This policy for the protection of personal data (hereinafter referred to as the "Policy") regulates the personal data processing activities of Blopo LTD, EIK 207222614, with an address of management in the city of Sofia, 2-4 Rilski ezera St, (hereinafter referred to as "the Company"), with a comprehensive guarantee of compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in connection with the processing of personal data and on the free movement of such data (General Regulation on data protection, hereinafter referred to as the "Regulation"), as well as with all other applicable regulations on personal data protection. This Policy applies to matters of personal data protection, for which there is no other regulation according to other acts of the Company.
1. Information about the Company
BLOPO is a brand owned by Blopo LTD, EIK 207222614, with management address: Sofia, 2-4 Rilski Ezera St. (hereinafter referred to as the "Company"). For the purposes of data protection legislation, the company is the administrator in the processing of personal data.
2. Terms and Abbreviations Used
All terms and abbreviations not expressly defined in the Policy shall have the meaning set forth in the Regulation.
3. Personal data processing activities
3.1. Principles of personal data processing
The processing of personal data by the Company is subject to the principles of lawfulness, good faith and transparency and of data minimisation. The personal data processed are limited to what is necessary in relation to the purposes for which they are processed. Personal data are collected for specific, explicitly stated and legitimate purposes and are not further processed in a manner incompatible with these purposes. Personal data are accurate and, where necessary, kept up to date. Personal data are stored in a form that allows the identification of the data subject for a period no longer than is necessary for the purposes for which the personal data are processed. Personal data are processed in a way that ensures an appropriate level of personal data security, including protection against unauthorised or unlawful processing and against accidental loss, disclosure, destruction or damage, applying appropriate technical or organisational measures, while respecting the principles of the permanent confidentiality, integrity, availability and resilience of processing systems and services.
3.2. The Company has the right to process personal data regarding its customers as follows:
• for its main activity of offering and trading products, in relation to which personal data such as name, surname, date of birth, IP address, e-mail address, telephone number, address (postal and delivery), information on invoicing and acceptance of bank payments, etc. may be processed. The purposes of processing for this category of subjects include: (i) acceptance, processing and execution of requests to order products and/or services offered by the Company, including the use of the Company's website; (ii) keeping tax and accounting records; (iii) fulfilment of legislative requirements; (iv) purposes related to the legitimate interests of the Company; (v) purposes for which the data subject has consented to the processing of his data; (vi) sending commercial messages with full information and advertising of the Company's own goods and/or services.
3.2.1. The Company retains personal data for the period necessary either to comply with the applicable laws and regulations, or for another period according to the requirements applicable to the Company's commercial activity or to its activity as an employer or contractor under civil contracts. The processing of personal data is based on the principle of data minimisation, depending on and for the purposes of providing the services used by the respective customer.
4. Categories of data recipients
The Company may disclose personal data to the following persons:
• service providers – consultants, lawyers, accountants, IT specialists, etc., in connection with the conclusion of contracts from the Company's main activity, fulfilment of legal requirements, technical support, etc.;
• subcontractors – provision of services on behalf of the Company (distributors, etc.), in connection with the conclusion and execution of contracts for trade with the products offered by the Company;
• persons providing services for provision and maintenance of equipment, software and hardware used for processing (including storage) of personal data, for reporting payments, etc.;
• banks, for servicing payments by data subjects;
• public and/or judicial authorities, to the extent permitted and/or required by law.
5. Obligations of the Company
The company has the following obligations:
• to determine the policies and procedures for the protection of processed personal data according to the applicable legislation;
• to introduce appropriate technical and organizational measures with a view to the effective application of data protection principles, as well as to ensure that by default only personal data that are necessary for the relevant purpose of processing are processed;
• to ensure the exercise of the subjects' rights to protect personal data;
• to update the maintained databases and control compliance with protection requirements, establish circumstances related to protection violations and take measures to eliminate them;
• to maintain the personal data in a form that allows identification of the relevant subjects for a period not longer than necessary for the purposes for which these data are processed;
• to inform, as appropriate, the employees on the issues of personal data protection;
• to provide assistance in the implementation of the control functions of the Commission for the Protection of Personal Data (hereinafter referred to as "CPPD");
• to determine the rights of employees to access personal data in information systems according to the purposes of processing;
• to use processors of personal data that provide sufficient guarantees through the application of appropriate technical and organizational protection measures;
• to comply with certain rules in the event of a breach of personal data security;
• to document breaches of personal data security in accordance with applicable legislation;
• to carry out a risk assessment, in accordance with the requirements of the Regulation, respectively an impact assessment, if the conditions for this are present according to the Regulation.
6. Duties of the Company's employees. Responsibility. Confidentiality
6.1. The employees of the Company start processing personal data after familiarizing themselves with:
• the regulations in the field of personal data protection;
• the policy and other internal acts of the Company related to the protection of personal data;
• the dangers for the personal data processed by the Company.
The employees of the Company are obliged to:
• to comply with the requirements of the Regulation, other applicable legislation in the field of personal data protection, the Policy and other internal acts of the Company related to the protection of personal data;
• to process personal data only if there is a condition for lawful processing, namely: legal basis for processing; or a basis for processing that arises from the contractual relationship with the person or is necessary for the eventual conclusion of a contractual relationship with the person; or a basis for processing that derives from the express consent of the individual; or a basis for processing arising from the legitimate interest of the Company or a third party in accordance with the requirements of the Regulation;
• to use personal data in accordance with the purposes for which they are collected and not to process them further in a manner incompatible with these purposes;
• not to use the personal data to which they have access in their capacity as employees of the Company, for any personal purposes;
• to comply with the rule to avoid the possibility of unregulated access to personal data and not to leave accessible personal data unattended at the relevant workplace. In premises to which outsiders have access, the relevant employees are obliged to take measures so that outsiders do not have any unlawful access to documents containing personal data, including being able to view, copy or photograph them with a technical means;
• when the performance of the relevant activity allows, to limit the personal data used to the maximum extent;
• to ensure and guarantee compliance with the subjects' rights in relation to the processing of personal data;
• not to allow, assist or create conditions for security breaches in the processing of personal data; not to share or provide to each other or to third parties information essential for data security (their usernames, passwords for access to the systems, etc.);
• not to copy files with corporate information containing personal data onto a portable medium in an unencrypted (or non-password protected) form;
• not to send by e-mail to e-mail addresses outside the Company, in files that are not password-protected or in unencrypted or non-pseudonymised form, information containing substantial volumes of personal data, any special categories of personal data, or other personal data the unlawful access to which may constitute a high risk for the rights and interests of the data subjects concerned;
• not to publish personal data about customers or employees of the Company on public sites, etc., without an adequate legal basis for this.
6.2. Liability of employees
6.2.1. All actions that lead to or may lead to unregulated deletion, destruction or modification of personal data received by the Company in electronic form or on paper, as well as unregulated sharing/disclosure of personal data by employees of the Company, are prohibited and may result in liability of the relevant employee (disciplinary, administrative-penal and/or criminal, and/or civil).
6.3. The company ensures that all employees who process personal data for it sign a declaration of confidentiality and non-distribution of personal data and informs the employees who process personal data of their obligations related to this processing.
7. Maintaining a Register of personal data processing activities as an administrator
According to the requirements of Art. 30, par. 1 of the Regulation, the Company maintains a Register of processing activities as an administrator, which contains the name and contact details of the Company. The register includes a detailed description of all personal data processing activities pursuant to Art. 30, par. 1 of the Regulation, including the following characteristics: name of the processing activity (business process, function); the purposes of processing; the categories of natural persons for whom personal data is processed; the categories of personal data that are processed in the relevant activity; third parties that receive or otherwise participate in the processing of personal data in the relevant activity; when applicable, the transfer of personal data to a third country, outside the EU; the stipulated periods for storage and deletion of the various categories of personal data, where possible; a general description of the technical and organizational security measures, where possible.
8. Maintaining a Register of personal data processing activities as a processor
In the event that, in view of the Company's activities, the need arises for it to maintain a Register of personal data processing activities as a processor within the meaning of Art. 30, para. 2 of the Regulation, the Company will create and maintain such a Register in the form, volume and content required by the applicable legislation.
9. Data Protection Officer
The Company will appoint a data protection officer (hereinafter referred to as the "DPO") in the event that the appointment of such is or becomes necessary in accordance with the applicable legislative requirements for the protection of personal data.
10. Rights of data subjects
The company ensures the exercise of the following rights of data subjects:
• right to information, when collecting personal data from the data subject;
• right of access to the data of the data subject and in particular: (i) confirmation whether personal data of the data subject is processed by the Company; (ii) providing access to the data through a copy of the data that is being processed, as well as information about the purposes of the processing; the categories of personal data; the recipients or categories of recipients to whom the personal data has been or will be disclosed; the terms of storage of personal data; the existence of the right to correct or delete personal data or limit the processing of personal data, or to object to processing; the right to appeal to the CPPD; the sources of personal data; the existence of automated decision-making, including profiling;
• right to correction - to request the correction or completion of his personal data, if the same are inaccurate or incomplete; right to delete personal data when the grounds provided for in the Regulation are present;
• right to limit processing;
• right to data portability;
• right to object;
• right of the data subject not to be the subject of a decision based solely on automated processing, including profiling, which gives rise to legal consequences or otherwise significantly affects him;
• giving, changing or withdrawing consent for the processing of personal data, when the basis for the processing is the consent of the data subject.
Data subjects can exercise their rights by submitting a written application to the Company, in one of the following ways:
• by e-mail to the address: firstname.lastname@example.org through a qualified electronic signature, according to the Law on electronic document and electronic authentication services (called below "KEP");
• by post to the Company's contact address, sending a notarised application in order to ensure the identification of the applicant; in cases where the application is submitted by a legal representative of the applicant, or through an authorised representative of the applicant with a notarised power of attorney, the application should also contain a notarised signature of the signatory.
Applications are processed without undue delay. Within one month of submitting the application, the Company notifies the data subject of the actions taken on the application, respectively of the reasons for not taking action and of the possibility of filing a complaint with a supervisory authority and seeking legal protection. If actions are taken in relation to the application, the period for notifying the data subject of these actions may be extended to a total of three months, taking into account the complexity and number of applications. In this case, the Company shall notify the data subject of the extension of the term within the initial one-month term.
The information (which may vary depending on which right of the data subject is exercised) is provided in paper form personally to the data subject or to his legal or authorized representative with an express notarized power of attorney. If the application is submitted by e-mail, the information is also provided by e-mail to the e-mail address from which the submitted application originates in password-protected files.
11. Consent of the data subject as a basis for processing
In cases where the basis for the processing of personal data is consent within the meaning of the Regulation, the consent should be given in person by means of a written declaration, in electronic form or in another way determined by the Company to ensure that the consent is freely given, specific, informed and unambiguous.
11.2. Data Subjects
The Company may collect consents for all categories of data subjects for whom personal data processing is carried out, including customers, employees and persons with whom the Company has entered into civil contracts for the provision of services or orders, etc.
The Company provides an opportunity for data subjects to change or withdraw their consent in an easy way, without causing adverse legal consequences for them, when it is objectively possible to do so. Changes or withdrawal of consent are carried out by the data subjects according to the order of consent collection. In the event of a partial or complete withdrawal of consent, when the processing of personal data is carried out on this basis, the Company may be unable to provide the service requested by the client or to carry out the activity for which the corresponding provision of personal data was required. The withdrawal of consent does not affect the lawfulness of the processing based on the given consent until the moment of its withdrawal.
11.4. Collection of consents
Consents are collected in one of the following ways:
• through the form on the Company's website www.blopo.eu;
• by e-mail - for current employees;
• through a licensed postal operator with notarization of the statement of consent; or
• a statement of consent signed by the KEP, sent by e-mail.
11.5. Giving and withdrawing consents online
In cases where obtaining consent for the processing of personal data by the Company is required in view of the services provided by the Company that are requested or provided online, this consent is obtained (and, respectively, withdrawn) online as well.
The consents for the processing of personal data are registered and stored by the Company, in the type and volume possible for such storage.
12. Processing of personal data by the Company through a personal data processor
For the performance of its activities, the Company may use third parties (subcontractors, distributors, courier service providers, etc.) who are processors of personal data within the meaning of Art. 4, item 8 of the Regulation. Such processors can be:
• commercial companies;
• natural persons employed on civil contracts.
When assigning the processing of personal data to a processor, the Company complies with the following requirements:
• processors are selected who provide sufficient guarantees for the implementation of appropriate technical and organizational measures for the protection of personal data;
• the conditions for the protection of personal data are settled in writing between the Company and the processor.
The contracts/agreements that the Company concludes with the processors of personal data define and regulate: the subject and term of operation, the purposes and nature of the processing; the categories of data subjects whose personal data are processed; the type of personal data that the processor will process on behalf of the Company; the rights and obligations of the Company and the processor; the requirements for the technical and organizational protection measures that the processor should apply (with respect to the processor, no deviation from the provisions of this Policy is allowed); obligation for the processor to cooperate according to Art. 31-36 of the Regulation; obligation for the processor to notify the Company without undue delay after becoming aware of a security breach; requirements for the processor and other mandatory conditions, according to Art. 28, item 3 of the Regulation.
13. Rules for reacting in the event of a breach of personal data security
13.1. Detection of a security breach by an employee
In the event of a security breach discovered by an employee of the Company, the employee shall immediately notify the management of the Company, or the DPO, if one has been appointed, in writing (and if possible also orally), providing the information available about the breach: its nature, the presumed time of its occurrence or commission, etc.
13.2. Security breach investigation and measures
Without undue delay, the Company investigates the facts, carries out an analysis and assessment of the severity of the breach, in view of the risk to the rights and freedoms of the subjects, the number of affected data subjects, etc., and proposes appropriate remedial measures or, where remediation is impossible, measures to minimise the identified risks and possible adverse consequences.
13.3. Notification of CPPD
In the event of a security breach, the Company notifies the CPPD within 72 hours of becoming aware of it, unless in the specific case the security breach is unlikely to result in a risk to the rights and freedoms of individuals.
13.4. Notification to data subjects
When the security breach may result in a high risk to the rights and freedoms of natural persons, the Company communicates the personal data security breach to the affected data subjects without undue delay. The communication describes the nature of the security breach and includes at least: the name and contact details of the Company; a description of the possible consequences of the breach; a description of the measures taken or proposed by the Company to address the breach. The Company has the right not to communicate the breach to affected data subjects if it:
(I) has taken appropriate technical and organisational security measures in advance and these measures were applied to the affected personal data (e.g. encryption); and/or
(II) has subsequently taken measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; and/or
(III) would have to make a disproportionate effort to communicate individually. In this case, the Company makes a public announcement about the breach on its website and/or by dissemination in an appropriate way through the mass media.
Reports of personal data security breaches are registered and stored by the Company.
14. Technical and organizational measures to protect personal data
14.1. Technical and organizational measures of the Company as administrator
The Company's activities include the necessary technical and organizational measures to protect personal data from accidental or illegal destruction, or from accidental loss, from illegal access, modification or distribution, as well as from other illegal forms of processing. The types of protection are physical, personal, documentary, protection of automated information systems and/or networks, cryptographic protection.
14.2. Technical and organizational measures of the Company as processor
In the event that the Company processes personal data as a processor for other administrators, the specific technical and organizational measures applied by the Company in its capacity as a processor are determined in individual agreements with the relevant administrator. If there is no such determination, the Company will adhere to the technical and organizational measures it applies as an administrator.
15. Transfer of personal data outside the European Economic Area (EEA)
The Company may carry out international transfers of data originating from the European Economic Area (EEA) when the European Commission has recognised a country outside the EEA as providing an adequate level of data protection. For transfers to countries outside the EEA whose level of protection is not recognised by the European Commission, the Company will invoke either a specific derogation applicable to the particular situation, according to the Regulation, or will apply one of the safeguards provided for by the applicable legislation. In the remaining cases, the transfer of personal data outside the EEA is carried out on the basis of the express consent of the data subject to the proposed data transfer, obtained in compliance with the requirements of the Regulation.