and regulations.
Please note that the Republic of Bulgaria’s Gambling Act obliges us to keep your data related to the gambling services we provide to you in the form in which it was created, for a term of 5 (five) years after the prescriptive time period for the lapse of public liabilities related to this data.
Phone conversations
Phone conversations to and from our customer service department are recorded for security purposes as well as in order to serve for training and evaluation of the service you have received.
Your rights regarding your personal data
Access to Information
You have a right to access the information we store about you.
Your right of access may be used in accordance with Bulgaria’s Personal Data Protection Act and the applicable EU legislation in the area of personal data.
We will provide you with a single copy of your personal data that is being processed. For any additional copies you request, we may impose a reasonable fee based on administrative expenses, for which you will receive prior notice. The personal data you have submitted will be provided to you in a method chosen by BeConnected Bulgaria OOD.
If you submit a request through electronic means, if possible, the information will be provided in a widely used electronic format, unless you have requested otherwise.
Please note that your right to access cannot affect adversely the rights and liberties of other persons.
Right to Correct
You have the right to request us to correct any incorrect personal data related to you. Regarding the purposes of processing, you have the right to complete any incomplete personal data, including adding on, which would be performed through your submission of corrected data.
Right to Deletion (Right of “Being Forgotten”)
You have the right to request us to delete and/or erase the following personal data of yours, if any of the following circumstances exist:
Right to Restrict Processing
1. You have the right to request us to restrict processing when any of the following grounds applies:
a) The personal data’s accuracy is being disputed by you for a period of time that allows the Administrator to verify the personal data’s accuracy;
b) Processing is illegal, but you do not want your personal data to be deleted and would rather restrict its use;
c) We do not need more of your personal data for the sake of processing, but you require the data for the establishment, exercising or protection of legal claims;
d) You have objected to processing for the period of time for verifying whether the legal grounds we have indicated override your interests.
2. When the processing is restricted in accordance with a) above, such data will be processed, excluding storage, only with your consent or for the sake of establishing, exercising or protecting legal claims and protecting the rights of another physical person or due to important reasons of interest to the general public of the European Union or a member-country.
3. When you have requested a restriction on processing as per clause 1) above, we will notify you, before the processing restriction is cancelled.
Other
It is important for you to know that you can withdraw your consent for personal data processing at any time.
If you believe your rights of data protection have been infringed upon, you have the right to file a complaint to a Personal Data Protection Commission.
For questions related to your rights, or if you would like to exercise any of them, please contact us at: info@beconnected.no.
For more information about your rights over your personal data, you can contact us at the email address: info@beconnected.no.
Amendments to Our Policy
Any future amendments we make to our Policy will be announced on our website in a timely manner and they will enter into force at the time of their posting.
If we introduce any material or significant changes to this Policy, we will make an effort to inform you through email, an announcement on the website or other means of communication previously agreed upon.
We will give you prior notice about the amendments, which will give you an appropriate period of time to review and understand the changes before they come into effect.
We will not introduce significant changes to our Policy, without having obtained your consent. If you refuse to accept the changes in this Policy, or for any other reason you do not accept the changes within the time period, we may be unable to provide some or all of our products or services.
This Privacy Policy is up-to-date as of 25 May 2018.